AWS Security ChangesHomeSearch

AWS AmazonRDS medium security documentation change

Service: AmazonRDS · 2025-04-25 · Security-related medium

File: AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md

Summary

Added guidance for using Region-specific service principals in IAM role trust policies for opt-in Regions

Security assessment

The change improves security documentation by enforcing least-privilege through Region-specific service principals, reducing the attack surface for IAM roles.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md b/AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md
index c77da304e..073340225 100644
--- a//AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md
+++ b//AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md
@@ -241,0 +242,31 @@ The role must also have the following IAM role policy.
+For opt-in AWS Regions, use Region-specific service principals in IAM role trust policies. When you create a trust policy for services in these Regions, specify the Region code in the service principal.
+
+The following example shows a trust policy that includes Region-specific service principals:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": [
+              "directoryservice.rds.REGION-CODE.amazonaws.com",
+              "rds.REGION-CODE.amazonaws.com"
+            ]
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    
+
+Replace REGION-CODE with the code for your specific Region. For example, use the following service principals for the Asia Pacific (Melbourne) Region:
+    
+    
+    "Service": [
+      "directoryservice.rds.ap-southeast-4.amazonaws.com",
+      "rds.ap-southeast-4.amazonaws.com"
+    ]
+    
+