Amazon Redshift
Cluster Management Guide

Managing Cluster Security Groups Using the Console

You can create, modify, and delete cluster security groups by using the Amazon Redshift console. You can also manage the default cluster security group in the Amazon Redshift console. All of the tasks start from the cluster security group list. You must choose a cluster security group to manage it.

You can't delete the default cluster security group, but you can modify it by authorizing or revoking ingress access.

Creating a Cluster Security Group

Note

A new console is available for Amazon Redshift. Choose either the New Console or the Original Console instructions based on the console that you are using. The New Console instructions are open by default.

New Console

To create a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. On the navigation menu, choose CONFIG, then choose Security groups to display the Cluster security groups page.

    Note

    You can only manage cluster security groups when logged in with an EC2-Classic AWS account.

  3. Choose Create cluster security group to display the Create cluster security group window.

  4. For the new security group, enter values for the following:

    • Name

    • Description

    • CIDR/IP range to authorize in the form nnn.nnn.nnn.nnn/nn

    • AWS account ID (without hyphens)

    • EC2 security group name

  5. Choose Create to create the security group.

Original Console

To create a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security.

  3. On the Security Groups tab, choose Create Cluster Security Group.

  4. In the Create Cluster Security Group dialog box, specify a cluster security group name and description.

  5. Choose Create.

    The new group is displayed in the list of cluster security groups.

Tagging a Cluster Security Group

New Console

To tag a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. On the navigation menu, choose CONFIG, then choose Security groups to display the Cluster security groups page.

    Note

    You can only manage cluster security groups when logged in with an EC2-Classic AWS account.

  3. Choose a cluster security group, then choose Manage tags to display the Manage tags page.

  4. On the Manage tags page, add new tags, and update or delete existing tags. For each new tag, provide information for Key and Value.

  5. Choose Apply to save your tags.

Original Console

To tag a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security.

  3. On the Security Groups tab, choose the cluster security group and choose Manage Tags.

  4. In the Manage Tags dialog box, do one of the following:

    • Remove a tag.

      • In the Applied Tags section, choose Delete next to the tag you want to remove.

      • Choose Apply Changes.

    • Add a tag.

      • In the Add Tags section, enter a key-value pair for the tag.

      • Choose Apply Changes.

      For more information about tagging an Amazon Redshift resource, see How to Manage Tags in the Amazon Redshift Console.

Managing Ingress Rules for a Cluster Security Group

(Original Console) Manage Ingress Rules for a Cluster Security Group

To manage ingress rules for a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security.

  3. On the Security Groups tab, in the cluster security group list, choose the cluster security group whose rules you want to manage.

  4. On the Security Group Connections tab, choose Add Connection Type.

  5. In the Add Connection Type dialog box, do one of the following:

    • Add an ingress rule based on CIDR/IP:

      • In the Connection Type box, choose CIDR/IP.

      • In the CIDR/IP to Authorize box, specify the range.

      • Choose Authorize.

    • Add an ingress rule based on an EC2 security group:

      • Under Connection Type, choose EC2 Security Group.

      • Choose the AWS account to use. By default, the account currently logged into the console is used. If you choose Another account, specify the AWS account ID.

      • For EC2 Security Group Name, enter the name of the EC2 security group that you want.

      • Choose Authorize.

Revoking Ingress Rules for a Cluster Security Group

(Original Console) Revoke Ingress Rule for a Cluster Security Group

To revoke ingress rules for a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security.

  3. On the Security Groups tab, in the cluster security group list, choose the cluster security group whose rules you want to manage.

  4. On the Security Group Connections tab, choose the rule that you want to remove and choose Revoke.
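Before authorizing a new rule or choosing one to revoke, it helps to review what each cluster security group already allows. The following Python code is an added example, not part of the AWS guide: it walks data shaped like the Amazon Redshift DescribeClusterSecurityGroups API response and flags CIDR/IP rules that are malformed or very broad, and EC2 security group rules that belong to another account. The sample data, the function name audit_ingress, and the 1024-address threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample shaped like a DescribeClusterSecurityGroups response;
# every name, range and account ID below is made up for illustration.
SAMPLE_RESPONSE = {"ClusterSecurityGroups": [{
    "ClusterSecurityGroupName": "securitygroup1",
    "IPRanges": [
        {"Status": "authorized", "CIDRIP": "0.0.0.0/0"},
        {"Status": "authorized", "CIDRIP": "203.0.113.0/24"},
        {"Status": "authorized", "CIDRIP": "10.0.0.0/8"},
    ],
    "EC2SecurityGroups": [
        {"Status": "authorized", "EC2SecurityGroupName": "app-tier",
         "EC2SecurityGroupOwnerId": "111122223333"},
        {"Status": "authorized", "EC2SecurityGroupName": "partner-etl",
         "EC2SecurityGroupOwnerId": "444455556666"},
    ],
}]}

MAX_ADDRESSES = 1024  # assumed policy threshold, not an AWS limit


def audit_ingress(response, own_account_id, max_addresses=MAX_ADDRESSES):
    """Return (group, rule, reason) tuples for ingress rules to review."""
    findings = []
    for group in response.get("ClusterSecurityGroups", []):
        name = group["ClusterSecurityGroupName"]
        for rule in group.get("IPRanges", []):
            cidr = rule["CIDRIP"]
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append((name, cidr, "malformed CIDR or host bits set"))
                continue
            if net.prefixlen == 0:
                findings.append((name, cidr, "open to any address"))
            elif net.num_addresses > max_addresses:
                findings.append((name, cidr, f"covers {net.num_addresses} addresses"))
        for rule in group.get("EC2SecurityGroups", []):
            sg, owner = rule["EC2SecurityGroupName"], rule.get("EC2SecurityGroupOwnerId", "")
            if not re.fullmatch(r"\d{12}", owner):  # account IDs: 12 digits, no hyphens
                findings.append((name, sg, "malformed account ID"))
            elif owner != own_account_id:
                findings.append((name, sg, f"cross-account grant to {owner}"))
    return findings


if __name__ == "__main__":
    print(*audit_ingress(SAMPLE_RESPONSE, "111122223333"), sep="\n")
```

Each finding names the cluster security group and the rule, so it maps directly to a row on the Security Group Connections tab.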

Tagging Ingress Rules for a Cluster Security Group

(Original Console) Tag Ingress Rules for a Cluster Security Group

To tag ingress rules for a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security.

  3. On the Security Groups tab, choose the cluster security group whose rules you want to manage.

  4. On the Security Group Connections tab, choose the rule that you want to tag and choose Manage Tags.

  5. In the Manage Tags dialog box, do one of the following:

    • Remove a tag:

      • In the Applied Tags section, choose Delete next to the tag that you want to remove.

      • Choose Apply Changes.

    • Add a tag.

      Note

      Tagging an EC2 security group rule only tags that rule, not the EC2 security group itself. If you want the EC2 security group tagged also, do that separately.

      • In the Add Tags section, enter a key-value pair for the tag.

      • Choose Apply Changes.

    For more information about tagging an Amazon Redshift resource, see How to Manage Tags in the Amazon Redshift Console.

Deleting a Cluster Security Group

If a cluster security group is associated with one or more clusters, you can't delete it.

New Console

To delete a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. On the navigation menu, choose CONFIG, then choose Security groups to display the Cluster security groups page.

    Note

    You can only manage cluster security groups when logged in with an EC2-Classic AWS account.

  3. Choose the security group that you want to delete, then choose Delete.

Original Console

To delete a cluster security group

  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshift/.

  2. In the navigation pane, choose Security.

  3. On the Security Groups tab, choose the cluster security group that you want to delete, and then choose Delete.

    One row must be selected for the Delete button to be enabled.

    Note

    You can't delete the default cluster security group.

  4. In the Delete Cluster Security Groups dialog box, choose Continue.

    If the cluster security group is used by a cluster, you can't delete it. The following example shows that securitygroup1 is used by examplecluster2.

Associating a Cluster Security Group with a Cluster

If you are on the EC2-VPC platform, see Managing VPC Security Groups for a Cluster for more information about associating VPC security groups with your cluster. We recommend that you launch your cluster in an EC2-VPC platform. However, you can restore an EC2-Classic snapshot to an EC2-VPC cluster using the Amazon Redshift console. For more information, see Restoring a Cluster from a Snapshot.

Each cluster you provision on the EC2-Classic platform has one or more cluster security groups associated with it. You can associate a cluster security group with a cluster when you create the cluster, or you can associate a cluster security group later by modifying the cluster. For more information, see Creating a Cluster by Using Launch Cluster and To modify a cluster.