AWS Security ChangesHomeSearch

AWS aurora-dsql medium security documentation change

Service: aurora-dsql · 2025-05-10 · Security-related medium

File: aurora-dsql/latest/userguide/working-with-connections.md

Summary

Updated documentation to clarify connection mechanics, session management, authentication methods, and connection limits. Added details about TLS encryption, session re-authentication at transaction start, and explicit connection rate limits.

Security assessment

The change explicitly states that Aurora DSQL re-authenticates users at the start of every transaction against IAM trust tables, which prevents revoked credentials from being reused. This addresses a potential security gap in session persistence after credential revocation. TLS encryption and connection rate limits (burst capacity/refill rate) also contribute to security posture by enforcing secure communication and mitigating resource exhaustion risks.

Diff

diff --git a/aurora-dsql/latest/userguide/working-with-connections.md b/aurora-dsql/latest/userguide/working-with-connections.md
index 9d5c30897..c74c30dcc 100644
--- a//aurora-dsql/latest/userguide/working-with-connections.md
+++ b//aurora-dsql/latest/userguide/working-with-connections.md
@@ -4,0 +5,2 @@
+How connections workConnection limits
+
@@ -7 +9,16 @@ Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas a
-# Understanding connections in Aurora DSQL
+# Aurora DSQL connections
+
+A _connection_ in Aurora DSQL is a single, active, TLS-encrypted TCP session between a client and the Aurora DSQL query engine. With a connection, a client can send SQL statements and receive results. Each connection is tightly coupled with exactly one _session_ , which maintains state information such as transactions, prepared statements, and query context.
+
+## How connections work
+
+To connect to Aurora DSQL, use a standard PostgreSQL-compatible driver configured for TLS. You authenticate using: 
+
+  * A PostgreSQL role (as the username)
+
+  * A password
+
+  * An authentication token generated using Aurora DSQL-provided libraries supported by AWS
+
+
+
@@ -9 +26 @@ Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas a
-To connect to Aurora DSQL, use a standard Postgres driver configured with TLS. To connect, you specify a Postgres role as the user, a password, and an authentication token. Aurora DSQL provides libraries for you to generate authentication tokens in most AWS supported languages. Once you're connected, you can use your session to run transaction for up to 1 hour with a transaction timeout of 5 minutes each. If you start a transaction in the 60th minute, Aurora DSQL still runs the transaction until you reach the limit of five minutes before it closes the session.
+After you establish a connection, it maps to exactly one session. A session can't exist without a connection. Aurora DSQL authenticates each session with a state, such as prepared statements or an active query. Aurora DSQL re-authenticates users at the start of every transaction against its IAM trust tables. This mechanism ensures that revoked credentials can't be reused in ongoing sessions. 
@@ -11 +28 @@ To connect to Aurora DSQL, use a standard Postgres driver configured with TLS. T
-Aurora DSQL authenticates each session with a state, such as prepared statements or an active query. A **connection** is a TLS-wrapped TCP connection that might get rejected if Aurora DSQL can't turn it into a session for any reason. Each session maps to exactly one connection. With a connection, a client can't have a session, and a connection can only have one session in Aurora DSQL.
+Each session lasts up to 1 hour. Individual transactions within the session are limited to 5 minutes. If a transaction begins at the end of the session lifetime (that is, at the 60th minute), Aurora DSQL allows the transaction to run for the full 5-minute transaction window before closing the session. If Aurora DSQL can't establish a session—for example, due to authentication failure or internal resource exhaustion—the connection attempt is rejected.
@@ -13 +30 @@ Aurora DSQL authenticates each session with a state, such as prepared statements
-To make sure that a user with revoked Postgres credentials can't connect to a cluster on an existing session, we authenticate the user against Aurora DSQL's IAM trust tables at the beginning of each transaction.
+## Connection limits
@@ -15 +32 @@ To make sure that a user with revoked Postgres credentials can't connect to a cl
-**Connection limits**
+Aurora DSQL enforces the following connection limits to maintain service stability.
@@ -17 +34,6 @@ To make sure that a user with revoked Postgres credentials can't connect to a cl
-By default, you can create up to [ 10000 connections per cluster ](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/CHAP_quotas.html#SECTION_cluster-quotas)at 100 connections per second with a burst of 1000. For example, if one connection is one token in a token bucket, you begin with 1000 available tokens in the bucket. If you create 1000 tokens, you have zero remaining tokens and have to wait for a second before you can create more connections. The refill rate is 100 tokens per second. To increase these limits, contact AWS support.
+Type of limit | Limit  
+---|---  
+Cluster-wide connection limit | [10,000 connections per cluster](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/CHAP_quotas.html#SECTION_cluster-quotas)  
+Connection creation rate | 100 connections per second  
+Burst capacity | 1,000 connections  
+Refill rate when no tokens remain | 100 tokens per second