AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-03-10 · Documentation low

File: AmazonRDS/latest/AuroraUserGuide/rds-proxy-creating.md

Summary

Restructured and expanded documentation for creating RDS Proxy with improved organization using tables, added context about security/scalability benefits, clarified configuration options (TLS enforcement, IAM roles, Secrets Manager integration), and enhanced logging guidance.

Security assessment

The changes add documentation about security features like TLS enforcement, IAM authentication, Secrets Manager integration, and security group configuration. However, there is no evidence of addressing a specific security vulnerability or incident - these are standard security best practice explanations.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/rds-proxy-creating.md
index 43495c20c..7acce7205 100644
--- a/AmazonRDS/latest/AuroraUserGuide/rds-proxy-creating.md
+++ b/AmazonRDS/latest/AuroraUserGuide/rds-proxy-creating.md
@@ -5 +5 @@
-# Creating an RDS proxy
+# Creating a proxy for Amazon Aurora
@@ -7 +7,3 @@
-To manage connections for a DB cluster, create a proxy. You can associate a proxy with an Aurora MySQL or Aurora PostgreSQL DB cluster. 
+You can use Amazon RDS Proxy to improve the scalability, availability, and security of your database applications by pooling connections and managing database failovers more efficiently. This topic walks you through creating a proxy. Before you start, make sure your database meets the necessary prerequisites, including IAM permissions and VPC configuration.
+
+You can associate a proxy with an Aurora MySQL or Aurora PostgreSQL DB cluster. 
@@ -17,26 +19,11 @@ To manage connections for a DB cluster, create a proxy. You can associate a prox
-  4. Choose all the settings for your proxy. 
-
-For **Proxy configuration** , provide information for the following: 
-
-     * **Engine family**. This setting determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, choose **MariaDB and MySQL**. For Aurora PostgreSQL, choose **PostgreSQL**. 
-
-     * **Proxy identifier**. Specify a name of that is unique within your AWS account ID and current AWS Region. 
-
-     * **Idle client connection timeout**. Choose a time period that a client connection can be idle before the proxy closes it. The default is 1,800 seconds (30 minutes). A client connection is considered idle when the application doesn't submit a new request within the specified time after the previous request completed. The underlying database connection stays open and is returned to the connection pool. Thus, it's available to be reused for new client connections. 
-
-To have the proxy proactively remove stale connections, lower the idle client connection timeout. When the workload is spiking, to save the cost of establishing connections, increase the idle client connection timeout."
-
-For **Target group configuration** , provide information for the following: 
-
-     * **Database**. Choose one Aurora DB cluster to access through this proxy. The list only includes DB instances and clusters with compatible database engines, engine versions, and other settings. If the list is empty, create a new DB instance or cluster that's compatible with RDS Proxy. To do so, follow the procedure in [Creating an Amazon Aurora DB cluster](./Aurora.CreateInstance.html). Then try creating the proxy again. 
-
-     * **Connection pool maximum connections**. Specify a value from 1 through 100. This setting represents the percentage of the `max_connections` value that RDS Proxy can use for its connections. If you only intend to use one proxy with this DB instance or cluster, you can set this value to 100. For details about how RDS Proxy uses this setting, see [MaxConnectionsPercent](./rds-proxy-connections.html#rds-proxy-connection-pooling-tuning.maxconnectionspercent). 
-
-     * **Session pinning filters**. (Optional) This option allows you to force RDS Proxy to not pin for certain types of detected session states. This circumvents the default safety measures for multiplexing database connections across client connections. Currently, the setting isn't supported for PostgreSQL. The only choice is `EXCLUDE_VARIABLE_SETS`. 
-
-Enabling this setting can cause session variables of one connection to impact other connections. This can cause errors or correctness issues if your queries depend on session variable values set outside of the current transaction. Consider using this option after verifying it is safe for your applications to share database connections across client connections.
-
-The following patterns can be considered safe:
-
-       * `SET` statements where there is no change to the effective session variable value, i.e., there is no change to the session variable.
-
+  4. Configure the following settings for your proxy.
+
+Setting | Description  
+---|---  
+**Engine family** | The database network protocol the proxy recognizes when it interprets network traffic to and from the database.   
+**Proxy identifier** | A name that is unique within your AWS account ID and current AWS Region.   
+**Idle client connection timeout** |  The proxy closes a client connection if it remains idle for a set period. By default, this is 1,800 seconds (30 minutes). A connection is idle when the application doesn’t submit a new request within the specified time after completing the previous request. The proxy keeps the underlying database connection open and returns it to the connection pool, making it available for new client connections. To proactively remove stale connections, reduce the idle client connection timeout. To minimize connection costs during workload spikes, increase the timeout.  
