Hello.
How about setting "aws:PrincipalArn" as an exception for access from the IAM role used by Redshift, as shown below?
I think that with this setting it would be possible to access S3 without going through the VPC endpoint when connecting from an AWS resource that has the IAM role specified in "aws:PrincipalArn".
Although it is not Redshift, I tried it with an EC2 IAM role and confirmed that, with the following settings, I could access S3 from EC2.
In other words, it is likely that Redshift will behave the same way.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPCE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxxxxx-159170848751291",
        "arn:aws:s3:::xxxxxxx-159170848751291/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": [
            "vpce-xxxxxxxxxxxxxxxxx",
            "vpce-xxxxxxxxxxxxxxxxx"
          ],
          "aws:PrincipalArn": "Redshift IAM Role ARN"
        }
      }
    }
  ]
}
```
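The reason the answer above works is the evaluation rule for a condition block with two keys: every key in the block must match for the Deny to apply (AND across keys), while the listed values for one key are alternatives (OR within a key), and a negated operator such as StringNotEquals evaluates to true when the key is absent from the request context. The following simulator is an added example written for this page, not code from the answerer or from AWS; the role ARN, VPC endpoint IDs and request contexts are constructed placeholders, and the missing-key rule is applied as documented for negated operators. It checks which requests the Deny statement catches before the policy is attached to a real bucket.

```python
"""Simulate the Deny statement from the posted bucket policy against sample request contexts.

Constructed placeholders (not real AWS identifiers):
  REDSHIFT_ROLE_ARN  - stands in for "Redshift IAM Role ARN" in the policy
  ALLOWED_VPCES      - stands in for the two vpce-xxxx values
"""

REDSHIFT_ROLE_ARN = "arn:aws:iam::123456789012:role/redshift-spectrum-role"  # constructed
ALLOWED_VPCES = ["vpce-0123456789abcdef0", "vpce-0fedcba9876543210"]        # constructed

# Mirrors the "Condition" block of the posted Deny statement.
DENY_CONDITION = {
    "StringNotEquals": {
        "aws:sourceVpce": ALLOWED_VPCES,
        "aws:PrincipalArn": [REDSHIFT_ROLE_ARN],
    }
}


def string_not_equals(request_value, policy_values):
    """StringNotEquals for one key.

    Negated operators evaluate to true when the key is missing from the
    request context (e.g. aws:sourceVpce is absent for traffic that did not
    arrive through a VPC endpoint). Otherwise the request value must differ
    from every listed value.
    """
    if request_value is None:
        return True
    return request_value not in policy_values


def deny_applies(request_context, condition=DENY_CONDITION):
    """True if the Deny statement matches: every key in the block must match (AND)."""
    block = condition["StringNotEquals"]
    return all(string_not_equals(request_context.get(key), values)
               for key, values in block.items())


def evaluate(request_context):
    """Return 'DENY' or 'PASS'; a PASS falls through to whatever Allow statements exist."""
    return "DENY" if deny_applies(request_context) else "PASS"


# Constructed sample request contexts; only the two condition keys matter here.
SAMPLE_REQUESTS = {
    "redshift role, not via VPC endpoint": {
        "aws:PrincipalArn": REDSHIFT_ROLE_ARN,
    },
    "redshift role, via allowed VPC endpoint": {
        "aws:PrincipalArn": REDSHIFT_ROLE_ARN,
        "aws:sourceVpce": ALLOWED_VPCES[0],
    },
    "other role, via allowed VPC endpoint": {
        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/some-other-role",
        "aws:sourceVpce": ALLOWED_VPCES[1],
    },
    "other role, not via VPC endpoint": {
        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/some-other-role",
    },
    "other role, via a foreign VPC endpoint": {
        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/some-other-role",
        "aws:sourceVpce": "vpce-ffffffffffffffff0",
    },
    "anonymous request from the internet": {},
}


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Evaluate every sample request; returns {description: 'DENY' | 'PASS'}."""
    return {name: evaluate(ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:5} {name}")
```

The two rows worth reading are the first and the fourth: the Redshift role passes the Deny without a VPC endpoint, exactly as the answer expects, while any other principal outside the listed endpoints is denied. Because the exception is keyed on the principal rather than the network path, that role's credentials now reach the bucket from anywhere, so the role's trust policy and its permissions should be reviewed with the same care as the endpoint list.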
As far as I read the following document, it seems that it can also be controlled by the user agent. https://docs.aws.amazon.com/redshift/latest/dg/c-spectrum-iam-policies.html#spectrum-iam-policies-spectrum-only