AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-02-27 · Documentation low

File: AmazonRDS/latest/UserGuide/rds-proxy-secrets-arns.md

Summary

Updated documentation for RDS Proxy secrets management, including clearer instructions for creating secrets in Secrets Manager, added step-by-step guidance, and improved CLI command examples

Security assessment

The changes enhance documentation about securely managing database credentials using Secrets Manager with RDS Proxy, but there is no evidence of addressing a specific security vulnerability or incident

Diff

diff --git a/AmazonRDS/latest/UserGuide/rds-proxy-secrets-arns.md
index 18bbf118f..814b6f6bd 100644
--- a/AmazonRDS/latest/UserGuide/rds-proxy-secrets-arns.md
+++ b/AmazonRDS/latest/UserGuide/rds-proxy-secrets-arns.md
@@ -4,0 +5,2 @@
+Creating secrets to use with RDS Proxy
+
@@ -7 +9,14 @@
-For each proxy that you create, you first use the Secrets Manager service to store sets of user name and password credentials. You create a separate Secrets Manager secret for each database user account that the proxy connects to on the RDS DB instance. 
+RDS Proxy in Amazon RDS uses AWS Secrets Manager to store and manage database credentials securely. Instead of embedding credentials in your application, you associate a proxy with a Secrets Manager secret that contains the necessary authentication details. You create a separate Secrets Manager secret for each database user account that the proxy connects to on the RDS DB instance.
+
+###### Topics
+
+  * Creating secrets to use with RDS Proxy
+
+
+
+
+## Creating secrets to use with RDS Proxy
+
+Before you create a proxy, you must first create at least one secret that stores your database credentials.
+
+###### To create a secret
@@ -9 +24 @@ For each proxy that you create, you first use the Secrets Manager service to sto
-In Secrets Manager console, you create these secrets with values for the `username` and `password` fields. Doing so allows the proxy to connect to the corresponding database users on a RDS DB instance that you associate with the proxy. To do this, you can use the setting **Credentials for other database** , **Credentials for RDS database** , or **Other type of secrets**. Fill in the appropriate values for the **User name** and **Password** fields, and values for any other required fields. The proxy ignores other fields such as **Host** and **Port** if they're present in the secret. Those details are automatically supplied by the proxy. 
+  1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).
@@ -11 +26 @@ In Secrets Manager console, you create these secrets with values for the `userna
-You can also choose **Other type of secrets**. In this case, you create the secret with keys named `username` and `password`. 
+  2. Choose **Store a new secret**.
@@ -13 +28,5 @@ You can also choose **Other type of secrets**. In this case, you create the secr
-To connect through the proxy as a specific database user, make sure that the password associated with a secret matches the database password for that user. If there's a mismatch, you can update the associated secret in Secrets Manager. In this case, you can still connect to other accounts where the secret credentials and the database passwords do match. 
+  3. Choose **Credentials for Amazon RDS database**.
+
+  4. Enter a user name and password. The credentials that you enter must match the credentials of a database user that exists in the associated RDS database. RDS Proxy uses these credentials to authenticate and establish connections to the database on behalf of applications.
+
+If there's a mismatch, you can update the secret to match the database password. Until you update the secret, attempts to connect through the proxy using that secret fail, but connections using other valid secrets still work.
@@ -17 +36 @@ To connect through the proxy as a specific database user, make sure that the pas
-For RDS for SQL Server, RDS Proxy needs a secret in Secrets Manager that is case sensitive to application code irrespective of the DB instance collation settings. For example, if your application can use both usernames "Admin" or "admin", then configure the proxy with secrets for both "Admin" and "admin". RDS Proxy does not accommodate username case-insensitivity in the authentication process between the client and proxy.
+For RDS for SQL Server, RDS Proxy requires a case-sensitive secret in Secrets Manager, regardless of the DB instance collation settings. If your application allows usernames with different capitalizations, such as "Admin" and "admin," you must create separate secrets for each. RDS Proxy doesn't support case-insensitive username authentication between the client and proxy.
@@ -21 +40,4 @@ For more information about collation in SQL Server, see the [ Microsoft SQL Serv
-When you create a proxy through the AWS CLI or RDS API, you specify the Amazon Resource Names (ARNs) of the corresponding secrets. You do so for all the DB user accounts that the proxy can access. In the AWS Management Console, you choose the secrets by their descriptive names. 
