Izin federasi Amazon Redshift - contoh end-to-end - Amazon Redshift
PrasyaratPada instance katalog, berikan sys:secadmin Peran ke Peran IAM yang sesuaiMenyiapkan LingkunganMenyiapkan Izin Tingkat Kolom (CLP)Membuat Kebijakan Keamanan Tingkat Baris (RLS)Membuat Kebijakan Dynamic Data Masking (DDM)Kebijakan Audit Available/Applied Menguji Pola AksesMengubah KebijakanKebijakan Melepaskan dan MenjatuhkanBersihkan: Matikan kebijakan RLS dan jatuhkanSetel ulang identitas Global

Amazon Redshift tidak akan lagi mendukung pembuatan Python UDFs baru mulai 1 November 2025. Jika Anda ingin menggunakan Python UDFs, buat UDFs sebelum tanggal tersebut. Python yang ada UDFs akan terus berfungsi seperti biasa. Untuk informasi lebih lanjut, lihat posting blog.

Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.

Izin federasi Amazon Redshift - contoh end-to-end

Berikut ini adalah end-to-end contoh yang menunjukkan bagaimana Anda dapat membuat dan mengelola kebijakan tata kelola data yang komprehensif menggunakan Izin Federasi Amazon Redshift. Kebijakan ini meliputi Row Level Security (RLS), Dynamic Data Masking (DDM), dan Column Level Permissions (CLP) yang bekerja sama untuk mengontrol akses data berdasarkan peran dan kondisi pengguna.

Anda harus menjadi superuser atau memiliki peran sys:secadmin untuk menjalankan contoh ini.

Prasyarat

Contoh mengasumsikan bahwa peran “IAMR: role_name” di bawah ini sudah ada di akun, jika tidak, buatlah. Selain itu, gudang data Redshift terdaftar AWS Glue Data Catalog dengan nama “catalog_name” dan memiliki database “db_name”.

Pada instance katalog, berikan sys:secadmin Peran ke Peran IAM yang sesuai

-- Grant sys:secadmin role to relevant user (must be run on Redshift catalog instance)   
        GRANT ROLE sys:secadmin TO "IAMR:AccountSecurityAdminrole_name";

Istirahat akan dijalankan di gudang komputasi Redshift

Jika Anda menggunakan pengguna IAM atau IDC, Anda dapat melewati dua langkah berikut untuk membuat pengguna gudang lokal dan pemetaan identitas Global.

Langkah 1: Membuat gudang lokal yang diperlukan pengguna untuk menguji kebijakan tata kelola

-- Create test users.  
CREATE USER alice WITH PASSWORD 'Alice_pass_1';  
CREATE USER oscar WITH PASSWORD 'Oscar_pass_1';  
CREATE USER sierra WITH PASSWORD 'Sierra_pass_1';

Langkah 2: Menyiapkan Pemetaan Peran IAM Identitas Global

-- Map local users to IAM roles (executed by superuser).  
        
-- Make user sierra a sys:secadmin by setting the global identity  
-- to `IAMR:AccountSecurityAdmin`.  
-- This role has been granted secadmin privilege on Redshift catalog instance.  

ALTER USER sierra SET GLOBAL IDENTITY  
IAM_ROLE 'arn:aws:iam::123456789012:role/AccountSecurityAdmin';  

ALTER USER alice SET GLOBAL IDENTITY  
IAM_ROLE 'arn:aws:iam::123456789012:role/Analyst';  

ALTER USER oscar SET GLOBAL IDENTITY  
IAM_ROLE 'arn:aws:iam::123456789012:role/Operator';  

-- Verify global identity settings.  
SET SESSION AUTHORIZATION sierra;  
SHOW GLOBAL IDENTITY;  

SET SESSION AUTHORIZATION alice;  
SHOW GLOBAL IDENTITY;  

SET SESSION AUTHORIZATION oscar;  
SHOW GLOBAL IDENTITY;  

-- Reset to default session.  
RESET SESSION AUTHORIZATION;

Menyiapkan Lingkungan

Pertama, buat tabel dan isi dengan sampel data pelanggan dan tabel pencarian untuk kebijakan tata kelola.

