AWS Security ChangesHomeSearch

AWS aurora-dsql medium security documentation change

Service: aurora-dsql · 2025-08-13 · Security-related medium

File: aurora-dsql/latest/userguide/working-with-service-linked-roles.md

Summary

Rewrote IAM policy example to use specific dsql:CreateCluster actions with regional resource ARNs instead of service-linked role creation

Security assessment

Changes implement least-privilege principles by narrowing permissions from broad iam:CreateServiceLinkedRole to specific cluster creation actions with regional restrictions

Diff

diff --git a/aurora-dsql/latest/userguide/working-with-service-linked-roles.md b/aurora-dsql/latest/userguide/working-with-service-linked-roles.md
index 18385ae5f..343334135 100644
--- a//aurora-dsql/latest/userguide/working-with-service-linked-roles.md
+++ b//aurora-dsql/latest/userguide/working-with-service-linked-roles.md
@@ -24,0 +25,6 @@ You must configure permissions to allow an IAM entity (such as a user, group, or
+JSON
+    
+
+****
+    
+    
@@ -27,8 +33,9 @@ You must configure permissions to allow an IAM entity (such as a user, group, or
-    "Sid" : "CreateDsqlServiceLinkedRole",
-        "Effect" : "Allow",
-        "Action" : "iam:CreateServiceLinkedRole",
-        "Resource" : "*",
-        "Condition" : {
-          "StringEquals" : {
-            "iam:AWSServiceName" : "dsql.amazonaws.com"
-          }
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": ["dsql:CreateCluster"], 
+                "Resource": [
+                    "arn:aws:dsql:us-east-1:*:cluster/*",
+                    "arn:aws:dsql:us-east-2:*:cluster/*"
+                ],
+                "Effect": "Allow"
@@ -35,0 +43 @@ You must configure permissions to allow an IAM entity (such as a user, group, or
+        ]