Amazon Redshift will no longer support the use of Python UDFs after June 30, 2026. We will start enforcing it in phases. For more information on the details of Python end of life and migration options, see the [blog post](https://amazonaws-china.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/) that was published on June 30, 2025.

# Infrastructure security in Amazon Redshift
<a name="security-network-isolation"></a>

As a managed service, Amazon Redshift is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see [Amazon Cloud Security](https://www.amazonaws.cn/security/). To design your Amazon environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.amazonaws.cn/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar Amazon Well-Architected Framework*.

You use Amazon-published API calls to access Amazon Redshift through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

## Network isolation
<a name="network-isolation"></a>

A virtual private cloud (VPC) based on the Amazon VPC service is your private, logically isolated network in the Amazon Cloud. You can deploy an Amazon Redshift cluster or Redshift Serverless workgroup within a VPC by taking the following steps:
+ Create a VPC in an Amazon Region. For more information, see [What is Amazon VPC?](https://docs.amazonaws.cn/vpc/latest/userguide/what-is-amazon-vpc.html) in the *Amazon VPC User Guide.* 
+ Create two or more private VPC subnets. For more information, see [VPCs and subnets](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon VPC User Guide.*
+ Deploy an Amazon Redshift cluster or a Redshift Serverless workgroup. For more information, see [Subnets for Redshift resources](working-with-cluster-subnet-groups.md) or [Workgroups and namespaces](serverless-workgroup-namespace.md).

An Amazon Redshift cluster is locked down by default upon provisioning. To allow inbound network traffic from Amazon Redshift clients, associate a VPC security group with an Amazon Redshift cluster. For more information, see [Subnets for Redshift resources](working-with-cluster-subnet-groups.md). 

To allow traffic only to or from specific IP address ranges, update the security groups with your VPC. An example is allowing traffic only from or to your corporate network.

When you configure the network access control lists (ACLs) associated with the subnets that your Amazon Redshift cluster uses, make sure that the S3 CIDR ranges for the respective Amazon Region are added to the allowlist in both the ingress and egress rules. Doing so lets S3-based operations such as Redshift Spectrum, COPY, and UNLOAD run without disruption.

The following example command parses the JSON response for all IPv4 addresses used in Amazon S3 in the us-east-1 Region.

```
curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="S3") | .ip_prefix'
54.231.0.0/17
52.92.16.0/20
52.216.0.0/15
```

For instructions on how to get S3 IP ranges for a particular region, see [Amazon IP address ranges](https://docs.amazonaws.cn/general/latest/gr/aws-ip-ranges.html).
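The following Python is an added example, not part of the Amazon documentation: it pulls the S3 prefixes for a Region out of an ip-ranges.json document, builds the paired ingress and egress network ACL rules the paragraph above asks for, and checks whether a given S3 address is covered. The ip-ranges excerpt is a constructed sample, and the ACL ID and rule numbers are placeholders; the command text follows the `aws ec2 create-network-acl-entry` syntax.

```python
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json; the real file has far more
# entries and should be re-fetched whenever its syncToken changes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.92.16.0/20", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.219.32.0/21", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "AMAZON"},
    ],
})

def s3_prefixes(ip_ranges_json, region):
    """IPv4 S3 prefixes for one Region, deduplicated and sorted."""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["region"] == region and p["service"] == "S3"}
    return sorted(nets)

def nacl_entries(prefixes, acl_id, first_rule=100, step=10):
    """One egress and one ingress allow rule per prefix, as CLI commands.
    Network ACLs are stateless, so egress opens TCP 443 towards S3 and ingress
    must admit the replies, which arrive on the client's ephemeral ports.
    acl_id and the rule numbers are placeholders; pick free numbers in your ACL."""
    cmds = []
    for i, net in enumerate(prefixes):
        rule = first_rule + i * step
        for direction, ports in (("--egress", "From=443,To=443"),
                                 ("--ingress", "From=1024,To=65535")):
            cmds.append(f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} "
                        f"--rule-number {rule} --protocol tcp --port-range {ports} "
                        f"--cidr-block {net} --rule-action allow {direction}")
    return cmds

def covered(address, prefixes):
    """True if an S3 endpoint address resolves inside an allowlisted prefix."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in prefixes)

if __name__ == "__main__":
    nets = s3_prefixes(SAMPLE_IP_RANGES, "us-east-1")
    print("\n".join(nacl_entries(nets, "acl-0123456789abcdef0")))
    print(covered("54.231.1.1", nets), covered("52.219.33.1", nets))  # True False
```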

Amazon Redshift supports deploying clusters into dedicated tenancy VPCs. For more information, see [Dedicated instances](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/dedicated-instance.html) in the *Amazon EC2 User Guide.*

## Amazon Redshift security groups
<a name="working-with-security-groups"></a>

When you provision an Amazon Redshift cluster, it is locked down by default so nobody has access to it. To grant other users inbound access to an Amazon Redshift cluster, you associate the cluster with a security group. If you are on the EC2-VPC platform, you can either use an existing Amazon VPC security group or define a new one and then associate it with a cluster. For more information on managing a cluster on the EC2-VPC platform, see [Redshift resources in a VPC](managing-clusters-vpc.md).

## Interface VPC endpoints
<a name="security-private-link"></a>

You can connect directly to the Amazon Redshift and Amazon Redshift Serverless API services using an interface VPC endpoint (Amazon PrivateLink) in your virtual private cloud (VPC) instead of connecting over the internet. For information about Amazon Redshift API actions, see [Actions](https://docs.amazonaws.cn/redshift/latest/APIReference/API_Operations.html) in the *Amazon Redshift API Reference*. For information about Redshift Serverless API actions, see [Actions](https://docs.amazonaws.cn/redshift-serverless/latest/APIReference/API_Operations.html) in the *Amazon Redshift Serverless API Reference*. For more information about Amazon PrivateLink, see [Interface VPC endpoints (Amazon PrivateLink)](https://docs.amazonaws.cn/vpc/latest/userguide/vpce-interface.html) in the *Amazon VPC User Guide*. Note that JDBC/ODBC connections to a cluster or workgroup are not part of the Amazon Redshift API service.

When you use an interface VPC endpoint, communication between your VPC and Amazon Redshift or Redshift Serverless is conducted entirely within the Amazon network, which can provide greater security. Each VPC endpoint is represented by one or more elastic network interfaces with private IP addresses in your VPC subnets. For more information on elastic network interfaces, see [Elastic network interfaces](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-eni.html) in the *Amazon EC2 User Guide.* 

An interface VPC endpoint connects your VPC directly to Amazon Redshift. It doesn't use an internet gateway, network address translation (NAT) device, virtual private network (VPN) connection, or Amazon Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon Redshift API. 

To use Amazon Redshift or Redshift Serverless through your VPC, you have two options. One is to connect from an instance that is inside your VPC. The other is to connect your private network to your VPC by using an Amazon VPN option or Amazon Direct Connect. For more information about Amazon VPN options, see [VPN connections](https://docs.amazonaws.cn/vpc/latest/userguide/vpn-connections.html) in the *Amazon VPC User Guide*. For information about Amazon Direct Connect, see [Creating a Connection](https://docs.amazonaws.cn/directconnect/latest/UserGuide/create-connection.html) in the *Amazon Direct Connect User Guide*. 

You can create an interface VPC endpoint to connect to Amazon Redshift using the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) commands. For more information, see [Creating an Interface Endpoint](https://docs.amazonaws.cn/AmazonVPC/latest/UserGuide/vpce-interface.html#create-interface-endpoint).

After you create an interface VPC endpoint, you can enable private DNS host names for the endpoint. When you do, the default endpoint is as follows:
+ **Amazon Redshift provisioned**: `https://redshift.{{Region}}.amazonaws.com`
+ **Amazon Redshift Serverless**: `https://redshift-serverless.{{Region}}.amazonaws.com`

If you don't enable private DNS host names, Amazon VPC provides a DNS endpoint name that you can use in the following format.
+ **Amazon Redshift provisioned**: `{{VPC_endpoint_ID}}.redshift.{{Region}}.vpce.amazonaws.com`
+ **Amazon Redshift Serverless**: `{{VPC_endpoint_ID}}.redshift-serverless.{{Region}}.vpce.amazonaws.com`

For more information, see [Interface VPC endpoints (Amazon PrivateLink)](https://docs.amazonaws.cn/vpc/latest/userguide/vpce-interface.html) in the *Amazon VPC User Guide*.

Amazon Redshift and Redshift Serverless support making calls to all of the [Amazon Redshift API operations](https://docs.amazonaws.cn/redshift/latest/APIReference/API_Operations.html) and [Redshift Serverless API operations](https://docs.amazonaws.cn/redshift-serverless/latest/APIReference/API_Operations.html) inside your VPC. 

You can attach VPC endpoint policies to a VPC endpoint to control access for Amazon Identity and Access Management (IAM) principals. You can also associate security groups with a VPC endpoint to control inbound and outbound access based on the origin and destination of network traffic. An example is a range of IP addresses. For more information, see [Controlling Access to Services with VPC Endpoints](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. 

### VPC endpoint policies for Amazon Redshift
<a name="security-private-link-vpc_endpoint-policy"></a>

You can create a policy for VPC endpoints for Amazon Redshift to specify the following:
+ The principal that can or can't perform actions
+ The actions that can be performed
+ The resources on which actions can be performed

For more information, see [Controlling access to services with VPC endpoints](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. 

Following, you can find examples of VPC endpoint policies.

#### Amazon Redshift Provisioned Endpoint Policy Examples
<a name="security-private-link-examples-provisioned"></a>

Following, you can find examples of VPC endpoint policies for Amazon Redshift Provisioned.

##### Example: VPC endpoint policy to deny all access from a specified Amazon account
<a name="security-private-link-example-1"></a>

The following VPC endpoint policy denies the Amazon account `{{123456789012}}` all access to resources using this endpoint.

```
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "*",
            "Effect": "Deny",
            "Resource": "*",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            }
        }
    ]
}
```

##### Example: VPC endpoint policy to allow VPC access only to a specified IAM role
<a name="security-private-link-example-1.1"></a>

The following VPC endpoint policy allows full access only to the IAM role {{`redshiftrole`}} in Amazon account {{123456789012}}. All other IAM principals are denied access using the endpoint.

```
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/redshiftrole"
                ]
            }
        }
    ]
}
```

This is only a sample. In most use cases we recommend attaching permissions for specific actions to narrow the scope of permissions.

##### Example: VPC endpoint policy to allow VPC access only to a specified IAM principal (user)
<a name="security-private-link-example-2"></a>

The following VPC endpoint policy allows full access only to the IAM user {{`redshiftadmin`}} in Amazon account {{123456789012}}. All other IAM principals are denied access using the endpoint.

```
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/redshiftadmin"
                ]
            }
        }
    ]
}
```

This is only a sample. In most use cases we recommend attaching permissions to a role before assigning to a user. Additionally, we recommend using specific actions to narrow the scope of permissions.

##### Example: VPC endpoint policy to allow read-only Amazon Redshift operations
<a name="security-private-link-example-3"></a>

The following VPC endpoint policy allows only Amazon account {{`123456789012`}} to perform the specified Amazon Redshift actions. 

The actions specified provide the equivalent of read-only access for Amazon Redshift. All other actions on the VPC are denied for the specified account. Also, all other accounts are denied any access. For a list of Amazon Redshift actions, see [Actions, Resources, and Condition Keys for Amazon Redshift](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonredshift.html) in the *IAM User Guide.*

```
{
    "Statement": [
        {
            "Action": [
                "redshift:DescribeAccountAttributes",
                "redshift:DescribeClusterParameterGroups",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusterSecurityGroups",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeClusterVersions",
                "redshift:DescribeDefaultClusterParameters",
                "redshift:DescribeEventCategories",
                "redshift:DescribeEventSubscriptions",
                "redshift:DescribeHsmClientCertificates",
                "redshift:DescribeHsmConfigurations",
                "redshift:DescribeLoggingStatus",
                "redshift:DescribeOrderableClusterOptions",
                "redshift:DescribeQuery",
                "redshift:DescribeReservedNodeOfferings",
                "redshift:DescribeReservedNodes",
                "redshift:DescribeResize",
                "redshift:DescribeSavedQueries",
                "redshift:DescribeScheduledActions",
                "redshift:DescribeSnapshotCopyGrants",
                "redshift:DescribeSnapshotSchedules",
                "redshift:DescribeStorage",
                "redshift:DescribeTable",
                "redshift:DescribeTableRestoreStatus",
                "redshift:DescribeTags",
                "redshift:FetchResults",
                "redshift:GetReservedNodeExchangeOfferings"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            }
        }
    ]
}
```

##### Example: VPC endpoint policy denying access to a specified cluster
<a name="security-private-link-example-4"></a>

The following VPC endpoint policy allows full access for all accounts and principals. At the same time, it denies any access for Amazon account {{`123456789012`}} to actions performed on the Amazon Redshift cluster with cluster ID `{{my-redshift-cluster}}`. Other Amazon Redshift actions that don't support resource-level permissions for clusters are still allowed. For a list of Amazon Redshift actions and their corresponding resource type, see [Actions, Resources, and Condition Keys for Amazon Redshift](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonredshift.html) in the *IAM User Guide.* 

```
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "*",
            "Effect": "Deny",
            "Resource": "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            }
        }
    ]
}
```
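To check how the endpoint policies above behave as written (the role-only policy and the policy that denies one account access to a specific cluster), the following Python evaluator is an added example, not part of the Amazon documentation. It implements only the subset of IAM evaluation these examples rely on: an explicit Deny wins, otherwise any matching Allow permits, otherwise the request is implicitly denied, and a bare account ID principal matches every principal in that account; the policy copies use the page's sample account, and the `auditor` role and `dev` cluster are constructed.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(spec, principal_arn):
    # spec is "*" or {"AWS": [...]} whose entries are ARNs or bare account IDs;
    # a bare account ID matches every principal in that account (the account
    # number is the fifth colon-separated field of the principal ARN).
    if spec == "*":
        return True
    account_id = principal_arn.split(":")[4]
    return any(p in ("*", principal_arn, account_id)
               for p in _as_list(spec.get("AWS", [])))

def _matches(patterns, value):
    # IAM-style wildcard matching for the Action and Resource elements.
    return any(fnmatch.fnmatchcase(value, pat) for pat in _as_list(patterns))

def evaluate(policy, principal_arn, action, resource):
    """Return 'Allow' or 'Deny'. Explicit Deny wins over any Allow; with no
    matching statement the request is implicitly denied. Condition,
    NotPrincipal and NotAction elements are deliberately not modelled."""
    decision = "Deny"
    for st in policy["Statement"]:
        if (_principal_matches(st["Principal"], principal_arn)
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Copies of two policies shown on this page (account ID is the page's sample).
ROLE_ONLY_POLICY = {"Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/redshiftrole"]}}]}

DENY_CLUSTER_POLICY = {"Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"},
    {"Action": "*", "Effect": "Deny",
     "Resource": "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
     "Principal": {"AWS": ["123456789012"]}}]}

ROLE = "arn:aws:iam::123456789012:role/redshiftrole"
USER = "arn:aws:iam::123456789012:user/redshiftadmin"
OTHER = "arn:aws:iam::210987654321:role/auditor"  # constructed: another account
CLUSTER = "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster"
OTHER_CLUSTER = "arn:aws:redshift:us-east-1:123456789012:cluster:dev"  # constructed

if __name__ == "__main__":
    print(evaluate(ROLE_ONLY_POLICY, USER, "redshift:DescribeClusters", CLUSTER))  # Deny
    print(evaluate(DENY_CLUSTER_POLICY, ROLE, "redshift:DeleteCluster", OTHER_CLUSTER))  # Allow
```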

#### Amazon Redshift Serverless Endpoint Policy Examples
<a name="security-private-link-examples-serverless"></a>

Following, you can find examples of VPC endpoint policies for Redshift Serverless.

##### Example: VPC endpoint policy to allow read-only Redshift Serverless operations
<a name="security-private-link-serverless-example-1"></a>

The following VPC endpoint policy allows only Amazon account {{`123456789012`}} to perform the specified Redshift Serverless actions. 

The actions specified provide the equivalent of read-only access for Redshift Serverless. All other actions on the VPC are denied for the specified account. Also, all other accounts are denied any access. For a list of Redshift Serverless actions, see [Actions, Resources, and Condition Keys for Redshift Serverless](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonredshiftserverless.html) in the *IAM User Guide.*

```
{
    "Statement": [
        {
            "Action": [
                "redshift-serverless:DescribeOneTimeCredit",
                "redshift-serverless:GetCustomDomainAssociation",
                "redshift-serverless:GetEndpointAccess",
                "redshift-serverless:GetNamespace",
                "redshift-serverless:GetRecoveryPoint",
                "redshift-serverless:GetResourcePolicy",
                "redshift-serverless:GetScheduledAction",
                "redshift-serverless:GetSnapshot",
                "redshift-serverless:GetTableRestoreStatus",
                "redshift-serverless:GetUsageLimit",
                "redshift-serverless:GetWorkgroup"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            }
        }
    ]
}
```

##### Example: VPC endpoint policy denying access to a specified workgroup
<a name="security-private-link-serverless-example-2"></a>

The following VPC endpoint policy allows full access for all accounts and principals. At the same time, it denies any access for Amazon account {{`123456789012`}} to actions performed on the Redshift Serverless workgroup with workgroup ID `{{my-redshift-workgroup}}`. Other Redshift Serverless actions that don't support resource-level permissions for workgroups are still allowed. For a list of Redshift Serverless actions and their corresponding resource type, see [Actions, Resources, and Condition Keys for Redshift Serverless](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonredshiftserverless.html) in the *IAM User Guide.*

```
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "*",
            "Effect": "Deny",
            "Resource": "arn:aws:redshift-serverless:us-east-1:123456789012:workgroup:my-redshift-workgroup",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            }
        }
    ]
}
```