AWS redshift high security documentation change
Summary
Removed client-side encryption references, updated ENCRYPTED parameter documentation, and deleted MASTER_SYMMETRIC_KEY support
Security assessment
Explicit removal of client-side encryption functionality and parameters (e.g., MASTER_SYMMETRIC_KEY) indicates addressing potential security concerns with this method. The documentation now enforces server-side encryption, which reduces exposure to client-side key management risks.
Diff
diff --git a/redshift/latest/dg/r_UNLOAD.md b/redshift/latest/dg/r_UNLOAD.md index 61f5ab1cc..5c7e5b0cd 100644 --- a//redshift/latest/dg/r_UNLOAD.md +++ b//redshift/latest/dg/r_UNLOAD.md @@ -9 +9,4 @@ Required privileges and permissionsSyntaxParametersUsage notesExamples -Unloads the result of a query to one or more text, JSON, or Apache Parquet files on Amazon S3, using Amazon S3 server-side encryption (SSE-S3). You can also specify server-side encryption with an AWS Key Management Service key (SSE-KMS) or client-side encryption with a customer managed key. +_**Client-side encryption for COPY and UNLOAD commands will no longer be open to new customers starting April 30, 2025. If you used client-side encryption with COPY and UNLOAD commands in the 12 months before April 30, 2025, you can continue to use client side encryption with COPY or UNLOAD commands until April 30, 2026. After April 30, 2026, you won't be able to use client-side encryption for COPY and UNLOAD. We recommend that you switch to using server-side encryption for COPY and UNLOAD as soon as possible. If you're already using server-side encryption for COPY and UNLOAD, there's no change and you can continue to use it without altering your queries. For more information on encryption for COPY and UNLOAD, see the ENCRYPTED parameter below.**_ +--- + +Unloads the result of a query to one or more text, JSON, or Apache Parquet files on Amazon S3, using Amazon S3 server-side encryption (SSE-S3). You can also specify server-side encryption with an AWS Key Management Service key (SSE-KMS). @@ -105,2 +107,0 @@ UNLOAD automatically creates encrypted files using Amazon S3 server-side encrypt -To use Amazon S3 client-side encryption, specify the ENCRYPTED option. - @@ -192 +193 @@ ENCRYPTED [AUTO] -Specifies that the output files on Amazon S3 are encrypted using Amazon S3 server-side encryption or client-side encryption. If MANIFEST is specified, the manifest file is also encrypted. For more information, see [Unloading encrypted data files](./t_unloading_encrypted_files.html). If you don't specify the ENCRYPTED parameter, UNLOAD automatically creates encrypted files using Amazon S3 server-side encryption with AWS-managed encryption keys (SSE-S3). +Specifies that the output files on Amazon S3 are encrypted using Amazon S3 server-side encryption. If MANIFEST is specified, the manifest file is also encrypted. For more information, see [Unloading encrypted data files](./t_unloading_encrypted_files.html). If you don't specify the ENCRYPTED parameter, UNLOAD automatically creates encrypted files using Amazon S3 server-side encryption with AWS-managed encryption keys (SSE-S3). @@ -196,4 +196,0 @@ For ENCRYPTED, you might want to unload to Amazon S3 using server-side encryptio -To unload to Amazon S3 using client-side encryption with a customer-supplied symmetric key, provide the key in one of two ways. To provide the key, use the MASTER_SYMMETRIC_KEY parameter or the `master_symmetric_key` portion of a [Using the CREDENTIALS parameter](./copy-parameters-authorization.html#copy-credentials) credential string. If you unload data using a root symmetric key, make sure that you supply the same key when you perform a COPY operation for the encrypted data. - -UNLOAD doesn't support Amazon S3 server-side encryption with a customer-supplied key (SSE-C). - @@ -207,5 +203,0 @@ Specifies the key ID for an AWS Key Management Service (AWS KMS) key to be used -MASTER_SYMMETRIC_KEY '_root_key_ ' - - -Specifies the root symmetric key to be used to encrypt data files on Amazon S3. If you specify MASTER_SYMMETRIC_KEY, you must specify the ENCRYPTED parameter also. You can't use MASTER_SYMMETRIC_KEY with the CREDENTIALS parameter. For more information, see [Loading encrypted data files from Amazon S3](./c_loading-encrypted-files.html). -