AWS AmazonRDS documentation change
Summary
Added guidance for Region-specific service principals in IAM role trust policies for Kerberos authentication
Security assessment
Documentation update improves security configuration guidance for Kerberos authentication but does not address a specific security vulnerability. Enhances security best practices without evidence of patching an existing issue.
Diff
diff --git a/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md b/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md index 77aedcb9f..6020db04b 100644 --- a//AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md +++ b//AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md @@ -228,0 +229,31 @@ The role must also have the following IAM role policy. +For opt-in AWS Regions, use Region-specific service principals in IAM role trust policies. When you create a trust policy for services in these Regions, specify the Region code in the service principal. + +The following example shows a trust policy that includes Region-specific service principals: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "directoryservice.rds.REGION-CODE.amazonaws.com", + "rds.REGION-CODE.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + } + + +Replace REGION-CODE with the code for your specific Region. For example, use the following service principals for the Asia Pacific (Melbourne) Region: + + + "Service": [ + "directoryservice.rds.ap-southeast-4.amazonaws.com", + "rds.ap-southeast-4.amazonaws.com" + ] + +