AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-04-11 · Documentation low

File: AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md

Summary

Updated permissions documentation with new supported roles (db_owner, db_datareader, db_datawriter, db_accessadmin, dbcreator, securityadmin), clarified limitations, and added GRANT syntax changes

Security assessment

Changes focus on documenting security-related database roles and access control mechanisms, but there's no evidence of addressing a specific vulnerability. The updates clarify permission management capabilities and limitations.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md b/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md
index 35e4b5444..2d96a5666 100644
--- a//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md
+++ b//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md
@@ -18 +18 @@ Allow login to do SELECTs/DMLs/DDLs in any database  |  Add login to sysadmin se
-Allow login to do SELECTs/DMLs/DDLs in a database  |  Make login the owner of the database  |  ALTER AUTHORIZATION ON DATABASE::`database` TO `login` |  A database can have only one owner   
+Allow login to do SELECTs/DMLs/DDLs in a database  |  Make login the owner of the database  |  ALTER AUTHORIZATION ON DATABASE::`database` TO `login` |  A database can have only one owner.   
@@ -20,2 +20,8 @@ Allow database user to do SELECTs/DMLs on a schema  |  Grant permission to datab
-Allow database user to do SELECTs/DMLs on a schema  |  Make database user owner of schema at schema creation time  |  CREATE SCHEMA `schema` AUTHORIZATION `user` |  Changing schema ownership after creation isn't currently supported   
-Allow database user to do SELECTs/DMLs on an object  |  Grant permission to database user on object  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON SCHEMA::`object` TO `user` |  None   
+Allow database user to do SELECTs/DMLs on a schema  |  Make database user owner of schema at schema creation time  |  CREATE SCHEMA `schema` AUTHORIZATION `user` |  Changing schema ownership after creation isn't currently supported.   
+Allow database user to do SELECTs/DMLs on an object  |  Grant permission to database user on object  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT::`object` TO `user` |  None   
+Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Add user to db_owner fixed database role  |  ALTER ROLE db_owner ADD MEMBER `user` |  Only users can be added db_owner fixed database role. Adding roles to db_owner role is not yet supported.   
+Allow user or members of a custom database role to do only SELECTs in a database  |  Add user or role to db_datareader fixed database role  |  ALTER ROLE db_datareader ADD MEMBER `user` / `role` |  None   
+Allow user or members of a custom database role to do only DMLs in a database  |  Add user or role to db_datawriter fixed database role  |  ALTER ROLE db_datawriter ADD MEMBER `user` / `role` |  None   
+Allow user or members of a custom database role to do only DDLs in a database  |  Add user or role to db_accessadmin fixed database role  |  ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` |  None   
+Allow login to only CREATE/DROP/ALTER any database  |  Add login to dbcreator fixed server role  |  ALTER SERVER ROLE dbcreator ADD MEMBER `login` |  Only those databases can be alterred on which dbcreator login has access.   
+Allow login to only CREATE/ALTER/DROP any login  |  Add login to securityadmin fixed server role  |  ALTER SERVER ROLE securityadmin ADD MEMBER `login` |  None   
@@ -29,3 +35,2 @@ Use case  |  Action  |  SQL commands  |  Comments
-Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Make login owner of database  |  ALTER AUTHORIZATION ON DATABASE `database` TO `login` |  Adding database users/roles to db_owner role isn't currently supported   
-Allow database user to do only SELECTs in a database  |  Grant SELECT to database user on all schemas in database  |  GRANT SELECT ON SCHEMA::`schema` TO `user` |  Database role `db_datareader` isn't currently supported   
-Allow database user to do DML on all objects in a database  |  Grant INSERT, UPDATE, DELETE to database user on all schemas in database  |  GRANT INSERT, UPDATE, DELETE ON SCHEMA::`schema` TO `user` |  Database role `db_datawriter` isn't currently supported   
+Allow user to do SELECTs/DMLs on an object/schema along with option to GRANT these permissions to other users  |  GRANT the permissions to all the other users directly  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT/SCHEMA::`object`/`schema` TO `user` |  GRANT ... WITH GRANT OPTION isn't currently supported.   
+Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Add members of role to db_owner fixed database role  |  ALTER ROLE db_owner ADD MEMBER `user` |  Adding roles to db_owner role isn't currently supported.   
@@ -39,7 +44,4 @@ Use case  |  Comments
-Allow database user to do only DDLs in a database  |  Database role `db_ddladmin` isn't currently supported   
-Allow database user to only CREATE/ALTER/DROP any database role  |  Database role `db_securityadmin` isn't currently supported   
-Allow database user to only GRANT/REVOKE permissions on objects in a database  |  Database role `db_securityadmin` isn't currently supported   
-Allow database user to only CREATE/ALTER/DROP any user  |  Database role `db_accessadmin` isn't currently supported   
-Allow database user to only grant and revoke database access and alias user accounts to logins  |  Database role `db_accessadmin` isn't currently supported   
-Allow login to only CREATE/DROP any database  |  Server role `dbcreator` isn't currently supported   
-Allow login to only ALTER any login  |  Server role `securityadmin` isn't currently supported   
+Deny user or members of a custom database role to do SELECTs in a database  |  db_denydatareader fixed database role is not yet supported   
+Deny user or members of a custom database role to do DMLs in a database  |  db_denydatawriter fixed database role isn't currently supported.   
+Allow login to only KILL any database connection  |  processadmin fixed server role isn't currently supported.   
+Allow login to only add or remove linked servers  |  setupadmin fixed server role isn't currently supported.