AWS redshift documentation change
Summary
Updated requirements for federated query permissions, removing temporary workaround with Lake Formation and emphasizing use of AmazonRedshiftFederatedAuthorization policy with granular controls
Security assessment
The change simplifies permission requirements but adds guidance about implementing fine-grained IAM controls. While it improves security practices, there is no evidence of addressing an active vulnerability
Diff
diff --git a/redshift/latest/dg/federated-permissions-querying.md b/redshift/latest/dg/federated-permissions-querying.md index 3b3e4013f..58db6e451 100644 --- a//redshift/latest/dg/federated-permissions-querying.md +++ b//redshift/latest/dg/federated-permissions-querying.md @@ -17,5 +17 @@ Before querying federated databases, ensure you have: - * Redshift Federated Databases should automatically be mounted on the Redshift Warehouses in the same AWS account. However, in current version of Amazon Redshift, add Redshift Service linked IAM Role `AWSServiceRoleForRedshift` as a Data Lake Read only Admin in Lakeformation. This requirement will be removed in a later release. - - * For information on service-linked roles, see [Using service-linked roles for Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/using-service-linked-roles.html) in the Amazon Redshift Management Guide. - - * IAM actions listed in the `[AmazonRedshiftFederatedAuthorization](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftFederatedAuthorization.html)` AWS managed policy + * The [AmazonRedshiftFederatedAuthorization](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftFederatedAuthorization.html) AWS managed policy attached to your IAM user or role. For fine-grained access control, you can grant specific IAM actions from this policy instead of attaching the full policy.