Amazon Redshift - AWS GovCloud (US)

Amazon Redshift

Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte or more and costs less than $1,000 per terabyte per year, a tenth the cost of most traditional data warehousing solutions.

How Amazon Redshift Differs for AWS GovCloud (US)

  • In AWS GovCloud (US) Regions, Amazon Redshift Spectrum is available in AWS GovCloud (US-West) only.

  • In AWS GovCloud (US) Regions, all Amazon Redshift clusters must be launched in an Amazon VPC.

  • Snapshot copy is not available in the AWS GovCloud (US) Regions.

  • To connect to Amazon Redshift with SSL, you must download the Amazon Redshift certificate bundle from For more information, see Configure Security Options for Connections.

  • If you want Amazon Redshift to write logs to an Amazon S3 bucket, the bucket must have a policy that uses the Amazon Redshift account ID for the AWS Region. The account ID for AWS GovCloud (US-West) is 665727464434. The account ID for AWS GovCloud (US-East) is 876460406779. For more information, see Managing Log Files in the Amazon Redshift Cluster Management Guide.

    The following shows an example of a bucket policy that enables audit logging for AWS GovCloud (US) Regions, where BucketName is a placeholder for your bucket name:

    {
      "Statement": [
        {
          "Sid": "Put bucket policy needed for audit logging",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws-us-gov:iam::665727464434:user/logs" },
          "Action": "s3:PutObject",
          "Resource": "arn:aws-us-gov:s3:::BucketName/*"
        },
        {
          "Sid": "Get bucket policy needed for audit logging",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws-us-gov:iam::665727464434:user/logs" },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws-us-gov:s3:::BucketName"
        }
      ]
    }
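    The policy above is easy to get subtly wrong when it is copied from commercial-Region documentation: the partition must be aws-us-gov, and the principal must be the logging account for the Region the cluster runs in. The following script is an added example, not code from AWS or this page. It generates the page's policy for a given bucket and Region and then checks an arbitrary bucket policy for the two grants Redshift audit logging needs, flagging the commercial partition, the wrong Region's account, and wildcard principals. The Region codes us-gov-west-1 and us-gov-east-1 and the bucket name are assumptions for the example; the account IDs come from the page.

```python
"""Check an S3 bucket policy grants Amazon Redshift audit logging exactly the access this page describes."""
import json

# Redshift audit-logging account IDs per GovCloud Region, as given on this page.
# The Region codes are the standard GovCloud Region names (assumption: not stated on the page).
REDSHIFT_LOGGING_ACCOUNTS = {
    "us-gov-west-1": "665727464434",
    "us-gov-east-1": "876460406779",
}


def logging_principal(region):
    """ARN of the Redshift logging user for the Region, in the GovCloud 'aws-us-gov' partition."""
    return f"arn:aws-us-gov:iam::{REDSHIFT_LOGGING_ACCOUNTS[region]}:user/logs"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_audit_logging_policy(policy_json, bucket, region):
    """Return a list of findings; an empty list means the policy is correct for this bucket and Region."""
    policy = json.loads(policy_json)
    wanted = logging_principal(region)
    object_arn = f"arn:aws-us-gov:s3:::{bucket}/*"
    bucket_arn = f"arn:aws-us-gov:s3:::{bucket}"
    findings, put_ok, acl_ok = [], False, False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: wildcard principal grants access to everyone, not just Redshift")
            continue
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for p in principals:
            if p.startswith("arn:aws:"):
                findings.append(f"{sid}: principal {p} is in the commercial 'aws' partition; GovCloud uses 'aws-us-gov'")
            elif p != wanted and p.endswith(":user/logs"):
                findings.append(f"{sid}: principal {p} is not the Redshift logging account for {region}")
        if wanted in principals:
            put_ok |= "s3:PutObject" in actions and object_arn in resources
            acl_ok |= "s3:GetBucketAcl" in actions and bucket_arn in resources

    if not put_ok:
        findings.append(f"missing: Allow s3:PutObject on {object_arn} for {wanted}")
    if not acl_ok:
        findings.append(f"missing: Allow s3:GetBucketAcl on {bucket_arn} for {wanted}")
    return findings


def govcloud_audit_policy(bucket, region):
    """Generate the policy shown on this page with the bucket name and Region-specific account filled in."""
    principal = {"AWS": logging_principal(region)}
    return json.dumps({"Statement": [
        {"Sid": "Put bucket policy needed for audit logging", "Effect": "Allow",
         "Principal": principal, "Action": "s3:PutObject",
         "Resource": f"arn:aws-us-gov:s3:::{bucket}/*"},
        {"Sid": "Get bucket policy needed for audit logging", "Effect": "Allow",
         "Principal": principal, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws-us-gov:s3:::{bucket}"},
    ]}, indent=2)


if __name__ == "__main__":
    bucket = "example-redshift-logs"  # constructed bucket name
    good = govcloud_audit_policy(bucket, "us-gov-west-1")
    print("correct policy findings:", check_audit_logging_policy(good, bucket, "us-gov-west-1"))
    # Common mistake: a policy copied from commercial-Region documentation keeps the 'aws' partition.
    bad = good.replace("arn:aws-us-gov:", "arn:aws:")
    for finding in check_audit_logging_policy(bad, bucket, "us-gov-west-1"):
        print("-", finding)
```

    Run it against the policy you intend to apply before attaching it; the checker only reads the JSON and needs no AWS credentials.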

Documentation for Amazon Redshift

Amazon Redshift documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • Amazon Redshift master passwords are protected as ITAR-regulated data.

  • All data stored and processed in Amazon Redshift clusters can contain ITAR-regulated data. You cannot transfer ITAR-regulated data in and out of Amazon Redshift using the API or CLI. You must use database tools for data transfer of ITAR-regulated data.

ITAR-Regulated Data Not Permitted

  • Amazon Redshift metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your Amazon Redshift clusters except the master password.

  • Do not enter ITAR-regulated data in the following fields:

    • Database instance identifier

    • Master user name

    • Database name

    • Database snapshot name

    • Database security group name

    • Database security group description

    • Database parameter group name

    • Database parameter group description

    • Option group name

    • Option group description

    • Database subnet group name

    • Database subnet group description

    • Event subscription name

    • Resource tags

If you are processing ITAR-regulated data with Amazon Redshift, follow these guidelines in order to maintain ITAR compliance:

  • When you use the console or the AWS APIs, the only data field that is protected as ITAR-regulated data is the Amazon Redshift Master Password.

  • After you create your database, change the master password of your Amazon Redshift cluster by directly using the database client.

  • You can enter ITAR-regulated data into any data fields by using your database client-side tools. Do not pass ITAR-regulated data by using the web service APIs that are provided by Amazon Redshift.

  • To secure ITAR-regulated data in your VPC, set up access control lists (ACLs) to control traffic entering and exiting your VPC. If you have multiple databases configured with different ports, set up ACLs on all the ports.

    • For example, if you're running an application server on an Amazon EC2 instance that connects to an Amazon Redshift cluster, a non-U.S. person could reconfigure the DNS to redirect ITAR-regulated data out of the VPC and into any server that could possibly be outside of the AWS GovCloud (US) Regions.

      To prevent this type of attack and to maintain ITAR compliance, use network ACLs to prevent network traffic from exiting the VPC on the database port. For more information, see Network ACLs in the Amazon VPC User Guide.

  • For each cluster that contains ITAR-regulated data, ensure that only specific CIDR ranges and Amazon EC2 security groups can access the cluster, especially when an Internet gateway is attached to the VPC. Only allow connections that are from the AWS GovCloud (US) Regions or other ITAR-controlled environments to ITAR-controlled clusters.
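The network ACL guidance above hinges on rule ordering: network ACLs are stateless and evaluate rules in ascending number order, first match wins, with an implicit final deny. The following is an added example, not code from AWS or this page. It models an egress ACL as a small rule table, encodes the recommended layout (allow the database port inside the VPC, deny it everywhere else, then allow ephemeral ports for return traffic) and checks that the database port cannot leave the VPC. It also shows the common mistake of numbering the deny after the ephemeral-port allow, which silently shadows it. The port 5439 (Redshift's default listener port), the VPC CIDR 10.0.0.0/16 and the external address 203.0.113.7 are assumptions for the example; substitute your cluster's port and your VPC's range.

```python
"""Model the egress network ACL recommended above and verify the database port cannot leave the VPC."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Redshift's default listener port (assumption: replace with your cluster's configured port).
REDSHIFT_PORT = 5439
# Constructed VPC address range for the example.
VPC_CIDR = "10.0.0.0/16"
# Constructed external address from the TEST-NET-3 documentation range.
EXTERNAL_IP = "203.0.113.7"


@dataclass(frozen=True)
class NaclRule:
    number: int     # rule number; lower numbers are evaluated first
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str       # destination CIDR for an egress rule


def evaluate(rules, protocol, port, ip):
    """Network ACL semantics: ascending rule number, first match wins, implicit final deny."""
    dest = ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.from_port <= port <= rule.to_port:
            continue
        if dest not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


# Egress rules laid out as the page recommends: the database port is allowed only inside the VPC,
# denied everywhere else, and ephemeral ports are allowed so stateless return traffic still flows.
RECOMMENDED_EGRESS = [
    NaclRule(100, "allow", "tcp", REDSHIFT_PORT, REDSHIFT_PORT, VPC_CIDR),
    NaclRule(110, "deny", "tcp", REDSHIFT_PORT, REDSHIFT_PORT, "0.0.0.0/0"),
    NaclRule(120, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]

# The same three rules with the deny numbered after the ephemeral allow: port 5439 falls inside
# 1024-65535, so rule 120 matches first and the deny is never reached.
SHADOWED_EGRESS = [
    NaclRule(100, "allow", "tcp", REDSHIFT_PORT, REDSHIFT_PORT, VPC_CIDR),
    NaclRule(120, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
    NaclRule(130, "deny", "tcp", REDSHIFT_PORT, REDSHIFT_PORT, "0.0.0.0/0"),
]


def database_port_contained(rules, port=REDSHIFT_PORT, vpc_cidr=VPC_CIDR, external_ip=EXTERNAL_IP):
    """True when the database port is reachable inside the VPC but denied to an address outside it."""
    inside = str(ip_network(vpc_cidr)[50])  # pick an arbitrary host address inside the VPC
    return (evaluate(rules, "tcp", port, inside) == "allow"
            and evaluate(rules, "tcp", port, external_ip) == "deny")


if __name__ == "__main__":
    print("recommended ordering contains the port:", database_port_contained(RECOMMENDED_EGRESS))
    print("shadowed ordering contains the port:   ", database_port_contained(SHADOWED_EGRESS))
```

Use the same check for every port your clusters listen on, as the page says to do when several databases use different ports, since a deny on one port says nothing about the others.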

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see Service Endpoints.