AWS athena high security documentation change
Summary
Added Glue connection configuration guidance, enforced Secrets Manager for credentials, and updated authentication syntax for OpenSearch endpoint secrets
Security assessment
Explicitly mandates AWS Secrets Manager for credential storage (security best practice) and corrects secret format to prevent credential exposure. The change enforces secure credential handling mechanisms.
Diff
diff --git a/athena/latest/ug/connectors-opensearch.md b/athena/latest/ug/connectors-opensearch.md index 2aa30d5f1..257e36ca7 100644 --- a//athena/latest/ug/connectors-opensearch.md +++ b//athena/latest/ug/connectors-opensearch.md @@ -60,0 +61,27 @@ The parameter names and definitions listed below are for Athena data source conn +We recommend that you configure a OpenSearch connector by using a Glue connections object. To do this, set the `glue_connection` environment variable of the OpenSearch connector Lambda to the name of the Glue connection to use. + +**Glue connections properties** + +Use the following command to get the schema for a Glue connection object. This schema contains all the parameters that you can use to control your connection. + + + aws glue describe-connection-type --connection-type OPENSEARCH + +**Lambda environment properties** + + * glue_connection – Specifies the name of the Glue connection associated with the federated connector. + + + + +###### Note + + * All connectors that use Glue connections must use AWS Secrets Manager to store credentials. + + * The OpenSearch connector created using Glue connections does not support the use of a multiplexing handler. + + * The OpenSearch connector created using Glue connections only supports `ConnectionSchemaVersion` 2. + + + + @@ -83 +110,5 @@ The parameter names and definitions listed below are for Athena data source conn -For the purpose of authenticating to an OpenSearch endpoint, the connector supports substitution strings injected using the format `${SecretName}:` with user name and password retrieved from AWS Secrets Manager. The colon (:) at the end of the expression serves as a separator from the rest of the endpoint. +For the purpose of authenticating to an OpenSearch endpoint, the connector supports substitution strings injected using the format `${SecretName}` with user name and password retrieved from AWS Secrets Manager. The secret should be stored in the following JSON format: + + { "username": "your_username", "password": "your_password" } + +The connector will automatically parse this JSON structure to retrieve the credentials.