AWS Redshift provisioned cluster, Spectrum access S3 via private link


Config of Redshift Cluster:

  • Enhanced VPC routing is enabled
  • The Redshift cluster subnet is the same subnet as the S3 VPC endpoint

Config of S3

  • VPC endpoints created for S3
  • Routing has been configured to route traffic to the S3 VPC endpoints

My S3 policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPCE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxxxxx-159170848751291",
        "arn:aws:s3:::xxxxxxx-159170848751291/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-xxxxxxxxxxxxxxxxx",
            "vpce-xxxxxxxxxxxxxxxxx"
          ]
        }
      }
    }
  ]
}

With this configuration Redshift Spectrum can't access external tables.

So my goal here is to restrict access to S3 from outside, but also to give Redshift Spectrum access so it can work with S3.

From the documentation I see that: Redshift Spectrum on provisioned clusters can't access data stored in Amazon S3 buckets that use a bucket policy that restricts access to only specified VPC endpoints.

Any ideas how I can achieve this?

1 Answer
Accepted Answer

Hello.

How about setting "aws:PrincipalArn" as an exception for access from the IAM role used by Redshift, as shown below?
I think that by making this setting, it would be possible to access S3 without going through the VPC endpoint when connecting from an AWS resource that has the IAM role set in "aws:PrincipalArn".
Although it is not Redshift, I tried it with an EC2 IAM role and confirmed that, with the following settings, I could access S3 from EC2.
In other words, it is likely that Redshift will behave similarly.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPCE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxxxxx-159170848751291",
        "arn:aws:s3:::xxxxxxx-159170848751291/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-xxxxxxxxxxxxxxxxx",
            "vpce-xxxxxxxxxxxxxxxxx"
          ],
          "aws:PrincipalArn": "Redshift IAM Role ARN"
        }
      }
    }
  ]
}
answered 11 days ago
reviewed 11 days ago
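Why the extra key in the same StringNotEquals block makes the difference, worked through offline. This is an added illustration, not code from the question, the answer or AWS: it implements only the slice of the IAM condition logic the two Deny statements use (one StringNotEquals block, keys ANDed, list values ORed, and an absent key making a negated operator evaluate to true) and runs both the original and the proposed condition over a few constructed request contexts. The role ARN, endpoint IDs and principal names are placeholders for the redacted values in the question.

```python
from typing import Dict, List, Union

Context = Dict[str, str]
PolicyValue = Union[str, List[str]]

# Placeholders standing in for the redacted values in the question (assumptions).
REDSHIFT_ROLE_ARN = "arn:aws:iam::123456789012:role/RedshiftSpectrumRole"
ALLOWED_VPCES = ["vpce-0a1b2c3d4e5f60718", "vpce-1f2e3d4c5b6a79081"]

# Condition block of the original Deny statement in the question.
ORIGINAL_CONDITION = {"StringNotEquals": {"aws:sourceVpce": ALLOWED_VPCES}}

# Condition block of the Deny statement proposed in the accepted answer.
PROPOSED_CONDITION = {
    "StringNotEquals": {
        "aws:sourceVpce": ALLOWED_VPCES,
        "aws:PrincipalArn": REDSHIFT_ROLE_ARN,
    }
}


def _string_not_equals(key: str, policy_values: PolicyValue, ctx: Context) -> bool:
    """StringNotEquals for one key.

    A list of policy values is ORed: the key is "not equal" only if it matches none.
    A key missing from the request context makes a negated operator true: a request
    that never went through a VPC endpoint has no aws:sourceVpce at all, and an
    anonymous request has no aws:PrincipalArn.
    """
    values = policy_values if isinstance(policy_values, list) else [policy_values]
    if key not in ctx:
        return True
    return ctx[key] not in values


def deny_matches(condition: dict, ctx: Context) -> bool:
    """Keys inside one operator block are ANDed: every key must be 'not equal'."""
    block = condition["StringNotEquals"]
    return all(_string_not_equals(k, v, ctx) for k, v in block.items())


def decision(condition: dict, ctx: Context) -> str:
    """An explicit Deny overrides any Allow; otherwise the request falls through
    to whatever Allow statements grant it (not modelled here)."""
    return "explicit-deny" if deny_matches(condition, ctx) else "not-denied"


# Constructed request contexts (only the two keys the statements look at).
CASES: Dict[str, Context] = {
    # EC2 in the VPC reaching S3 through an allowed endpoint with some other role.
    "ec2_via_allowed_endpoint": {
        "aws:sourceVpce": ALLOWED_VPCES[0],
        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/EtlWorkerRole",
    },
    # Spectrum: traffic does not arrive via the VPC endpoint, so no aws:sourceVpce.
    # For a role session aws:PrincipalArn carries the role ARN, not the session ARN.
    "spectrum_with_redshift_role": {
        "aws:PrincipalArn": REDSHIFT_ROLE_ARN,
    },
    # An IAM user calling S3 over the public endpoint.
    "user_over_internet": {
        "aws:PrincipalArn": "arn:aws:iam::123456789012:user/alice",
    },
    # A request through an endpoint that is not on the allow list.
    "unlisted_endpoint": {
        "aws:sourceVpce": "vpce-ffffffffffffffff",
        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/EtlWorkerRole",
    },
}


def evaluate(condition: dict) -> Dict[str, str]:
    """Decision per constructed case for the given Deny condition block."""
    return {name: decision(condition, ctx) for name, ctx in CASES.items()}


if __name__ == "__main__":
    for label, cond in (("original", ORIGINAL_CONDITION), ("proposed", PROPOSED_CONDITION)):
        print(label)
        for name, result in evaluate(cond).items():
            print(f"  {name:32s} {result}")
```

Under the original condition the Spectrum case is denied because the request has no aws:sourceVpce, which is exactly the symptom in the question; under the proposed condition it is not denied, because the PrincipalArn key fails the AND. The caveat to weigh before adopting it: S3 cannot tell a Spectrum request apart from any other session on that role, so whoever can assume the Redshift role can read the bucket from anywhere, and the role's trust policy becomes part of the bucket's perimeter.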
