AWS aws-backup documentation change
Summary
Added requirements for IAM permissions and KMS key access when restoring Redshift clusters with managed passwords
Security assessment
Documents necessary permissions for Secrets Manager and KMS to securely handle password secrets during restores. While security-related, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/aws-backup/latest/devguide/redshift-restores.md b/aws-backup/latest/devguide/redshift-restores.md index e0d8439fa..f3ef4ecc8 100644 --- a//aws-backup/latest/devguide/redshift-restores.md +++ b//aws-backup/latest/devguide/redshift-restores.md @@ -27,0 +28,38 @@ When you restore a Amazon Redshift cluster, the original cluster settings are in +###### Additional permissions for clusters with managed passwords + +If the cluster uses Amazon Redshift managed passwords, you must set `ManageMasterPassword` to `true` in the restore metadata. + +You must also add the required permissions to the IAM role for the restore operation. For more information about Amazon Redshift managed passwords, see [Managing Amazon Redshift admin passwords with AWS Secrets Manager](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-secrets-manager-integration.html) in the _Amazon Redshift Management Guide_. + +Add the following AWS Secrets Manager permissions to the restore role: + + * `secretsmanager:CreateSecret` + + * `secretsmanager:DeleteSecret` + + * `secretsmanager:DescribeSecret` + + * `secretsmanager:GetRandomPassword` + + * `secretsmanager:RotateSecret` + + * `secretsmanager:TagResource` + + * `secretsmanager:UpdateSecret` + + + + +If the cluster uses a customer managed key for the managed password secret, you must also grant the following AWS KMS permissions on the AWS KMS key: + + * `kms:CreateGrant` + + * `kms:Decrypt` + + * `kms:GenerateDataKey` + + * `kms:RetireGrant` + + + +