AWS Security ChangesHomeSearch

AWS redshift documentation change

Service: redshift · 2025-11-25 · Documentation medium

File: redshift/latest/dg/r_GRANT.md

Summary

Added documentation for Amazon Redshift Federated Permissions Catalog and CONNECT privilege management for AWS IAM Identity Center federated users

Security assessment

The changes document security features like column-level permissions, scoped permissions, and CONNECT privilege controls for federated users. While these are security-related features, there is no evidence of addressing a specific vulnerability. The additions enhance security documentation by explaining access control mechanisms.

Diff

diff --git a/redshift/latest/dg/r_GRANT.md b/redshift/latest/dg/r_GRANT.md
index a1527cbff..f85a20970 100644
--- a//redshift/latest/dg/r_GRANT.md
+++ b//redshift/latest/dg/r_GRANT.md
@@ -36,0 +37,17 @@ For more information about datashare permissions, see [Permissions you can grant
+Permissions also include the following Amazon Redshift Federated Permissions Catalog:
+
+  * Granting table-level permissions to users and roles.
+
+  * Granting fine-grained column-level permissions on tables, views and materialized views.
+
+  * Granting scoped permissions to users and roles.
+
+  * Granting database-level permissions on Amazon Redshift Federated Permissions Catalog.
+
+
+
+
+For more information about managing permissions on Amazon Redshift Federated Permissions Catalog, see [Managing access control on Amazon Redshift federated permissions catalog](./federated-permissions-managing-access.html). For more information about Amazon Redshift Federated Permissions Catalog supported grant/revoke syntaxes, see [Grant/Revoke](https://docs.aws.amazon.com/redshift/latest/dg/federated-permissions-managing-access.html#federated-permissions-managing-access-grant-revoke).
+
+Permissions also include the CONNECT privilege for AWS IAM Identity Center federated users. This privilege enables administrators to control user access through granular permissions at each Amazon Redshift workgroup(s) or cluster(s) where Amazon Redshift Federated Permissions are enabled. Amazon Redshift administrator can specify which AWS IAM Identity Center federated user(s) or group(s) have access to directly connect to the Amazon Redshift workgroup, providing fine-grained control over the AWS IAM Identity Center user access at each workgroup or cluster.
+
@@ -251,0 +269,6 @@ The following is the syntax for granting lookup table permissions to the specifi
+The following is the syntax for granting permissions for AWS IAM Identity Center federated users (or groups) to connect to a workgroup/cluster:
+    
+    
+    GRANT CONNECT [ON WORKGROUP]
+    TO [USER] _< prefix>:<username>_ | ROLE _< prefix>:<rolename>_ | PUBLIC;
+
@@ -398,0 +422,5 @@ Granting PUBLIC to a Lake Formation EXTERNAL TABLE results in granting the permi
+CONNECT [ON WORKGROUP] TO { [USER] <prefix>:<username> | ROLE <prefix>:<rolename> | PUBLIC }
+    
+
+Grants the permission to connect to a workgroup or cluster to AWS IAM Identity Center federated users or groups. The prefix identifies the identity provider. When granted to PUBLIC, the permission applies to all AWS IAM Identity Center federated users, including users created later. This permission is applicable only when Amazon Redshift Federated Permissions are enabled on the workgroup or cluster.
+