Restricting an IAM role to an Amazon Region
You can restrict an IAM role to only be accessible in a certain Amazon Region. By default, IAM roles for Amazon Redshift are not restricted to any single region.
To restrict use of an IAM role by region, take the following steps.
To identify permitted regions for an IAM role

- Open the IAM console at https://console.amazonaws.cn/ .
- In the navigation pane, choose Roles.
- Choose the role that you want to restrict to specific regions.
- Choose the Trust Relationships tab and then choose Edit Trust Relationship. A new IAM role that allows Amazon Redshift to access other Amazon services on your behalf has a trust relationship as follows:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "redshift.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

- Modify the Service list for the Principal so that it lists only the specific regions in which you want to permit use of the role. Each entry in the Service list must be in the format redshift.region.amazonaws.com, where region is the Region code. For example, the following edited trust relationship permits the use of the IAM role in the us-east-1 and us-west-2 regions only.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "redshift.us-east-1.amazonaws.com",
            "redshift.us-west-2.amazonaws.com"
          ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

- Choose Update Trust Policy.
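The edit above can be applied and audited programmatically. The following is an added example (not from this page or from Amazon) that rewrites a trust policy's Redshift service principal to the regional form and flags any statement that still trusts the global redshift.amazonaws.com principal; it assumes the Action field is a single string, as in the policies shown above, and uses a constructed copy of the default trust policy as input.

```python
import copy
from typing import Any, Dict, List

# Constructed sample: the trust policy a new Redshift IAM role starts with.
# The global principal lets Redshift assume the role from any region.
DEFAULT_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "redshift.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def regional_principals(regions: List[str]) -> List[str]:
    """Regional Redshift service principals in the redshift.<region>.amazonaws.com form."""
    return [f"redshift.{region}.amazonaws.com" for region in regions]


def _services(stmt: Dict[str, Any]) -> List[str]:
    """Normalize Principal.Service, which may be a string or a list, to a list."""
    svc = stmt.get("Principal", {}).get("Service", [])
    return [svc] if isinstance(svc, str) else list(svc)


def restrict_trust_policy(policy: Dict[str, Any], regions: List[str]) -> Dict[str, Any]:
    """Return a copy of the trust policy in which every Redshift service principal
    (global or regional) is replaced by the principals for the permitted regions."""
    restricted = copy.deepcopy(policy)
    for stmt in restricted["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if "Service" not in stmt.get("Principal", {}):
            continue
        non_redshift = [s for s in _services(stmt) if not s.startswith("redshift.")]
        stmt["Principal"]["Service"] = non_redshift + regional_principals(regions)
    return restricted


def unrestricted_statements(policy: Dict[str, Any]) -> List[int]:
    """Audit check: indices of Allow/sts:AssumeRole statements that still trust the
    global redshift.amazonaws.com principal, i.e. the role is not region-restricted."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRole"
        and "redshift.amazonaws.com" in _services(stmt)
    ]
```

Running unrestricted_statements over the trust policies of your existing Redshift roles is a quick way to find roles that were never region-restricted.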