AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-11-22 · Documentation low

File: cli/latest/reference/redshift-data/execute-statement.md

Summary

Updated AWS CLI command reference for Redshift Data API's execute-statement, including parameter reordering, added secret ARN and database authentication details, event notifications, output field changes, and pattern constraint updates.

Security assessment

The changes clarify authentication methods (Secrets Manager, temporary credentials) and document security-related parameters like --secret-arn and DbGroups output. However, there is no evidence these changes address a specific security vulnerability or incident.

Diff

diff --git a/cli/latest/reference/redshift-data/execute-statement.md b/cli/latest/reference/redshift-data/execute-statement.md
index 0b4dde856..0389ce8a1 100644
--- a//cli/latest/reference/redshift-data/execute-statement.md
+++ b//cli/latest/reference/redshift-data/execute-statement.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.39 Command Reference](../../index.html) »
+  * [AWS CLI 2.32.3 Command Reference](../../index.html) »
@@ -77 +77 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-    [--client-token <value>]
+    --sql <value>
@@ -79 +79 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-    [--database <value>]
+    [--secret-arn <value>]
@@ -80,0 +81,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
+    [--database <value>]
+    [--with-event | --no-with-event]
+    [--statement-name <value>]
@@ -81,0 +85,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
+    [--workgroup-name <value>]
+    [--client-token <value>]
@@ -83,2 +87,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-    [--secret-arn <value>]
-    [--session-id <value>]
@@ -86,4 +89 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-    --sql <value>
-    [--statement-name <value>]
-    [--with-event | --no-with-event]
-    [--workgroup-name <value>]
+    [--session-id <value>]
@@ -114,9 +114 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-`--client-token` (string)
-
-> A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
-> 
-> Constraints:
-> 
->   * min: `1`
->   * max: `64`
-> 
+`--sql` (string) [required]
@@ -123,0 +116 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
+> The SQL statement text to run.
@@ -132,0 +126 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
+>   * pattern: `[a-z][a-z0-9]*(-[a-z0-9]+)*`
@@ -136 +130 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-`--database` (string)
+`--secret-arn` (string)
@@ -138 +132 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
-> The name of the database. This parameter is required when authenticating using either Secrets Manager or temporary credentials.
+> The name or ARN of the secret that enables access to the database. This parameter is required when authenticating using Secrets Manager.
@@ -143,0 +138,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
+`--database` (string)
+
+> The name of the database. This parameter is required when authenticating using either Secrets Manager or temporary credentials.
+
+`--with-event` | `--no-with-event` (boolean)
+
+> A value that indicates whether to send an event to the Amazon EventBridge event bus after the SQL statement runs.
+
+`--statement-name` (string)
+
+> The name of the SQL statement. You can name the SQL statement when you create it to identify the query.
+> 
+> Constraints:
+> 
+>   * min: `0`
+>   * max: `2048`
+> 
+
+
@@ -164 +177 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/redshi
->>>   * pattern: `^[0-9a-zA-Z_]+$`
+>>>   * pattern: `[0-9a-zA-Z_]+`
@@ -196 +209 @@ JSON Syntax:
-`--result-format` (string)
+`--workgroup-name` (string)
@@ -198 +211 @@ JSON Syntax:
-> The data format of the result of the SQL statement. If no format is specified, the default is JSON.
+> The serverless workgroup name or Amazon Resource Name (ARN). This parameter is required when connecting to a serverless workgroup and authenticating using either Secrets Manager or temporary credentials.
@@ -200 +213 @@ JSON Syntax:
-> Possible values:
+> Constraints:
@@ -202,2 +215,3 @@ JSON Syntax:
->   * `JSON`
->   * `CSV`
+>   * min: `3`
+>   * max: `128`
+>   * pattern: `.*((^[a-z0-9-]{3,63}$)|^(arn:(aws(-[a-z]+)*):redshift-serverless:[a-z]{2}(-gov|(-iso[a-z]?))?-[a-z]+-\d{1}:\d{12}:workgroup/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}))`
@@ -207,5 +221 @@ JSON Syntax:
-`--secret-arn` (string)
-
-> The name or ARN of the secret that enables access to the database. This parameter is required when authenticating using Secrets Manager.
-
-`--session-id` (string)
