Redshift Security

Introduction to Redshift

Jason Myers

Principal Engineer

Redshift Security

  • Column-level access control
  • Row-level security via policies
  • Data masking via policies

Redshift Security Portfolio


Column-level permissions

  • Hides a single column completely
  • Can be verified via SVV_COLUMN_PRIVILEGES
SELECT *
  FROM SVV_COLUMN_PRIVILEGES
 WHERE relation_name = 'products';
relation_name | column_name  | privilege_type | identity_name | identity_type
==============|==============|================|===============|==============
products      | product_name | SELECT         | amelia        | user
products      | product_name | SELECT         | analytics     | role

Row-level security

  • A policy that filters the data before it is returned
CREATE RLS POLICY policy_books
WITH (category VARCHAR(255))
USING (category = 'Dark Academia');
SELECT product_line, category, product_name
FROM products;
product_line | category      | product_name
=============|===============|===================
Books        | Dark Academia | A Deadly Education

Row-level security

  • SVV_RLS_POLICY to view the policies
SELECT polname AS policy_name, 
       polatts AS column_details,
       polqual AS condition
  FROM SVV_RLS_POLICY;
policy_name  | column_details                                 | condition
=============|================================================|===========================
policy_books | [{"colname":"category","type":"VARCHAR(255)"}] | category = 'Dark Academia'

Row-level security admin view

  • SVV_RLS_APPLIED_POLICY can be used by a superuser to see which queries a policy was applied to
SELECT username,
       command,
       relschema,
       relname,
       polname
  FROM SVV_RLS_APPLIED_POLICY;
username | command | relschema | relname  | polname  
=========|=========|===========|==========|=============
aashvi   |    s    | public    | products | policy_books 

Dynamic masking overview

  • A policy that masks values in query results
  • Only superusers or users granted the privilege can see the unmasked values
  • Uses
    • National ID numbers (e.g. Social Security Number)
    • Credit cards
SELECT name, social_security_number
  FROM customers;
name     | social_security_number
======== | =======================
John Doe | XXX-XX-1234
Jane Doe | XXX-XX-5678
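The three controls from these slides end to end, as an added example that is not part of the original deck: the column-level grant, the RLS policy attached to a role and enabled on the table, and a masking policy on social_security_number, each followed by the system view that verifies it. The role analytics, the user amelia and the tables products and customers come from the slides; the VARCHAR(11) SSN type, the policy name mask_ssn_partial and the SVV_ATTACHED_MASKING_POLICY view are assumptions.

```sql
-- Column-level permission: only product_name is visible to these identities.
GRANT SELECT (product_name) ON products TO amelia;
GRANT SELECT (product_name) ON products TO ROLE analytics;

-- Row-level security: a policy does nothing until it is attached to an
-- identity AND row-level security is switched on for the table.
CREATE RLS POLICY policy_books
WITH (category VARCHAR(255))
USING (category = 'Dark Academia');

ATTACH RLS POLICY policy_books ON products TO ROLE analytics;
ALTER TABLE products ROW LEVEL SECURITY ON;

-- Dynamic data masking: keep only the last four digits of the SSN.
-- Assumption: social_security_number is stored as 'NNN-NN-NNNN' (11 chars),
-- so the last four digits start at position 8.
CREATE MASKING POLICY mask_ssn_partial
WITH (social_security_number VARCHAR(11))
USING ('XXX-XX-' || SUBSTRING(social_security_number, 8, 4));

ATTACH MASKING POLICY mask_ssn_partial
ON customers (social_security_number)
TO ROLE analytics;

-- Verification: each control has a system view that shows it is in place.
SELECT relation_name, column_name, privilege_type, identity_name, identity_type
  FROM SVV_COLUMN_PRIVILEGES
 WHERE relation_name = 'products';

SELECT polname AS policy_name, polatts AS column_details, polqual AS condition
  FROM SVV_RLS_POLICY
 WHERE polname = 'policy_books';

-- Assumed view name: lists which masking policy is attached to which column.
SELECT *
  FROM SVV_ATTACHED_MASKING_POLICY;
```

A masking policy that is created but never attached leaves the column readable in clear, so the last query is the check that matters after a deployment.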

Let's practice!
