AWS Security ChangesHomeSearch

AWS redshift documentation change

Service: redshift · 2025-04-28 · Documentation medium

File: redshift/latest/dg/copy-parameters-authorization.md

Summary

Restructured authorization parameters documentation with added examples and section headers

Security assessment

The changes improve documentation for authentication methods (IAM roles, access keys, credentials) but do not address specific vulnerabilities. Added examples show proper credential usage patterns, which enhances security awareness.

Diff

diff --git a/redshift/latest/dg/copy-parameters-authorization.md b/redshift/latest/dg/copy-parameters-authorization.md
index 867dd27c8..a4053b760 100644
--- a//redshift/latest/dg/copy-parameters-authorization.md
+++ b//redshift/latest/dg/copy-parameters-authorization.md
@@ -4,0 +5,2 @@
+Using IAM_ROLEUsing ACCESS_KEY_ID and SECRET_ACCESS_KEYUsing CREDENTIALS
+
@@ -22 +24 @@ Use one of the following to provide authorization for the COPY command:
-  * IAM_ROLE parameter
+  * Using the IAM_ROLE parameter parameter
@@ -24 +26 @@ Use one of the following to provide authorization for the COPY command:
-  * ACCESS_KEY_ID and SECRET_ACCESS_KEY parameters
+  * Using the ACCESS_KEY_ID and SECRET_ACCESS_KEY parameters parameters
@@ -26 +28 @@ Use one of the following to provide authorization for the COPY command:
-  * CREDENTIALS clause
+  * Using the CREDENTIALS parameter clause
@@ -31 +33 @@ Use one of the following to provide authorization for the COPY command:
-IAM_ROLE { default | 'arn:aws:iam::`<AWS account-id>`:role/`<role-name>`' }
+## Using the IAM_ROLE parameter
@@ -32,0 +35 @@ IAM_ROLE { default | 'arn:aws:iam::`<AWS account-id>`:role/`<role-name>`' }
+### IAM_ROLE
@@ -45 +48 @@ For more information, see [Role-based access control](./copy-usage_notes-access-
-ACCESS_KEY_ID '_access-key-id_ ' SECRET_ACCESS_KEY '_secret-access-key_ '
+## Using the ACCESS_KEY_ID and SECRET_ACCESS_KEY parameters
@@ -46,0 +50 @@ ACCESS_KEY_ID '_access-key-id_ ' SECRET_ACCESS_KEY '_secret-access-key_ '
+### ACCESS_KEY_ID, SECRET_ACCESS_KEY
@@ -54,2 +58 @@ Instead of providing access credentials as plain text, we strongly recommend usi
-SESSION_TOKEN '_temporary-token_ '
-    
+### SESSION_TOKEN
@@ -72 +75 @@ If you specify SESSION_TOKEN you can't use CREDENTIALS or IAM_ROLE.
-[WITH] CREDENTIALS [AS] '_credentials-args_ '
+## Using the CREDENTIALS parameter
@@ -73,0 +77 @@ If you specify SESSION_TOKEN you can't use CREDENTIALS or IAM_ROLE.
+### CREDENTIALS
@@ -76,0 +81,5 @@ A clause that indicates the method your cluster will use when accessing other AW
+The following shows the syntax for the CREDENTIALS parameter.
+    
+    
+    [WITH] CREDENTIALS [AS] 'credentials-args'
+
@@ -103,0 +113,7 @@ To use temporary token credentials, you must provide the temporary access key ID
+A COPY command using role-based access control with temporary credentials would resemble the following sample statement: 
+    
+    
+    COPY customer FROM 's3://amzn-s3-demo-bucket/mydata' 
+    CREDENTIALS
+    'aws_access_key_id=<temporary-access-key-id>;aws_secret_access_key=<temporary-secret-access-key-id>;token=<temporary-token>'
+
@@ -112 +128 @@ If the [ENCRYPTED](./copy-parameters-data-source-s3.html#copy-encrypted) paramet
-For example, the following COPY command uses role-based access control with an encryption key.
+A COPY command using role-based access control with an encryption key would resemble the following sample statement:
@@ -115,2 +131,2 @@ For example, the following COPY command uses role-based access control with an e
-    copy customer from 's3://amzn-s3-demo-bucket/mydata' 
-    credentials 
+    COPY customer FROM 's3://amzn-s3-demo-bucket/mydata' 
+    CREDENTIALS 
@@ -119,7 +134,0 @@ For example, the following COPY command uses role-based access control with an e
-The following COPY command shows role-based access control with an encryption key.
-    
-    
-    copy customer from 's3://amzn-s3-demo-bucket/mydata' 
-    credentials 
-    'aws_iam_role=arn:aws:iam::<aws-account-id>:role/<role-name>;master_symmetric_key=<root-key>'
-