AWS Security ChangesHomeSearch

AWS redshift documentation change

Service: redshift · 2025-04-28 · Documentation low

File: redshift/latest/dg/r_UNLOAD.md

Summary

Updated parameter reference links to use more descriptive text (e.g., 'Using the CREDENTIALS parameter' instead of 'CREDENTIALS') and maintained consistency in parameter documentation formatting.

Security assessment

The changes clarify proper usage of encryption parameters (KMS_KEY_ID) and authentication methods (IAM_ROLE, ACCESS_KEY_ID) when unloading encrypted data. While these updates improve security documentation accuracy, there is no evidence they address a specific vulnerability. The modifications help prevent misconfigurations by emphasizing parameter incompatibilities (e.g., CREDENTIALS cannot be used with KMS_KEY_ID), which indirectly supports secure practices.

Diff

diff --git a/redshift/latest/dg/r_UNLOAD.md b/redshift/latest/dg/r_UNLOAD.md
index 0b3ec6396..61f5ab1cc 100644
--- a//redshift/latest/dg/r_UNLOAD.md
+++ b//redshift/latest/dg/r_UNLOAD.md
@@ -194 +194 @@ Specifies that the output files on Amazon S3 are encrypted using Amazon S3 serve
-For ENCRYPTED, you might want to unload to Amazon S3 using server-side encryption with an AWS KMS key (SSE-KMS). If so, use the KMS_KEY_ID parameter to provide the key ID. You can't use the [CREDENTIALS](./copy-parameters-authorization.html#copy-credentials) parameter with the KMS_KEY_ID parameter. If you run an UNLOAD command for data using KMS_KEY_ID, you can then do a COPY operation for the same data without specifying a key. 
+For ENCRYPTED, you might want to unload to Amazon S3 using server-side encryption with an AWS KMS key (SSE-KMS). If so, use the KMS_KEY_ID parameter to provide the key ID. You can't use the [Using the CREDENTIALS parameter](./copy-parameters-authorization.html#copy-credentials) parameter with the KMS_KEY_ID parameter. If you run an UNLOAD command for data using KMS_KEY_ID, you can then do a COPY operation for the same data without specifying a key. 
@@ -196 +196 @@ For ENCRYPTED, you might want to unload to Amazon S3 using server-side encryptio
-To unload to Amazon S3 using client-side encryption with a customer-supplied symmetric key, provide the key in one of two ways. To provide the key, use the MASTER_SYMMETRIC_KEY parameter or the `master_symmetric_key` portion of a [CREDENTIALS](./copy-parameters-authorization.html#copy-credentials) credential string. If you unload data using a root symmetric key, make sure that you supply the same key when you perform a COPY operation for the encrypted data. 
+To unload to Amazon S3 using client-side encryption with a customer-supplied symmetric key, provide the key in one of two ways. To provide the key, use the MASTER_SYMMETRIC_KEY parameter or the `master_symmetric_key` portion of a [Using the CREDENTIALS parameter](./copy-parameters-authorization.html#copy-credentials) credential string. If you unload data using a root symmetric key, make sure that you supply the same key when you perform a COPY operation for the encrypted data. 
@@ -205 +205 @@ KMS_KEY_ID '_key-id_ '
-Specifies the key ID for an AWS Key Management Service (AWS KMS) key to be used to encrypt data files on Amazon S3. For more information, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) If you specify KMS_KEY_ID, you must specify the ENCRYPTED parameter also. If you specify KMS_KEY_ID, you can't authenticate using the CREDENTIALS parameter. Instead, use either [IAM_ROLE](./copy-parameters-authorization.html#copy-iam-role) or [ACCESS_KEY_ID and SECRET_ACCESS_KEY](./copy-parameters-authorization.html#copy-access-key-id). 
+Specifies the key ID for an AWS Key Management Service (AWS KMS) key to be used to encrypt data files on Amazon S3. For more information, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) If you specify KMS_KEY_ID, you must specify the ENCRYPTED parameter also. If you specify KMS_KEY_ID, you can't authenticate using the CREDENTIALS parameter. Instead, use either [Using the IAM_ROLE parameter](./copy-parameters-authorization.html#copy-iam-role) or [Using the ACCESS_KEY_ID and SECRET_ACCESS_KEY parameters](./copy-parameters-authorization.html#copy-access-key-id).