AWS Security ChangesHomeSearch

AWS AmazonRDS medium security documentation change

Service: AmazonRDS · 2025-07-01 · Security-related medium

File: AmazonRDS/latest/UserGuide/custom-setup-orcl.md

Summary

Added SQS permissions to IAM policy and Multi-AZ deployment note about SQS service

Security assessment

Added explicit SQS permissions (SendMessage, ReceiveMessage, DeleteMessage) with resource constraints and tag-based conditions. This addresses potential service disruptions and ensures least-privilege access for RDS Custom operations. Missing these permissions could lead to failed operations affecting availability.

Diff

diff --git a/AmazonRDS/latest/UserGuide/custom-setup-orcl.md b/AmazonRDS/latest/UserGuide/custom-setup-orcl.md
index 0f87235d2..6faa5b80a 100644
--- a//AmazonRDS/latest/UserGuide/custom-setup-orcl.md
+++ b//AmazonRDS/latest/UserGuide/custom-setup-orcl.md
@@ -479,0 +480,16 @@ Set this variable to the Amazon Resource Name (ARN) of the AWS KMS key that you
+            },
+            {
+                "Sid": "13",
+                "Effect": "Allow",
+                "Action": [
+                    "sqs:SendMessage",
+                    "sqs:ReceiveMessage",
+                    "sqs:DeleteMessage",
+                    "sqs:GetQueueUrl"
+                ],
+                "Resource": "arn:aws:sqs:'$REGION':'$ACCOUNT_Id':do-not-delete-rds-custom-*",
+                "Condition": {
+                    "StringLike": {
+                        "aws:ResourceTag/AWSRDSCustom": "custom-oracle"
+                    }
+                }
@@ -711,0 +728,4 @@ When you use the CloudFormation template for your VPC, it creates the following
+If you're creating a Multi-AZ deployment:
+
+    * `com.amazonaws.`region`.sqs`
+