AWS aurora-dsql documentation change
Summary
Added IAM permissions note and policy example for service-linked role creation
Security assessment
Documents required permissions for service-linked roles but doesn't address specific vulnerabilities
Diff
diff --git a/aurora-dsql/latest/userguide/working-with-service-linked-roles.md index 35a6dd41b..1bba727bf 100644 --- a/aurora-dsql/latest/userguide/working-with-service-linked-roles.md +++ b/aurora-dsql/latest/userguide/working-with-service-linked-roles.md @@ -22,0 +23,19 @@ Aurora DSQL uses the service-linked role named `AWSServiceRoleForAuroraDsql` – +###### Note + +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. You might encounter the following error message: `You don't have the permissions to create an Amazon Aurora DSQL service-linked role`. If you see this message, make sure that you have the following permissions enabled: + + + { + "Sid" : "CreateDsqlServiceLinkedRole", + "Effect" : "Allow", + "Action" : "iam:CreateServiceLinkedRole", + "Resource" : "*", + "Condition" : { + "StringEquals" : { + "iam:AWSServiceName" : "dsql.amazonaws.com" + } + } + } + +For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html#service-linked-role-permissions.html). +