AWS AmazonRDS documentation change
Summary
Added documentation for managing master user passwords of RDS for Oracle tenant databases with Secrets Manager, including new CLI commands, API operations, IAM policy updates, and encryption details.
Security assessment
The changes expand documentation about using Secrets Manager to securely manage credentials for Oracle tenant databases, including IAM policy enforcement and KMS encryption. While this improves security practices, there is no evidence of addressing a specific existing vulnerability.
Diff
diff --git a/AmazonRDS/latest/UserGuide/rds-secrets-manager.md b/AmazonRDS/latest/UserGuide/rds-secrets-manager.md index 48fc8bb14..8005ab3e2 100644 --- a//AmazonRDS/latest/UserGuide/rds-secrets-manager.md +++ b//AmazonRDS/latest/UserGuide/rds-secrets-manager.md @@ -5 +5 @@ -LimitationsOverviewBenefitsPermissions required for Secrets Manager integrationEnforcing RDS managementManaging the master user password for a DB instanceManaging the master user password for a Multi-AZ DB clusterRotating the master user password secret for a DB instanceRotating the master user password secret for a Multi-AZ DB clusterViewing the details about a secret for a DB instanceViewing the details about a secret for a Multi-AZ DB clusterRegion and version availability +LimitationsOverviewBenefitsPermissions required for Secrets Manager integrationEnforcing RDS managementManaging the master user password for a DB instanceManaging the master user password for a tenant databaseManaging the master user password for a Multi-AZ DB clusterRotating the master user password secret for a DB instanceRotating the master user password secret for a Multi-AZ DB clusterViewing the details about a secret for a DB instanceViewing the details about a secret for a Multi-AZ DB clusterRegion and version availability @@ -24,0 +25,2 @@ Amazon RDS integrates with Secrets Manager to manage master user passwords for y + * Managing the master user password for an RDS for Oracle tenant database with Secrets Manager + @@ -52,2 +53,0 @@ Managing master user passwords with Secrets Manager isn't supported for the foll - * RDS for Oracle with CDB - @@ -65 +65,7 @@ You can specify that RDS manages the master user password in Secrets Manager for - * Create the DB instance + * Create a DB instance + + * Create a Multi-AZ DB cluster + + * Create a tenant database in an RDS for Oracle CDB + + * Modify a DB instance @@ -67 +73 @@ You can specify that RDS manages the master user password in Secrets Manager for - * Create the Multi-AZ DB cluster + * Modify a Multi-AZ DB cluster @@ -69 +75 @@ You can specify that RDS manages the master user password in Secrets Manager for - * Modify the DB instance + * Modify a tenant database (RDS for Oracle only) @@ -71 +77 @@ You can specify that RDS manages the master user password in Secrets Manager for - * Modify the Multi-AZ DB cluster + * Restore a DB instance from Amazon S3 @@ -73 +79 @@ You can specify that RDS manages the master user password in Secrets Manager for - * Restore the DB instance from Amazon S3 + * Restore a DB instance from a snapshot or to a point in time (RDS for Oracle only) @@ -148 +154 @@ For modify operations, the user who rotates the master user password in Secrets -You can use IAM condition keys to enforce RDS management of the master user password in AWS Secrets Manager. The following policy doesn't allow users to create or restore DB instances or DB clusters unless the master user password is managed by RDS in Secrets Manager. +You can use IAM condition keys to enforce RDS management of the master user password in AWS Secrets Manager. The following policy doesn't allow users to create or restore DB instances or DB clusters or create or modify tenant databases unless the master user password is managed by RDS in Secrets Manager. @@ -156 +162,3 @@ You can use IAM condition keys to enforce RDS management of the master user pass - "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster", "rds:RestoreDBInstanceFromS3", "rds:RestoreDBClusterFromS3"], + "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster", "rds:RestoreDBInstanceFromS3", "rds:RestoreDBClusterFromS3", + "rds:RestoreDBInstanceFromDBSnapshot", "rds:RestoreDBInstanceToPointInTime", "rds:CreateTenantDatabase", + "rds:ModifyTenantDatabase"], @@ -184,0 +193 @@ You can configure RDS management of the master user password in Secrets Manager + * [Restoring to a DB instance](./USER_RestoreFromSnapshot.html) (RDS for Oracle only) @@ -185,0 +195 @@ You can configure RDS management of the master user password in Secrets Manager + * [Restoring a DB instance to a specified time for Amazon RDS](./USER_PIT.html) (RDS for Oracle only) @@ -188 +198,3 @@ You can configure RDS management of the master user password in Secrets Manager -You can use the RDS console, the AWS CLI, or the RDS API to perform these actions. + + +You can perform the preceding operations using the RDS console, the AWS CLI, or the RDS API. @@ -201 +213 @@ Follow the instructions for creating or modifying a DB instance with the RDS con -When you use the RDS console to perform one of these operations, you can specify that the master user password is managed by RDS in Secrets Manager. To do so when you are creating or restoring a DB instance, select **Manage master credentials in AWS Secrets Manager** in **Credential settings**. When you are modifying a DB instance, select **Manage master credentials in AWS Secrets Manager** in **Settings**. +When you use the RDS console to perform one of these operations, you can specify that the master user password is managed by RDS in Secrets Manager. When you're creating or restoring a DB instance, select **Manage master credentials in AWS Secrets Manager** in **Credential settings**. When you're modifying a DB instance, select **Manage master credentials in AWS Secrets Manager** in **Settings**. @@ -211 +223 @@ When you select this option, RDS generates the master user password and manages -You can choose to encrypt the secret with a KMS key that Secrets Manager provides or with a customer managed key that you create. After RDS is managing the database credentials for a DB instance, you can't change the KMS key that is used to encrypt the secret. +You can choose to encrypt the secret with a KMS key that Secrets Manager provides or with a customer managed key that you create. After RDS is managing the database credentials for a DB instance, you can't change the KMS key used to encrypt the secret. @@ -213 +225 @@ You can choose to encrypt the secret with a KMS key that Secrets Manager provide -You can choose other settings to meet your requirements. For more information about the available settings when you are creating a DB instance, see [Settings for DB instances](./USER_CreateDBInstance.Settings.html). For more information about the available settings when you are modifying a DB instance, see [Settings for DB instances](./USER_ModifyInstance.Settings.html). +You can choose other settings to meet your requirements. For more information about the available settings when you're creating a DB instance, see [Settings for DB instances](./USER_CreateDBInstance.Settings.html). For more information about the available settings when you're modifying a DB instance, see [Settings for DB instances](./USER_ModifyInstance.Settings.html). @@ -222,0 +235,4 @@ To manage the master user password with RDS in Secrets Manager, specify the `--m + * [restore-db-instance-from-db-snapshot](https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-instance-from-db-snapshot.html) (RDS for Oracle only) + + * [restore-db-instance-to-point-in-time](https://docs.aws.amazon.com/cli/latest/reference/rds/restore-db-instance-to-point-in-time.html) (RDS for Oracle only) + @@ -232 +248 @@ You can choose other settings to meet your requirements. For more information ab -This example creates a DB instance and specifies that RDS manages the master user password in Secrets Manager. The secret is encrypted using the KMS key that is provided by Secrets Manager. +The following example creates a DB instance and specifies that RDS manages the master user password in Secrets Manager. The secret is encrypted using the KMS key that is provided by Secrets Manager. @@ -265,0 +282,4 @@ To specify that RDS manages the master user password in Secrets Manager, set the + * [RestoreDBInstanceFromSnapshot](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromSnapshot.html) (RDS for Oracle only) + + * [RestoreDBInstanceToPointInTime](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceToPointInTime.html) (RDS for Oracle only) + @@ -271,0 +292,86 @@ To encrypt the secret, you can specify a customer managed key or use the default + +## Managing the master user password for an RDS for Oracle tenant database with Secrets Manager + +You can configure RDS management of the master user password in Secrets Manager when you perform the following actions: + + * [Adding an RDS for Oracle tenant database to your CDB instance](./oracle-cdb-configuring.adding.pdb.html) + + * [Modifying an RDS for Oracle tenant database](./oracle-cdb-configuring.modifying.pdb.html) + + + + +You can use the RDS console, the AWS CLI, or the RDS API to perform the preceding actions. + +Follow the instructions for creating or modifying an RDS for Oracle tenant database with the RDS console: + + * [Adding an RDS for Oracle tenant database to your CDB