AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Redshift

Amazon Redshift (service prefix: redshift) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Redshift

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions
AuthorizeClusterSecurityGroupIngress | Adds an inbound (ingress) rule to an Amazon Redshift security group. | Permissions management | securitygroup*, securitygroupingress-ec2securitygroup* | |
AuthorizeSnapshotAccess | Authorizes the specified AWS customer account to restore the specified snapshot | Permissions management | snapshot* | |
CancelQuerySession | [permission only] Controls whether a user can see queries in the Amazon Redshift console in the Queries tab of the Cluster section. | Write | | |
CopyClusterSnapshot | Copies the specified automated cluster snapshot to a new manual cluster snapshot | Write | snapshot* | |
CreateCluster | Creates a new cluster | Write | cluster* | |
CreateClusterParameterGroup | Creates an Amazon Redshift parameter group | Write | parametergroup* | |
CreateClusterSecurityGroup | Creates a new Amazon Redshift security group | Write | securitygroup* | |
CreateClusterSnapshot | Creates a manual snapshot of the specified cluster | Write | snapshot* | |
CreateClusterSubnetGroup | Creates a new Amazon Redshift subnet group | Write | subnetgroup* | |
CreateClusterUser | Gives permission to auto-create the specified Redshift user if it does not exist | Permissions management | dbuser* | redshift:DbUser |
CreateEventSubscription | Creates an Amazon Redshift event notification subscription | Write | eventsubscription* | |
CreateHsmClientCertificate | Creates an HSM client certificate that an Amazon Redshift cluster will use to connect to the client's HSM in order to store and retrieve the keys used to encrypt the cluster databases | Write | hsmclientcertificate* | |
CreateHsmConfiguration | Creates an HSM configuration that contains the information required by an Amazon Redshift cluster to store and use database encryption keys in a Hardware Security Module (HSM) | Write | hsmconfiguration* | |
CreateSnapshotCopyGrant | Creates a snapshot copy grant that permits Amazon Redshift to use a customer master key (CMK) from AWS Key Management Service (AWS KMS) to encrypt copied snapshots in a destination region | Permissions management | snapshotcopygrant* | |
CreateTags | Adds one or more tags to a specified resource | Tagging | | |
DeleteCluster | Deletes a previously provisioned cluster | Write | cluster* | |
DeleteClusterParameterGroup | Deletes a specified Amazon Redshift parameter group | Write | parametergroup* | |
DeleteClusterSecurityGroup | Deletes an Amazon Redshift security group | Write | securitygroup* | |
DeleteClusterSnapshot | Deletes the specified manual snapshot | Write | snapshot* | |
DeleteClusterSubnetGroup | Deletes the specified cluster subnet group | Write | subnetgroup* | |
DeleteEventSubscription | Deletes an Amazon Redshift event notification subscription | Write | eventsubscription* | |
DeleteHsmClientCertificate | Deletes the specified HSM client certificate | Write | hsmclientcertificate* | |
DeleteHsmConfiguration | Deletes the specified Amazon Redshift HSM configuration | Write | hsmconfiguration* | |
DeleteSnapshotCopyGrant | Deletes the specified snapshot copy grant | Write | snapshotcopygrant* | |
DeleteTags | Deletes a tag or tags from a resource | Tagging | | |
DescribeClusterParameterGroups | Returns a list of Amazon Redshift parameter groups, including parameter groups you created and the default parameter group | Read | | |
DescribeClusterParameters | Returns a detailed list of parameters contained within the specified Amazon Redshift parameter group | Read | parametergroup* | |
DescribeClusterSecurityGroups | Returns information about Amazon Redshift security groups | Read | | |
DescribeClusterSnapshots | Returns one or more snapshot objects, which contain metadata about your cluster snapshots | Read | | |
DescribeClusterSubnetGroups | Returns one or more cluster subnet group objects, which contain metadata about your cluster subnet groups | Read | | |
DescribeClusterVersions | Returns descriptions of the available Amazon Redshift cluster versions | Read | | |
DescribeClusters | Returns properties of provisioned clusters, including general cluster properties, cluster database properties, maintenance and backup properties, and security and access properties | List | | |
DescribeDefaultClusterParameters | Returns a list of parameter settings for the specified parameter group family | Read | | |
DescribeEventCategories | Displays a list of event categories for all event source types, or for a specified source type | Read | | |
DescribeEventSubscriptions | Lists descriptions of all the Amazon Redshift event notification subscriptions for a customer account | Read | | |
DescribeEvents | Returns events related to clusters, security groups, snapshots, and parameter groups for the past 14 days | List | | |
DescribeHsmClientCertificates | Returns information about the specified HSM client certificate | Read | | |
DescribeHsmConfigurations | Returns information about the specified Amazon Redshift HSM configuration | Read | | |
DescribeLoggingStatus | Describes whether information, such as queries and connection attempts, is being logged for the specified Amazon Redshift cluster | Read | cluster* | |
DescribeOrderableClusterOptions | Returns a list of orderable cluster options | Read | | |
DescribeReservedNodeOfferings | Returns a list of the reserved node offerings available from Amazon Redshift, with their descriptions, including the node type, the fixed and recurring costs of reserving the node, and the duration for which the node will be reserved | Read | | |
DescribeReservedNodes | Returns the descriptions of the reserved nodes | Read | | |
DescribeResize | Returns information about the last resize operation for the specified cluster | Read | cluster* | |
DescribeSnapshotCopyGrants | Returns a list of snapshot copy grants owned by the AWS account in the destination region | Read | | |
DescribeTableRestoreStatus | Lists the status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action | Read | | |
DescribeTags | Returns a list of tags | Read | | |
DisableLogging | Stops logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster | Write | cluster* | |
DisableSnapshotCopy | Disables the automatic copying of snapshots from one region to another region for a specified cluster | Write | cluster* | |
EnableLogging | Starts logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster | Write | cluster* | |
EnableSnapshotCopy | Enables the automatic copying of snapshots from one region to another region for a specified cluster | Write | cluster* | |
GetClusterCredentials | Gets a temporary cluster credential for the specified Redshift user | Write | dbuser*, dbgroup, dbname | redshift:DbName, redshift:DbUser, redshift:DurationSeconds |
JoinGroup | Gives permission to join the specified Redshift groups | Permissions management | dbgroup* | |
ModifyCluster | Modifies the settings for a cluster | Write | cluster* | |
ModifyClusterIamRoles | Modifies the list of AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services | Permissions management | cluster* | |
ModifyClusterParameterGroup | Modifies the parameters of a parameter group | Write | parametergroup* | |
ModifyClusterSubnetGroup | Modifies a cluster subnet group to include the specified list of VPC subnets | Write | subnetgroup* | |
ModifyEventSubscription | Modifies an existing Amazon Redshift event notification subscription | Write | eventsubscription* | |
ModifySnapshotCopyRetentionPeriod | Modifies the number of days to retain automated snapshots in the destination region after they are copied from the source region | Write | cluster* | |
PurchaseReservedNodeOffering | Allows you to purchase reserved nodes. Amazon Redshift offers a predefined set of reserved node offerings | Write | | |
RebootCluster | Reboots a cluster | Write | cluster* | |
ResetClusterParameterGroup | Sets one or more parameters of the specified parameter group to their default values and sets the source values of the parameters to "engine-default" | Write | parametergroup* | |
RestoreFromClusterSnapshot | Creates a new cluster from a snapshot | Write | snapshot* | |
RestoreTableFromClusterSnapshot | Creates a new table from a table in an Amazon Redshift cluster snapshot | Write | cluster*, snapshot* | |
RevokeClusterSecurityGroupIngress | Revokes an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group | Permissions management | securitygroup*, securitygroupingress-ec2securitygroup* | |
RevokeSnapshotAccess | Removes the ability of the specified AWS customer account to restore the specified snapshot | Permissions management | snapshot* | |
RotateEncryptionKey | Rotates the encryption keys for a cluster | Permissions management | cluster* | |
ViewQueriesInConsole | [permission only] Controls whether a user can terminate running queries and loads from the Cluster section in the Amazon Redshift console. | List | | |

Resources Defined by Redshift

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types | ARN | Condition Keys
cluster | arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName} |
dbgroup | arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup} |
dbname | arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName} |
dbuser | arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser} |
eventsubscription | arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName} |
hsmclientcertificate | arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId} |
hsmconfiguration | arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId} |
parametergroup | arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName} |
securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} |
securitygroupingress-cidr | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange} |
securitygroupingress-ec2securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} |
snapshot | arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName} |
snapshotcopygrant | arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName} |
subnetgroup | arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName} |

Condition Keys for Amazon Redshift

Amazon Redshift defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys | Description | Type
redshift:DbName | Control access based on the database name. | String
redshift:DbUser | Control access based on the database user name. | String
redshift:DurationSeconds | Control access based on the number of seconds until a temporary credential set expires. | String
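As an added example that is not part of this reference page, the following identity-based policy combines the dbuser, dbgroup and dbname ARN formats from the Resource Types table with the condition keys from the table above, so that GetClusterCredentials can issue temporary credentials only for one existing database user, one database and one group, and only for at most 15 minutes. The account ID 111122223333, the region, and the cluster, user, group and database names are assumed example values, and the numeric comparison on redshift:DurationSeconds is an assumption, since the table lists the key's type as String.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TemporaryCredentialsForOneUserOneDatabase",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-east-1:111122223333:dbuser:analytics-cluster/report_user",
        "arn:aws:redshift:us-east-1:111122223333:dbname:analytics-cluster/reports",
        "arn:aws:redshift:us-east-1:111122223333:dbgroup:analytics-cluster/readonly"
      ],
      "Condition": {
        "StringEquals": {
          "redshift:DbUser": "report_user",
          "redshift:DbName": "reports"
        },
        "NumericLessThanEquals": {
          "redshift:DurationSeconds": "900"
        }
      }
    },
    {
      "Sid": "JoinOnlyTheReadonlyGroup",
      "Effect": "Allow",
      "Action": "redshift:JoinGroup",
      "Resource": "arn:aws:redshift:us-east-1:111122223333:dbgroup:analytics-cluster/readonly"
    }
  ]
}
```

Because the policy grants neither redshift:CreateClusterUser nor redshift:JoinGroup on any other dbgroup ARN, a caller cannot have a new database user auto-created and cannot be added to any group other than readonly, which is the least-privilege shape the resource and condition columns of this page are designed to express.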