In today’s data-driven world, securely accessing, visualizing, and analyzing data is essential for making informed business decisions. Tens of thousands of customers use Amazon Redshift for modern data analytics at scale, delivering up to three times better price-performance and seven times better throughput than other cloud data warehouses.
The Amazon Redshift Data API simplifies access to your Amazon Redshift data warehouse by removing the need to manage database drivers, connections, network configurations, data buffering, and more.
With the newly released feature of Amazon Redshift Data API support for single sign-on and trusted identity propagation, you can build data visualization applications that integrate single sign-on (SSO) and role-based access control (RBAC), simplifying user management while enforcing appropriate access to sensitive information.
For instance, a global sports gear company selling products across multiple regions needs to visualize its sales data, which includes country-level details. To maintain the right level of access, the company wants to restrict data visibility based on the user’s role and region. Regional sales managers should only see sales data for their specific region, such as North America or Europe. Conversely, the global sales executives require full access to the entire dataset, covering all countries.
In this post, we dive into the newly released feature of Amazon Redshift Data API support for SSO, Amazon Redshift RBAC for row-level security (RLS) and column-level security (CLS), and trusted identity propagation with AWS Identity and Access Management Identity Center to let corporate identities connect to AWS services more easily and securely. We demonstrate how to integrate these services to create a data visualization application using Streamlit, providing secure, role-based access that simplifies user management while making sure that your organization can make data-driven decisions with enhanced security and ease.
We use multiple AWS services and open source tools to build a simple data visualization application with SSO to access data in Amazon Redshift with RBAC. The key components that power the solution are as follows:
The following diagram illustrates the solution architecture for SSO with the Redshift Data API using Identity and Access Management Identity Center.
The user workflow for the data visualization application consists of the following steps:
The setup consists of two main steps:
You should have the following prerequisites:
In this section, we walk through the steps to provision the resources for Identity and Access Management Identity Center, Amazon Redshift, and Okta.
Complete the following steps to enable Identity and Access Management Identity Center and configure Okta as the IdP to manage user authentication and group provisioning:
The following screenshot shows the users synced in Identity and Access Management Identity Center using SCIM protocol.
Complete the following steps to create an Okta application to authenticate users accessing the Streamlit application:
Complete the following steps to create an Amazon Redshift Identity and Access Management Identity Center connection application to enable trusted identity propagation for secure authentication:
We will enable trusted identity propagation and third-party IdP (Okta) on the customer managed application for the Redshift Data API in a later step instead of configuring it in the Amazon Redshift connection application.
The following screenshot shows the Identity and Access Management Identity Center connection application created on the Amazon Redshift console.
The following screenshot shows groups assigned to the Amazon Redshift Identity and Access Management Identity Center connection for the managed application.
Provision a Redshift Serverless workgroup. For more details, refer to Creating a workgroup with a namespace.
Wait until the workgroup is available before continuing to the next steps.
Next, you use the Amazon Redshift Query Editor V2 on the Amazon Redshift console to connect to the workgroup you just created. You create the tables and configure the Amazon Redshift roles corresponding to Okta groups for the groups in Identity and Access Management Identity Center and use the RBAC policy to grant users privileges to view data only for their regions. Complete the following steps:
Identity and Access Management will map the groups into the Redshift roles in the format of Namespace:IDCGroupName. For example, create the role name as AWSIDC:emea-sales and so on to match them with Okta group names synced in Identity and Access Management Identity Center. The users will be created automatically within the groups as they log in using SSO into Amazon Redshift.
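The role naming and RBAC setup described above, written out as an added SQL example for the sports-gear scenario (this is not code from the original post). It assumes the `AWSIDC` namespace prefix, Okta groups named `emea-sales`, `na-sales` and `global-sales`, and a constructed `public.sales` table; all of those names, and the sample rows, are assumptions. It goes one step beyond the text by combining row-level security (regional roles see only their region) with column-level security (regional roles cannot read the customer e-mail column), while the global role reads everything.

```sql
-- Added example, not from the original post. Table name, columns, role names
-- and rows are constructed for illustration.
CREATE TABLE public.sales (
    order_id       INTEGER,
    region         VARCHAR(16),    -- 'EMEA' or 'NA' in this example
    country        VARCHAR(64),
    customer_email VARCHAR(128),   -- sensitive: hidden from regional roles below
    amount         DECIMAL(12, 2)
);

-- Constructed sample data
INSERT INTO public.sales VALUES
    (1, 'EMEA', 'Germany', 'a@example.com', 120.00),
    (2, 'NA',   'USA',     'b@example.com', 250.00),
    (3, 'EMEA', 'France',  'c@example.com',  80.00);

-- Roles named Namespace:IDCGroupName so Identity Center can map each group
-- onto a role. The colon requires a quoted identifier. Note that Redshift
-- folds identifiers to lowercase unless enable_case_sensitive_identifier is on,
-- so the stored name is awsidc:emea-sales; the mapping is case-insensitive.
CREATE ROLE "AWSIDC:emea-sales";
CREATE ROLE "AWSIDC:na-sales";
CREATE ROLE "AWSIDC:global-sales";

-- Column-level security: regional roles are granted SELECT on a column list
-- that omits customer_email, so a query touching that column fails for them.
GRANT SELECT (order_id, region, country, amount) ON public.sales
    TO ROLE "AWSIDC:emea-sales", ROLE "AWSIDC:na-sales";
GRANT SELECT ON public.sales TO ROLE "AWSIDC:global-sales";

-- Row-level security: one policy per region, each attached to its role.
-- The WITH clause names the table column the predicate reads.
CREATE RLS POLICY emea_only
    WITH (region VARCHAR(16))
    USING (region = 'EMEA');

CREATE RLS POLICY na_only
    WITH (region VARCHAR(16))
    USING (region = 'NA');

ATTACH RLS POLICY emea_only ON public.sales TO ROLE "AWSIDC:emea-sales";
ATTACH RLS POLICY na_only   ON public.sales TO ROLE "AWSIDC:na-sales";

-- Global executives bypass row filtering entirely.
GRANT IGNORE RLS TO ROLE "AWSIDC:global-sales";

-- Once RLS is on, a user with no attached policy (and without IGNORE RLS)
-- gets zero rows: default deny, which is what you want for an unmapped group.
ALTER TABLE public.sales ROW LEVEL SECURITY ON;

-- Check: run as a member of AWSIDC:emea-sales this returns only orders 1 and 3;
-- as AWSIDC:global-sales it returns all three rows.
SELECT order_id, country, amount FROM public.sales;
```

Because Identity Center creates the database users and their role membership at SSO login, no `GRANT ROLE ... TO user` statements are needed; group membership in Okta is the single source of truth, and removing a user from the Okta group removes their access on the next login.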
In this section, we walk through the steps to download, configure, and run the Streamlit application.
In order to start a trusted identity propagation workflow and allow Amazon Redshift to make authorization decisions based on the users and groups from Identity and Access Management (provisioned from the external IdP), you need an identity-enhanced IAM role session.
This requires a couple of IAM roles and a customer managed application in Identity and Access Management to handle the trust relationship between the external IdP and Identity and Access Management and control access for the Redshift Data API client, in this case, the Streamlit application.
First, you create two IAM roles, then you create a customer managed application for the Streamlit application. Complete the following