instance](./oracle-cdb-configuring.adding.pdb.html) + + * [Modifying an RDS for Oracle tenant database](./oracle-cdb-configuring.modifying.pdb.html) + + + + +When you use the RDS console to perform one of the preceding operations, you can specify that RDS manage the master password in Secrets Manager. When you create a tenant database, select **Manage master credentials in AWS Secrets Manager** in **Credential settings**. When you modify a tenant database, select **Manage master credentials in AWS Secrets Manager** in **Settings**. + +The following image is an example of the **Manage master credentials in AWS Secrets Manager** setting when you are creating a tenant database. + + + +When you select this option, RDS generates the master user password and manages it throughout its lifecycle in Secrets Manager. + + + +You can choose to encrypt the secret with a KMS key that Secrets Manager provides or with a customer managed key that you create. After RDS is managing the database credentials for a tenant database, you can't change the KMS key that is used to encrypt the secret. + +You can choose other settings to meet your requirements. For more information about the available settings when you are creating a tenant database, see [Settings for DB instances](./USER_CreateDBInstance.Settings.html). For more information about the available settings when you are modifying a tenant database, see [Settings for DB instances](./USER_ModifyInstance.Settings.html). + +To manage the master user password with RDS in Secrets Manager, specify the `--manage-master-user-password` option in one of the following AWS CLI commands: + + * [create-tenant-database](https://docs.aws.amazon.com/cli/latest/reference/rds/create-tenant-database.html) + + * [modify-tenant-database](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-tenant-database.html) + + + + +When you specify the `--manage-master-user-password` option in the preceding commands, RDS generates the master user password and manages it throughout its lifecycle in Secrets Manager. + +To encrypt the secret, you can specify a customer managed key or use the default KMS key that is provided by Secrets Manager. Use the `--master-user-secret-kms-key-id` option to specify a customer managed key. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different AWS account, specify the key ARN or alias ARN. After RDS is managing the database credentials for a tenant database, you can't change the KMS key that is used to encrypt the secret. + +You can choose other settings to meet your requirements. For more information about the available settings when you are creating a tenant database, see [create-tenant-database](https://docs.aws.amazon.com/cli/latest/reference/rds/create-tenant-database.html). For more information about the available settings when you are modifying a tenant database, see [modify-tenant-database](https://docs.aws.amazon.com/cli/latest/reference/rds/modify-tenant-database.html). + +The following example creates an RDS for Oracle tenant database and specifies that RDS manages the master user password in Secrets Manager. The secret is encrypted using the KMS key that is provided by Secrets Manager. + +For Linux, macOS, or Unix: + + + aws rds create-tenant-database --region us-east-1 \ + --db-instance-identifier my-cdb-inst \ + --tenant-db-name mypdb2 \ + --master-username mypdb2-admin \ + --character-set-name UTF-16 \ + --manage-master-user-password + +For Windows: + + + aws rds create-tenant-database --region us-east-1 ^ + --db-instance-identifier my-cdb-inst ^ + --tenant-db-name mypdb2 ^ + --master-username mypdb2-admin ^ + --character-set-name UTF-16 ^ + --manage-master-user-password + +To specify that RDS manages the master user password in Secrets Manager, set the `ManageMasterUserPassword` parameter to `true` in one of the following RDS API operations: + + * [CreateTenantDatabase](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateTenantDatabase.html) + + * [ModifyTenantDatabase](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyTenantDatabase.html) + + + + +When you set the `ManageMasterUserPassword` parameter to `true` in one of these operations, RDS generates the master user password and manages it throughout its lifecycle in Secrets Manager. + +To encrypt the secret, you can specify a customer managed key or use the default KMS key that is provided by Secrets Manager. Use the `MasterUserSecretKmsKeyId` parameter to specify a customer managed key. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different AWS account, specify the key ARN or alias ARN. After RDS is managing the database credentials for a tenant database, you can't change the KMS key that is used to encrypt the secret.