search

Redshift

hashtag
Requirements

Name
Description

Teleskope Role

Attach Redshift read and/or write permissions to the Teleskope IAM role you created

Database Admin User

Create a read and/or write database user for each Redshift cluster you'd like us to scan

Network Access

If your Redshift clusters are in private subnets and you do not want to peer VPCs, create a bastion host for us to use to access your Redshift clusters.

1

hashtag
Grant Teleskope IAM Access to Redshift

Attach the AmazonRedshiftDataFullAccess and AmazonRedshiftReadOnlyAccess to the Teleskope role you created.

hashtag
Terraform

resource "aws_iam_role_policy_attachment" "redshift_read_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "redshift_data_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess"
}

# Optional: required if using Redshift IAM database authentication (no stored password).
data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "redshift_iam_auth" {
  name = "teleskope-redshift-iam-auth"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "RedshiftIamAuth"
        Effect = "Allow"
        Action = [
          "redshift:GetClusterCredentials",
          "redshift:GetClusterCredentialsWithIAM"
        ]
        Resource = [
          "arn:aws:redshift:${var.aws_region}:${data.aws_caller_identity.current.account_id}:cluster:${var.redshift_cluster_identifier}",
          "arn:aws:redshift:${var.aws_region}:${data.aws_caller_identity.current.account_id}:dbuser:${var.redshift_cluster_identifier}/teleskope"
        ]
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "redshift_iam_auth" {
  role       = "TeleskopeRole"
  policy_arn = aws_iam_policy.redshift_iam_auth.arn
}
2

hashtag
Teleskope Database User

For each Redshift cluster you would like to scan using Teleskope, you will need to create a database user, and grant that user read permissions.

hashtag
Create Database User

If using username and password:

CREATE USER teleskope WITH PASSWORD  '****PASSWORD****'

If using IAM Authentication:

CREATE USER teleskope WITH SYSLOG ACCESS UNRESTRICTED;

  • Then associate the IAM role to the Redshift cluster using:

    aws redshift associate-iam-roles \
  --cluster-identifier my-redshift-cluster \
  --iam-role-arn arn:aws:iam::<account-id>:role/TeleskopeRole

hashtag
Grant Read Access

GRANT SELECT ON svv_all_schemas TO teleskope_ro;
GRANT SELECT ON svv_table_info TO teleskope_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog


-- Grant select to each Redshift schema
GRANT USAGE ON SCHEMA {schema} TO teleskope;
GRANT SELECT ON ALL TABLES IN SCHEMA {schema} TO teleskope;

hashtag
Grant Write Access

For each redshift schema:

GRANT UPDATE, DELETE ON ALL TABLES IN SCHEMA {schema} TO teleskope;
3

hashtag
Enroll in Teleskope UI

To enroll your Redshift cluster:

  1. Navigate to Settings-> Connector Settings -> AWS -> Redshift

  2. Click the radial button next to each cluster, Edit, and enter:

    1. If using username/password, the username and password of the cluster

    2. If using IAM Auth, the username (leave password field blank)

hashtag
SSH Tunnel (Optional)

  1. Launch an EC2 instance in a public subnet to serve as the SHH tunnel Bastion Host.

    1. The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.

    2. Place the public key in ~/.ssh/authorized_keys . 

      echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys

    3. Update the permissions on the file and directory. 

      chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

    4. Designate Teleskope AWS account access within your security group(s). IP addresses will be provided by Teleskope.

    5. Assign an Elastic IP (EIP) to the bastion host.

  2. Adjust route tables and security groups as needed to provide access to the Redshift cluster through the bastion host.

  3. Provide Teleskope with the bastion username, and the bastion elastic IP.

PreviousDynamoDBNextS3

Last updated

Was this helpful?