AWS Security ChangesHomeSearch

AWS aurora-dsql medium security documentation change

Service: aurora-dsql · 2025-05-19 · Security-related medium

File: aurora-dsql/latest/userguide/SECTION-tutorials-lambda.md

Summary

Updated Lambda integration tutorial to use DsqlSigner SDK package instead of manual signature v4 implementation, simplified code samples, added data validation assertions, and improved SSL configuration documentation

Security assessment

The change replaces a custom AWS Signature V4 implementation with the official DsqlSigner SDK, reducing potential authentication errors. It explicitly documents SSL enforcement (ssl: true) and retains TLS certificate validation (rejectUnauthorized remains true by default). The removal of manual cryptographic implementation reduces attack surface for potential signature errors.

Diff

diff --git a/aurora-dsql/latest/userguide/SECTION-tutorials-lambda.md b/aurora-dsql/latest/userguide/SECTION-tutorials-lambda.md
index 7a82bb7e9..dd638a944 100644
--- a//aurora-dsql/latest/userguide/SECTION-tutorials-lambda.md
+++ b//aurora-dsql/latest/userguide/SECTION-tutorials-lambda.md
@@ -9 +9 @@ Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas a
-The following sections describe how to use Lambda with Aurora DSQL 
+The following tutorial describes how to use Lambda with Aurora DSQL 
@@ -76,5 +76,3 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        "@aws-sdk/core": "^3.587.0",
-        "@aws-sdk/credential-providers": "^3.587.0",
-        "@smithy/protocol-http": "^4.0.0",
-        "@smithy/signature-v4": "^3.0.0",
-        "pg": "^8.11.5"
+        "@aws-sdk/dsql-signer": "^3.705.0",
+        "assert": "2.1.0",
+        "pg": "^8.13.1"
@@ -86,7 +84 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        import { formatUrl } from "@aws-sdk/util-format-url";
-    import { HttpRequest } from "@smithy/protocol-http";
-    import { SignatureV4 } from "@smithy/signature-v4";
-    import { fromNodeProviderChain } from "@aws-sdk/credential-providers";
-    import { NODE_REGION_CONFIG_FILE_OPTIONS, NODE_REGION_CONFIG_OPTIONS } from "@smithy/config-resolver";
-    import { Hash } from "@smithy/hash-node";
-    import { loadConfig } from "@smithy/node-config-provider";
+        import { DsqlSigner } from "@aws-sdk/dsql-signer";
@@ -93,0 +86 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
+    import assert from "node:assert";
@@ -96,45 +88,0 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-    export const getRuntimeConfig = (config) => {
-      return {
-        runtime: "node",
-        sha256: config?.sha256 ?? Hash.bind(null, "sha256"),
-        credentials: config?.credentials ?? fromNodeProviderChain(),
-        region: config?.region ?? loadConfig(NODE_REGION_CONFIG_OPTIONS, NODE_REGION_CONFIG_FILE_OPTIONS),
-        ...config,
-      };
-    };
-    
-    // Aurora DSQL requires IAM authentication
-    // This class generates auth tokens signed using AWS Signature Version 4
-    export class Signer {
-      constructor(hostname) {
-        const runtimeConfiguration = getRuntimeConfig({});
-    
-        this.credentials = runtimeConfiguration.credentials;
-        this.hostname = hostname;
-        this.region = runtimeConfiguration.region;
-    
-        this.sha256 = runtimeConfiguration.sha256;
-        this.service = "dsql";
-        this.protocol = "https:";
-      }
-      
-      async getAuthToken() {
-        const signer = new SignatureV4({
-          service: this.service,
-          region: this.region,
-          credentials: this.credentials,
-          sha256: this.sha256,
-        });
-    
-        // To connect with a custom database role, set Action as "DbConnect"
-        const request = new HttpRequest({
-          method: "GET",
-          protocol: this.protocol,
-          hostname: this.hostname,
-          query: {
-            Action: "DbConnectAdmin",
-          },
-          headers: {
-            host: this.hostname,
-          },
-        });
@@ -142,2 +90,7 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        const presigned = await signer.presign(request, {
-          expiresIn: 3600,
+    async function dsql_sample(clusterEndpoint, region) {
+      let client;
+      try {
+        // The token expiration time is optional, and the default value 900 seconds
+        const signer = new DsqlSigner({
+          hostname: clusterEndpoint,
+          region,
@@ -145,10 +98,9 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-    
-        // RDS requires the scheme to be removed
-        // https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.html
-        return formatUrl(presigned).replace(`${this.protocol}//`, "");
-      }
-    }
-    
-    // To connect with a custom database role, set user as the database role name
-    async function dsql_sample(token, endpoint) {
-      const client = new Client({
+        const token = await signer.getDbConnectAdminAuthToken();
+        // <https://node-postgres.com/apis/client>
+        // By default `rejectUnauthorized` is true in TLS options
+        // <https://nodejs.org/api/tls.html#tls_tls_connect_options_callback>
+        // The config does not offer any specific parameter to set sslmode to verify-full
+        // Settings are controlled either via connection string or by setting
+        // rejectUnauthorized to false in ssl options
+        client = new Client({
+          host: clusterEndpoint,
@@ -156,2 +107,0 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        database: "postgres",
-        host: endpoint,
@@ -159 +109,4 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        ssl: { 
+          database: "postgres",
+          port: 5432,
+          // <https://node-postgres.com/announcements> for version 8.0
+          ssl: true,
@@ -161 +113,0 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        },
@@ -163,0 +116 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
+        // Connect
@@ -165 +117,0 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-      console.log("[dsql_sample] connected to Aurora DSQL!");
@@ -167,8 +119,23 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-      try {
-        console.log("[dsql_sample] attempting transaction.");
-        await client.query("BEGIN; SELECT txid_current_if_assigned(); COMMIT;");
-        return 200;
-      } catch (err) {
-        console.log("[dsql_sample] transaction attempt failed!");
-        console.error(err);
-        return 500;
+        // Create a new table
+        await client.query(`CREATE TABLE IF NOT EXISTS owner (
+          id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+          name VARCHAR(30) NOT NULL,
+          city VARCHAR(80) NOT NULL,
+          telephone VARCHAR(20)
+        )`);
+    
+        // Insert some data
+        await client.query("INSERT INTO owner(name, city, telephone) VALUES($1, $2, $3)", 
+          ["John Doe", "Anytown", "555-555-1900"]
+        );
+    
+        // Check that data is inserted by reading it back
+        const result = await client.query("SELECT id, city FROM owner where name='John Doe'");
+        assert.deepEqual(result.rows[0].city, "Anytown")
+        assert.notEqual(result.rows[0].id, null)
+    
+        await client.query("DELETE FROM owner where name='John Doe'");
+    
+      } catch (error) {
+        console.error(error);
+        throw new Error("Failed to connect to the database");
@@ -176 +143 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-        await client.end();
+        client?.end();
@@ -177,0 +145 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
+      Promise.resolve();
@@ -183,3 +152,2 @@ We're using an admin role to minimize prerequisite steps to get started. You sho
-      const s = new Signer(endpoint);
-      const token = await s.getAuthToken();
-      const responseCode = await dsql_sample(token, endpoint);
+      const region = event.region;
+      const responseCode = await dsql_sample(endpoint, region);
@@ -237 +205 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Utilities, tutorials, and sample code
+Tutorials 
@@ -239 +207 @@ Utilities, tutorials, and sample code
-Security
+Setting up Aurora DSQL clusters