AWS AmazonRDS documentation change
Summary
Updated credential rotation documentation with new secret naming formats and examples
Security assessment
Improves instructions for credential rotation procedures and secret identification, but no evidence of patching a security issue. Strengthens security documentation.
Diff
diff --git a/AmazonRDS/latest/UserGuide/custom-security.cred-rotation.md b/AmazonRDS/latest/UserGuide/custom-security.cred-rotation.md index 22a12bb75..6e734260a 100644 --- a//AmazonRDS/latest/UserGuide/custom-security.cred-rotation.md +++ b//AmazonRDS/latest/UserGuide/custom-security.cred-rotation.md @@ -73 +73 @@ If your database is in any of the preceding categories, you must rotate your use - 5. In the search box, enter your DB Resource ID and find the secret in the following form: + 5. In the search box, enter the resource ID of your database and search for a secret using either of the following naming conventions: @@ -75 +75,2 @@ If your database is in any of the preceding categories, you must rotate your use - do-not-delete-rds-custom-db-resource-id-numeric-string + do-not-delete-rds-custom-resource_id-uuid + rds-custom!oracle-do-not-delete-resource_id-uuid @@ -77 +78 @@ If your database is in any of the preceding categories, you must rotate your use -This secret stores the password for `RDSADMIN`, `SYS`, and `SYSTEM`. The following sample key is for the DB instance with the DB resource ID `db-ABCDEFG12HIJKLNMNOPQRS3TUVWX`: +This secret stores the password for `RDSADMIN`, `SYS`, and `SYSTEM`. The following sample keys are for the DB instance with the resource ID `db-ABCDEFG12HIJKLNMNOPQRS3TUVWX` and UUID `123456`: @@ -79,0 +81 @@ This secret stores the password for `RDSADMIN`, `SYS`, and `SYSTEM`. The followi + rds-custom!oracle-do-not-delete-db-ABCDEFG12HIJKLNMNOPQRS3TUVWX-123456 @@ -83 +85 @@ This secret stores the password for `RDSADMIN`, `SYS`, and `SYSTEM`. The followi -If your DB instance is a read replica and uses the `custom-oracle-ee-cdb` engine, two secrets exist with the suffix ``db-resource-id`-`numeric-string``, one for the master user and the other for `RDSADMIN`, `SYS`, and `SYSTEM`. To find the correct secret, run the following command on the host: +If your DB instance is a read replica and uses the `custom-oracle-ee-cdb` engine, two secrets exist with the suffix ``db-resource_id`-`uuid``, one for the master user and the other for `RDSADMIN`, `SYS`, and `SYSTEM`. To find the correct secret, run the following command on the host: @@ -89 +91 @@ The `dbMonitoringUserPassword` attribute indicates the secret for `RDSADMIN`, `S - 6. If your DB instance exists in an Oracle Data Guard configuration, find the secret in the following form: + 6. If your DB instance exists in an Oracle Data Guard configuration, search for a secret using either of the following naming conventions: @@ -91 +93,2 @@ The `dbMonitoringUserPassword` attribute indicates the secret for `RDSADMIN`, `S - do-not-delete-rds-custom-db-resource-id-numeric-string-dg + do-not-delete-rds-custom-resource_id-uuid-dg + rds-custom!oracle-do-not-delete-resource_id-uuid-dg @@ -93 +96 @@ The `dbMonitoringUserPassword` attribute indicates the secret for `RDSADMIN`, `S -This secret stores the password for `RDS_DATAGUARD`. The following sample key is for the DB instance with the DB resource ID `db-ABCDEFG12HIJKLNMNOPQRS3TUVWX`: +This secret stores the password for `RDS_DATAGUARD`. The following sample keys are for the DB instance with the DB resource ID `db-ABCDEFG12HIJKLNMNOPQRS3TUVWX` and UUID **789012** : @@ -95,0 +99 @@ This secret stores the password for `RDS_DATAGUARD`. The following sample key is + rds-custom!oracle-do-not-delete-db-ABCDEFG12HIJKLNMNOPQRS3TUVWX-789012-dg