Guide: Redshift Security Guide

The Basics of Amazon Redshift Authentication

Amazon Redshift fills the need for a cloud-based data warehouse for large-scale data storage and processing. Access to that data is gated by an authentication step that relies on database or AWS credentials. In this guide we take a closer look at the authentication options for Amazon Redshift and at what each one does and does not protect against.

This is part of our Amazon Redshift Security guide.

What is Amazon Redshift?

Amazon Redshift, commonly called AWS Redshift, is a fully managed, petabyte-scale, cloud-based data warehouse designed for teams that store and process large datasets. It is also a common destination when migrating large on-premises databases to the cloud.

Redshift stores data in column-oriented form and is built to serve SQL clients and business intelligence tools, so users query the warehouse directly rather than through exports. Redshift is based on PostgreSQL 8.0.2, which is why standard PostgreSQL drivers and their connection parameters work against it; it is tuned for fast analytical queries to help teams make informed business decisions.

Amazon Redshift Clusters

A cluster is the set of computing resources, called nodes, that make up an Amazon Redshift data warehouse. Every cluster runs the Amazon Redshift engine and contains one or more databases.

Each cluster has a leader node and one or more compute nodes; in a single-node cluster one node performs both roles.

Client applications connect to the leader node, which parses their queries and builds execution plans. The leader node distributes the plans to the compute nodes, which execute them in parallel, then aggregates the intermediate results and returns the final result to the client. The leader node is the only endpoint clients talk to, so the cluster endpoint, port and credentials discussed below all refer to it.

Authentication

Amazon Redshift requires that every connection be authenticated with user credentials. Connections can additionally be encrypted with SSL (TLS), either with or without verification of the server's identity, and a cluster can be configured through its parameter group (require_SSL) to refuse unencrypted connections. The following options are available for authenticating to Redshift.

Standard Authentication

Access is established with a database user name and password that the Redshift cluster checks. The client needs the endpoint host name (or IP address) and port of the cluster. Once connected, the privileges granted to that database user, directly or through its groups, determine which schemas, tables and columns it can read or modify. This option does not require SSL; without it the whole session, including query text and results, crosses the network unencrypted, which makes it the least secure of the authentication options.

SSL Authentication

SSL can be used with or without verifying the identity of the server.

Without Identity Verification

Here the connection is encrypted, but the client does not check who issued the server's certificate or whether its name matches the host (sslmode=require in libpq and in the Redshift drivers). You authenticate with the same database user name and password as before. This protects the session from passive eavesdropping on the network, but not from an active attacker who intercepts the connection and presents a certificate of their own.

With Identity Verification

The most secure option is SSL with identity verification, where the client validates the cluster's certificate before it sends any credentials. Amazon Redshift provisions an SSL certificate issued by AWS Certificate Manager (ACM) on each cluster, and a client configured for verification checks that certificate against the Amazon Redshift certificate authority bundle. Identity verification can be combined with single sign-on (SSO), in which an identity provider authenticates the user instead of a database password.

With identity verification the client refuses to connect unless the server certificate chains to a trusted CA (verify-ca) and, in the strictest mode, the certificate's name also matches the host that was requested (verify-full). This is what stops an attacker who intercepts the connection from presenting a forged certificate, which encryption alone does not prevent. The certificate authenticates the server, not the user: the user is still authenticated with database credentials or through federation, and what they can read is still governed by the privileges granted to their database user. By default the JDBC driver validates the certificate against the Java TrustStore; you can configure the driver to use a specific certificate file or a different TrustStore, typically one containing the Amazon Redshift CA bundle.

The SSO providers supported by the Amazon Redshift drivers include Okta, OneLogin, and AD FS. The identity provider authenticates the user, the driver exchanges the resulting assertion for temporary AWS credentials and then for temporary database credentials, and the user connects with the access defined by their database user and group privileges.
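The following Python script makes the difference between these SSL modes concrete. It is added here as an example and is not code from this page, from Satori or from Amazon. It parses either a libpq-style DSN (as used by psql, psycopg2 and the ODBC driver) or a Redshift JDBC URL, classifies the sslmode, and fails closed on anything weaker than verify-full. The connection strings and cluster names it inspects are constructed samples, and the names `parse_dsn`, `assess`, `WEAK_DSN`, `HARDENED_DSN` and `IAM_JDBC_URL` are this example's own.

```python
"""Classify the TLS posture of Redshift connection strings.

Added example (not code from Satori or Amazon). Sample connection strings
and cluster names below are constructed for illustration.
"""
import shlex
from urllib.parse import parse_qs, urlsplit

# Meaning of each sslmode value (libpq semantics, shared by the Redshift drivers).
SSL_MODES = {
    "disable": ("plaintext", "no encryption; queries and results cross the network in the clear"),
    "allow": ("plaintext", "plaintext unless the server refuses it"),
    "prefer": ("plaintext", "tries SSL, silently falls back to plaintext"),
    "require": ("encrypted", "encrypted, but the server's identity is never checked"),
    "verify-ca": ("verified-ca", "encrypted; certificate must chain to a trusted CA"),
    "verify-full": ("verified", "encrypted; trusted CA and certificate name must match the host"),
}

# Constructed sample connection strings (not real clusters or credentials).
WEAK_DSN = ("host=examplecluster.abc123.us-east-2.redshift.amazonaws.com "
            "dbname=dev user=analyst password=hunter2 sslmode=prefer")
HARDENED_DSN = ("host=examplecluster.abc123.us-east-2.redshift.amazonaws.com port=5439 "
                "dbname=dev user=analyst sslmode=verify-full sslrootcert=redshift-ca-bundle.crt")
IAM_JDBC_URL = ("jdbc:redshift:iam://examplecluster.abc123.us-east-2.redshift.amazonaws.com:5439/dev"
                "?ssl=true&sslmode=verify-full&DbUser=analyst")


def parse_dsn(dsn: str) -> dict:
    """Flatten either syntax into a dict with lower-case keys plus an 'auth' entry."""
    params = {}
    if dsn.startswith("jdbc:redshift:"):
        rest = dsn[len("jdbc:redshift:"):]          # "iam://..." or "//..."
        if rest.startswith("iam://"):
            params["auth"] = "iam"                   # driver fetches temporary DB credentials
            rest = rest[len("iam:"):]
        else:
            params["auth"] = "password"
        url = urlsplit("redshift:" + rest)
        params["host"] = url.hostname or ""
        params["port"] = url.port or 5439
        params["dbname"] = url.path.lstrip("/")
        for key, values in parse_qs(url.query).items():
            params[key.lower()] = values[-1]         # last value wins
    else:
        for token in shlex.split(dsn):               # "key=value" pairs separated by spaces
            key, _, value = token.partition("=")
            params[key.lower()] = value
        params.setdefault("auth", "password")
        params.setdefault("port", 5439)
    return params


def assess(dsn: str) -> dict:
    """Return the TLS level, a one-line explanation and (severity, finding) pairs."""
    p = parse_dsn(dsn)
    mode = p.get("sslmode")
    if mode is None:
        level, note = "unspecified", "sslmode not set; behaviour depends on the driver default"
    else:
        level, note = SSL_MODES.get(mode, ("invalid", f"unknown sslmode {mode!r}"))

    findings = []
    if level not in ("encrypted", "verified-ca", "verified"):
        findings.append(("high", "session may be unencrypted"))
    if level not in ("verified-ca", "verified"):
        findings.append(("high", "server identity not verified: a forged certificate is accepted"))
    if level == "verified-ca":
        findings.append(("medium", "hostname not checked: any certificate from the trusted CA passes"))
    if level in ("verified-ca", "verified") and not p.get("sslrootcert"):
        findings.append(("info", "no sslrootcert: relies on the system or Java trust store"))
    if p["auth"] == "password" and "password" in p:
        findings.append(("medium", "static database password embedded in the connection string"))

    blocking = [f for f in findings if f[0] in ("high", "medium")]
    return {"host": p.get("host"), "auth": p["auth"], "level": level,
            "note": note, "findings": findings, "ok": not blocking}


if __name__ == "__main__":
    for dsn in (WEAK_DSN, HARDENED_DSN, IAM_JDBC_URL):
        result = assess(dsn)
        print(f"{result['host']} auth={result['auth']} level={result['level']} ok={result['ok']}")
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```

Run it as a CI or pre-commit check over connection strings stored in job configuration. Note that `prefer` is the libpq default and is classed as plaintext: a client that silently falls back gives no signal that the encrypted path was downgraded. With `verify-full`, point `sslrootcert` (or, for the JDBC driver, the TrustStore) at the Amazon Redshift CA bundle.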

IAM Authentication

It is also possible to authenticate with AWS IAM credentials instead of a database password. The JDBC or ODBC driver uses the AWS credentials supplied in the connection string or in an AWS profile to call the Redshift API (GetClusterCredentials for provisioned clusters), which returns a temporary database user name and password; the driver then opens the database connection with those. The AWS principal making the call can be the account root user, an IAM user, or an IAM role, although only the latter two should be used in practice. Satori requires that data consumers change the Redshift connection string in their data query tool to the Satori hostname.

AWS Account Root User

The account root user authenticates with the email address and password used to create the account. It has unrestricted access to every resource in the account and cannot be constrained by IAM policies, so it should never be used for routine Redshift access: protect it with MFA and use IAM users or roles instead.

IAM User

An IAM user is an identity in your AWS account with its own credentials and permissions, such as the ability to create a cluster in Amazon Redshift. In addition to a console password, you can generate access keys for each user. To use AWS services programmatically you use one of the SDKs or the AWS Command Line Interface (CLI); these tools use the access keys to sign each request (Signature Version 4), which proves who sent it and that it was not altered in transit, but does not encrypt it (confidentiality comes from the HTTPS transport). If you call the API without the AWS tools, you must sign the requests yourself.

IAM Role

Another IAM feature is the role. Creating an IAM role in your account is a way to grant a defined set of permissions to an identity that is not tied to one person. Permission policies govern what a role can and cannot do in Amazon Web Services, just as they do for an IAM user, but a role is assumed by whoever needs it at the time rather than belonging to a single individual.

Roles have no long-term credentials such as passwords or access keys. When you assume a role you receive temporary security credentials, and those are what you use for the duration of the role session.

Note that valid credentials only authenticate your requests. You cannot create or access Amazon Redshift resources unless an IAM policy grants that permission, and once connected to the database, what you can read or modify is governed by the privileges granted to your database user.
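The Python below shows what the drivers, the AWS CLI and the SDKs do with an access key pair when you authenticate with IAM: they sign the GetClusterCredentials API call with Signature Version 4, and the response carries the temporary database user name and password used for the actual connection. It is added here as an example and is not code from this page, from Satori or from Amazon. Only the signing is shown; the access keys, region, cluster identifier and database user are placeholders, the request is built but never sent, and the names `sign_get_cluster_credentials`, `derive_signing_key` and `canonical_query` are this example's own.

```python
"""Sign a GetClusterCredentials request with AWS Signature Version 4.

Added example (not code from Satori or Amazon). Keys, region, cluster and
user below are placeholders; nothing is sent over the network.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

SERVICE = "redshift"
API_VERSION = "2012-12-01"
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()   # GET request, no body


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """HMAC chain: "AWS4"+secret -> date -> region -> service -> "aws4_request".
    The secret itself never leaves the client; only this derived key is used."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    """Parameters sorted by name and percent-encoded per RFC 3986, as SigV4 requires."""
    enc = lambda s: quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def sign_get_cluster_credentials(access_key: str, secret_key: str, region: str,
                                 cluster_id: str, db_user: str, db_name: str,
                                 duration_seconds: int = 900, amz_date=None) -> dict:
    """Build the signed GET request; returns URL, headers, signature and the string to sign."""
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"redshift.{region}.amazonaws.com"
    params = {
        "Action": "GetClusterCredentials",
        "Version": API_VERSION,
        "ClusterIdentifier": cluster_id,
        "DbUser": db_user,
        "DbName": db_name,
        "DurationSeconds": duration_seconds,   # 900-3600 allowed; shorter is better
        "AutoCreate": "false",                 # do not silently create database users
    }
    query = canonical_query(params)

    headers = {"host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["GET", "/", query, canonical_headers, signed_headers, EMPTY_PAYLOAD_HASH])

    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(derive_signing_key(secret_key, date, region, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {
        "url": f"https://{host}/?{query}",
        "headers": {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization},
        "string_to_sign": string_to_sign,
        "signature": signature,
    }


if __name__ == "__main__":
    # Placeholder keys in the AWS documentation format; not real credentials.
    req = sign_get_cluster_credentials("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                                       "us-east-2", "examplecluster", "analyst", "dev")
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

Two properties are worth noticing. The secret access key is only ever an HMAC input, so a captured signed request exposes no reusable credential and is only accepted for that exact request within a short window around X-Amz-Date. And the database password the API returns expires after DurationSeconds, so request the shortest lifetime your tool tolerates and open the database connection with sslmode=verify-full, otherwise the temporary password is handed to whoever sits in the network path.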


Network access controls, however, work at the cluster level. A VPC security group either lets a client address reach the cluster endpoint or it does not; it cannot distinguish between users, nor between schemas, tables or columns inside the cluster. Once network access is granted, limiting access to specific securable objects has to be done inside the database, with GRANT and REVOKE on each object, and kept consistent as users and objects change.

Redshift and Satori

Satori provides data teams with access controls and helps organizations enforce security and compliance policies. Satori works with your existing authentication scheme, so it provides access to Redshift without requiring new code.

To access Redshift through Satori, replace the cluster endpoint with the Satori hostname shown in the data store settings view, for example: abc123.ci3gimsawmqt.us-east-2.a.p0.satoricyber.net.

With Satori you can also create temporary authentication credentials for Amazon Redshift.

Learn more about how Satori helps managing Amazon Redshift security policies and access control at scale in a simple way here.

Conclusion

When you need to combine data from multiple sources, such as inventory systems, financial systems, and retail sales systems, into a single format and store it for lengthy periods, a data warehouse like Amazon Redshift is ideal. A data warehouse like Amazon Redshift is one of the popular options for creating sophisticated business reports from historical data.

In this context, Satori is the best way to get the most out of your data while using Amazon Redshift securely. Schedule a demo to learn more about how Satori might benefit you.


Satori helps organizations streamline access to sensitive data stored on Amazon Redshift. Learn more about how we help keep your Amazon Redshift data access simple and secure or read about our key capabilities: