k9 Security now summarizes principals’ access to the Redshift APIs and reports whether principals may administer or read Redshift cluster configurations, use clusters, or read, write or delete cluster data. AWS Redshift is a data warehouse service where can you query and combine exabytes of structured and semi-structured data across your data warehouse, operational database, and data lake using standard SQL.

If you’re wondering which IAM principals can administer, use, or change data your Redshift data warehouse, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Redshift APIs and maps each principal’s access to a k9 access capability.

Here’s an example of how Redshift access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

k9 Principal Access Summary for Redshift

This example shows the ci IAM user has full access to Redshift APIs from administration through reading and deleting data. The k9-auditor role has only read-config capability to Redshift APIs.

read-config is a new capability that means the principal has the ability to read service or resource configuration metadata, e.g. the names of database clusters and the number of instances in those clusters.

The AWS Redshift API currently has 106 actions. We won’t list all those actions here, but this summary of k9’s AWS service coverage provides a sense of scale:

k9 AWS Service Analysis Summary

Four of those Redshift API actions are mapped to multiple capabilities:

BatchDeleteClusterSnapshotsadminister-resource, delete-data
CopyClusterSnapshotadminister-resource, write-data
DeleteClusteradminister-resource, delete-data
DeleteClusterSnapshotadminister-resource, delete-data

These API actions demonstrate the rule that when an action classifies to multiple access capabilities, those capabilities usually combine administration of resources and destruction or modification of data. Manage risk by continuously reviewing and adjusting access to these critical administration and data delete capabilities.

We hope k9’s new Redshift analysis capabilities help you identify which IAM users and roles can administer Redshift clusters, use clusters, or read, write or delete Redshift cluster data in your AWS accounts. We are happy to answer any questions!