AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-04-25 · Documentation low

File: AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md

Summary

Added guidance for Region-specific service principals in IAM role trust policies for Kerberos authentication

Security assessment

Documentation update improves security configuration guidance for Kerberos authentication but does not address a specific security vulnerability. Enhances security best practices without evidence of patching an existing issue.

Diff

diff --git a/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md b/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md
index 77aedcb9f..6020db04b 100644
--- a//AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md
+++ b//AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.md
@@ -228,0 +229,31 @@ The role must also have the following IAM role policy.
+For opt-in AWS Regions, use Region-specific service principals in IAM role trust policies. When you create a trust policy for services in these Regions, specify the Region code in the service principal.
+
+The following example shows a trust policy that includes Region-specific service principals:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": [
+              "directoryservice.rds.REGION-CODE.amazonaws.com",
+              "rds.REGION-CODE.amazonaws.com"
+            ]
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    
+
+Replace REGION-CODE with the code for your specific Region. For example, use the following service principals for the Asia Pacific (Melbourne) Region:
+    
+    
+    "Service": [
+      "directoryservice.rds.ap-southeast-4.amazonaws.com",
+      "rds.ap-southeast-4.amazonaws.com"
+    ]
+    
+