Skip to main content

About Amazon Redshift Serverless

Redshift Serverless APIs use the redshift-serverless: prefix, distinct from redshift: for provisioned clusters. There is no dedicated AWS managed read-only policy; attach an inline policy covering List* and Get* for namespaces, workgroups, snapshots, and usage limits.

How It Works

Iru runs in its own AWS account. It assumes a role in your account, gated by an External ID, to read Redshift Serverless metadata through the API. AWS does not ship a managed read-only policy scoped only to Redshift Serverless, so you attach an inline (or equivalent customer-managed) policy. The permission statement usually matches the following: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift-serverless:ListNamespaces",
        "redshift-serverless:ListWorkgroups",
        "redshift-serverless:ListSnapshots",
        "redshift-serverless:ListUsageLimits",
        "redshift-serverless:GetNamespace",
        "redshift-serverless:GetWorkgroup",
        "redshift-serverless:GetSnapshot",
        "redshift-serverless:GetUsageLimit"
      ],
      "Resource": "*"
    }
  ]
}
DetailValue
CategoryDatabases
AuthenticationCross-account IAM role

Prerequisites

  • IAM rights to create roles in the account hosting Serverless workgroups.

Connect Amazon Redshift Serverless to Iru

Start here: open the source wizard and copy the trust policy (and note the external ID). When you are ready to create the role in AWS, switch to the AWS tab and follow Create the IAM role. After you have the Role ARN, return to the Iru Compliance tab and complete Submit the role ARN in Iru below.

Get the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on Amazon Redshift Serverless

Find Amazon Redshift Serverless (use Category or Search by name or description). On that card, turn on the toggle. Leave the Iru is requesting access to external services wizard tab open.
3

Copy the trust policy JSON

The wizard shows the trust policy JSON your IAM role must use (Principal and sts:ExternalId). Below is an example of the structure; copy the live JSON from your wizard so the account, principal ARN, and external ID match exactly.
copy=false
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
4

Switch to AWS to create the role

Keep the Iru wizard tab open for reference, then switch to the AWS tab and follow Create the IAM role.

Submit the role ARN in Iru

Finish the AWS tab first (through Create the IAM role) so you have the Role ARN from the new role.
1

Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN where the connector prompts for it.
2

Finish the connection

Click Submit Role. When the connection succeeds, the wizard shows Connection Configured.
3

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to ComplianceSources and confirm the Amazon Redshift Serverless card is Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Serverless requires redshift-serverless:.
Resource: "*" is typical; scoped ARNs need explicit enumeration.
External ID mismatch.

Amazon Redshift Data API

Connect and manage the related source in Compliance.

AWS Redshift

Connect and manage the related source in Compliance.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.