AWS aurora-dsql high security documentation change
Summary
Removed preview notice and deleted entire section about security best practices including IAM role usage, permission policies, and resource tagging recommendations
Security assessment
The change removes critical security guidance about credential management (avoiding stored credentials), IAM policies for authorization, and security tagging practices. These deletions eliminate documentation about existing security features and best practices, which could lead to insecure implementations if users don't have this information.
Diff
diff --git a/aurora-dsql/latest/userguide/best-practices-security.md b/aurora-dsql/latest/userguide/best-practices-security.md index e03439b52..86c6ea705 100644 --- a//aurora-dsql/latest/userguide/best-practices-security.md +++ b//aurora-dsql/latest/userguide/best-practices-security.md @@ -5,3 +5 @@ -Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas and Previews ](https://aws.amazon.com/service-terms/) in the AWS Service Terms. - -# Security best practices for Amazon Aurora DSQL +# Security best practices for Aurora DSQL @@ -11,31 +8,0 @@ Aurora DSQL provides a number of security features to consider as you develop an -**Use IAM roles to authenticate access to Aurora DSQL** - -Any users, applications, and other AWS services that access Aurora DSQL must include valid AWS credentials in AWS API and AWS CLI requests. You shouldn't store AWS credentials directly in the application or EC2 instances. These are long-term credentials that aren't automatically rotated. There is significant business impact if these credentials are compromised. An IAM role lets you obtain temporary access keys that you can use to access AWS services and resources. - -For more information, see [ Understanding authentication and authorization for Aurora DSQL](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/authentication-authorization.html). - -**Use IAM policies for Aurora DSQL base authorization** - -When you grant permissions, you decide who is getting them, which Aurora DSQL API operations they are getting permissions for, and the specific actions you want to allow on those resources. Implementing least privilege is key in reducing security risk and the impact that can result from errors or malicious intent. - -Attach permissions policies to IAM roles and grant permissions to perform operations on Aurora DSQL resources. Also available arepermissions boundaries for IAM entities, which let you set the maximum permissions that an identity-based policy can grant to an IAM entity. - -Similar to the [ root user best practices for your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html), don't use the admin role in Aurora DSQL to perform everyday operations. Instead, we recommend that you create custom database roles to manage and connect to your cluster. For more information, see [ Accessing Aurora DSQL](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/accessing.html) and [Understanding authentication and authorization for Aurora DSQL](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/accessing.html). - -**Tag your Aurora DSQL resources for identification and automation** - -You can assign metadata to your AWS resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for, and filter resources. - -Tagging allows for grouped controls to be implemented. Although there are no inherent types of tags, they let you categorize resources by purpose, owner, environment, or other criteria. The following are some examples. - - * Security – used to determine requirements such as encryption. - - * Confidentiality – an identifier for the specific data-confidentiality level a resource supports. - - * Environment – used to distinguish between development, test, and production infrastructure. - - - - -For more information, see [ Best Practices for Tagging AWS Resources](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html). -