AWS Security ChangesHomeSearch

AWS aurora-dsql documentation change

Service: aurora-dsql · 2025-08-25 · Documentation medium

File: aurora-dsql/latest/userguide/security-iam-awsmanpol.md

Summary

Added AWS FIS permissions to managed policies for fault tolerance testing, restructured policy descriptions into bullet points, and updated policy references.

Security assessment

The change introduces AWS FIS permissions to enable controlled fault injection testing, which is a security-related feature for resilience validation. However, there is no evidence this addresses an existing security vulnerability. The update documents security-adjacent capabilities but does not remediate a specific security issue.

Diff

diff --git a/aurora-dsql/latest/userguide/security-iam-awsmanpol.md b/aurora-dsql/latest/userguide/security-iam-awsmanpol.md
index 99886236e..5a15f7d3f 100644
--- a//aurora-dsql/latest/userguide/security-iam-awsmanpol.md
+++ b//aurora-dsql/latest/userguide/security-iam-awsmanpol.md
@@ -21 +21,24 @@ You can attach `AmazonAuroraDSQLFullAccess` to your users, groups, and roles.
-This policy grants permissions that allows full administrative access to Aurora DSQL. Principals with these permissions can create, delete, and update Aurora DSQL clusters, including multi-Region clusters. They can add and remove tags from clusters. They can list clusters and view information about individual clusters. They can see tags attached to Aurora DSQL clusters. They can connect to the database as any user, including admin. They can perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring backup and restore jobs. The policy includes AWS KMS permissions that allow operations on customer-managed keys used for cluster encryption. They can see any metrics from CloudWatch on your account. They also have permissions to create service-linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters. 
+This policy grants permissions that allows full administrative access to Aurora DSQL. Principals with these permissions can:
+
+  * Create, delete, and update Aurora DSQL clusters, including multi-Region clusters
+
+  * Add and remove tags from clusters
+
+  * List clusters and view information about individual clusters
+
+  * See tags attached to Aurora DSQL clusters
+
+  * Connect to the database as any user, including admin
+
+  * Perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring backup and restore jobs
+
+  * Use customer-managed AWS KMS keys for cluster encryption
+
+  * View any metrics from CloudWatch their account account
+
+  * Use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing
+
+  * Create service-linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters
+
+
+
@@ -36,0 +60,2 @@ This policy includes the following permissions.
+  * `fis`—grants permissions to use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing.
+
@@ -40 +65 @@ This policy includes the following permissions.
-You can find the `AmazonAuroraDSQLFullAccess` policy on the IAM console and [AmazonAuroraDSQLFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLFullAccess.html) in the AWS Managed Policy Reference Guide.
+You can find the `AmazonAuroraDSQLFullAccess` policy in the IAM console and in the [AWS Managed Policy Reference Guide](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLFullAccess.html).
@@ -59 +84 @@ This policy includes the following permissions.
-You can find the `AmazonAuroraDSQLReadOnlyAccess` policy on the IAM console and [AmazonAuroraDSQLReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLReadOnlyAccess.html) in the AWS Managed Policy Reference Guide.
+You can find the `AmazonAuroraDSQLReadOnlyAccess` policy in the IAM console and the [AWS Managed Policy Reference Guide](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLReadOnlyAccess.html).
@@ -65 +90,23 @@ You can attach `AmazonAuroraDSQLConsoleFullAccess` to your users, groups, and ro
-Allows full administrative access to Amazon Aurora DSQL via the AWS Management Console. Principals with these permissions can create, delete, and update Aurora DSQL clusters, including multi-Region clusters, with the console. They can list clusters and view information about individual clusters. They can see tags on any resource on your account. They can connect to the database as any user, including the admin. They can perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring backup and restore jobs. The policy includes AWS KMS permissions that allow operations on customer-managed keys used for cluster encryption. They can launch AWS CloudShell from the AWS Management Console. They can see any metrics from CloudWatch on your account. They also have permissions to create service linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters. 
+Allows full administrative access to Amazon Aurora DSQL via the AWS Management Console. Principals with these permissions can:
+
+  * Create, delete, and update Aurora DSQL clusters, including multi-Region clusters, with the console
+
+  * List clusters and view information about individual clusters
+
+  * See tags on any resource on your account
+
+  * Connect to the database as any user, including the admin
+
+  * Perform backup and restore operations for Aurora DSQL clusters, including starting, stopping, and monitoring backup and restore jobs
+
+  * Use customer-managed AWS KMS keys for cluster encryption
+
+  * Launch AWS CloudShell from the AWS Management Console
+
+  * View any metrics from CloudWatch on your account
+
+  * Use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing
+
+  * Create service linked roles for the `dsql.amazonaws.com` service, which is required for creating clusters
+
+
@@ -67 +113,0 @@ Allows full administrative access to Amazon Aurora DSQL via the AWS Management C
-You can find the `AmazonAuroraDSQLConsoleFullAccess` policy on the IAM console and [AmazonAuroraDSQLConsoleFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLConsoleFullAccess.html) in the AWS Managed Policy Reference Guide.
@@ -86,0 +133,2 @@ This policy includes the following permissions.
+  * `fis`—grants permissions to use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing.
+
@@ -90 +138 @@ This policy includes the following permissions.
-You can find the `AmazonAuroraDSQLReadOnlyAccess` policy on the IAM console and [AmazonAuroraDSQLReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLReadOnlyAccess.html) in the AWS Managed Policy Reference Guide.
+You can find the `AmazonAuroraDSQLConsoleFullAccess` policy in the IAM console and the [AWS Managed Policy Reference Guide](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLConsoleFullAccess.html).
@@ -103,0 +152 @@ Change | Description | Date
+AmazonAuroraDSQLFullAccess and AmazonAuroraDSQLConsoleFullAccess update |  Added support for AWS Fault Injection Service (AWS FIS) integration with Aurora DSQL. This allows you to inject failures into single-Region and multi-Region Aurora DSQL clusters to test fault tolerance of your applications. You can create experiment templates in the AWS FIS console to define failure scenarios and target specific Aurora DSQL clusters for testing. For more on these policies, see [AmazonAuroraDSQLFullAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLFullAccess) and [AmazonAuroraDSQLConsoleFullAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLConsoleFullAccess). | August 19, 2025