AWS Security ChangesHomeSearch

AWS redshift documentation change

Service: redshift · 2025-09-28 · Documentation low

File: redshift/latest/dg/r_GRANT.md

Summary

Expanded GRANT syntax to include dynamic data masking policies alongside row-level security policies. Added documentation for EXPLAIN MASKING permissions and policy type distinctions.

Security assessment

The changes explicitly document permissions related to security policies (row-level security and dynamic data masking), but there is no evidence of addressing a specific vulnerability. This update enhances documentation of existing security controls rather than patching an issue.

Diff

diff --git a/redshift/latest/dg/r_GRANT.md b/redshift/latest/dg/r_GRANT.md
index 1e295ccc8..6aac783a0 100644
--- a//redshift/latest/dg/r_GRANT.md
+++ b//redshift/latest/dg/r_GRANT.md
@@ -236 +236 @@ The following is the syntax for granting system permissions to roles on Amazon R
-The following is the syntax for granting permissions to explain the row-level security policy filters of a query in the EXPLAIN plan. You can revoke the privilege using the REVOKE statement.
+The following is the syntax for granting permissions to explain the security policy filters of a query in the EXPLAIN plan. Possible security policies include row-level security policies and dynamic data masking policies.
@@ -239 +239 @@ The following is the syntax for granting permissions to explain the row-level se
-    GRANT EXPLAIN RLS TO ROLE _rolename_ 
+    GRANT EXPLAIN { RLS | MASKING } TO ROLE _rolename_ 
@@ -241 +241 @@ The following is the syntax for granting permissions to explain the row-level se
-The following is the syntax for granting permissions to bypass row-level security policies for a query. 
+The following is the syntax for granting permissions to bypass row-level security policies for a query. This syntax doesn't apply to dynamic data masking policies.
@@ -246 +246 @@ The following is the syntax for granting permissions to bypass row-level securit
-The following is the syntax for granting permissions to the specified row-level security policy.
+The following is the syntax for granting lookup table permissions to the specified security policy. Possible security policies include row-level security policies and dynamic data masking policies.
@@ -250 +250 @@ The following is the syntax for granting permissions to the specified row-level
-    TO RLS POLICY _policy_name_ [, ...]
+    TO { RLS | MASKING } POLICY _policy_name_ [, ...]
@@ -557 +557 @@ The WITH ADMIN OPTION clause provides the administration options for all the gra
-EXPLAIN RLS TO ROLE _rolename_
+EXPLAIN { RLS | MASKING } TO ROLE _rolename_
@@ -560 +560 @@ EXPLAIN RLS TO ROLE _rolename_
-Grants the permission to explain the row-level security policy filters of a query in the EXPLAIN plan to a role.
+Grants the permission to explain the security policy filters of a query in the EXPLAIN plan to a role. RLS grants permission to explain row-level security policy filters. MASKING grants permission to explain dynamic data masking policy filters.
@@ -566,0 +567,5 @@ Grants the permission to bypass row-level security policies for a query to a rol
+TO { RLS | MASKING } POLICY _policy_name_
+    
+
+Indicates the security policy receiving the permissions. TO RLS POLICY indicates a row-level security policy. TO MASKING POLICY indicates a dynamic data masking policy.
+