AWS Security ChangesHomeSearch

AWS dms documentation change

Service: dms · 2025-06-07 · Documentation medium

File: dms/latest/userguide/CHAP_Tasks.AssessmentReport.Oracle.md

Summary

Added detailed permissions requirements for Oracle sources/targets in DMS Serverless environments, including specific GRANT statements and AWS-managed vs self-managed distinctions

Security assessment

The changes document required database permissions for proper access control, which is security-related configuration guidance. However, there's no evidence this addresses a specific disclosed vulnerability.

Diff

diff --git a/dms/latest/userguide/CHAP_Tasks.AssessmentReport.Oracle.md b/dms/latest/userguide/CHAP_Tasks.AssessmentReport.Oracle.md
index 187ecdba4..191fda350 100644
--- a//dms/latest/userguide/CHAP_Tasks.AssessmentReport.Oracle.md
+++ b//dms/latest/userguide/CHAP_Tasks.AssessmentReport.Oracle.md
@@ -9 +9 @@ Validate that limited LOB mode only is used when BatchApplyEnabled is enabled Va
-This section describes individual premigration assessments for migration tasks that use an Oracle source endpoint.
+For more information about permissions when using Oracle as a source, see [User account privileges required on a self-managed Oracle source for AWS DMS](./CHAP_Source.Oracle.html#CHAP_Source.Oracle.Self-Managed.Privileges) or [User account privileges required on an AWS-managed Oracle source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Amazon-Managed).
@@ -12,0 +13,2 @@ This section describes individual premigration assessments for migration tasks t
+This section describes individual premigration assessments for migration tasks that use Oracle as a source or a target for AWS DMS.
+
@@ -28,0 +31,2 @@ If you are using self-managed Oracle database as a source for AWS DMS, please us
+Additional permissions is required if you are using a self-managed Oracle database as a source for AWS DMS Serverless:
+    
@@ -30 +34,6 @@ If you are using self-managed Oracle database as a source for AWS DMS, please us
-If you are using an AWS-managed Oracle database as a source for AWS DMS, please use following permission set:
+    grant select on dba_segments to dms_user;
+    grant select on v_$tablespace to dms_user;
+    grant select on dba_tab_subpartitions to dms_user;
+    grant select on dba_extents to dms_user; 
+
+If you are using an AWS-managed Oracle database as a source for AWS DMS, use the following set of permissions:
@@ -47 +56,20 @@ If you are using an AWS-managed Oracle database as a source for AWS DMS, please
-For more information about permissions when using Oracle as a source, see [User account privileges required on a self-managed Oracle source for AWS DMS](./CHAP_Source.Oracle.html#CHAP_Source.Oracle.Self-Managed.Privileges) or [User account privileges required on an AWS-managed Oracle source for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Source.Oracle.html#CHAP_Source.Oracle.Amazon-Managed).
+
+Additional permissions is required if you are using an AWS-managed Oracle database as a source for AWS DMS Serverless:
+    
+    
+    EXEC RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT('DBA_SEGMENTS','dms_user', 'SELECT');
+    EXEC RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT('DBA_TAB_SUBPARTITIONS','dms_user', 'SELECT');
+    EXEC RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT('DBA_EXTENTS','dms_user', 'SELECT');
+    EXEC RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT('V_$TABLESPACE','dms_user', 'SELECT');
+
+If you are using a self-managed Oracle database as a target for AWS DMS, use the following set of permissions:
+    
+    
+    grant select on v_$instance to dms_user;
+    grant execute on SYS.DBMS_XMLGEN to dms_user;
+
+If you are using an AWS-managed Oracle database as a target for AWS DMS, use the following set of permissions:
+    
+    
+    EXEC RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT('V_$INSTANCE', 'dms_user', 'SELECT');
+    GRANT EXECUTE ON SYS.DBMS_XMLGEN TO dms_user;