AWS aurora-dsql medium security documentation change
Summary
Clarified IAM role authorization duration and removed redundant links to connections documentation
Security assessment
Explicitly states that revoked IAM permissions don't terminate active connections immediately, highlighting a security-relevant behavior about session persistence. This clarifies a security consideration for access control management.
Diff
diff --git a/aurora-dsql/latest/userguide/authentication-authorization.md b/aurora-dsql/latest/userguide/authentication-authorization.md index ad1d08f3a..667aa9a51 100644 --- a//aurora-dsql/latest/userguide/authentication-authorization.md +++ b//aurora-dsql/latest/userguide/authentication-authorization.md @@ -69 +69 @@ Grant the following IAM policy actions to the IAM identity you’re using to est -After you establish a connection, your role is authorized up to one hour for the connection. To learn more, see [ Connections in Aurora DSQL](./working-with-connections.html). +After you establish a connection, your role is authorized up to one hour for the connection. @@ -163 +163 @@ To revoke authorization to connect to your cluster with the `admin` role, revoke -After revoking connection authorization from the IAM identity, Aurora DSQL rejects all new connection attempts from that IAM identity. Any active connections using the IAM identity might stay authorized for the connection’s duration. You can find connection duration in [ Quotas and limits](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/CHAP_quotas.html). To learn more about connections, see [ Connections in Aurora DSQL](./working-with-connections.html). +After revoking connection authorization from the IAM identity, Aurora DSQL rejects all new connection attempts from that IAM identity. Any active connections using the IAM identity might stay authorized for the connection’s duration. You can find connection duration in [ Quotas and limits](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/CHAP_quotas.html).