AWS aurora-dsql documentation change
Summary
Added section about witness Regions' security features including encrypted transaction handling and access restrictions
Security assessment
Documents security controls in witness Regions but doesn't indicate any vulnerability being patched
Diff
diff --git a/aurora-dsql/latest/userguide/data-protection.md b/aurora-dsql/latest/userguide/data-protection.md index bf014b5d9..0992f0b67 100644 --- a//aurora-dsql/latest/userguide/data-protection.md +++ b//aurora-dsql/latest/userguide/data-protection.md @@ -5 +5 @@ -Data encryption +Data encryptionData Protection in witness Regions @@ -70,0 +71,17 @@ You get access to Aurora DSQL through the network by using AWS-published API ope +## Data Protection in witness Regions + +When you create a multi-Region cluster, a witness Region helps enable automated failure recovery by participating in synchronous replication of encrypted transactions. If a peered cluster becomes unavailable, the witness Region remains available to validate and process database writes, ensuring no loss of availability. + +Witness Regions protect and secure your data through these design features: + + * The witness Region receives and stores only encrypted transaction logs. It never hosts, stores or transmits your encryption keys. + + * The witness Region focuses soley on write transaction logging and quorum functions. It can't read your data by design. + + * The witness Region operates without cluster connection endpoints or query processors. This prevents user database access. + + + + +For more information on witness Regions, see [Configuring multi-Region clusters](./configuring-multi-region-clusters.html). +