AWS Big Data Blog
Accelerate Amazon Redshift secure data use with Satori – Part 2
This post is co-written by Adam Gaulding, Solution Architect at Satori.
In this post, we continue from Accelerate Amazon Redshift secure data use with Satori – Part 1, and explain how Satori, an Amazon Redshift Ready partner, simplifies both the user experience of gaining access to data and the admin practice of granting and revoking access to data in Amazon Redshift. Satori enables both just-in-time and self-service access to data.
Solution overview
Satori creates a transparent layer providing visibility and control capabilities that is deployed in front of your existing Redshift data warehouse. When adding a new data store to Satori, a new, Satori-provided URL is generated for the data store, which data consumers use instead of connecting directly.
The following diagram illustrates the solution architecture.
Data consumers don’t have to change how they work with data, such as installing different database drivers, changing their queries, or compromising on features or functionality. Satori is not a data virtualization or database federation solution that abstracts your existing data stores.
Self-service access to data is fully automated. The admin is responsible for setting up the access rules. User access privileges can be preconfigured for automated dataset access. The user can see the datasets that are available to them in their personalized data portal. The user then selects the dataset they want to use and Satori automatically applies the appropriate security, privacy, and compliance requirements.
Just-in-time access to data is also flexible but requires approval from an admin. From the user’s personalized data portal, they can see the available datasets—the only datasets they have self-service access to are already included in their My Data folder. If they see a dataset that they need but don’t have access to, they can request access to this data on-demand. The request is sent to the admin and, based on the user’s credentials, the admin can choose to approve or deny access.
The ability to facilitate and automate access to data provides the following benefits:
- Satori improves the user experience by providing quick access to data. This increases the time-to-value of data and drives innovative decision-making.
- Admins benefit from automating the process, significantly reducing the amount of time spent on granting and revoking access to data.
Prerequisites
Follow the steps outlined in Accelerate Amazon Redshift secure data use with Satori – Part 1 to complete the following prerequisite steps:
- Prepare the data.
- Connect to Amazon Redshift.
- Create a dataset and give Satori control over access to the dataset.
- Optionally, create security policies and revisit the concepts related to secure data access and masking policies.
After you complete the prerequisites, you’re ready to explore self-service and just-in-time access to data.
Self-service access
The following steps explain how to create self-service rules from admin and user perspectives.
Create access request and self-service rules (admin perspective)
After the admin gives Satori control over access to the dataset, they need to first preconfigure the user access rules. Complete the following steps:
- Navigate to the Datasets page and choose User Access Requests.
- In the Self-Service Access section, choose Self-Service Rule.
- Specify the required level of access.
The admin has several options when configuring the access rules. You can set the level of access by user or group, define when it expires, and set revocation rules.
The following screenshot shows the configuration rule for data access requests we created. In this example, the self-service user group has read-only access during the next 30 days that is set to revoke within 7 days if it’s not used.
The following figure shows an example configuration rule to add a user.
The newly created access rule and details are displayed in the list of self-service rules.
The next steps outline the data user view and steps to gain self-service access to data.
Create access request and self-service rules (user perspective)
As a user, complete the following steps:
- Enter the Satori personalized data portal using the Data Portal option on the options menu (three vertical dots).
The data portal will display all available datasets. Any datasets that the user already has self-service access to will appear under My Data, as shown in the following screenshot. All other datasets appear under Available Datasets.
- Choose the desired dataset (in this case,
CustomerDataset
) and request immediate access to this dataset by choosing Ask for Access to Dataset.
- For Access Request, choose Self Service.
- For Request Message, enter a reason for the request.
- Choose Request.
Based on the user’s identity, preconfigured access rules match the user to their respective qualifications and authorizations. In this case, the user is automatically granted access to CustomerDataset
using the preconfigured self-service rules. The requested dataset appears with Status – Access Granted under My Data.
The preconfigured access rules are applied so that when this user runs their queries, certain sensitive data is redacted.
Now that access is granted, query the data using a SQL editor of your choice. In this post, we use DBeaver to connect to a Redshift cluster using the Satori hostname on the data stores tab.
When you query the data, you will see the security policies applied to the result set at runtime. In the following example, the customer table is displayed with redacted field values based on security policies.
In the following example, the credit_cards
table is displayed with masking policies applied to the result values.
Just-in-time access
Just-in-time access is similar to self-service access; the only difference is that it includes an additional step of requesting access from the admin.
Create access request and self-service rules (user perspective)
The user enters the Satori personalized data portal with the same view as shown in the self-service access to data.
If the data that you need isn’t included under My Data but shows under Available Datasets, you can request access to this dataset. For this example, we consider a new user John Doe trying to access CustomerDataset
from the available datasets. The process consists of the following steps:
- User John Doe logs in to the Satori portal and finds the Available Datasets section in their data portal.
- The user submits a request for
CustomerDataset
.
The request from user John Doe for CustomerDataset
stays in Pending Approval status until approved from the admin.
- The admin receives the request from user John Doe through email and portal notifications for dataset requests.
The admin can approve or deny the request and might also designate the level of access and when that access expires.
The following screenshot shows an example email notification.
- The admin can choose View Request in the email and then approve or deny the request on the Satori portal.
- The admin can choose the pencil icon to edit the request before approval and modify the approval conditions.
In this example, the admin modifies a couple of criteria as shown and then approves the request.
Create access request rules (admin perspective)
Users can request access to datasets and the admin can approve or reject those requests, but the admin can also preconfigure the user access rules. Complete the following steps as the admin:
- On the Datasets page, choose User Access Requests.
- Fill out the access request rule.
- Choose Add.
The access request rule creation will be treated as an approval workflow when dataset requests are placed from the data portal.
Dataset requests from users will follow the course of action configured by the admin during access request rules creation. The preconfigured access rules specific to that user are applied so that when this user runs their queries, security policies and masking conditions are applied, and sensitive data is redacted or masked as applicable. The access control is maintained according to the admin settings for both just-in-time access and self-service access.
Clean up
To avoid unintended costs, clean up the resources provisioned as part of Accelerate Amazon Redshift secure data use with Satori – Part 1 or provisioned for this post. Make sure to delete the following resources:
- Redshift cluster or serverless endpoint
- Security group to allow inbound traffic from Satori
- Configurations within your Satori account
Summary
In this post, we described how Satori can help automate secure data access for both data users and admins. The ability to automate this process increases the time-to-value of data for users and reduces the time and resources admins need to allocate for granting and revoking data access.
Satori is available on the AWS Marketplace. To learn more, start a free trial or request a demo meeting.
Amazon Redshift provides comprehensive security and governance features to protect your data, and continues to expand its out-of-the-box capabilities. For the latest features and updates, explore Amazon Redshift What’s New.
About the Authors
Rohit Vashishtha is a Senior Analytics Specialist Solutions Architect at AWS based in Dallas, Texas. He has over 17 years of experience architecting, building, leading, and maintaining big data platforms. Rohit helps customers modernize their analytic workloads using the breadth of AWS services and ensures that customers get the best price/performance with utmost security and data governance.
Jagadish Kumar (Jag) is a Senior Specialist Solutions Architect at AWS focused on Amazon OpenSearch Service. He is deeply passionate about Data Architecture and helps customers build analytics solutions at scale on AWS.
Adam Gaulding is a Solution Architect at Satori. At Satori, Adam is helping customers implement data security controls on databases, data lakes and data warehouses. Adam has been in and around the data space throughout his 20+ year career. He’s worked with companies large and small and prides himself in building creative solutions for technical problems.