AWS Security ChangesHomeSearch

AWS aws-backup documentation change

Service: aws-backup · 2026-07-10 · Documentation medium

File: aws-backup/latest/devguide/redshift-restores.md

Summary

Added requirements for IAM permissions and KMS key access when restoring Redshift clusters with managed passwords

Security assessment

Documents necessary permissions for Secrets Manager and KMS to securely handle password secrets during restores. While security-related, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/aws-backup/latest/devguide/redshift-restores.md b/aws-backup/latest/devguide/redshift-restores.md
index e0d8439fa..f3ef4ecc8 100644
--- a//aws-backup/latest/devguide/redshift-restores.md
+++ b//aws-backup/latest/devguide/redshift-restores.md
@@ -27,0 +28,38 @@ When you restore a Amazon Redshift cluster, the original cluster settings are in
+###### Additional permissions for clusters with managed passwords
+
+If the cluster uses Amazon Redshift managed passwords, you must set `ManageMasterPassword` to `true` in the restore metadata.
+
+You must also add the required permissions to the IAM role for the restore operation. For more information about Amazon Redshift managed passwords, see [Managing Amazon Redshift admin passwords with AWS Secrets Manager](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-secrets-manager-integration.html) in the _Amazon Redshift Management Guide_.
+
+Add the following AWS Secrets Manager permissions to the restore role:
+
+  * `secretsmanager:CreateSecret`
+
+  * `secretsmanager:DeleteSecret`
+
+  * `secretsmanager:DescribeSecret`
+
+  * `secretsmanager:GetRandomPassword`
+
+  * `secretsmanager:RotateSecret`
+
+  * `secretsmanager:TagResource`
+
+  * `secretsmanager:UpdateSecret`
+
+
+
+
+If the cluster uses a customer managed key for the managed password secret, you must also grant the following AWS KMS permissions on the AWS KMS key:
+
+  * `kms:CreateGrant`
+
+  * `kms:Decrypt`
+
+  * `kms:GenerateDataKey`
+
+  * `kms:RetireGrant`
+
+
+
+