AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2025-08-28 · Documentation medium

File: AmazonRDS/latest/UserGuide/Oracle.Options.OEMAgent.md

Summary

Added new ECDSA cipher suites and certificate compatibility guidance for OEM Agent TLS configuration

Security assessment

The changes add documentation about secure cipher suite configurations and certificate compatibility, but there's no evidence of addressing a specific security vulnerability. This is preventive security guidance rather than patching an existing issue.

Diff

diff --git a/AmazonRDS/latest/UserGuide/Oracle.Options.OEMAgent.md b/AmazonRDS/latest/UserGuide/Oracle.Options.OEMAgent.md
index 9fff8cef6..084d3e7b1 100644
--- a//AmazonRDS/latest/UserGuide/Oracle.Options.OEMAgent.md
+++ b//AmazonRDS/latest/UserGuide/Oracle.Options.OEMAgent.md
@@ -152,0 +153,15 @@ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 13.2.0.0.v3 and higher | Yes
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 13.4.0.9.v1 and higher | Yes  
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 13.4.0.9.v1 and higher | Yes  
+  
+### Certificate compatibility with cipher suites
+
+RDS for Oracle supports both RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. When you configure the OEM Agent option for your DB instance, you must ensure that the cipher suites you specify in the `TLS_CIPHER_SUITE` option setting are compatible with the certificate type used by your DB instance.
+
+The following table shows the compatibility between certificate types and cipher suites:
+
+Certificate type | Compatible cipher suites | Incompatible cipher suites  
+---|---|---  
+RSA certificates (rds-ca-2019, rds-ca-rsa2048-g1, rds-ca-rsa4096-g1) |  TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  
+ECDSA certificates (rds-ca-ecc384-g1) |  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |  TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  
+  
+When you specify a cipher suite in the `TLS_CIPHER_SUITE` option setting, make sure it is compatible with the certificate type used by your DB instance. If you attempt to associate an option group with an OEM Agent option that contains a cipher suite incompatible with the certificate type of a DB instance, the operation will fail with an error message indicating the incompatibility.