Hey everyone! Is anyone using dbt with Redshift? I'm trying to figure out the best way to securely give developers access to our production Redshift instance, specifically to a _DEV schema. We have a separate AWS dev account, but that's not a viable option for us at the moment. I can use a VPN for access, but I'm curious about what solutions others might be using that minimize friction and have a smaller security blast radius. Also, restrictions at the security group level won't work since the developers' IPs are dynamic and change frequently. Any suggestions?
3 Answers
Have you considered setting up an SSH tunnel through a jump station? It could add a layer of security without too much hassle.
Another option is using Cloudflare Zero Trust. You just need to host a cloudflared Docker container within your Redshift VPC to facilitate tunneling to RDS.
One option is to use the SSM Session Manager. You can connect to an EC2 instance that's in the same private subnet as your Redshift cluster. This keeps your access secure without exposing your cluster directly. Check out this article for more info: [how to access Redshift from a local machine](https://repost.aws/articles/AR_6F1CF0dRMCwDkC-2cNJUQ/access-a-private-amazon-redshift-from-a-local-machine-via-a-private-ec2-instance).
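The SSM Session Manager route this answer describes, written out as an added example (not code from the thread or from the linked article). The instance id, cluster endpoint, ports and the `dev_user`/`analytics` names are placeholders; it assumes the EC2 instance runs the SSM agent with an instance role that allows Session Manager, and that the laptop has the AWS CLI plus the Session Manager plugin. The developer's own IAM identity must be allowed `ssm:StartSession` on that instance and on the port-forwarding document, which is what keeps the blast radius small: no inbound security-group rule, no public IP, no SSH key to rotate.

```shell
#!/bin/sh
# Added example: forward a local port to a private Redshift endpoint through a
# private EC2 instance using SSM Session Manager. Not from the original thread.
# Placeholders (assumptions): INSTANCE_ID, REDSHIFT_HOST, ports, user/db names.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # private EC2 in the cluster's subnet
REDSHIFT_HOST="${REDSHIFT_HOST:-mycluster.abc123xyz.us-east-1.redshift.amazonaws.com}"
REDSHIFT_PORT="${REDSHIFT_PORT:-5439}"
LOCAL_PORT="${LOCAL_PORT:-5439}"

# Build the --parameters JSON for the AWS-StartPortForwardingSessionToRemoteHost
# document. Pure function, so it can be checked without calling AWS.
ssm_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Sanity checks before touching the API: an EC2 instance id is i- followed by
# 8 or 17 hex characters; ports must be integers in 1..65535.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}
valid_port() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

start_tunnel() {
  valid_instance_id "$INSTANCE_ID" || { echo "bad instance id: $INSTANCE_ID" >&2; return 1; }
  valid_port "$REDSHIFT_PORT" || { echo "bad remote port: $REDSHIFT_PORT" >&2; return 1; }
  valid_port "$LOCAL_PORT" || { echo "bad local port: $LOCAL_PORT" >&2; return 1; }
  # Session Manager carries the TCP stream over HTTPS to the SSM service, so the
  # instance needs only outbound 443 (or SSM VPC endpoints), never inbound 22.
  aws ssm start-session \
    --target "$INSTANCE_ID" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_params "$REDSHIFT_HOST" "$REDSHIFT_PORT" "$LOCAL_PORT")"
}

# Only open the tunnel when explicitly asked, so sourcing this file does not
# call AWS.  Usage:  sh ssm_tunnel.sh start
# Then, in another terminal, point psql or the dbt profile at the local end:
#   psql "host=$REDSHIFT_HOST hostaddr=127.0.0.1 port=$LOCAL_PORT user=dev_user dbname=analytics sslmode=verify-full"
if [ "${1:-}" = "start" ]; then
  start_tunnel
fi
```

Because the tunnel terminates on localhost, a plain `-h localhost` connection with `sslmode=verify-full` fails hostname verification against the cluster's certificate; libpq's `host=<cluster endpoint> hostaddr=127.0.0.1` form (as in the comment above) connects to the local port while still verifying the certificate against the real endpoint name (with `sslrootcert` pointing at the Redshift CA bundle). Developer IPs changing is no longer a problem, since the only network path is the developer's authenticated SSM session.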
Yeah, that or using a VPN client seems perfectly reasonable for managing access.
Just keep in mind that exposing your VPC on port 22 of a publicly hosted instance is generally a bad security practice.