+  5. For **Database** , select the Amazon RDS database that the secret will access.
+
+  6. Fill in other settings for the secret, then choose **Store**. For comprehensive instructions, see [Creating an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the _AWS Secrets Manager User Guide_. 
+
@@ -23 +44,0 @@ When you create a proxy through the AWS CLI or RDS API, you specify the Amazon R
-For instructions about creating secrets in Secrets Manager, see the [Creating a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) page in the Secrets Manager documentation. Use one of the following techniques: 
@@ -25 +45,0 @@ For instructions about creating secrets in Secrets Manager, see the [Creating a
-  * Use [Secrets Manager](https://aws.amazon.com/secrets-manager/) in the console. 
@@ -27 +47 @@ For instructions about creating secrets in Secrets Manager, see the [Creating a
-  * To use the CLI to create a Secrets Manager secret for use with RDS Proxy, use a command such as the following. 
+When you create a proxy through the AWS CLI, you specify the Amazon Resource Names (ARNs) of the corresponding secrets. You do so for all the DB user accounts that the proxy can access. In the AWS Management Console, you choose the secrets by their descriptive names.
@@ -29,4 +49,6 @@ For instructions about creating secrets in Secrets Manager, see the [Creating a
-        aws secretsmanager create-secret
-      --name "secret_name"
-      --description "secret_description"
-      --region region_name
+  * To create a Secrets Manager secret for use with RDS Proxy, use the [create-secret](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/create-secret.html) command:
+    
+        aws secretsmanager create-secret \
+      --name "secret_name" \
+      --description "secret_description" \
+      --region region_name \
@@ -37,3 +59,2 @@ For instructions about creating secrets in Secrets Manager, see the [Creating a
-        PREFIX=my_identifier
-    aws kms create-key --description "$PREFIX-test-key" --policy '{
-      "Id":"$PREFIX-kms-policy",
+        aws kms create-key --description "test-key" --policy '{
+      "Id":"kms-policy",
@@ -105 +126 @@ To create these secrets encrypted with your custom AWS KMS key, use the followin
-      --secret-string '{"username":"admin","password":"choose_your_own_password"}'
+      --secret-string '{"username":"admin","password":"choose_your_own_password"}' \
@@ -110 +131 @@ To create these secrets encrypted with your custom AWS KMS key, use the followin
-      --secret-string '{"username":"app-user","password":"choose_your_own_password"}'
+      --secret-string '{"username":"app-user","password":"choose_your_own_password"}' \
@@ -113 +134 @@ To create these secrets encrypted with your custom AWS KMS key, use the followin
-To see the secrets owned by your AWS account, use a command such as the following.
+To see the secrets owned by your AWS account, use the [list-secrets](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/list-secrets.html) command:
@@ -118 +139 @@ To see the secrets owned by your AWS account, use a command such as the followin
-When you create a proxy using the CLI, you pass the Amazon Resource Names (ARNs) of one or more secrets to the `--auth` parameter. The following Linux example shows how to prepare a report with only the name and ARN of each secret owned by your AWS account. This example uses the `--output table` parameter that is available in AWS CLI version 2. If you are using AWS CLI version 1, use `--output text` instead. 
+When you create a proxy using the CLI, you pass the Amazon Resource Names (ARNs) of one or more secrets to the `--auth` parameter. The following example shows how to prepare a report with only the name and ARN of each secret owned by your AWS account. This example uses the `--output table` parameter that is available in AWS CLI version 2. If you are using AWS CLI version 1, use `--output text` instead. 
@@ -123 +144 @@ When you create a proxy using the CLI, you pass the Amazon Resource Names (ARNs)
-To verify that you stored the correct credentials and in the right format in a secret, use a command such as the following. Substitute the short name or the ARN of the secret for ``your_secret_name``. 
+To confirm that the secret contains the correct credentials in the proper format, use the [get-secret-value](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html) command. Replace ``your_secret_name`` with the secret’s short name or ARN.
@@ -128 +149 @@ To verify that you stored the correct credentials and in the right format in a s
-The output should include a line displaying a JSON-encoded value like the following. 
+The output contains a line with a JSON-encoded value similar to the following:
@@ -130,0 +152 @@ The output should include a line displaying a JSON-encoded value like the follow
+    ...
@@ -131,0 +154 @@ The output should include a line displaying a JSON-encoded value like the follow
+    ...