AWS Security ChangesHomeSearch

AWS aurora-dsql documentation change

Service: aurora-dsql · 2025-05-28 · Documentation low

File: aurora-dsql/latest/userguide/security-iam-awsmanpol.md

Summary

Updated IAM policy documentation to add backup/restore operations permissions, KMS key management permissions, CloudShell access, and removed preview service notice

Security assessment

The changes add documentation about security-related capabilities including KMS key validation for cluster encryption and backup/restore job management. While these are security features, there is no evidence of addressing a specific vulnerability. The KMS permissions documentation improves clarity about encryption controls.

Diff

diff --git a/aurora-dsql/latest/userguide/security-iam-awsmanpol.md b/aurora-dsql/latest/userguide/security-iam-awsmanpol.md
index 5682cdec6..99886236e 100644
--- a//aurora-dsql/latest/userguide/security-iam-awsmanpol.md
+++ b//aurora-dsql/latest/userguide/security-iam-awsmanpol.md
@@ -7,2 +6,0 @@ AmazonAuroraDSQLFullAccessAmazonAuroraDSQLReadOnlyAccessAmazonAuroraDSQLConsoleF
-Amazon Aurora DSQL is provided as a Preview service. To learn more, see [Betas and Previews ](https://aws.amazon.com/service-terms/) in the AWS Service Terms. 
-
@@ -23 +21 @@ You can attach `AmazonAuroraDSQLFullAccess` to your users, groups, and roles.
-This policy grants permissions that allows full administrative access to Aurora DSQL. Principals with these permissions can create, delete, and update Aurora DSQL clusters, including multi-Region clusters. They can add and remove tags from clusters. They can list clusters and view information about individual clusters. They can see tags attached to Aurora DSQL clusters. They can connect to the database as any user, including admin. They can see any metrics from CloudWatch on your account. They also have permissions to create service-linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters. 
+This policy grants permissions that allows full administrative access to Aurora DSQL. Principals with these permissions can create, delete, and update Aurora DSQL clusters, including multi-Region clusters. They can add and remove tags from clusters. They can list clusters and view information about individual clusters. They can see tags attached to Aurora DSQL clusters. They can connect to the database as any user, including admin. They can perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring backup and restore jobs. The policy includes AWS KMS permissions that allow operations on customer-managed keys used for cluster encryption. They can see any metrics from CloudWatch on your account. They also have permissions to create service-linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters. 
@@ -29 +27,3 @@ This policy includes the following permissions.
-  * `dsql` – grants principals full access to Aurora DSQL.
+  * `dsql`—grants principals full access to Aurora DSQL.
+
+  * `cloudwatch`—grants permission to publish metric data points to Amazon CloudWatch.
@@ -31 +31 @@ This policy includes the following permissions.
-  * `cloudwatch` – grants permission to publish metric data points to Amazon CloudWatch.
+  * `iam`—grants permission to create a service-linked role.
@@ -33 +33,3 @@ This policy includes the following permissions.
-  * `iam` – grants permission to create a service-linked role.
+  * `backup and restore`—grants permissions to start, stop, and monitor backup and restore jobs for Aurora DSQL clusters. 
+
+  * `kms`—grants permissions required to validate access to customer-managed keys used for Aurora DSQL cluster encryption when creating, updating, or connecting to clusters. 
@@ -63 +65 @@ You can attach `AmazonAuroraDSQLConsoleFullAccess` to your users, groups, and ro
-Allows full administrative access to Amazon Aurora DSQL via the AWS Management Console. Principals with these permissions can create, delete, and update Aurora DSQL clusters, including multi-Region clusters, with the console. They can list clusters, view information about individual clusters. They can see tags on any resource on your account. They can connect to the database as any user, including the admin. They can see any metrics from CloudWatch on your account. They also have permissions to create service linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters. 
+Allows full administrative access to Amazon Aurora DSQL via the AWS Management Console. Principals with these permissions can create, delete, and update Aurora DSQL clusters, including multi-Region clusters, with the console. They can list clusters and view information about individual clusters. They can see tags on any resource on your account. They can connect to the database as any user, including the admin. They can perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring backup and restore jobs. The policy includes AWS KMS permissions that allow operations on customer-managed keys used for cluster encryption. They can launch AWS CloudShell from the AWS Management Console. They can see any metrics from CloudWatch on your account. They also have permissions to create service linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters. 
@@ -71 +73 @@ This policy includes the following permissions.
-  * `dsql` – grants full administrative permissions to all resources in Aurora DSQL via the AWS Management Console.
+  * `dsql`—grants full administrative permissions to all resources in Aurora DSQL via the AWS Management Console.
@@ -73 +75,9 @@ This policy includes the following permissions.
-  * `cloudwatch` – grants permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data 
+  * `cloudwatch`—grants permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data. 
+
+  * `tag`—grants permission to returns tag keys and values currently in use in the specified AWS Region for the calling account.
+
+  * `backup and restore`—grants permissions to start, stop, and monitor backup and restore jobs for Aurora DSQL clusters. 
+
+  * `kms`—grants permissions required to validate access to customer-managed keys used for Aurora DSQL cluster encryption when creating, updating, or connecting to clusters. 
+
+  * `cloudshell`—grants permissions to launch AWS CloudShell to interact with Aurora DSQL.
@@ -75 +85 @@ This policy includes the following permissions.
-  * `tag` – grants permission to returns tag keys and values currently in use in the specified AWS Region for the calling account
+  * `ec2`—grants permission to view Amazon VPC endpoint information needed for Aurora DSQL connections.
@@ -93,0 +104,2 @@ Change | Description | Date
+AmazonAuroraDSQLFullAccess update |  Adds the capability to perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring jobs. It also adds the capability to use customer-managed KMS keys for cluster encryption. For more information, see [AmazonAuroraDSQLFullAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLFullAccess) and [Using service-linked roles in Aurora DSQL ](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/working-with-service-linked-roles.html). | May 21, 2025  
+AmazonAuroraDSQLConsoleFullAccess update |  Adds the capability to perform backup and restore operations for Aurora DSQL clusters through the AWS Console Home. This includes starting, stopping, and monitoring jobs. It also supports using customer-managed KMS keys for cluster encryption and launching AWS CloudShell. For more information, see [AmazonAuroraDSQLConsoleFullAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLConsoleFullAccess) and [Using service-linked roles in Aurora DSQL ](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/working-with-service-linked-roles.html). | May 21, 2025