AWS Security ChangesHomeSearch

AWS clean-rooms high security documentation change

Service: clean-rooms · 2025-07-18 · Security-related high

File: clean-rooms/latest/userguide/dp-limitations.md

Summary

Updated documentation about SQL constructs that break differential privacy guarantees, added detailed categorization of vulnerable functions across SQL engines, and emphasized monitoring for security-relevant error codes

Security assessment

The changes explicitly warn that overflow/cast errors can break differential privacy guarantees (a core security feature) and provide specific error codes ('CastError', 'OverflowError') to monitor for potential side-channel attacks. The documentation now clearly links these technical limitations to security implications and provides mitigation guidance through CloudWatch monitoring.

Diff

diff --git a/clean-rooms/latest/userguide/dp-limitations.md b/clean-rooms/latest/userguide/dp-limitations.md
index f02381776..3bdc72ee7 100644
--- a//clean-rooms/latest/userguide/dp-limitations.md
+++ b//clean-rooms/latest/userguide/dp-limitations.md
@@ -9 +9 @@ AWS Clean Rooms Differential Privacy doesn't address the following situations:
-  1. AWS Clean Rooms Differential Privacy only supports Amazon S3-backed AWS Glue tables. It does not support queries with Snowflake or Amazon Athena tables.
+  1. AWS Clean Rooms Differential Privacy only supports queries with Amazon S3-backed AWS Glue tables. It doesn't support queries with Snowflake or Amazon Athena tables.
@@ -13 +13 @@ AWS Clean Rooms Differential Privacy doesn't address the following situations:
-  3. AWS Clean Rooms Differential Privacy doesn't guarantee differential privacy when a SQL query can result in overflow or invalid cast errors at run time due to the use of certain SQL constructs. The following table is a list of some, but not all, SQL constructs that may produce run-time errors and should be verified in analysis templates. We recommend that you approve analysis templates that minimize the chances of such run-time errors and periodically review query logs to determine if the queries align with the collaboration agreement.
+  3. AWS Clean Rooms Differential Privacy doesn't guarantee differential privacy when a SQL query can result in overflow or invalid cast errors at run time due to the use of certain SQL constructs. 
@@ -15,5 +15 @@ AWS Clean Rooms Differential Privacy doesn't address the following situations:
-The following SQL constructs are vulnerable to overflow errors:
-
-     * Aggregate functions - AVG, LISTAVG, PERCENTILE_COUNT, PERCENTILE_DISC, SUM/SUM_DISTINCT
-
-     * Data type formatting functions - TO_TIMESTAMP, TO_DATE
+The following table is a list of some, but not all, SQL constructs that may produce run-time errors and should be verified in analysis templates. We recommend that you approve analysis templates that minimize the chances of such run-time errors and periodically review query logs to determine if the queries align with the collaboration agreement.
@@ -21,3 +17 @@ The following SQL constructs are vulnerable to overflow errors:
-     * Date and time functions - ADD_MONTHS, DATEADD, DATEDIFF
-
-     * Math functions - +, -, *, /, POWER
+The following SQL constructs are vulnerable to overflow errors:
@@ -25 +19,50 @@ The following SQL constructs are vulnerable to overflow errors:
-     * String functions - ||, CONCAT, REPEAT, REPLICATE
+Category | SQL constructs vulnerable to overflow errors in the Spark SQL analytics engine | SQL constructs vulnerable to overflow errors in the AWS Clean Rooms SQL analytics engine  
+---|---|---  
+Aggregate functions | 
+     * AVG
+     * SUM/SUM_DISTINCT
+| 
+     * AVG
+     * LISTAVG
+     * PERCENTILE_COUNT
+     * PERCENTILE_DISC
+     * SUM/SUM_DISTINCT  
+Data type formatting functions | 
+     * TO_TIMESTAMP
+     * TO_DATE
+| 
+     * TO_TIMESTAMP
+     * TO_DATE  
+Date and time functions | 
+     * ADD_MONTHS
+     * DATEADD
+     * DATEDIFF
+| 
+     * ADD_MONTHS
+     * DATEADD
+     * DATEDIFF  
+Math functions | 
+     * +, -, *, /
+     * POWER
+| 
+     * +, -, *, /
+     * POWER  
+String functions | 
+     * ||
+     * CONCAT
+     * REPEAT
+| 
+     * ||
+     * CONCAT
+     * REPEAT
+     * REPLICATE  
+Window functions | 
+     * AVG
+     * SUM
+| 
+     * AVG
+     * LISTAVG
+     * PERCENTILE_COUNT
+     * PERCENTILE_DISC
+     * RATIO_TO_REPORT
+     * SUM  
@@ -27 +70 @@ The following SQL constructs are vulnerable to overflow errors:
-     * Window functions - AVG, LISTAGG, PERCENTILE_COUNT, PERCENTILE_DISC, RATIO_TO_REPORT, SUM
+  4. The CAST data type formatting function is vulnerable to invalid cast errors.
@@ -29 +72 @@ The following SQL constructs are vulnerable to overflow errors:
-The CAST data type formatting function is vulnerable to invalid cast errors.
+You can configure [CloudWatch to create a metric filter for a log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) and then [create a CloudWatch alarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) on that metric filter to receive alerts if a potential overflow or cast error was encountered. 
@@ -31 +74 @@ The CAST data type formatting function is vulnerable to invalid cast errors.
-You can configure [CloudWatch to create a metric filter for a log group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) and then [create a CloudWatch alarm](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) on that metric filter to receive alerts if a potential overflow or cast error was encountered. Specifically, you should monitor for the error codes `CastError`, `OverflowError`, `ConversionError`. The presence of these error codes indicates a potential side-channel attack, but might indicate an erroneous SQL query.
+Specifically, you should monitor for the error codes `CastError`, `OverflowError`, `ConversionError`. The presence of these error codes indicates a potential side-channel attack, but might indicate an erroneous SQL query.