-- Create the main customer table.  
CREATE TABLE db_name@catalog_name.public.customers (  
    id INTEGER,  
    name VARCHAR(50),  
    email VARCHAR(100),  
    region VARCHAR(20),  
    revenue DECIMAL(10,2)  
);  

-- Populate with sample customer data.  
INSERT INTO db_name@catalog_name.public.customers VALUES  
(1, 'John Smith', 'john@email.com', 'US', 1000.00),  
(2, 'Jane Doe', 'jane@email.com', 'EU', 500.00),  
(3, 'Mike Johnson', 'mike@email.com', 'US', 2000.00);  

-- Grant basic table access.  
GRANT ALL ON db_name@catalog_name.public.customers TO PUBLIC;  

-- Create lookup table for region-based policies.  
CREATE TABLE db_name@catalog_name.public.lookup_regions (  
    region_code VARCHAR(20),  
    allowed BOOLEAN  
);  

INSERT INTO db_name@catalog_name.public.lookup_regions VALUES   
('US', TRUE),   
('EU', FALSE),   
('APAC', TRUE);  

GRANT ALL ON db_name@catalog_name.public.lookup_regions TO PUBLIC;  

-- Create lookup table for revenue-based masking.  
CREATE TABLE db_name@catalog_name.public.lookup_revenue_tiers (base_revenue INTEGER);  

INSERT INTO db_name@catalog_name.public.lookup_revenue_tiers VALUES (1000), (2000);  
GRANT ALL ON db_name@catalog_name.public.lookup_revenue_tiers TO PUBLIC;

Menyiapkan Izin Tingkat Kolom (CLP)

Konfigurasikan akses tingkat kolom untuk pengguna yang berbeda untuk mengontrol kolom mana yang dapat diakses pengguna.

-- Grant specific column access to Analyst i.e. `alice`.  
GRANT SELECT (id, region) ON db_name@catalog_name.public.customers  
    TO "IAMR:Analyst";  

-- Grant different column access to Operator i.e. `oscar`.  
GRANT SELECT (id, name, revenue) ON db_name@catalog_name.public.customers  
    TO "IAMR:operator";

Membuat Kebijakan Keamanan Tingkat Baris (RLS)

Buat kebijakan RLS untuk mengontrol baris mana yang dapat dilihat pengguna berdasarkan hibah dan kondisi data mereka.

-- Switch to admin user to create policies.  
SET SESSION AUTHORIZATION sierra;  

-- Create simple RLS policy: Analysts see only US customers.  
CREATE RLS POLICY db_name@catalog_name.us_only   
WITH (region VARCHAR(20))   
USING (region = 'US');  

-- Attach the policy to the Analyst i.e. `alice`.  
ATTACH RLS POLICY db_name@catalog_name.us_only   
ON db_name@catalog_name.public.customers   
TO "IAMR:Analyst";  

-- Enable row level security on the table.  
ALTER TABLE db_name@catalog_name.public.customers ROW LEVEL SECURITY ON;  

-- Create advanced RLS policy using lookup table.  
CREATE RLS POLICY db_name@catalog_name.region_lookup_policy  
WITH (region VARCHAR(20)) AS r  
USING (r.region IN (  
    SELECT region_code   
    FROM public.lookup_regions   
    WHERE allowed = TRUE  
));  

-- Attach the lookup-based policy to Operator i.e. `oscar`.  
ATTACH RLS POLICY db_name@catalog_name.region_lookup_policy   
ON db_name@catalog_name.public.customers   
TO "IAMR:Operator";

Membuat Kebijakan Dynamic Data Masking (DDM)

Buat kebijakan masking untuk mengaburkan data sensitif berdasarkan peran dan kondisi pengguna.

-- Create masking policy for PII data (names and emails).  
CREATE MASKING POLICY db_name@catalog_name.mask_pii   
WITH (DATA VARCHAR(100))  
USING (SHA2(DATA + 'secret', 256)::TEXT);  

-- Attach masking to name and email columns for all users.  
ATTACH MASKING POLICY db_name@catalog_name.mask_pii   
ON db_name@catalog_name.public.customers (name)   
TO PUBLIC;  

ATTACH MASKING POLICY db_name@catalog_name.mask_pii   
ON db_name@catalog_name.public.customers (email)   
TO PUBLIC;  

-- Create conditional masking policy for revenue data.  
CREATE MASKING POLICY db_name@catalog_name.conditional_mask  
WITH (revenue DECIMAL(10,2))  
USING (CASE WHEN revenue IN (SELECT base_revenue  
                                    FROM public.lookup_revenue_tiers)  
            THEN revenue ELSE 0.00 END);  

-- Attach conditional masking to Analyst i.e. `alice` with priority.  
ATTACH MASKING POLICY db_name@catalog_name.conditional_mask   
ON db_name@catalog_name.public.customers (revenue)   
TO "IAMR:Analyst"   
PRIORITY 20;

Kebijakan Audit Available/Applied

Gunakan perintah SHOW untuk mengonfirmasi kebijakan tata kelola Anda telah dikonfigurasi dengan benar.

