AWS Security ChangesHomeSearch

AWS odb documentation change

Service: odb · 2025-07-10 · Documentation low

File: odb/latest/UserGuide/setting-up-zero-etl.md

Summary

Updated CLI commands to use CMK ARNs instead of IDs, added detailed IAM policy for Zero-ETL integration permissions, modified Redshift resource policy configuration flags

Security assessment

The change replaces key IDs with ARNs which is a security best practice for precise resource targeting but doesn't indicate a vulnerability fix. The added IAM policy documents necessary security permissions for integration services including KMS, Secrets Manager, and Redshift access.

Diff

diff --git a/odb/latest/UserGuide/setting-up-zero-etl.md b/odb/latest/UserGuide/setting-up-zero-etl.md
index 73b0bafc0..a1c5615fb 100644
--- a//odb/latest/UserGuide/setting-up-zero-etl.md
+++ b//odb/latest/UserGuide/setting-up-zero-etl.md
@@ -94 +94 @@ Create a Customer Managed Key (CMK) and store your database credentials.
-      --kms-key-id your-cmk-key-id \
+      --kms-key-id your-cmk-key-arn \
@@ -125 +125 @@ In the preceding command, `secret-resource-policy.json` contains the following J
-      --key-id your-cmk-key-id \
+      --key-id your-cmk-key-arn \
@@ -186,0 +187,105 @@ Create and attach IAM policies that allow Zero-ETL integration operations.
+The following policy grants the necessary permissions.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "ODBGlueIntegrationAccess",
+          "Effect": "Allow",
+          "Action": [
+            "glue:CreateIntegration",
+            "glue:ModifyIntegration",
+            "glue:DeleteIntegration",
+            "glue:DescribeIntegrations",
+            "glue:DescribeInboundIntegrations"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "ODBZetlOperations",
+          "Effect": "Allow",
+          "Action": "odb:CreateOutboundIntegration",
+          "Resource": "*"
+        },
+        {
+          "Sid": "ODBRedshiftFullAccess",
+          "Effect": "Allow",
+          "Action": [
+            "redshift:*",
+            "redshift-serverless:*",
+            "ec2:DescribeAccountAttributes",
+            "ec2:DescribeAddresses",
+            "ec2:DescribeAvailabilityZones",
+            "ec2:DescribeSecurityGroups",
+            "ec2:DescribeSubnets",
+            "ec2:DescribeVpcs",
+            "ec2:DescribeInternetGateways",
+            "sns:CreateTopic",
+            "sns:Get*",
+            "sns:List*",
+            "cloudwatch:Describe*",
+             "cloudwatch:Get*",
+            "cloudwatch:List*",
+            "cloudwatch:PutMetricAlarm",
+            "cloudwatch:EnableAlarmActions",
+            "cloudwatch:DisableAlarmActions",
+            "tag:GetResources",
+            "tag:UntagResources",
+            "tag:GetTagValues",
+            "tag:GetTagKeys",
+            "tag:TagResources"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "ODBRedshiftDataAPI",
+          "Effect": "Allow",
+          "Action": [
+            "redshift-data:ExecuteStatement",
+            "redshift-data:CancelStatement",
+            "redshift-data:ListStatements",
+            "redshift-data:GetStatementResult",
+            "redshift-data:DescribeStatement",
+            "redshift-data:ListDatabases",
+            "redshift-data:ListSchemas",
+            "redshift-data:ListTables",
+            "redshift-data:DescribeTable"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "ODBKMSAccess",
+          "Effect": "Allow",
+          "Action": [
+            "kms:CreateKey",
+            "kms:DescribeKey",
+            "kms:Encrypt",
+            "kms:Decrypt",
+            "kms:GenerateDataKey",
+            "kms:ListKeys",
+            "kms:CreateAlias",
+            "kms:ListAliases"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "ODBSecretsManagerAccess",
+          "Effect": "Allow",
+          "Action": [
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:PutSecretValue",
+            "secretsmanager:CreateSecret",
+            "secretsmanager:UpdateSecret",
+            "secretsmanager:DeleteSecret",
+            "secretsmanager:DescribeSecret",
+            "secretsmanager:ListSecrets",
+            "secretsmanager:GetResourcePolicy",
+            "secretsmanager:PutResourcePolicy",
+            "secretsmanager:ValidateResourcePolicy"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+
@@ -193 +298,2 @@ Set up resource policies on your Amazon Redshift cluster to authorize inbound in
-      --resource-arn your-redshift-cluster-arn \
+      --no-verify-ssl \
+      --resource-arn "your-redshift-cluster-arn" \
@@ -214 +320 @@ Set up resource policies on your Amazon Redshift cluster to authorize inbound in
-              "aws": "your-aws-account-id"
+              "AWS": "your-account-id"
@@ -221 +327,2 @@ Set up resource policies on your Amazon Redshift cluster to authorize inbound in
-      }'
+      }' \
+      --region us-west-2