AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-05-22 · Documentation low

File: AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md

Summary

Added Babelfish version compatibility column to supported/unsupported use case tables, updated role descriptions, and clarified version-specific constraints for permissions management.

Security assessment

The changes document security-related permissions management features (e.g., roles like db_securityadmin, db_accessadmin) and their version availability. While this clarifies security controls, there is no evidence of addressing a specific vulnerability. The updates improve documentation of existing security features rather than patching issues.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md b/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md
index 2d96a5666..af9aeb52d 100644
--- a//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md
+++ b//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md
@@ -15,13 +15,15 @@ The following table explains the use cases that are supported in Babelfish. For
-Use case  |  Action  |  SQL commands  |  Comments   
----|---|---|---  
-Allow login to do SELECTs/DMLs/DDLs in any database  |  Add login to sysadmin server role  |  ALTER SERVER ROLE sysadmin ADD MEMBER `login` |  None   
-Allow login to do SELECTs/DMLs/DDLs in a database  |  Make login the owner of the database  |  ALTER AUTHORIZATION ON DATABASE::`database` TO `login` |  A database can have only one owner.   
-Allow database user to do SELECTs/DMLs on a schema  |  Grant permission to database user on schema  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON SCHEMA::`schema` TO `user` |  None   
-Allow database user to do SELECTs/DMLs on a schema  |  Make database user owner of schema at schema creation time  |  CREATE SCHEMA `schema` AUTHORIZATION `user` |  Changing schema ownership after creation isn't currently supported.   
-Allow database user to do SELECTs/DMLs on an object  |  Grant permission to database user on object  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT::`object` TO `user` |  None   
-Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Add user to db_owner fixed database role  |  ALTER ROLE db_owner ADD MEMBER `user` |  Only users can be added db_owner fixed database role. Adding roles to db_owner role is not yet supported.   
-Allow user or members of a custom database role to do only SELECTs in a database  |  Add user or role to db_datareader fixed database role  |  ALTER ROLE db_datareader ADD MEMBER `user` / `role` |  None   
-Allow user or members of a custom database role to do only DMLs in a database  |  Add user or role to db_datawriter fixed database role  |  ALTER ROLE db_datawriter ADD MEMBER `user` / `role` |  None   
-Allow user or members of a custom database role to do only DDLs in a database  |  Add user or role to db_accessadmin fixed database role  |  ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` |  None   
-Allow login to only CREATE/DROP/ALTER any database  |  Add login to dbcreator fixed server role  |  ALTER SERVER ROLE dbcreator ADD MEMBER `login` |  Only those databases can be alterred on which dbcreator login has access.   
-Allow login to only CREATE/ALTER/DROP any login  |  Add login to securityadmin fixed server role  |  ALTER SERVER ROLE securityadmin ADD MEMBER `login` |  None   
+Use case  |  Action  |  SQL commands  |  Comments  |  Babelfish version compatibility   
+---|---|---|---|---  
+Allow login to do SELECTs/DMLs/DDLs in any database  |  Add login to sysadmin server role  |  ALTER SERVER ROLE sysadmin ADD MEMBER `login` |  None  |  All versions   
+Allow login to do SELECTs/DMLs/DDLs in a database  |  Make login the owner of the database  |  ALTER AUTHORIZATION ON DATABASE::`database` TO `login` |  A database can have only one owner.  |  Version 3.4 and higher   
+Allow database user to do SELECTs/DMLs on a schema  |  Grant permission to database user on schema  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON SCHEMA::`schema` TO `user` |  None  |  Version 3.6 and higher, 4.2 and higher   
+Allow database user to do SELECTs/DMLs on a schema  |  Make database user owner of schema at schema creation time  |  CREATE SCHEMA `schema` AUTHORIZATION `user` |  Changing schema ownership after creation isn't currently supported.  |  Version 1.2 and higher   
+Allow database user to do SELECTs/DMLs on an object  |  Grant permission to database user on object  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT::`object` TO `user` |  None  |  All versions   
+Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Add user to db_owner fixed database role  |  ALTER ROLE db_owner ADD MEMBER `user` |  Only users can be added db_owner fixed database role. Adding roles to db_owner role is not yet supported.  |  Version 4.5 and higher, 5.1 and higher   
+Allow user or members of a custom database role to do only SELECTs in a database  |  Add user or role to db_datareader fixed database role  |  ALTER ROLE db_datareader ADD MEMBER `user` / `role` |  None  |  Version 4.5 and higher, 5.1 and higher   
+Allow user or members of a custom database role to do only DMLs in a database  |  Add user or role to db_datawriter fixed database role  |  ALTER ROLE db_datawriter ADD MEMBER `user` / `role` |  None  |  Version 4.5 and higher, 5.1 and higher   
+Allow user or members of a custom database role to do only DDLs in a database  |  Add user or role to db_accessadmin fixed database role  |  ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` |  None  |  Version 4.5 and higher, 5.1 and higher   
+Allow user or members of a custom database role to only CREATE/ALTER/DROP custom roles, GRANT/REVOKE permissions on objects in a database and/or CREATE SCHEMA in a database  |  Add user or role to db_securityadmin fixed database role  |  ALTER ROLE db_securityadmin ADD MEMBER `user` / `role` |  None  |  Version 4.5 and higher, 5.1 and higher   
+Allow user or members of a custom database role to only CREATE/ALTER/DROP any user, grant and revoke database access and map user accounts to logins and/or CREATE SCHEMA in a database  |  Add user or role to db_accessadmin fixed database role  |  ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` |  None  |  Version 4.5 and higher, 5.1 and higher   
+Allow login to only CREATE/DROP/ALTER any database  |  Add login to dbcreator fixed server role  |  ALTER SERVER ROLE dbcreator ADD MEMBER `login` |  Only those databases can be altered on which dbcreator login has access.  |  Version 4.5 and higher, 5.1 and higher   
+Allow login to only CREATE/ALTER/DROP any login  |  Add login to securityadmin fixed server role  |  ALTER SERVER ROLE securityadmin ADD MEMBER `login` |  None  |  Version 4.5 and higher, 5.1 and higher   
@@ -33,4 +35,4 @@ The following table explains the use cases that aren't supported in Babelfish, b
-Use case  |  Action  |  SQL commands  |  Comments   
----|---|---|---  
-Allow user to do SELECTs/DMLs on an object/schema along with option to GRANT these permissions to other users  |  GRANT the permissions to all the other users directly  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT/SCHEMA::`object`/`schema` TO `user` |  GRANT ... WITH GRANT OPTION isn't currently supported.   
-Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Add members of role to db_owner fixed database role  |  ALTER ROLE db_owner ADD MEMBER `user` |  Adding roles to db_owner role isn't currently supported.   
+Use case  |  Action  |  SQL commands  |  Comments  |  Babelfish version compatibility for workarounds   
+---|---|---|---|---  
+Allow user to do SELECTs/DMLs on an object/schema along with option to GRANT these permissions to other users  |  GRANT the permissions to all the other users directly  |  GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT/SCHEMA::`object`/`schema` TO `user` |  GRANT ... WITH GRANT OPTION isn't currently supported.  |  Version 3.6 and higher, 4.2 and higher   
+Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database  |  Add members of role to db_owner fixed database role  |  ALTER ROLE db_owner ADD MEMBER `user` |  Adding roles to db_owner role isn't currently supported.  |  Version 4.5 and higher, 5.1 and higher