+**Database** | The Aurora DB cluster to access through this proxy. The list only includes DB instances and clusters with compatible database engines, engine versions, and other settings. If the list is empty, create a new DB instance or cluster that's compatible with RDS Proxy. To do so, follow the procedure in [Creating an Amazon Aurora DB cluster](./Aurora.CreateInstance.html). Then, try creating the proxy again.   
+**Connection pool maximum connections** | A value between 1 and 100 to define the percentage of the `max_connections` limit that RDS Proxy can use. If you only intend to use one proxy with this DB instance or cluster, set this value to 100\. For more information about how RDS Proxy uses this setting, see [MaxConnectionsPercent](./rds-proxy-connections.html#rds-proxy-connection-pooling-tuning.maxconnectionspercent).  
+**Session pinning filters** |  Prevents RDS Proxy from pinning certain detected session states, which bypasses default safety measures for multiplexing connections. Currently, PostgreSQL doesn't support this setting, and the only available option is `EXCLUDE_VARIABLE_SETS`. Enabling it might cause session variables from one connection to affect others, leading to errors or correctness issues if queries rely on session variables set outside the current transaction. Use this option only after confirming that your applications can safely share database connections. The following patterns are considered safe:
+     * `SET` statements where there is no change to the effective session variable value. In other words, there is no change to the session variable.
@@ -46,4 +32,2 @@ For more information, see [Avoiding pinning an RDS Proxy](./rds-proxy-pinning.ht
-
-     * **Connection borrow timeout**. In some cases, you might expect the proxy to sometimes use all available database connections. In such cases, you can specify how long the proxy waits for a database connection to become available before returning a timeout error. You can specify a period up to a maximum of five minutes. This setting only applies when the proxy has the maximum number of connections open and all connections are already in use.
-
-     * **Initialization query**. (Optional) Add an initialization query, or modify the current one. You can specify one or more SQL statements for the proxy to run when opening each new database connection. The setting is typically used with `SET` statements to make sure that each connection has identical settings. Make sure that the query you add is valid. To include multiple variables in a single `SET` statement, use comma separators. For example:
+**Connection borrow timeout** | If you expect the proxy to use all available database connections, set the wait time before it returns a timeout error. You can specify up to five minutes. This setting applies only when the proxy has reached the maximum number of connections and all are in use.  
+**Initialization query** | Add or modify an initialization query by specifying one or more SQL statements for the proxy to run when it opens a new database connection. This setting is typically used with `SET` statements to ensure consistent connection settings. Make sure the query is valid, and use commas to separate multiple variables within a `SET` statement. For example:
@@ -53,21 +37,8 @@ For more information, see [Avoiding pinning an RDS Proxy](./rds-proxy-pinning.ht
-For multiple statements, use semicolons as the separator.
-
-For **Authentication** , provide information for the following:
-
-     * **IAM role**. Choose an IAM role that has permission to access the Secrets Manager secrets that you chose earlier. Or, you can create a new IAM role from the AWS Management Console. 
-
-     * **Secrets Manager secrets**. Choose at least one Secrets Manager secret that contains database user credentials that allow the proxy to access the Aurora DB cluster.
-
-     * **Client authentication type**. Choose the type of authentication the proxy uses for connections from clients. Your choice applies to all Secrets Manager secrets that you associate with this proxy. If you need to specify a different client authentication type for each secret, then create your proxy by using the AWS CLI or the API instead.
-
-     * **IAM authentication**. Choose whether to require or disallow IAM authentication for connections to your proxy. Your choice applies to all Secrets Manager secrets that you associate with this proxy. If you need to specify a different IAM authentication for each secret, create your proxy by using the AWS CLI or the API instead. 
-
-For **Connectivity** , provide information for the following:
-
-     * **Require Transport Layer Security**. Choose this setting if you want the proxy to enforce TLS/SSL for all client connections. For an encrypted or unencrypted connection to a proxy, the proxy uses the same encryption setting when it makes a connection to the underlying database.
-
-     * **Subnets**. This field is prepopulated with all the subnets associated with your VPC. You can remove any subnets that you don't need for this proxy. You must leave at least two subnets. 
-
-Provide additional connectivity configuration: 
-
-     * **VPC security group**. Choose an existing VPC security group. Or, you can create a new security group from the AWS Management Console. You must configure the **Inbound rules** to allow your applications to access the proxy. You must also configure the **Outbound rules** to allow traffic from your DB targets. 
+For multiple statements, separate them with semicolons.  
+**AWS Identity and Access Management (IAM) role** |  An IAM role with permission to access the Secrets Manager secrets, which represent the credentials for database user accounts that the proxy can use. Alternatively, you can create a new IAM role from the AWS Management Console.  
