AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Redshift

Amazon Redshift (service prefix: redshift) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Redshift

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Each entry below gives the action name, its description, its access level and, where the action applies to specific resource types or condition keys, those as well (an asterisk marks a required resource type). No action on this page lists dependent actions.

AcceptReservedNodeExchange
    Description: Exchanges a DC1 Reserved Node for a DC2 Reserved Node with no changes to the configuration (term, payment type, or number of nodes) and no additional costs
    Access level: Write

AuthorizeClusterSecurityGroupIngress
    Description: Adds an inbound (ingress) rule to an Amazon Redshift security group
    Access level: Permissions management
    Resource types: securitygroup*, securitygroupingress-ec2securitygroup*

AuthorizeSnapshotAccess
    Description: Authorizes the specified AWS customer account to restore the specified snapshot
    Access level: Permissions management
    Resource types: snapshot*

BatchDeleteClusterSnapshots
    Description: Deletes the snapshots in a batch of size up to 100
    Access level: Write
    Resource types: snapshot*

BatchModifyClusterSnapshots
    Description: Modifies the settings for a batch of snapshots
    Access level: Write
    Resource types: snapshot*

CancelQuery
    Description: Gives permission to cancel a query through the Redshift Query Editor
    Access level: Write

CancelQuerySession
    Description: [permission only] Controls whether a user can see queries in the Amazon Redshift console in the Queries tab of the Cluster section
    Access level: Write

CancelResize
    Description: Cancels an ongoing classic resize
    Access level: Write
    Resource types: cluster*

CopyClusterSnapshot
    Description: Copies the specified automated cluster snapshot to a new manual cluster snapshot
    Access level: Write
    Resource types: snapshot*

CreateCluster
    Description: Creates a new cluster
    Access level: Write
    Resource types: cluster*

CreateClusterParameterGroup
    Description: Creates an Amazon Redshift parameter group
    Access level: Write
    Resource types: parametergroup*

CreateClusterSecurityGroup
    Description: Creates a new Amazon Redshift security group
    Access level: Write
    Resource types: securitygroup*

CreateClusterSnapshot
    Description: Creates a manual snapshot of the specified cluster
    Access level: Write
    Resource types: snapshot*

CreateClusterSubnetGroup
    Description: Creates a new Amazon Redshift subnet group
    Access level: Write
    Resource types: subnetgroup*

CreateClusterUser
    Description: Gives permission to auto-create the specified Redshift database user if it does not exist
    Access level: Permissions management
    Resource types: dbuser*
    Condition keys: redshift:DbUser

CreateEventSubscription
    Description: Creates an Amazon Redshift event notification subscription
    Access level: Write
    Resource types: eventsubscription*

CreateHsmClientCertificate
    Description: Creates an HSM client certificate that an Amazon Redshift cluster will use to connect to the client's HSM in order to store and retrieve the keys used to encrypt the cluster databases
    Access level: Write
    Resource types: hsmclientcertificate*

CreateHsmConfiguration
    Description: Creates an HSM configuration that contains the information required by an Amazon Redshift cluster to store and use database encryption keys in a Hardware Security Module (HSM)
    Access level: Write
    Resource types: hsmconfiguration*

CreateSavedQuery
    Description: Gives permission to create saved queries through Redshift Saved Queries
    Access level: Write

CreateSnapshotCopyGrant
    Description: Creates a snapshot copy grant that permits Amazon Redshift to use a customer master key (CMK) from AWS Key Management Service (AWS KMS) to encrypt copied snapshots in a destination region
    Access level: Permissions management
    Resource types: snapshotcopygrant*

CreateSnapshotSchedule
    Description: Creates the given snapshot schedule
    Access level: Write
    Resource types: snapshotschedule*

CreateTags
    Description: Adds one or more tags to a specified resource
    Access level: Tagging

DeleteCluster
    Description: Deletes a previously provisioned cluster
    Access level: Write
    Resource types: cluster*

DeleteClusterParameterGroup
    Description: Deletes a specified Amazon Redshift parameter group
    Access level: Write
    Resource types: parametergroup*

DeleteClusterSecurityGroup
    Description: Deletes an Amazon Redshift security group
    Access level: Write
    Resource types: securitygroup*

DeleteClusterSnapshot
    Description: Deletes the specified manual snapshot
    Access level: Write
    Resource types: snapshot*

DeleteClusterSubnetGroup
    Description: Deletes the specified cluster subnet group
    Access level: Write
    Resource types: subnetgroup*

DeleteEventSubscription
    Description: Deletes an Amazon Redshift event notification subscription
    Access level: Write
    Resource types: eventsubscription*

DeleteHsmClientCertificate
    Description: Deletes the specified HSM client certificate
    Access level: Write
    Resource types: hsmclientcertificate*

DeleteHsmConfiguration
    Description: Deletes the specified Amazon Redshift HSM configuration
    Access level: Write
    Resource types: hsmconfiguration*

DeleteSavedQueries
    Description: Gives permission to delete saved queries through Redshift Saved Queries
    Access level: Write

DeleteSnapshotCopyGrant
    Description: Deletes the specified snapshot copy grant
    Access level: Write
    Resource types: snapshotcopygrant*

DeleteSnapshotSchedule
    Description: Deletes the given snapshot schedule
    Access level: Write
    Resource types: snapshotschedule*

DeleteTags
    Description: Deletes a tag or tags from a resource
    Access level: Tagging

DescribeAccountAttributes
    Description: Enables the user to get a list of attributes attached to an account
    Access level: Read

DescribeClusterDbRevisions
    Description: Enables the user to get a list of database revisions for a cluster
    Access level: List

DescribeClusterParameterGroups
    Description: Returns a list of Amazon Redshift parameter groups, including parameter groups you created and the default parameter group
    Access level: Read

DescribeClusterParameters
    Description: Returns a detailed list of parameters contained within the specified Amazon Redshift parameter group
    Access level: Read
    Resource types: parametergroup*

DescribeClusterSecurityGroups
    Description: Returns information about Amazon Redshift security groups
    Access level: Read

DescribeClusterSnapshots
    Description: Returns one or more snapshot objects, which contain metadata about your cluster snapshots
    Access level: Read

DescribeClusterSubnetGroups
    Description: Returns one or more cluster subnet group objects, which contain metadata about your cluster subnet groups
    Access level: Read

DescribeClusterTracks
    Description: Enables the user to get a list of all the available maintenance tracks
    Access level: List

DescribeClusterVersions
    Description: Returns descriptions of the available Amazon Redshift cluster versions
    Access level: Read

DescribeClusters
    Description: Returns properties of provisioned clusters, including general cluster properties, cluster database properties, maintenance and backup properties, and security and access properties
    Access level: List

DescribeDefaultClusterParameters
    Description: Returns a list of parameter settings for the specified parameter group family
    Access level: Read

DescribeEventCategories
    Description: Displays a list of event categories for all event source types, or for a specified source type
    Access level: Read

DescribeEventSubscriptions
    Description: Lists descriptions of all the Amazon Redshift event notification subscriptions for a customer account
    Access level: Read

DescribeEvents
    Description: Returns events related to clusters, security groups, snapshots, and parameter groups for the past 14 days
    Access level: List

DescribeHsmClientCertificates
    Description: Returns information about the specified HSM client certificate
    Access level: Read

DescribeHsmConfigurations
    Description: Returns information about the specified Amazon Redshift HSM configuration
    Access level: Read

DescribeLoggingStatus
    Description: Describes whether information, such as queries and connection attempts, is being logged for the specified Amazon Redshift cluster
    Access level: Read
    Resource types: cluster*

DescribeOrderableClusterOptions
    Description: Returns a list of orderable cluster options
    Access level: Read

DescribeQuery
    Description: Gives permission to describe a query through the Redshift Query Editor
    Access level: Read

DescribeReservedNodeOfferings
    Description: Returns a list of the available reserved node offerings by Amazon Redshift with their descriptions, including the node type, the fixed and recurring costs of reserving the node, and the duration the node will be reserved for you
    Access level: Read

DescribeReservedNodes
    Description: Returns the descriptions of the reserved nodes
    Access level: Read

DescribeResize
    Description: Returns information about the last resize operation for the specified cluster
    Access level: Read
    Resource types: cluster*

DescribeSnapshotCopyGrants
    Description: Returns a list of snapshot copy grants owned by the AWS account in the destination region
    Access level: Read

DescribeSnapshotSchedules
    Description: Describes created snapshot schedules
    Access level: Write
    Resource types: snapshotschedule*

DescribeStorage
    Description: Returns account-level backup storage size and provisional storage
    Access level: Read

DescribeTable
    Description: Gives permission to describe a table through the Redshift Query Editor
    Access level: Read

DescribeTableRestoreStatus
    Description: Lists the status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action
    Access level: Read

DescribeTags
    Description: Returns a list of tags
    Access level: Read

DisableLogging
    Description: Stops logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster
    Access level: Write
    Resource types: cluster*

DisableSnapshotCopy
    Description: Disables the automatic copying of snapshots from one region to another region for a specified cluster
    Access level: Write
    Resource types: cluster*

EnableLogging
    Description: Starts logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster
    Access level: Write
    Resource types: cluster*

EnableSnapshotCopy
    Description: Enables the automatic copying of snapshots from one region to another region for a specified cluster
    Access level: Write
    Resource types: cluster*

ExecuteQuery
    Description: Gives permission to execute a query through the Redshift Query Editor
    Access level: Write

FetchResults
    Description: Gives permission to fetch query results through the Redshift Query Editor
    Access level: Read

GetClusterCredentials
    Description: Gets a temporary cluster credential for the specified Redshift database user
    Access level: Write
    Resource types: dbuser*, dbgroup, dbname
    Condition keys: redshift:DbName, redshift:DbUser, redshift:DurationSeconds

GetReservedNodeExchangeOfferings
    Description: Returns an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node
    Access level: Read

JoinGroup
    Description: Gives permission to join the specified Redshift database groups
    Access level: Permissions management
    Resource types: dbgroup*

ListDatabases
    Description: Gives permission to list databases through the Redshift Query Editor
    Access level: List

ListSavedQueries
    Description: Gives permission to list saved queries through Redshift Saved Queries
    Access level: List

ListSchemas
    Description: Gives permission to list schemas through the Redshift Query Editor
    Access level: List

ListTables
    Description: Gives permission to list tables through the Redshift Query Editor
    Access level: List

ModifyCluster
    Description: Modifies the settings for a cluster
    Access level: Write
    Resource types: cluster*

ModifyClusterDbRevision
    Description: Enables the user to modify the database revision of a cluster
    Access level: Write
    Resource types: cluster*

ModifyClusterIamRoles
    Description: Modifies the list of AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services
    Access level: Permissions management
    Resource types: cluster*

ModifyClusterMaintenance
    Description: Enables the user to modify the maintenance settings of a cluster
    Access level: Write

ModifyClusterParameterGroup
    Description: Modifies the parameters of a parameter group
    Access level: Write
    Resource types: parametergroup*

ModifyClusterSnapshot
    Description: Modifies the settings for a snapshot
    Access level: Write
    Resource types: snapshot*

ModifyClusterSnapshotSchedule
    Description: Modifies the snapshot schedule settings for a cluster
    Access level: Write
    Resource types: cluster*

ModifyClusterSubnetGroup
    Description: Modifies a cluster subnet group to include the specified list of VPC subnets
    Access level: Write
    Resource types: subnetgroup*

ModifyEventSubscription
    Description: Modifies an existing Amazon Redshift event notification subscription
    Access level: Write
    Resource types: eventsubscription*

ModifySavedQuery
    Description: Gives permission to modify existing saved queries through Redshift Saved Queries
    Access level: Write

ModifySnapshotCopyRetentionPeriod
    Description: Modifies the number of days to retain automated snapshots in the destination region after they are copied from the source region
    Access level: Write
    Resource types: cluster*

ModifySnapshotSchedule
    Description: Modifies the given snapshot schedule
    Access level: Write
    Resource types: snapshotschedule*

PurchaseReservedNodeOffering
    Description: Allows you to purchase reserved nodes. Amazon Redshift offers a predefined set of reserved node offerings
    Access level: Write

RebootCluster
    Description: Reboots a cluster
    Access level: Write
    Resource types: cluster*

ResetClusterParameterGroup
    Description: Sets one or more parameters of the specified parameter group to their default values and sets the source values of the parameters to "engine-default"
    Access level: Write
    Resource types: parametergroup*

ResizeCluster
    Description: Changes the size of the cluster. You can change the cluster's type, or change the number or type of nodes
    Access level: Write
    Resource types: cluster*

RestoreFromClusterSnapshot
    Description: Creates a new cluster from a snapshot
    Access level: Write
    Resource types: snapshot*

RestoreTableFromClusterSnapshot
    Description: Creates a new table from a table in an Amazon Redshift cluster snapshot
    Access level: Write
    Resource types: cluster*, snapshot*

RevokeClusterSecurityGroupIngress
    Description: Revokes an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group
    Access level: Permissions management
    Resource types: securitygroup*, securitygroupingress-ec2securitygroup*

RevokeSnapshotAccess
    Description: Removes the ability of the specified AWS customer account to restore the specified snapshot
    Access level: Permissions management
    Resource types: snapshot*

RotateEncryptionKey
    Description: Rotates the encryption keys for a cluster
    Access level: Permissions management
    Resource types: cluster*

ViewQueriesFromConsole
    Description: Gives permission to view query results from the console through the Redshift Query Editor
    Access level: List

ViewQueriesInConsole
    Description: [permission only] Controls whether a user can terminate running queries and loads from the Cluster section in the Amazon Redshift console
    Access level: List

Resources Defined by Redshift

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy; where a resource type does so, those keys are listed with it. For details about the columns in the following table, see The Resource Types Table.

Each entry below gives the resource type name and its ARN format. None of the resource types on this page defines its own condition keys.

cluster
    arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName}

dbgroup
    arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup}

dbname
    arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName}

dbuser
    arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser}

eventsubscription
    arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName}

hsmclientcertificate
    arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId}

hsmconfiguration
    arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId}

parametergroup
    arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName}

securitygroup
    arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}

securitygroupingress-cidr
    arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}

securitygroupingress-ec2securitygroup
    arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}

snapshot
    arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName}

snapshotcopygrant
    arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName}

snapshotschedule
    arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${ParameterGroupName}

subnetgroup
    arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName}

Condition Keys for Amazon Redshift

Amazon Redshift defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Each entry below gives the condition key, its description and its type.

redshift:DbName
    Description: Control access based on the database name
    Type: String

redshift:DbUser
    Description: Control access based on the database user name
    Type: String

redshift:DurationSeconds
    Description: Control access based on the number of seconds until a temporary credential set expires
    Type: String
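As an added example (not code from the original page or from AWS), the following Python ties the resource table and the condition keys above together for the one action that uses all three keys, GetClusterCredentials: it builds the dbuser, dbgroup and dbname ARNs in the formats the resource table gives, composes a policy that scopes temporary credentials to one database user, one database and one group with a capped lifetime, and flags statements that widen such a grant with the Permissions-management actions CreateClusterUser and JoinGroup or with a wildcard dbuser resource. The partition, region, account and cluster values are constructed, and the choice of a numeric operator on the String-typed redshift:DurationSeconds key is an assumption.

```python
# Constructed sample values (not from the original page); replace with your own.
PARTITION, REGION, ACCOUNT, CLUSTER = "aws", "us-east-1", "123456789012", "examplecluster"

# The dbuser, dbgroup and dbname ARN formats from the resource table above.
ARN_FORMATS = {t: f"arn:{{p}}:redshift:{{r}}:{{a}}:{t}:{{c}}/{{n}}"
               for t in ("dbuser", "dbgroup", "dbname")}

# Actions the actions table classifies as "Permissions management" for database identity.
PERMISSIONS_MANAGEMENT = {"redshift:CreateClusterUser", "redshift:JoinGroup"}

def redshift_arn(resource_type, name, partition=PARTITION, region=REGION,
                 account=ACCOUNT, cluster=CLUSTER):
    """Build a dbuser/dbgroup/dbname ARN exactly as the resource table defines it."""
    return ARN_FORMATS[resource_type].format(p=partition, r=region, a=account, c=cluster, n=name)

def temp_credentials_policy(db_user, db_name, db_group, max_seconds=900):
    """Allow GetClusterCredentials for one user, database and group, with a capped lifetime."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ScopedRedshiftTempCreds",
            "Effect": "Allow",
            "Action": ["redshift:GetClusterCredentials"],
            "Resource": [redshift_arn(t, n) for t, n in
                         (("dbuser", db_user), ("dbname", db_name), ("dbgroup", db_group))],
            "Condition": {
                "StringEquals": {"redshift:DbUser": db_user, "redshift:DbName": db_name},
                # Assumption: IAM accepts a numeric operator on this String-typed key.
                "NumericLessThanEquals": {"redshift:DurationSeconds": str(max_seconds)},
            },
        }],
    }

def risky_statements(policy):
    """Return (Sid, reason) pairs for Allow statements that over-grant database access."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = set(actions if isinstance(actions, list) else [actions])
        resources = resources if isinstance(resources, list) else [resources]
        # Creating users or joining groups is Permissions management, not a plain Write.
        for act in sorted(actions & PERMISSIONS_MANAGEMENT):
            findings.append((sid, f"{act} is Permissions management, not a plain Write"))
        # A wildcard dbuser resource lets the principal mint credentials for any database user.
        broad = [r for r in resources if r == "*" or (":dbuser:" in r and r.endswith("/*"))]
        if "redshift:GetClusterCredentials" in actions and broad:
            findings.append((sid, "GetClusterCredentials is allowed for any database user"))
    return findings
```

Run risky_statements over a policy document loaded with json.load to review it before attaching it to a role.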