AWS Security ChangesHomeSearch

AWS redshift medium security documentation change

Service: redshift · 2025-04-11 · Security-related medium

File: redshift/latest/dg/c-spectrum-iam-policies.md

Summary

Updated IAM policy examples and recommendations for Redshift Spectrum access. Removed user agent conditions, added ListBucketVersions permission, and emphasized using dedicated IAM roles with minimal permissions.

Security assessment

The change removes reliance on user agent conditions (which can be spoofed) and promotes security best practices by recommending dedicated IAM roles with least-privilege permissions. This addresses potential insecure configurations.

Diff

diff --git a/redshift/latest/dg/c-spectrum-iam-policies.md b/redshift/latest/dg/c-spectrum-iam-policies.md
index 4cb731953..88ca3a7ef 100644
--- a//redshift/latest/dg/c-spectrum-iam-policies.md
+++ b//redshift/latest/dg/c-spectrum-iam-policies.md
@@ -97 +97 @@ To grant Redshift Spectrum permission to access data in an Amazon S3 bucket that
-To grant access to an Amazon S3 bucket only using Redshift Spectrum, include a condition that allows access for the user agent `AWS Redshift/Spectrum`. The following policy allows access to Amazon S3 buckets only for Redshift Spectrum. It excludes other access, such as COPY operations.
+The following example policy allows access to Amazon S3 buckets for Amazon Redshift. When adding this policy to an IAM role, we recommend using an IAM role that is only used for Amazon Redshift. We also recommend that you don't reuse existing roles or add extra permissions to this IAM role.
@@ -102,11 +102 @@ To grant access to an Amazon S3 bucket only using Redshift Spectrum, include a c
-        "Statement": [{
-            "Effect": "Allow",
-            "Action": ["s3:Get*", "s3:List*"],
-            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
-                    "Condition": {"StringEquals": {"aws:UserAgent": "AWS Redshift/Spectrum"}}
-        }]
-    }
-
-Similarly, you might want to create an IAM role that allows access for COPY operations, but excludes Redshift Spectrum access. To do so, include a condition that denies access for the user agent `AWS Redshift/Spectrum`. The following policy allows access to an Amazon S3 bucket with the exception of Redshift Spectrum.
-    
-    
+        "Statement": [
@@ -114,2 +103,0 @@ Similarly, you might want to create an IAM role that allows access for COPY oper
-        "Version": "2012-10-17",
-        "Statement": [{
@@ -117,4 +105,11 @@ Similarly, you might want to create an IAM role that allows access for COPY oper
-            "Action": ["s3:Get*", "s3:List*"],
-            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
-                    "Condition": {"StringNotEquals": {"aws:UserAgent": "AWS Redshift/Spectrum"}}
-        }]
+                "Action": [
+                    "s3:GetObject",
+                    "s3:ListBucketVersions",
+                    "s3:ListBucket"
+                ],
+                "Resource": [ 
+                    "arn:aws:s3:::amzn-s3-demo-bucket", 
+                    "arn:aws:s3:::amzn-s3-demo-bucket/*" 
+                ]
+            }
+        ]
@@ -134,3 +129 @@ The following policy grants the minimum permissions required to use Redshift Spe
-                    "s3:GetBucketLocation",
-                    "s3:GetObject",
-                    "s3:ListMultipartUploadParts",
+                    "s3:ListBucketVersions",
@@ -138 +131 @@ The following policy grants the minimum permissions required to use Redshift Spe
-                    "s3:ListBucketMultipartUploads"
+                    "s3:GetObject"
@@ -168,3 +161 @@ The following policy grants the minimum permissions required to use Redshift Spe
-                "Resource": [
-                    "*"
-                ]
+                "Resource": "*"