+**Secrets Manager secrets** | Choose at least one Secrets Manager secret that contains database user credentials that allow the proxy to access the Aurora DB cluster.  
+**Client authentication type** | The type of authentication the proxy uses for connections from clients. Your choice applies to all Secrets Manager secrets that you associate with this proxy. If you need to specify a different client authentication type for each secret, create your proxy by using the AWS CLI or the API instead.  
+**IAM authentication** | Whether to require or disallow IAM authentication for connections to your proxy. Your choice applies to all Secrets Manager secrets that you associate with this proxy. If you need to specify a different IAM authentication for each secret, create your proxy by using the AWS CLI or the API instead.   
+**Require Transport Layer Security** |  Enforces TLS/SSL for all client connections. The proxy uses the same encryption setting for its connection to the underlying database, whether the client connection is encrypted or unencrypted.  
+**Subnets** |  This field is prepopulated with all subnets associated with your VPC. You can remove any subnets not needed for the proxy, but you must leave at least two subnets.  
+**VPC security group** |  Choose an existing VPC security group or create a new one from the AWS Management Console. Configure the inbound rules to allow your applications to access the proxy and the outbound rules to permit traffic from your database targets.
@@ -77,13 +48,2 @@ Provide additional connectivity configuration:
-This security group must allow connections from the proxy to the database. The same security group is used for ingress from your applications to the proxy, and for egress from the proxy to the database. For example, suppose that you use the same security group for your database and your proxy. In this case, make sure that you specify that resources in that security group can communicate with other resources in the same security group.
-
-When using a shared VPC, you can't use the default security group for the VPC, or one that belongs to another account. Choose a security group that belongs to your account. If one doesn't exist, create one. For more information about this limitation, see [ Work with shared VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations). 
-
-RDS deploys a proxy over multiple Availability Zones to ensure high availability. To enable cross-AZ communication for such a proxy, the network access control list (ACL) for your proxy subnet must allow engine port specific egress and all ports to ingress. For more information about network ACLs, see [Control traffic to subnets using network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html). If the network ACL for your proxy and target are identical, you must add a **TCP** protocol ingress rule where the **Source** is set to the VPC CIDR. You must also add an engine port specific **TCP** protocol egress rule where the **Destination** is set to the VPC CIDR.
-
-(Optional) Provide advanced configuration: 
-
-     * **Enable enhanced logging**. You can enable this setting to troubleshoot proxy compatibility or performance issues. 
-
-When this setting is enabled, RDS Proxy includes detailed information about proxy performance in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. Thus, only enable this setting for debugging and when you have security measures in place to safeguard any sensitive information that appears in the logs.
-
-To minimize overhead associated with your proxy, RDS Proxy automatically turns this setting off 24 hours after you enable it. Enable it temporarily to troubleshoot a specific issue. 
+The security group must allow connections from the proxy to the database. It serves both for ingress from your applications to the proxy and egress from the proxy to the database. For example, if you use the same security group for both the database and the proxy, make sure that resources within that security group can communicate with each other.When you use a shared VPC, avoid using the default security group for the VPC or one associated with another account. Instead, select a security group that belongs to your account. If none exists, create one. For more information, see [ Work with shared VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations).  RDS deploys a proxy across multiple Availability Zones to ensure high availability. To enable cross-AZ communication, the network access control list (ACL) for your proxy subnet must allow egress on the engine port and ingress on all ports. For more information about network ACLs, see [Control traffic to subnets using network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html). If the network ACL for your proxy and target are identical, you must add a **TCP** protocol ingress rule where the **Source** is set to the VPC CIDR. You must also add an engine port specific **TCP** protocol egress rule where the **Destination** is set to the VPC CIDR.  
+**Activate enhanced logging** |  Enable this setting to troubleshoot proxy compatibility or performance issues. When enabled, RDS Proxy logs detailed performance information to help you debug SQL behavior or proxy connection performance and scalability.  Only enable this setting for debugging and ensure proper security measures are in place to protect sensitive information in the logs. To minimize overhead, RDS Proxy automatically disables this setting 24 hours after activation. Use it temporarily to troubleshoot specific issues.  
@@ -91 +51 @@ To minimize overhead associated with your proxy, RDS Proxy automatically turns t
-  5. Choose **Create Proxy**. 
+  5. Choose **Create proxy**.