AWS AmazonRDS medium security documentation change
Summary
Added SQS permissions to IAM policy and Multi-AZ deployment note about SQS service
Security assessment
Added explicit SQS permissions (SendMessage, ReceiveMessage, DeleteMessage) with resource constraints and tag-based conditions. This addresses potential service disruptions and ensures least-privilege access for RDS Custom operations. Missing these permissions could lead to failed operations affecting availability.
Diff
diff --git a/AmazonRDS/latest/UserGuide/custom-setup-orcl.md b/AmazonRDS/latest/UserGuide/custom-setup-orcl.md index 0f87235d2..6faa5b80a 100644 --- a//AmazonRDS/latest/UserGuide/custom-setup-orcl.md +++ b//AmazonRDS/latest/UserGuide/custom-setup-orcl.md @@ -479,0 +480,16 @@ Set this variable to the Amazon Resource Name (ARN) of the AWS KMS key that you + }, + { + "Sid": "13", + "Effect": "Allow", + "Action": [ + "sqs:SendMessage", + "sqs:ReceiveMessage", + "sqs:DeleteMessage", + "sqs:GetQueueUrl" + ], + "Resource": "arn:aws:sqs:'$REGION':'$ACCOUNT_Id':do-not-delete-rds-custom-*", + "Condition": { + "StringLike": { + "aws:ResourceTag/AWSRDSCustom": "custom-oracle" + } + } @@ -711,0 +728,4 @@ When you use the CloudFormation template for your VPC, it creates the following +If you're creating a Multi-AZ deployment: + + * `com.amazonaws.`region`.sqs` +