+`--client-token` (string)
@@ -213 +223 @@ JSON Syntax:
-> The session identifier of the query.
+> A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
@@ -217 +227,2 @@ JSON Syntax:
->   * pattern: `^[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(:\d+)?$`
+>   * min: `1`
+>   * max: `64`
@@ -221 +232 @@ JSON Syntax:
-`--session-keep-alive-seconds` (integer)
+`--result-format` (string)
@@ -223 +234 @@ JSON Syntax:
-> The number of seconds to keep the session alive after the query finishes. The maximum time a session can keep alive is 24 hours. After 24 hours, the session is forced closed and the query is terminated.
+> The data format of the result of the SQL statement. If no format is specified, the default is JSON.
@@ -225 +236 @@ JSON Syntax:
-> Constraints:
+> Possible values:
@@ -227,2 +238,2 @@ JSON Syntax:
->   * min: `0`
->   * max: `86400`
+>   * `JSON`
+>   * `CSV`
@@ -232,5 +243 @@ JSON Syntax:
-`--sql` (string) [required]
-
-> The SQL statement text to run.
-
-`--statement-name` (string)
+`--session-keep-alive-seconds` (integer)
@@ -238 +245 @@ JSON Syntax:
-> The name of the SQL statement. You can name the SQL statement when you create it to identify the query.
+> The number of seconds to keep the session alive after the query finishes. The maximum time a session can keep alive is 24 hours. After 24 hours, the session is forced closed and the query is terminated.
@@ -243 +250 @@ JSON Syntax:
->   * max: `500`
+>   * max: `86400`
@@ -247,5 +254 @@ JSON Syntax:
-`--with-event` | `--no-with-event` (boolean)
-
-> A value that indicates whether to send an event to the Amazon EventBridge event bus after the SQL statement runs.
-
-`--workgroup-name` (string)
+`--session-id` (string)
@@ -253 +256 @@ JSON Syntax:
-> The serverless workgroup name or Amazon Resource Name (ARN). This parameter is required when connecting to a serverless workgroup and authenticating using either Secrets Manager or temporary credentials.
+> The session identifier of the query.
@@ -257,3 +260 @@ JSON Syntax:
->   * min: `3`
->   * max: `128`
->   * pattern: `^(([a-z0-9-]+)|(arn:(aws(-[a-z]+)*):redshift-serverless:[a-z]{2}(-gov|(-iso[a-z]?))?-[a-z]+-\d{1}:\d{12}:workgroup/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}))$`
+>   * pattern: `[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(:\d{0,2})?`
@@ -362 +363 @@ Disable automatically prompt for CLI input parameters.
-ClusterIdentifier -> (string)
+Id -> (string)
@@ -364 +365 @@ ClusterIdentifier -> (string)
-> The cluster identifier. This element is not returned when connecting to a serverless workgroup.
+> The identifier of the SQL statement whose results are to be fetched. This value is a universally unique identifier (UUID) generated by Amazon Redshift Data API.
@@ -368,2 +369 @@ ClusterIdentifier -> (string)
->   * min: `1`
->   * max: `63`
+>   * pattern: `[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(:\d{0,2})?`
@@ -377,5 +377 @@ CreatedAt -> (timestamp)
-Database -> (string)
-
-> The name of the database.
-
-DbGroups -> (list)
+ClusterIdentifier -> (string)
@@ -383 +379 @@ DbGroups -> (list)
-> A list of colon (:) separated names of database groups.
+> The cluster identifier. This element is not returned when connecting to a serverless workgroup.
@@ -385 +381,7 @@ DbGroups -> (list)
-> (string)
+> Constraints:
+> 
+>   * min: `1`
+>   * max: `63`
+>   * pattern: `[a-z][a-z0-9]*(-[a-z0-9]+)*`
+> 
+
@@ -391 +393 @@ DbUser -> (string)
-Id -> (string)
+DbGroups -> (list)
@@ -393,5 +395 @@ Id -> (string)
-> The identifier of the SQL statement whose results are to be fetched. This value is a universally unique identifier (UUID) generated by Amazon Redshift Data API.
-> 
-> Constraints:
-> 
->   * pattern: `^[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(:\d+)?$`
+> A list of colon (:) separated names of database groups.
@@ -398,0 +397 @@ Id -> (string)
+> (string)
@@ -399,0 +399,3 @@ Id -> (string)
+Database -> (string)
+
+> The name of the database.
@@ -405 +407 @@ SecretArn -> (string)
-SessionId -> (string)
+WorkgroupName -> (string)
@@ -407 +409 @@ SessionId -> (string)
-> The session identifier of the query.
+> The serverless workgroup name or Amazon Resource Name (ARN). This element is not returned when connecting to a provisioned cluster.
@@ -411 +413,3 @@ SessionId -> (string)
->   * pattern: `^[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}(:\d+)?$`
+>   * min: `3`
+>   * max: `128`
+>   * pattern: `.*((^[a-z0-9-]{3,63}$)|^(arn:(aws(-[a-z]+)*):redshift-serverless:[a-z]{2}(-gov|(-iso[a-z]?))?-[a-z]+-\d{1}:\d{12}:workgroup/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}))`