AWS Security ChangesHomeSearch

AWS athena high security documentation change

Service: athena · 2025-08-13 · Security-related high

File: athena/latest/ug/connectors-redshift.md

Summary

Clarified spill bucket encryption configuration options and default behavior.

Security assessment

Added documentation about spill encryption defaults (AES-GCM) and KMS key integration, which are security controls. The 'disable_spill_encryption' parameter warning highlights security implications of disabling encryption.

Diff

diff --git a/athena/latest/ug/connectors-redshift.md b/athena/latest/ug/connectors-redshift.md
index 246c10ba9..10b1e2f76 100644
--- a//athena/latest/ug/connectors-redshift.md
+++ b//athena/latest/ug/connectors-redshift.md
@@ -63,0 +64,13 @@ Use the parameters in this section to configure the Redshift connector.
+We recommend that you configure a Redshift connector by using a Glue connections object. To do this, set the `glue_connection` environment variable of the Amazon Redshift connector Lambda to the name of the Glue connection to use.
+
+**Glue connections properties**
+
+Use the following command to get the schema for a Glue connection object. This schema contains all the parameters that you can use to control your connection.
+    
+    
+    aws glue describe-connection-type --connection-type REDSHIFT
+
+**Lambda environment properties**
+
+glue_connection – Specifies the name of the Glue connection associated with the federated connector. 
+
@@ -66 +79 @@ Use the parameters in this section to configure the Redshift connector.
-Athena data source connectors created on December 3, 2024 and later use AWS Glue connections.
+  * All connectors that use Glue connections must use AWS Secrets Manager to store credentials.
@@ -68 +81 @@ Athena data source connectors created on December 3, 2024 and later use AWS Glue
-### Glue connections (recommended)
+  * The Redshift connector created using Glue connections does not support the use of a multiplexing handler.
@@ -70 +83 @@ Athena data source connectors created on December 3, 2024 and later use AWS Glue
-We recommended that you configure a Redshift connector by using a Glue connections object. 
+  * The Redshift connector created using Glue connections only supports `ConnectionSchemaVersion` 2.
@@ -72 +84,0 @@ We recommended that you configure a Redshift connector by using a Glue connectio
-To do this, set the `glue_connection` environment variable of the Redshift connector Lambda to the name of the Glue connection to use.
@@ -74 +85,0 @@ To do this, set the `glue_connection` environment variable of the Redshift conne
-Use the following command to get the schema for a Glue connection object. This schema contains all the parameters that you can use to control your connection.
@@ -77 +88 @@ Use the following command to get the schema for a Glue connection object. This s
-    aws glue describe-connection-type --connection-type REDSHIFT
+###### Note
@@ -79 +90 @@ Use the following command to get the schema for a Glue connection object. This s
-### Legacy connections
+Athena data source connectors created on December 3, 2024 and later use AWS Glue connections.
@@ -82,0 +94,19 @@ The parameter names and definitions listed below are for Athena data source conn
+**Lambda environment properties**
+
+  * spill_bucket – Specifies the Amazon S3 bucket for data that exceeds Lambda function limits.
+
+  * spill_prefix – (Optional) Defaults to a subfolder in the specified `spill_bucket` called `athena-federation-spill`. We recommend that you configure an Amazon S3 [storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) on this location to delete spills older than a predetermined number of days or hours.
+
+  * spill_put_request_headers – (Optional) A JSON encoded map of request headers and values for the Amazon S3 `putObject` request that is used for spilling (for example, `{"x-amz-server-side-encryption" : "AES256"}`). For other possible headers, see [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) in the _Amazon Simple Storage Service API Reference_.
+
+  * kms_key_id – (Optional) By default, any data that is spilled to Amazon S3 is encrypted using the AES-GCM authenticated encryption mode and a randomly generated key. To have your Lambda function use stronger encryption keys generated by KMS like `a7e63k4b-8loc-40db-a2a1-4d0en2cd8331`, you can specify a KMS key ID.
+
+  * disable_spill_encryption – (Optional) When set to `True`, disables spill encryption. Defaults to `False` so that data that is spilled to S3 is encrypted using AES-GCM – either using a randomly generated key or KMS to generate keys. Disabling spill encryption can improve performance, especially if your spill location uses [server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).
+
+  * disable_glue – (Optional) If present and set to true, the connector does not attempt to retrieve supplemental metadata from AWS Glue.
+
+  * glue_catalog – (Optional) Use this option to specify a [cross-account AWS Glue catalog](./data-sources-glue-cross-account.html). By default, the connector attempts to get metadata from its own AWS Glue account.
+
+
+
+
@@ -150,10 +179,0 @@ Currently, the Redshift connector recognizes the `user` and `password` JDBC prop
-#### Spill parameters
-
-The Lambda SDK can spill data to Amazon S3. All database instances accessed by the same Lambda function spill to the same location.
-
-Parameter | Description  
----|---  
-`spill_bucket` | Required. Spill bucket name.  
-`spill_prefix` | Required. Spill bucket key prefix.  
-`spill_put_request_headers` | (Optional) A JSON encoded map of request headers and values for the Amazon S3 `putObject` request that is used for spilling (for example, `{"x-amz-server-side-encryption" : "AES256"}`). For other possible headers, see [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) in the _Amazon Simple Storage Service API Reference_.  
-