AWS aurora-dsql documentation change
Summary
Updated documentation for IAM authentication token usage and policy details. Changes include clarifying temporary token usage, adding connection duration limits in policy examples, and improving revocation behavior explanations.
Security assessment
The changes emphasize temporary authentication tokens and explicit 1-hour authorization limits, which are security best practices for credential lifecycle management. However, there is no evidence of addressing a specific vulnerability. The updates improve clarity around security controls but don't indicate a newly discovered security issue.
Diff
diff --git a/aurora-dsql/latest/userguide/authentication-authorization.md b/aurora-dsql/latest/userguide/authentication-authorization.md index 667aa9a51..8bc1abde7 100644 --- a//aurora-dsql/latest/userguide/authentication-authorization.md +++ b//aurora-dsql/latest/userguide/authentication-authorization.md @@ -7,2 +6,0 @@ Managing your clusterConnecting to your clusterPostgreSQL and IAM rolesUsing IAM -Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas and Previews ](https://aws.amazon.com/service-terms/) in the AWS Service Terms. - @@ -43 +41 @@ To connect to your cluster, use IAM for authentication and authorization: -Generate an authentication token using an IAM identity with authorization to connect. When you connect to your database, provide a temporary authentication token instead of a credential. To learn more, see [Generating an authentication token in Amazon Aurora DSQL](./SECTION_authentication-token.html). +Generate a temporary authentication token using an IAM identity with authorization to connect to your cluster. To learn more, see [Generating an authentication token in Amazon Aurora DSQL](./SECTION_authentication-token.html). @@ -58 +56 @@ Grant the following IAM policy actions to the IAM identity you’re using to est - * Use `dsql:DbConnect` if you're using a custom database role. You create and manage this role by using SQL commands in your database. The following sample IAM policy action permits a custom database role to connect to `my-cluster`. + * Use `dsql:DbConnect` if you're using a custom database role. You create and manage this role by using SQL commands in your database. The following sample IAM policy action permits a custom database role to connect to `my-cluster` for up to one hour. @@ -69 +67 @@ Grant the following IAM policy actions to the IAM identity you’re using to est -After you establish a connection, your role is authorized up to one hour for the connection. +After you establish a connection, your role is authorized for up to one hour for the connection. @@ -143,2 +140,0 @@ The following example policy shows all available IAM policy actions for managing - "dsql:CreateMultiRegionClusters", - "dsql:DeleteMultiRegionClusters", @@ -163 +159 @@ To revoke authorization to connect to your cluster with the `admin` role, revoke -After revoking connection authorization from the IAM identity, Aurora DSQL rejects all new connection attempts from that IAM identity. Any active connections using the IAM identity might stay authorized for the connection’s duration. You can find connection duration in [ Quotas and limits](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/CHAP_quotas.html). +After revoking connection authorization from the IAM identity, Aurora DSQL rejects all new connection attempts from that IAM identity. Any active connections that use the IAM identity might stay authorized for the duration of the connection. For more information on connection durations, see [Quotas and limits](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/CHAP_quotas.html).