AWS Security ChangesHomeSearch

AWS redshift documentation change

Service: redshift · 2025-11-22 · Documentation medium

File: redshift/latest/mgmt/redshift-iam-access-control-identity-based.md

Summary

Added documentation for new AmazonRedshiftFederatedAuthorization managed policy supporting federated permissions with Glue Data Catalog

Security assessment

The change introduces documentation for a new IAM policy that manages authorization delegation between Redshift and AWS Glue. While this relates to access control (a security aspect), there is no evidence of addressing a specific vulnerability. It documents security features for federated authorization workflows.

Diff

diff --git a/redshift/latest/mgmt/redshift-iam-access-control-identity-based.md b/redshift/latest/mgmt/redshift-iam-access-control-identity-based.md
index 3d3266c9c..ef857ea36 100644
--- a//redshift/latest/mgmt/redshift-iam-access-control-identity-based.md
+++ b//redshift/latest/mgmt/redshift-iam-access-control-identity-based.md
@@ -5 +5 @@
-AWS managed policies for Amazon RedshiftPolicy updatesAmazonRedshiftReadOnlyAccessAmazonRedshiftFullAccessAmazonRedshiftQueryEditorAmazonRedshiftDataFullAccessAmazonRedshiftQueryEditorV2FullAccessAmazonRedshiftQueryEditorV2NoSharingAmazonRedshiftQueryEditorV2ReadSharingAmazonRedshiftQueryEditorV2ReadWriteSharingAmazonRedshiftServiceLinkedRolePolicyAmazonRedshiftAllCommandsFullAccessPermissions required to use Redshift SpectrumPermissions required to use the Amazon Redshift consolePermissions required to use the Amazon Redshift console query editorPermissions required to use the query editor v2 Permissions required to use the Amazon Redshift schedulerPermissions required to use the Amazon EventBridge schedulerPermissions required to use Amazon Redshift machine learning (ML)Permissions for streaming ingestionPermissions required to use the data sharing API operationsResource policies for GetClusterCredentialsCustomer managed policy examplesExample 8: IAM policy for using GetClusterCredentials
+AWS managed policies for Amazon RedshiftPolicy updatesAmazonRedshiftReadOnlyAccessAmazonRedshiftFullAccessAmazonRedshiftQueryEditorAmazonRedshiftDataFullAccessAmazonRedshiftQueryEditorV2FullAccessAmazonRedshiftQueryEditorV2NoSharingAmazonRedshiftQueryEditorV2ReadSharingAmazonRedshiftQueryEditorV2ReadWriteSharingAmazonRedshiftServiceLinkedRolePolicyAmazonRedshiftAllCommandsFullAccessAmazonRedshiftFederatedAuthorizationPermissions required to use Redshift SpectrumPermissions required to use the Amazon Redshift consolePermissions required to use the Amazon Redshift console query editorPermissions required to use the query editor v2 Permissions required to use the Amazon Redshift schedulerPermissions required to use the Amazon EventBridge schedulerPermissions required to use Amazon Redshift machine learning (ML)Permissions for streaming ingestionPermissions required to use the data sharing API operationsResource policies for GetClusterCredentialsCustomer managed policy examplesExample 8: IAM policy for using GetClusterCredentials
@@ -79,0 +80 @@ Change | Description | Date
+AmazonRedshiftFederatedAuthorization – New policy |  Amazon Redshift added a new ease-of-use policy policy for running queries with Amazon Redshift Federated Authorization.  | November 21, 2025  
@@ -288,0 +290,8 @@ You can find the [AmazonRedshiftAllCommandsFullAccess](https://console.aws.amazo
+## AmazonRedshiftFederatedAuthorization
+
+The policy consolidates IAM actions needed to run a query against a Glue Data Catalog database with Amazon Redshift Federated Permissions. Such query goes through AWS Glue and therefore needs Get actions on catalog objects to discover the objects, and Create, Update, Rename and Delete actions to modify the objects. Note that the resources are managed by Amazon Redshift, therefore the principal will also need Redshift permissions to complete the query. `glue:FederateAuthorization` action allows AWS Glue to delegate authorization decisions on the catalog objects to Amazon Redshift. 
+
+This policy allows the principal to run queries against the catalog with Amazon Redshift Federated Permissions, but does not allow Registering and Unregistering the Amazon Redshift namespace to AWS Glue. Refer to documentation on IAM Policy Requirements for Amazon Redshift Federated Permissions Setup. 
+
+You can find the [AmazonRedshiftFederatedAuthorization](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftFederatedAuthorization) policy on the IAM console and [AmazonRedshiftFederatedAuthorization](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftFederatedAuthorization.html) in the _AWS Managed Policy Reference Guide_.
+