AWS Security ChangesHomeSearch

AWS redshift high security documentation change

Service: redshift · 2025-04-11 · Security-related high

File: redshift/latest/mgmt/spectrum-enhanced-vpc.md

Summary

Updated S3 bucket policy example by removing Redshift Spectrum UserAgent condition, expanding S3 actions/resources, and removing cluster role policy example

Security assessment

Removes dependency on 'aws:UserAgent' condition which is insecure (spoofable) for authorization. Deletes example using this weak security control, indicating improved security guidance

Diff

diff --git a/redshift/latest/mgmt/spectrum-enhanced-vpc.md b/redshift/latest/mgmt/spectrum-enhanced-vpc.md
index 182bb3fcb..974b01453 100644
--- a//redshift/latest/mgmt/spectrum-enhanced-vpc.md
+++ b//redshift/latest/mgmt/spectrum-enhanced-vpc.md
@@ -48 +48 @@ To use Redshift Spectrum, no IAM policies blocking the use of Amazon S3 presigne
-The following example bucket policy permits access to the specified bucket only from traffic originated by Redshift Spectrum owned by AWS account `123456789012`. 
+The following example bucket policy permits access to the specified bucket owned by AWS account `123456789012`. 
@@ -53 +53,2 @@ The following example bucket policy permits access to the specified bucket only
-    	"Statement": [{
+        "Statement": [
+            {
@@ -59,6 +60,9 @@ The following example bucket policy permits access to the specified bucket only
-    		"Action": ["s3:GetObject", "s3:List*"],
-    		"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*"],
-    		"Condition": {
-    			"StringEquals": {
-    				"aws:UserAgent": "AWS Redshift/Spectrum"
-    			}
+                "Action": [
+                    "s3:GetObject",
+                    "s3:ListBucketVersions",
+                    "s3:ListBucket"
+                ],
+                "Resource": [
+                    "arn:aws:s3:::amzn-s3-demo-bucket",
+                    "arn:aws:s3:::amzn-s3-demo-bucket/*"
+                ]
@@ -66 +70 @@ The following example bucket policy permits access to the specified bucket only
-    	}]
+        ]
@@ -88,13 +90,0 @@ The role attached to your cluster should have a trust relationship that permits
-You can add a policy to the cluster role that prevents COPY and UNLOAD access to a specific bucket. The following policy permits traffic to the specified bucket only from Redshift Spectrum. 
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [{
-            "Effect": "Allow",
-            "Action": ["s3:Get*", "s3:List*"],
-            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
-                    "Condition": {"StringEquals": {"aws:UserAgent": "AWS Redshift/Spectrum"}}
-        }]
-    }
-