AWS athena high security documentation change
Summary
Clarified spill bucket encryption configuration options and default behavior.
Security assessment
Added documentation about spill encryption defaults (AES-GCM) and KMS key integration, which are security controls. The 'disable_spill_encryption' parameter warning highlights security implications of disabling encryption.
Diff
diff --git a/athena/latest/ug/connectors-redshift.md b/athena/latest/ug/connectors-redshift.md index 246c10ba9..10b1e2f76 100644 --- a//athena/latest/ug/connectors-redshift.md +++ b//athena/latest/ug/connectors-redshift.md @@ -63,0 +64,13 @@ Use the parameters in this section to configure the Redshift connector. +We recommend that you configure a Redshift connector by using a Glue connections object. To do this, set the `glue_connection` environment variable of the Amazon Redshift connector Lambda to the name of the Glue connection to use. + +**Glue connections properties** + +Use the following command to get the schema for a Glue connection object. This schema contains all the parameters that you can use to control your connection. + + + aws glue describe-connection-type --connection-type REDSHIFT + +**Lambda environment properties** + +glue_connection – Specifies the name of the Glue connection associated with the federated connector. + @@ -66 +79 @@ Use the parameters in this section to configure the Redshift connector. -Athena data source connectors created on December 3, 2024 and later use AWS Glue connections. + * All connectors that use Glue connections must use AWS Secrets Manager to store credentials. @@ -68 +81 @@ Athena data source connectors created on December 3, 2024 and later use AWS Glue -### Glue connections (recommended) + * The Redshift connector created using Glue connections does not support the use of a multiplexing handler. @@ -70 +83 @@ Athena data source connectors created on December 3, 2024 and later use AWS Glue -We recommended that you configure a Redshift connector by using a Glue connections object. + * The Redshift connector created using Glue connections only supports `ConnectionSchemaVersion` 2. @@ -72 +84,0 @@ We recommended that you configure a Redshift connector by using a Glue connectio -To do this, set the `glue_connection` environment variable of the Redshift connector Lambda to the name of the Glue connection to use. @@ -74 +85,0 @@ To do this, set the `glue_connection` environment variable of the Redshift conne -Use the following command to get the schema for a Glue connection object. This schema contains all the parameters that you can use to control your connection. @@ -77 +88 @@ Use the following command to get the schema for a Glue connection object. This s - aws glue describe-connection-type --connection-type REDSHIFT +###### Note @@ -79 +90 @@ Use the following command to get the schema for a Glue connection object. This s -### Legacy connections +Athena data source connectors created on December 3, 2024 and later use AWS Glue connections. @@ -82,0 +94,19 @@ The parameter names and definitions listed below are for Athena data source conn +**Lambda environment properties** + + * spill_bucket – Specifies the Amazon S3 bucket for data that exceeds Lambda function limits. + + * spill_prefix – (Optional) Defaults to a subfolder in the specified `spill_bucket` called `athena-federation-spill`. We recommend that you configure an Amazon S3 [storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) on this location to delete spills older than a predetermined number of days or hours. + + * spill_put_request_headers – (Optional) A JSON encoded map of request headers and values for the Amazon S3 `putObject` request that is used for spilling (for example, `{"x-amz-server-side-encryption" : "AES256"}`). For other possible headers, see [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) in the _Amazon Simple Storage Service API Reference_. + + * kms_key_id – (Optional) By default, any data that is spilled to Amazon S3 is encrypted using the AES-GCM authenticated encryption mode and a randomly generated key. To have your Lambda function use stronger encryption keys generated by KMS like `a7e63k4b-8loc-40db-a2a1-4d0en2cd8331`, you can specify a KMS key ID. + + * disable_spill_encryption – (Optional) When set to `True`, disables spill encryption. Defaults to `False` so that data that is spilled to S3 is encrypted using AES-GCM – either using a randomly generated key or KMS to generate keys. Disabling spill encryption can improve performance, especially if your spill location uses [server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). + + * disable_glue – (Optional) If present and set to true, the connector does not attempt to retrieve supplemental metadata from AWS Glue. + + * glue_catalog – (Optional) Use this option to specify a [cross-account AWS Glue catalog](./data-sources-glue-cross-account.html). By default, the connector attempts to get metadata from its own AWS Glue account. + + + + @@ -150,10 +179,0 @@ Currently, the Redshift connector recognizes the `user` and `password` JDBC prop -#### Spill parameters - -The Lambda SDK can spill data to Amazon S3. All database instances accessed by the same Lambda function spill to the same location. - -Parameter | Description ----|--- -`spill_bucket` | Required. Spill bucket name. -`spill_prefix` | Required. Spill bucket key prefix. -`spill_put_request_headers` | (Optional) A JSON encoded map of request headers and values for the Amazon S3 `putObject` request that is used for spilling (for example, `{"x-amz-server-side-encryption" : "AES256"}`). For other possible headers, see [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) in the _Amazon Simple Storage Service API Reference_. -