-- Show all RLS policies in the database.  
SHOW RLS POLICIES FROM DATABASE db_name@catalog_name LIMIT 10;  

-- Show RLS policies for specific users and tables.  
SHOW RLS POLICIES ON db_name@catalog_name.public.customers FOR "IAMR:Analyst" LIMIT 10;  
SHOW RLS POLICIES ON db_name@catalog_name.public.customers FOR "IAMR:Operator" LIMIT 10;  
SHOW RLS POLICIES ON db_name@catalog_name.public.customers FOR PUBLIC LIMIT 10;  

-- Show all masking policies in the database.  
SHOW MASKING POLICIES FROM DATABASE db_name@catalog_name LIMIT 10;  

-- Show Masking policies for specific users and tables.  
SHOW MASKING POLICIES ON db_name@catalog_name.public.customers FOR "IAMR:Analyst" LIMIT 10;  
SHOW MASKING POLICIES ON db_name@catalog_name.public.customers FOR "IAMR:Operator" LIMIT 10;  
SHOW MASKING POLICIES ON db_name@catalog_name.public.customers FOR PUBLIC LIMIT 10;

Menguji Pola Akses

Uji bagaimana pengguna yang berbeda melihat data berdasarkan peran dan kebijakan yang diterapkan.

-- Test as analyst: Only US customers, only id/region columns,  
-- conditional revenue masking.  
SET SESSION AUTHORIZATION alice;  
SELECT id, region FROM db_name@catalog_name.public.customers ORDER BY id;  
SELECT id, region, revenue FROM db_name@catalog_name.public.customers ORDER BY id;  

-- Test as operator: Allowed regions only, masked names, specific columns.  
SET SESSION AUTHORIZATION oscar;  
SELECT id, name, revenue FROM db_name@catalog_name.public.customers ORDER BY id;  
SELECT id, name, region FROM db_name@catalog_name.public.customers ORDER BY id;  

-- Test as admin: Full access to all data.  
SET SESSION AUTHORIZATION sierra;  
SELECT * FROM db_name@catalog_name.public.customers ORDER BY id;

Mengubah Kebijakan

Ubah kebijakan yang ada untuk mengubah perilaku mereka tanpa membuatnya kembali.

-- Switch back to admin user.  
SET SESSION AUTHORIZATION sierra;  

-- Alter the PII masking policy to use simple string replacement.  
ALTER MASKING POLICY db_name@catalog_name.mask_pii  
USING ('***MASKED***'::TEXT);  

-- Alter the conditional masking policy to use different threshold.  
ALTER MASKING POLICY db_name@catalog_name.conditional_mask  
USING (CASE WHEN revenue >= 500.00 THEN revenue ELSE -1.00 END);  

-- Alter the RLS policy to show only disallowed regions.  
ALTER RLS POLICY db_name@catalog_name.region_lookup_policy  
USING (r.region IN (  
    SELECT region_code   
    FROM db_name@catalog_name.public.lookup_regions   
    WHERE allowed = FALSE  
));

Kebijakan Melepaskan dan Menjatuhkan

Hapus kebijakan saat tidak lagi diperlukan.

-- Detach RLS policies from users.  
DETACH RLS POLICY db_name@catalog_name.us_only   
ON db_name@catalog_name.public.customers   
FROM "IAMR:Analyst";  

DETACH RLS POLICY db_name@catalog_name.region_lookup_policy   
ON db_name@catalog_name.public.customers   
FROM "IAMR:Operator";  

-- Detach masking policies.  
DETACH MASKING POLICY db_name@catalog_name.mask_pii   
ON db_name@catalog_name.public.customers (name)   
FROM PUBLIC;  

DETACH MASKING POLICY db_name@catalog_name.mask_pii   
ON db_name@catalog_name.public.customers (email)   
FROM PUBLIC;  

DETACH MASKING POLICY db_name@catalog_name.conditional_mask   
ON db_name@catalog_name.public.customers (revenue)   
FROM "IAMR:Analyst";

Bersihkan: Matikan kebijakan RLS dan jatuhkan

-- Turn off Row-level security.  
ALTER TABLE db_name@catalog_name.public.customers ROW LEVEL SECURITY OFF;  

-- Drop policies.  
DROP RLS POLICY db_name@catalog_name.us_only CASCADE;  
DROP RLS POLICY db_name@catalog_name.region_lookup_policy CASCADE;  
DROP MASKING POLICY db_name@catalog_name.mask_pii CASCADE;  
DROP MASKING POLICY db_name@catalog_name.conditional_mask CASCADE;  

-- Drop tables.  
DROP TABLE db_name@catalog_name.public.customers;  
DROP TABLE db_name@catalog_name.public.lookup_regions;  
DROP TABLE db_name@catalog_name.public.lookup_revenue_tiers;

Setel ulang identitas Global

-- TO rest the global identity.  
ALTER USER alice RESET GLOBAL IDENTITY;  
ALTER USER oscar RESET GLOBAL IDENTITY;  
ALTER USER sierra RESET GLOBAL IDENTITY;