Monday, October 23, 2023

Improve your security posture by storing Amazon Redshift admin credentials without human intervention using AWS Secrets Manager integration


Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. Today, tens of thousands of AWS customers, from Fortune 500 companies to startups and everything in between, use Amazon Redshift to run mission-critical business intelligence (BI) dashboards, analyze real-time streaming data, and run predictive analytics. With the constant increase in generated data, Amazon Redshift customers continue to succeed in delivering better service to their end-users, improving their products, and running an efficient and effective business.

AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, and natively supports storing database secrets for Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon Redshift, and Amazon DocumentDB (with MongoDB compatibility). We recommend that you use Secrets Manager to store Amazon Redshift user credentials because it lets you configure secure secret rotation, customize fine-grained access control, and audit and monitor secrets centrally. You can natively use existing Secrets Manager secrets to access Amazon Redshift through the Amazon Redshift API and the query editor.

Until now, you would have needed to configure your Amazon Redshift admin credentials in plaintext, or let Amazon Redshift generate a credential for you. To store these credentials in Secrets Manager, you either needed to create a secret manually, or configure scripts with the credentials hardcoded or generated. Both options required a human to retrieve them. Amazon Redshift now lets you create and store admin credentials automatically without a human ever needing to see them. As part of this workflow, the admin credentials are configured to rotate every 30 days automatically. By removing the need for humans to see the secret during configuration, you improve the security posture of your Amazon Redshift data warehouse and the accuracy of your audit trails.

In this post, we show how to integrate Amazon Redshift admin credentials with Secrets Manager for both new and previously provisioned Redshift clusters and Amazon Redshift Serverless namespaces.

Prerequisites

Complete the following prerequisites before starting:

  1. Have admin privileges to create and manage Redshift Serverless namespaces or Redshift clusters.
  2. Have admin privileges to create and manage secrets in Secrets Manager.
  3. Optionally, have a Redshift Serverless namespace or a Redshift cluster on which to enable the Secrets Manager integration.
  4. Optionally, have separate AWS Key Management Service (AWS KMS) keys for encrypting the credentials in Secrets Manager.
  5. Have access to Amazon Redshift Query Editor v2.

Set up a new cluster using Secrets Manager

In this section, we provide steps to configure either a Redshift provisioned cluster or a Redshift Serverless workgroup with Secrets Manager.

Create a Redshift provisioned cluster

To get started using Secrets Manager with a new Redshift provisioned cluster, complete the following steps:

  1. On the Amazon Redshift console, choose Create cluster.
  2. Define the Cluster configuration and Sample data sections as needed.
  3. In the Database configurations section, specify your desired admin user name.
  4. To have Secrets Manager automatically create and store your password, select Manage admin credentials in AWS Secrets Manager.
  5. You can also customize the encryption settings with your own AWS customer managed KMS key by creating a key or choosing an existing one. This is the key used to encrypt the secret in Secrets Manager. If you don't select Customize encryption settings, an AWS managed key is used by default.
  6. Provide the information in Cluster permissions and Additional configurations as appropriate and choose Create cluster.
  7. When the cluster is available, you can find the ARN of the secret containing the admin password on the Properties tab of the cluster, in the Database configurations section.

Create a Redshift Serverless workgroup

To get started using Secrets Manager with Redshift Serverless, create a Redshift Serverless workgroup with the following steps:

  1. On the Amazon Redshift Serverless dashboard, choose Create workgroup.
  2. Define the Workgroup name, Capacity, and Network and security sections as appropriate and choose Next.
  3. Select Create a new namespace and provide a suitable name.
  4. In the Database name and password section, select Customize admin user and credentials.
  5. Provide an admin user name.
  6. In the Admin password section, select Manage admin credentials in AWS Secrets Manager.
  7. You can also customize the encryption settings with your own AWS customer managed KMS key by creating a key or choosing an existing one. This is the key used to encrypt the secret in Secrets Manager. If you don't select Customize encryption settings, an AWS managed key is used by default.
  8. Provide the information in the Permissions and Encryption and security sections as appropriate and choose Next.
  9. Review the selected options and choose Create.
  10. When the status of the newly created workgroup and namespace is Available, choose the namespace.
  11. You can find the Secrets Manager ARN of the admin credentials under General information.

Enable Secrets Manager for an existing Redshift cluster

In this section, we provide steps to enable Secrets Manager for an existing Redshift provisioned cluster or a Redshift Serverless namespace.

Configure an existing Redshift provisioned cluster

To enable Secrets Manager for an existing Redshift cluster, follow these steps:

  1. On the Amazon Redshift console, choose the cluster that you want to modify.
  2. On the Properties tab, choose Edit admin credentials.
  3. Select Manage admin credentials in AWS Secrets Manager.
  4. To use your own AWS KMS key to encrypt the secret, select Customize encryption settings and either choose an existing KMS key or choose Create an AWS KMS key.
  5. Choose Save changes.
  6. When the cluster is available, you can find the ARN of the secret containing the admin password on the Properties tab of the cluster, in the Database configurations section.

Configure an existing Redshift Serverless namespace

To enable Secrets Manager on an existing Amazon Redshift Serverless namespace, follow these steps:

  1. On the Amazon Redshift Serverless dashboard, choose the namespace that you want to modify.
  2. On the Actions menu, choose Edit admin credentials.
  3. Select Customize admin user credentials.
  4. Select Manage admin credentials in AWS Secrets Manager.
  5. To use your own AWS KMS key to encrypt the secret, select Customize encryption settings and either choose an existing AWS KMS key or choose Create an AWS KMS key.
  6. Choose Save changes.
  7. When the namespace status is Available, you can see the Secrets Manager ARN under Admin password ARN in the General information section.

Manage secrets in Secrets Manager

To manage the admin credentials in Secrets Manager, follow these steps:

  1. On the Secrets Manager console, choose the secret that you want to modify.

Amazon Redshift creates the secret with rotation enabled by default and a rotation schedule of every 30 days.

  2. To view the admin credentials, choose Retrieve secret value. Keep in mind that this puts a human back in possession of the password, so restrict who can do it; each retrieval is recorded in AWS CloudTrail as a GetSecretValue call.
  3. To change the secret rotation, choose Edit rotation.
  4. Define the new rotation frequency and choose Save.
  5. To rotate the secret immediately, choose Rotate secret immediately and choose Rotate.

Secrets Manager can be integrated with your application through the AWS SDK, which is available in Java, JavaScript, C#, Python3, Ruby, and Go. A code snippet for each supported language is available in the Sample code section of the secret.

  6. Choose the tab for your preferred language and use the code snippet provided in your application.
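The following Python block is an added example for the application side of this section; it is not the console's sample code or code from the original post. It reads the admin credentials at connect time, retries a connection once if the password rotated between the read and the connect, and checks that the 30-day rotation Redshift set has not been switched off or stretched. The Secrets Manager client is passed in (`boto3.client("secretsmanager")` in real use) so it also runs against a stub; the secret ARN is a placeholder, and the assumption that the SecretString is a JSON object with `username` and `password` fields matches what the Redshift-managed admin secret stores.

```python
"""Read the Redshift admin credentials from Secrets Manager at connect time and
check that rotation is still on.

Added example, not the console's sample code. The secretsmanager client is
injected (boto3.client("secretsmanager") for real use) so the functions also
run against a stub. Assumptions: the secret ARN is a placeholder, and the
SecretString is a JSON object with "username" and "password" fields, which is
how the Redshift-managed admin secret stores the credentials.
"""
from __future__ import annotations

import json
import re
from typing import Any, Callable


def get_admin_credentials(sm, secret_arn: str) -> tuple[str, str]:
    """Return (username, password) from the AWSCURRENT version of the secret.

    Fetch right before connecting rather than caching: the secret rotates every
    30 days by default, and a cached password stops working at the next
    rotation. Each call is a GetSecretValue event in CloudTrail, which is the
    audit trail the feature is meant to give you.
    """
    resp = sm.get_secret_value(SecretId=secret_arn, VersionStage="AWSCURRENT")
    if "SecretString" not in resp:
        raise ValueError("expected a JSON SecretString, got a binary secret")
    payload = json.loads(resp["SecretString"])
    missing = [k for k in ("username", "password") if k not in payload]
    if missing:
        raise ValueError(f"secret is missing field(s): {', '.join(missing)}")
    return payload["username"], payload["password"]


def connect_with_refresh(sm, secret_arn: str, connect: Callable[[str, str], Any],
                         auth_error: type = PermissionError) -> Any:
    """Open a connection with freshly read credentials; on an authentication
    failure, re-read the secret once and retry. This covers the small window
    where the password rotated between the read and the connect.

    `connect(username, password)` is your driver call (for example a wrapper
    around redshift_connector.connect); `auth_error` is the exception type the
    driver raises on a bad password. PermissionError is a stand-in default.
    """
    user, password = get_admin_credentials(sm, secret_arn)
    try:
        return connect(user, password)
    except auth_error:
        user, password = get_admin_credentials(sm, secret_arn)
        return connect(user, password)


def rotation_status(sm, secret_arn: str) -> dict[str, Any]:
    """Rotation settings as DescribeSecret reports them."""
    desc = sm.describe_secret(SecretId=secret_arn)
    rules = desc.get("RotationRules") or {}
    return {
        "enabled": bool(desc.get("RotationEnabled", False)),
        "interval_days": rules.get("AutomaticallyAfterDays"),
        "schedule": rules.get("ScheduleExpression"),
        "last_rotated": desc.get("LastRotatedDate"),
    }


def rotation_within_policy(sm, secret_arn: str, max_days: int = 30) -> bool:
    """True only if rotation is enabled and the interval is at most max_days.

    Use this in a periodic control: anyone with write access to the secret can
    stretch or disable the 30-day default that Redshift set in the console.
    """
    status = rotation_status(sm, secret_arn)
    if not status["enabled"]:
        return False
    days = status["interval_days"]
    if days is None and status["schedule"]:
        match = re.fullmatch(r"rate\((\d+)\s+days?\)", status["schedule"].strip())
        days = int(match.group(1)) if match else None
    # cron() schedules and unknown shapes are reported as out of policy so a
    # human reviews them instead of the check silently passing.
    return days is not None and days <= max_days
```

Run `rotation_within_policy` from a scheduled job over every `MasterPasswordSecretArn` and `adminPasswordSecretArn` in the account; a `False` is a finding that someone changed the rotation Redshift configured.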

Restore a snapshot

New warehouses can be launched from both serverless and provisioned snapshots. You can configure the restored cluster to use Secrets Manager credentials, even if the source cluster didn't use Secrets Manager, by following these steps:

  1. Navigate to either the Redshift snapshot dashboard for snapshots of provisioned clusters or the Redshift data backup dashboard for snapshots of serverless workgroups, and choose the snapshot you'd like to restore from.
    On the provisioned snapshot dashboard, on the Restore snapshot menu, choose Restore to provisioned cluster or Restore to serverless namespace.

    On the serverless snapshot dashboard, on the Actions menu, under Restore serverless snapshot, choose Restore to provisioned cluster or Restore to serverless namespace.

    If you're restoring to a serverless endpoint from either option, you need to have the target serverless namespace configured in advance.
  2. If you're restoring to a warehouse from a snapshot that doesn't have Secrets Manager credentials configured, you can enable it in the Database configuration section of the snapshot restore page by selecting Manage admin credentials in AWS Secrets Manager.
  3. You can also customize the encryption settings with your own AWS customer managed KMS key by creating a key or choosing an existing one. If you don't select Customize encryption settings, an AWS managed key is used by default.
  4. If the snapshot was taken from a cluster that was using Secrets Manager to manage its admin credentials and you're restoring to a provisioned cluster, you can optionally change the key used to encrypt the credentials in Secrets Manager. Otherwise, if you'd like to use the same configuration as the source snapshot, choose the same key as before.
  5. After you configure all the required details, choose Restore cluster from snapshot/Save changes to launch your provisioned cluster, or choose Restore to write the snapshot data to the namespace.
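The console procedures above (creating a new cluster or namespace, enabling the feature on an existing one, and restoring from a snapshot) have API equivalents, which is what you want in infrastructure code where no human should see the password at all. The Python block below is an added example, not code from the original post. The field names it sends are the ones the Redshift and Redshift Serverless APIs use for this feature (`ManageMasterPassword`, `MasterPasswordSecretKmsKeyId` and `MasterPasswordSecretArn` for provisioned clusters; `manageAdminPassword`, `adminPasswordSecretKmsKeyId` and `adminPasswordSecretArn` for Serverless namespaces); cluster and namespace identifiers and the KMS key ARN are placeholders. The clients are passed in, so you hand it `boto3.client("redshift")` and `boto3.client("redshift-serverless")` for real calls, or a stub when exercising it offline.

```python
"""Enable Secrets Manager-managed admin credentials on Amazon Redshift through
the API instead of the console (new cluster/namespace, existing ones, and
restore from snapshot).

Added example, not code from the original post. The request/response fields
are the ones the Redshift and Redshift Serverless APIs use for this feature:
ManageMasterPassword, MasterPasswordSecretKmsKeyId and MasterPasswordSecretArn
for provisioned clusters; manageAdminPassword, adminPasswordSecretKmsKeyId and
adminPasswordSecretArn for Serverless namespaces. Identifiers and the KMS key
ARN are placeholders. Clients are passed in, so use boto3.client("redshift")
and boto3.client("redshift-serverless") for real calls, or a stub offline.
"""
from __future__ import annotations

import sys
from typing import Any, Optional

_PLAINTEXT_FIELDS = ("MasterUserPassword", "adminUserPassword")


def _managed(params: dict[str, Any], flag: str, key_field: str,
             kms_key_id: Optional[str]) -> dict[str, Any]:
    """Add the 'Redshift generates and stores the password' fields in place.

    A plaintext password next to the managed flag is refused: the point of the
    feature is that no script or person ever handles the admin password.
    """
    for field in _PLAINTEXT_FIELDS:
        if field in params:
            raise ValueError(f"{field} must not be set together with {flag}")
    params[flag] = True
    if kms_key_id:            # omit to encrypt the secret with the AWS managed key
        params[key_field] = kms_key_id
    return params


def _cluster(params: dict[str, Any], kms_key_id: Optional[str]) -> dict[str, Any]:
    return _managed(params, "ManageMasterPassword", "MasterPasswordSecretKmsKeyId", kms_key_id)


def _namespace(params: dict[str, Any], kms_key_id: Optional[str]) -> dict[str, Any]:
    return _managed(params, "manageAdminPassword", "adminPasswordSecretKmsKeyId", kms_key_id)


# Provisioned clusters: the console steps "Create cluster", "Edit admin
# credentials" and "Restore snapshot" map to these three API calls. Each
# returns the request it sent, which is what belongs in a change log.
def create_managed_cluster(redshift, cluster_id: str, admin_user: str, node_type: str,
                           kms_key_id: Optional[str] = None, **extra: Any) -> dict[str, Any]:
    params = {"ClusterIdentifier": cluster_id, "NodeType": node_type,
              "ClusterType": "single-node", "MasterUsername": admin_user, **extra}
    redshift.create_cluster(**_cluster(params, kms_key_id))
    return params


def enable_on_existing_cluster(redshift, cluster_id: str,
                               kms_key_id: Optional[str] = None) -> dict[str, Any]:
    params = _cluster({"ClusterIdentifier": cluster_id}, kms_key_id)
    redshift.modify_cluster(**params)
    return params


def restore_cluster_managed(redshift, cluster_id: str, snapshot_id: str,
                            kms_key_id: Optional[str] = None) -> dict[str, Any]:
    params = _cluster({"ClusterIdentifier": cluster_id, "SnapshotIdentifier": snapshot_id},
                      kms_key_id)
    redshift.restore_from_cluster_snapshot(**params)
    return params


def cluster_admin_secret_arn(redshift, cluster_id: str) -> Optional[str]:
    """ARN of the managed admin secret; None until the cluster is available."""
    cluster = redshift.describe_clusters(ClusterIdentifier=cluster_id)["Clusters"][0]
    return cluster.get("MasterPasswordSecretArn")


# Redshift Serverless namespaces: "Create workgroup/namespace" and
# "Edit admin credentials" on a namespace.
def create_managed_namespace(serverless, namespace: str, admin_user: str,
                             kms_key_id: Optional[str] = None, **extra: Any) -> dict[str, Any]:
    params = {"namespaceName": namespace, "adminUsername": admin_user, **extra}
    serverless.create_namespace(**_namespace(params, kms_key_id))
    return params


def enable_on_existing_namespace(serverless, namespace: str,
                                 kms_key_id: Optional[str] = None) -> dict[str, Any]:
    params = _namespace({"namespaceName": namespace}, kms_key_id)
    serverless.update_namespace(**params)
    return params


def namespace_admin_secret_arn(serverless, namespace: str) -> Optional[str]:
    """ARN of the managed admin secret; None until the namespace is available."""
    ns = serverless.get_namespace(namespaceName=namespace)["namespace"]
    return ns.get("adminPasswordSecretArn")


if __name__ == "__main__":
    # Read-only check against a real account: python this_file.py <cluster-identifier>
    import boto3  # imported here so the functions above stay importable without it
    print(cluster_admin_secret_arn(boto3.client("redshift"), sys.argv[1]))
```

Pass the KMS key ARN only when you chose a customer managed key in the console; leaving it out is the API equivalent of not selecting Customize encryption settings. The guard against a plaintext password is there because a template that sets both is exactly the human-in-the-loop path this feature removes.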

Connect to Amazon Redshift through Query Editor v2 using Secrets Manager

To connect to Amazon Redshift using Query Editor v2, complete the following steps:

  1. On the Amazon Redshift console, choose the cluster that you want to connect to.
  2. On the Properties tab, locate the admin user and the admin password ARN.
  3. Make a note of the ARN for use in the later steps.
  4. At the top of the cluster details page, on the Query data menu, choose Query in query editor v2.
  5. Locate the Redshift cluster or Redshift Serverless workgroup you want to connect to and choose the options menu (three dots) next to its name, then choose Create connection.
  6. In the connection window, select AWS Secrets Manager.
  7. For Secret, choose the appropriate secret for your cluster.
  8. Choose Create connection.

Note that access to the secrets is controlled by AWS Identity and Access Management (IAM) permissions. Any principal allowed to call secretsmanager:GetSecretValue on this secret holds the admin password for the warehouse, so grant that permission on the specific secret ARN only, and only to the users, roles, and applications that need it.

The connection to your cluster should now be established, and you can browse the database objects in your cluster and run queries against it.
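Because reading this secret is equivalent to holding the admin password, the IAM grant deserves to be tight. The Python block below is an added example, not from the post: it builds the least-privilege policy document for a principal that reads one admin secret (only a `kms:Decrypt` statement when you chose a customer managed key, tied to Secrets Manager in the secret's region through `kms:ViaService`), and it scans an existing policy for statements that hand out `GetSecretValue` by wildcard, which would expose every admin secret in the account. The secret ARN and KMS key ARN are placeholders you copy from the cluster or namespace details page.

```python
"""Least-privilege IAM policy for a principal that reads the Redshift admin
secret, plus a check for policies that hand out every admin secret at once.

Added example, not from the post. Inputs are assumptions: the secret ARN
(copy it from the cluster or namespace details page) and, when you chose a
customer managed key, that key's ARN. The kms:ViaService condition ties the
decrypt grant to Secrets Manager in the secret's region so these credentials
cannot use the key to decrypt anything else.
"""
from __future__ import annotations

import fnmatch
import json
import re
from typing import Any, Optional

SECRET_READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]

# Secrets Manager appends a random 6-character suffix to every secret name, so
# "secret:my-name-*" (or "-??????") is the accepted way to pin one secret.
_PINNED_NAME = re.compile(r"^[^*?]+-(\*|\?{6})$")


def reader_policy(secret_arn: str, kms_key_arn: Optional[str] = None) -> dict[str, Any]:
    """Policy document granting read access to exactly one secret."""
    parts = secret_arn.split(":")
    if len(parts) < 7 or parts[2] != "secretsmanager":
        raise ValueError(f"not a Secrets Manager ARN: {secret_arn}")
    region = parts[3]
    statements: list[dict[str, Any]] = [{
        "Sid": "ReadRedshiftAdminSecret",
        "Effect": "Allow",
        "Action": SECRET_READ_ACTIONS,
        "Resource": secret_arn,
    }]
    if kms_key_arn:
        # Needed only for a customer managed key; the AWS managed
        # aws/secretsmanager key works without an explicit grant.
        statements.append({
            "Sid": "DecryptOnlyThroughSecretsManager",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value: Any) -> list[Any]:
    return [value] if isinstance(value, str) else list(value or [])


def _broad(resource: str) -> bool:
    """True unless the only wildcard stands in for the random name suffix."""
    if "*" not in resource and "?" not in resource:
        return False
    head, sep, name = resource.rpartition(":secret:")
    pinned = bool(sep) and "*" not in head and "?" not in head and bool(_PINNED_NAME.match(name))
    return not pinned


def overbroad_secret_grants(policy: dict[str, Any]) -> list[str]:
    """Sids of Allow statements that let the principal read secrets by wildcard.

    Every Redshift-managed admin secret in the account is reachable through
    such a statement, so it is effectively admin on every warehouse.
    """
    flagged: list[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        reads = any(fnmatch.fnmatchcase("secretsmanager:getsecretvalue", a.lower())
                    for a in _as_list(st.get("Action")))
        broad = any(_broad(r) for r in _as_list(st.get("Resource")))
        if reads and broad:
            flagged.append(st.get("Sid") or f"Statement[{i}]")
    return flagged


if __name__ == "__main__":
    demo = reader_policy(
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-admin-secret-AbCdEf",
        "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000")
    print(json.dumps(demo, indent=2))
    print("overbroad statements:", overbroad_secret_grants(demo))
```

The scanner deliberately treats a leading-prefix wildcard such as `secret:redshift!*` as broad even though it looks specific: it matches every Redshift-managed admin secret in the account rather than one warehouse.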

Conclusion

In this post, we demonstrated how the Secrets Manager integration with Amazon Redshift simplifies storing admin credentials. It's an easy-to-use feature that is available today and automates the critical task of maintaining admin credentials and rotating them for your Redshift data warehouse. Try it out today and leave a comment if you have any questions or suggestions.


About the Authors

Tahir Aziz is an Analytics Solution Architect at AWS. He has worked on building data warehouses and big data solutions for over 15 years. He loves to help customers design end-to-end analytics solutions on AWS. Outside of work, he enjoys traveling and cooking.

Julia Beck is an Analytics Specialist Solutions Architect at AWS. She supports customers in validating analytics solutions by architecting proof of concept workloads designed to meet their specific needs.

Ekta Ahuja is a Senior Analytics Specialist Solutions Architect at AWS. She is passionate about helping customers build scalable and robust data and analytics solutions. Before AWS, she worked in several different data engineering and analytics roles. Outside of work, she enjoys baking, traveling, and board games.
