Redshift security

Introduction to Redshift

Jason Myers

Principal Engineer

Redshift security

  • Column level access control
  • Row level security via policies
  • Data masking via policies

Redshift Security Portfolio

Introduction to Redshift

Column level permissions

  • Hides a column completely
  • Can verify via SVV_COLUMN_PRIVILEGES
SELECT *
  FROM SVV_COLUMN_PRIVILEGES
 WHERE relation_name = 'products';

relation_name | column_name  | privilege_type | identity_name | identity_type
==============|==============|================|===============|==============
products      | product_name | SELECT         | amelia        | user
products      | product_name | SELECT         | analytics     | role
Introduction to Redshift

Row-level security

  • Policies that prefilter data
CREATE RLS POLICY policy_books
WITH (category VARCHAR(255))
USING (category = 'Dark Academia');

SELECT product_line, category, product_name
FROM products;

product_line | category      | product_name
=============|===============|===================
Books        | Dark Academia | A Deadly Education
Introduction to Redshift

Row-level security

  • SVV_RLS_POLICY to view policies
SELECT polname AS policy_name, 
       polatts AS column_details,
       polqual AS condition
  FROM SVV_RLS_POLICY;

policy_name  | column_details                                 | condition
 ============|================================================|===========================
policy_books | [{"colname":"category","type":"VARCHAR(255)"}] | category = 'Dark Academia'
Introduction to Redshift

Row-level security admin view

  • SVV_RLS_APPLIED_POLICY can be used by Superusers to see affected queries
SELECT username, 
       command, 
       relschema, 
       relname, 
       polname,
FROM SVV_RLS_APPLIED_POLICY;

username | command | relschema | relname  | polname  
=========|=========|===========|==========|=============
aashvi   |    s    | public    | products | policy_books
Introduction to Redshift

Dynamic Masking overview

  • Policy that obscures values returned by a query
  • Only a super user or someone granted can see them
  • Uses
    • National ID numbers (e.g. Social Security Number)
    • Credit cards
SELECT name, social_security_number
  FROM customers;

name     | social_security_number
======== | =======================
John Doe | XXX-XX-1234
Jane Doe | XXX-XX-5678
Introduction to Redshift

Let's practice!

Introduction to Redshift

Preparing Video For Download...