AWS redshift documentation change
Summary
Expanded GRANT syntax to include dynamic data masking policies alongside row-level security policies. Added documentation for EXPLAIN MASKING permissions and policy type distinctions.
Security assessment
The changes explicitly document permissions related to security policies (row-level security and dynamic data masking), but there is no evidence of addressing a specific vulnerability. This update enhances documentation of existing security controls rather than patching an issue.
Diff
diff --git a/redshift/latest/dg/r_GRANT.md b/redshift/latest/dg/r_GRANT.md index 1e295ccc8..6aac783a0 100644 --- a//redshift/latest/dg/r_GRANT.md +++ b//redshift/latest/dg/r_GRANT.md @@ -236 +236 @@ The following is the syntax for granting system permissions to roles on Amazon R -The following is the syntax for granting permissions to explain the row-level security policy filters of a query in the EXPLAIN plan. You can revoke the privilege using the REVOKE statement. +The following is the syntax for granting permissions to explain the security policy filters of a query in the EXPLAIN plan. Possible security policies include row-level security policies and dynamic data masking policies. @@ -239 +239 @@ The following is the syntax for granting permissions to explain the row-level se - GRANT EXPLAIN RLS TO ROLE _rolename_ + GRANT EXPLAIN { RLS | MASKING } TO ROLE _rolename_ @@ -241 +241 @@ The following is the syntax for granting permissions to explain the row-level se -The following is the syntax for granting permissions to bypass row-level security policies for a query. +The following is the syntax for granting permissions to bypass row-level security policies for a query. This syntax doesn't apply to dynamic data masking policies. @@ -246 +246 @@ The following is the syntax for granting permissions to bypass row-level securit -The following is the syntax for granting permissions to the specified row-level security policy. +The following is the syntax for granting lookup table permissions to the specified security policy. Possible security policies include row-level security policies and dynamic data masking policies. @@ -250 +250 @@ The following is the syntax for granting permissions to the specified row-level - TO RLS POLICY _policy_name_ [, ...] + TO { RLS | MASKING } POLICY _policy_name_ [, ...] @@ -557 +557 @@ The WITH ADMIN OPTION clause provides the administration options for all the gra -EXPLAIN RLS TO ROLE _rolename_ +EXPLAIN { RLS | MASKING } TO ROLE _rolename_ @@ -560 +560 @@ EXPLAIN RLS TO ROLE _rolename_ -Grants the permission to explain the row-level security policy filters of a query in the EXPLAIN plan to a role. +Grants the permission to explain the security policy filters of a query in the EXPLAIN plan to a role. RLS grants permission to explain row-level security policy filters. MASKING grants permission to explain dynamic data masking policy filters. @@ -566,0 +567,5 @@ Grants the permission to bypass row-level security policies for a query to a rol +TO { RLS | MASKING } POLICY _policy_name_ + + +Indicates the security policy receiving the permissions. TO RLS POLICY indicates a row-level security policy. TO MASKING POLICY indicates a dynamic data masking policy. +