AWS aurora-dsql medium security documentation change
Summary
Updated data protection documentation by removing preview notice, simplifying AWS references, restructuring encryption details, removing FIPS 140-3 guidance, and consolidating sections.
Security assessment
The removal of FIPS 140-3 endpoint guidance (previously recommending FIPS-validated modules for compliance) directly impacts security documentation for regulated workloads. This change removes explicit guidance about using validated cryptographic modules, which is critical for compliance with government standards like FIPS.
Diff
diff --git a/aurora-dsql/latest/userguide/data-protection.md b/aurora-dsql/latest/userguide/data-protection.md index fd70770c4..00d600a8e 100644 --- a//aurora-dsql/latest/userguide/data-protection.md +++ b//aurora-dsql/latest/userguide/data-protection.md @@ -7,2 +6,0 @@ Data encryption -Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas and Previews ](https://aws.amazon.com/service-terms/) in the AWS Service Terms. - @@ -11 +9 @@ Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas a -The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Aurora DSQL. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the _AWS Security Blog_. +The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in . As described in this model, is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [ Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the _Security Blog_. @@ -13 +11 @@ The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-r -For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways: +For data protection purposes, we recommend that you protect credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management. That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways: @@ -17 +15 @@ For data protection purposes, we recommend that you protect AWS account credenti - * Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3. + * Use SSL/TLS to communicate with resources. We require TLS 1.2 and recommend TLS 1.3. @@ -19 +17 @@ For data protection purposes, we recommend that you protect AWS account credenti - * Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the _AWS CloudTrail User Guide_. + * Set up API and user activity logging with AWS CloudTrail. For information about using trails to capture activities, see [Working with trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the _User Guide_. @@ -21 +19 @@ For data protection purposes, we recommend that you protect AWS account credenti - * Use AWS encryption solutions, along with all default security controls within AWS services. + * Use encryption solutions, along with all default security controls within AWS services. @@ -25,2 +22,0 @@ For data protection purposes, we recommend that you protect AWS account credenti - * If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/). - @@ -30 +26 @@ For data protection purposes, we recommend that you protect AWS account credenti -We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Aurora DSQL or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server. +We strongly recommend that you never put confidential or sensitive information, such as your customers email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with or other using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server. @@ -34,15 +30 @@ We strongly recommend that you never put confidential or sensitive information, -Amazon Aurora DSQL provides a highly durable storage infrastructure designed for mission-critical and primary data storage. Data is redundantly stored on multiple devices across multiple facilities in a Aurora DSQL Region. - -### Encryption at rest - -By default, Aurora DSQL configures encryption at rest for you. - -#### Aurora DSQL owned keys - -Aurora DSQL owned keys are not stored in your AWS account. They are part of a collection of KMS keys that Aurora DSQL owns and manages for encrypting data in your clusters. Aurora DSQL uses envelop encryption to encrypt data. These keys are rotated every year (approximately 365 days). - -You are not charged a monthly fee or a usage fee for use of AWS owned keys, and they do not count against AWS KMS quotas for your account. - -#### Customer managed keys - -Aurora DSQL doesn't support customer-managed keys for encrypting data in your clusters. +Amazon Aurora DSQL provides a highly durable storage infrastructure designed for mission-critical and primary data storage. Data is redundantly stored on multiple devices across multiple facilities in an Aurora DSQL Region. @@ -64,0 +47,2 @@ Encryption and signing of data in transit between AWS CLI, SDK, or API clients a +For encryption at rest, see [Encryption at rest in Aurora DSQL](./data-encryption.html#encryption-at-rest). + @@ -95 +79 @@ AWS managed policies -Identity and access management +Data encryption