AWS odb documentation change
Summary
Updated CLI commands to use CMK ARNs instead of IDs, added detailed IAM policy for Zero-ETL integration permissions, modified Redshift resource policy configuration flags
Security assessment
The change replaces key IDs with ARNs which is a security best practice for precise resource targeting but doesn't indicate a vulnerability fix. The added IAM policy documents necessary security permissions for integration services including KMS, Secrets Manager, and Redshift access.
Diff
diff --git a/odb/latest/UserGuide/setting-up-zero-etl.md b/odb/latest/UserGuide/setting-up-zero-etl.md index 73b0bafc0..a1c5615fb 100644 --- a//odb/latest/UserGuide/setting-up-zero-etl.md +++ b//odb/latest/UserGuide/setting-up-zero-etl.md @@ -94 +94 @@ Create a Customer Managed Key (CMK) and store your database credentials. - --kms-key-id your-cmk-key-id \ + --kms-key-id your-cmk-key-arn \ @@ -125 +125 @@ In the preceding command, `secret-resource-policy.json` contains the following J - --key-id your-cmk-key-id \ + --key-id your-cmk-key-arn \ @@ -186,0 +187,105 @@ Create and attach IAM policies that allow Zero-ETL integration operations. +The following policy grants the necessary permissions. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ODBGlueIntegrationAccess", + "Effect": "Allow", + "Action": [ + "glue:CreateIntegration", + "glue:ModifyIntegration", + "glue:DeleteIntegration", + "glue:DescribeIntegrations", + "glue:DescribeInboundIntegrations" + ], + "Resource": "*" + }, + { + "Sid": "ODBZetlOperations", + "Effect": "Allow", + "Action": "odb:CreateOutboundIntegration", + "Resource": "*" + }, + { + "Sid": "ODBRedshiftFullAccess", + "Effect": "Allow", + "Action": [ + "redshift:*", + "redshift-serverless:*", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeInternetGateways", + "sns:CreateTopic", + "sns:Get*", + "sns:List*", + "cloudwatch:Describe*", + "cloudwatch:Get*", + "cloudwatch:List*", + "cloudwatch:PutMetricAlarm", + "cloudwatch:EnableAlarmActions", + "cloudwatch:DisableAlarmActions", + "tag:GetResources", + "tag:UntagResources", + "tag:GetTagValues", + "tag:GetTagKeys", + "tag:TagResources" + ], + "Resource": "*" + }, + { + "Sid": "ODBRedshiftDataAPI", + "Effect": "Allow", + "Action": [ + "redshift-data:ExecuteStatement", + "redshift-data:CancelStatement", + "redshift-data:ListStatements", + "redshift-data:GetStatementResult", + "redshift-data:DescribeStatement", + "redshift-data:ListDatabases", + "redshift-data:ListSchemas", + "redshift-data:ListTables", + "redshift-data:DescribeTable" + ], + "Resource": "*" + }, + { + "Sid": "ODBKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:CreateKey", + "kms:DescribeKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:ListKeys", + "kms:CreateAlias", + "kms:ListAliases" + ], + "Resource": "*" + }, + { + "Sid": "ODBSecretsManagerAccess", + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", + "secretsmanager:CreateSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:DeleteSecret", + "secretsmanager:DescribeSecret", + "secretsmanager:ListSecrets", + "secretsmanager:GetResourcePolicy", + "secretsmanager:PutResourcePolicy", + "secretsmanager:ValidateResourcePolicy" + ], + "Resource": "*" + } + ] + } + @@ -193 +298,2 @@ Set up resource policies on your Amazon Redshift cluster to authorize inbound in - --resource-arn your-redshift-cluster-arn \ + --no-verify-ssl \ + --resource-arn "your-redshift-cluster-arn" \ @@ -214 +320 @@ Set up resource policies on your Amazon Redshift cluster to authorize inbound in - "aws": "your-aws-account-id" + "AWS": "your-account-id" @@ -221 +327,2 @@ Set up resource policies on your Amazon Redshift cluster to authorize inbound in - }' + }' \ + --region us-west-2