AWS clean-rooms high security documentation change
Summary
Updated documentation about SQL constructs that break differential privacy guarantees, added detailed categorization of vulnerable functions across SQL engines, and emphasized monitoring for security-relevant error codes
Security assessment
The changes explicitly warn that overflow/cast errors can break differential privacy guarantees (a core security feature) and provide specific error codes ('CastError', 'OverflowError') to monitor for potential side-channel attacks. The documentation now clearly links these technical limitations to security implications and provides mitigation guidance through CloudWatch monitoring.
Diff
diff --git a/clean-rooms/latest/userguide/dp-limitations.md b/clean-rooms/latest/userguide/dp-limitations.md index f02381776..3bdc72ee7 100644 --- a//clean-rooms/latest/userguide/dp-limitations.md +++ b//clean-rooms/latest/userguide/dp-limitations.md @@ -9 +9 @@ AWS Clean Rooms Differential Privacy doesn't address the following situations: - 1. AWS Clean Rooms Differential Privacy only supports Amazon S3-backed AWS Glue tables. It does not support queries with Snowflake or Amazon Athena tables. + 1. AWS Clean Rooms Differential Privacy only supports queries with Amazon S3-backed AWS Glue tables. It doesn't support queries with Snowflake or Amazon Athena tables. @@ -13 +13 @@ AWS Clean Rooms Differential Privacy doesn't address the following situations: - 3. AWS Clean Rooms Differential Privacy doesn't guarantee differential privacy when a SQL query can result in overflow or invalid cast errors at run time due to the use of certain SQL constructs. The following table is a list of some, but not all, SQL constructs that may produce run-time errors and should be verified in analysis templates. We recommend that you approve analysis templates that minimize the chances of such run-time errors and periodically review query logs to determine if the queries align with the collaboration agreement. + 3. AWS Clean Rooms Differential Privacy doesn't guarantee differential privacy when a SQL query can result in overflow or invalid cast errors at run time due to the use of certain SQL constructs. @@ -15,5 +15 @@ AWS Clean Rooms Differential Privacy doesn't address the following situations: -The following SQL constructs are vulnerable to overflow errors: - - * Aggregate functions - AVG, LISTAVG, PERCENTILE_COUNT, PERCENTILE_DISC, SUM/SUM_DISTINCT - - * Data type formatting functions - TO_TIMESTAMP, TO_DATE +The following table is a list of some, but not all, SQL constructs that may produce run-time errors and should be verified in analysis templates. We recommend that you approve analysis templates that minimize the chances of such run-time errors and periodically review query logs to determine if the queries align with the collaboration agreement. @@ -21,3 +17 @@ The following SQL constructs are vulnerable to overflow errors: - * Date and time functions - ADD_MONTHS, DATEADD, DATEDIFF - - * Math functions - +, -, *, /, POWER +The following SQL constructs are vulnerable to overflow errors: @@ -25 +19,50 @@ The following SQL constructs are vulnerable to overflow errors: - * String functions - ||, CONCAT, REPEAT, REPLICATE +Category | SQL constructs vulnerable to overflow errors in the Spark SQL analytics engine | SQL constructs vulnerable to overflow errors in the AWS Clean Rooms SQL analytics engine +---|---|--- +Aggregate functions | + * AVG + * SUM/SUM_DISTINCT +| + * AVG + * LISTAVG + * PERCENTILE_COUNT + * PERCENTILE_DISC + * SUM/SUM_DISTINCT +Data type formatting functions | + * TO_TIMESTAMP + * TO_DATE +| + * TO_TIMESTAMP + * TO_DATE +Date and time functions | + * ADD_MONTHS + * DATEADD + * DATEDIFF +| + * ADD_MONTHS + * DATEADD + * DATEDIFF +Math functions | + * +, -, *, / + * POWER +| + * +, -, *, / + * POWER +String functions | + * || + * CONCAT + * REPEAT +| + * || + * CONCAT + * REPEAT + * REPLICATE +Window functions | + * AVG + * SUM +| + * AVG + * LISTAVG + * PERCENTILE_COUNT + * PERCENTILE_DISC + * RATIO_TO_REPORT + * SUM @@ -27 +70 @@ The following SQL constructs are vulnerable to overflow errors: - * Window functions - AVG, LISTAGG, PERCENTILE_COUNT, PERCENTILE_DISC, RATIO_TO_REPORT, SUM + 4. The CAST data type formatting function is vulnerable to invalid cast errors. @@ -29 +72 @@ The following SQL constructs are vulnerable to overflow errors: -The CAST data type formatting function is vulnerable to invalid cast errors. +You can configure [CloudWatch to create a metric filter for a log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) and then [create a CloudWatch alarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) on that metric filter to receive alerts if a potential overflow or cast error was encountered. @@ -31 +74 @@ The CAST data type formatting function is vulnerable to invalid cast errors. -You can configure [CloudWatch to create a metric filter for a log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) and then [create a CloudWatch alarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) on that metric filter to receive alerts if a potential overflow or cast error was encountered. Specifically, you should monitor for the error codes `CastError`, `OverflowError`, `ConversionError`. The presence of these error codes indicates a potential side-channel attack, but might indicate an erroneous SQL query. +Specifically, you should monitor for the error codes `CastError`, `OverflowError`, `ConversionError`. The presence of these error codes indicates a potential side-channel attack, but might indicate an erroneous SQL query.