AWS AmazonRDS medium security documentation change
Summary
Added guidance for using Region-specific service principals in IAM role trust policies for opt-in Regions
Security assessment
The change improves security documentation by enforcing least-privilege through Region-specific service principals, reducing the attack surface for IAM roles.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md b/AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md index c77da304e..073340225 100644 --- a//AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md +++ b//AmazonRDS/latest/AuroraUserGuide/postgresql-kerberos-setting-up.md @@ -241,0 +242,31 @@ The role must also have the following IAM role policy. +For opt-in AWS Regions, use Region-specific service principals in IAM role trust policies. When you create a trust policy for services in these Regions, specify the Region code in the service principal. + +The following example shows a trust policy that includes Region-specific service principals: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "directoryservice.rds.REGION-CODE.amazonaws.com", + "rds.REGION-CODE.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + } + + +Replace REGION-CODE with the code for your specific Region. For example, use the following service principals for the Asia Pacific (Melbourne) Region: + + + "Service": [ + "directoryservice.rds.ap-southeast-4.amazonaws.com", + "rds.ap-southeast-4.amazonaws.com" + ] + +