AWS Security ChangesHomeSearch

AWS aurora-dsql documentation change

Service: aurora-dsql · 2025-05-16 · Documentation low

File: aurora-dsql/latest/userguide/working-with-connections.md

Summary

Updated documentation structure and terminology regarding connections/sessions, simplified authentication library references, and clarified session lifetime/transaction limits

Security assessment

Changes focus on terminology clarification (e.g., 'Connections and sessions' instead of 'How connections work') and editorial improvements. While security mechanisms like IAM re-authentication are mentioned, these were already documented. The change from 'can't' to 'aren't' in revoked credentials context is grammatical rather than security-substantive. No new security features or vulnerability mitigations are introduced.

Diff

diff --git a/aurora-dsql/latest/userguide/working-with-connections.md b/aurora-dsql/latest/userguide/working-with-connections.md
index c74c30dcc..4e07a4b41 100644
--- a//aurora-dsql/latest/userguide/working-with-connections.md
+++ b//aurora-dsql/latest/userguide/working-with-connections.md
@@ -5 +5 @@
-How connections workConnection limits
+Connections and sessionsConnection limits
@@ -9 +9 @@ Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas a
-# Aurora DSQL connections
+#  Connections in Aurora DSQL
@@ -13 +13 @@ A _connection_ in Aurora DSQL is a single, active, TLS-encrypted TCP session bet
-## How connections work
+## Connections and sessions
@@ -21 +21 @@ To connect to Aurora DSQL, use a standard PostgreSQL-compatible driver configure
-  * An authentication token generated using Aurora DSQL-provided libraries supported by AWS
+  * An authentication token generated using libraries provided by Aurora DSQL
@@ -26 +26 @@ To connect to Aurora DSQL, use a standard PostgreSQL-compatible driver configure
-After you establish a connection, it maps to exactly one session. A session can't exist without a connection. Aurora DSQL authenticates each session with a state, such as prepared statements or an active query. Aurora DSQL re-authenticates users at the start of every transaction against its IAM trust tables. This mechanism ensures that revoked credentials can't be reused in ongoing sessions. 
+A connection maps to exactly one session. A session can't exist without a connection. 
@@ -28 +28,3 @@ After you establish a connection, it maps to exactly one session. A session can'
-Each session lasts up to 1 hour. Individual transactions within the session are limited to 5 minutes. If a transaction begins at the end of the session lifetime (that is, at the 60th minute), Aurora DSQL allows the transaction to run for the full 5-minute transaction window before closing the session. If Aurora DSQL can't establish a session—for example, due to authentication failure or internal resource exhaustion—the connection attempt is rejected.
+Aurora DSQL authenticates each session with a state, such as prepared statements or an active query. Aurora DSQL re-authenticates users at the start of every transaction against its IAM trust tables. This mechanism ensures that revoked credentials aren't reused in ongoing sessions. 
+
+Each session lasts up to 1 hour. Individual transactions within a session are limited to 5 minutes. If a transaction begins at the end of the session lifetime (that is, at the 60th minute), Aurora DSQL allows the transaction to run for 5 minutes before closing the session. If Aurora DSQL can't establish a session—for example, because authentication fails or internal resources are exhausted—the connection attempt is rejected.