AWS cli documentation change
Summary
Updated PubliclyAccessible parameter documentation with clarified default behaviors and error conditions
Security assessment
The changes clarify security implications of public accessibility settings and VPC configurations, but there's no evidence of addressing a specific security vulnerability. The documentation now better explains how security groups and network configurations control access.
Diff
diff --git a/cli/latest/reference/rds/create-db-cluster.md b/cli/latest/reference/rds/create-db-cluster.md index 69f440e40..5b1a1e5fc 100644 --- a//cli/latest/reference/rds/create-db-cluster.md +++ b//cli/latest/reference/rds/create-db-cluster.md @@ -15 +15 @@ - * [AWS CLI 2.31.8 Command Reference](../../index.html) » + * [AWS CLI 2.31.10 Command Reference](../../index.html) » @@ -737,4 +736,0 @@ JSON Syntax: -> When the DB cluster is publicly accessible and you connect from outside of the DB cluster’s virtual private cloud (VPC), its Domain Name System (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB cluster, the endpoint resolves to the private IP address. Access to the DB cluster is ultimately controlled by the security group it uses. That public access isn’t permitted if the security group assigned to the DB cluster doesn’t permit it. -> -> When the DB cluster isn’t publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address. -> @@ -743,3 +739 @@ JSON Syntax: -> Default: The default behavior varies depending on whether `DBSubnetGroupName` is specified. -> -> If `DBSubnetGroupName` isn’t specified, and `PubliclyAccessible` isn’t specified, the following applies: +> When the DB cluster is publicly accessible and you connect from outside of the DB cluster’s virtual private cloud (VPC), its domain name system (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB cluster, the endpoint resolves to the private IP address. Access to the DB cluster is controlled by its security group settings. @@ -747,2 +741 @@ JSON Syntax: -> * If the default VPC in the target Region doesn’t have an internet gateway attached to it, the DB cluster is private. -> * If the default VPC in the target Region has an internet gateway attached to it, the DB cluster is public. +> When the DB cluster isn’t publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address. @@ -750 +743 @@ JSON Syntax: - +> The default behavior when `PubliclyAccessible` is not specified depends on whether a `DBSubnetGroup` is specified. @@ -752 +745 @@ JSON Syntax: -> If `DBSubnetGroupName` is specified, and `PubliclyAccessible` isn’t specified, the following applies: +> If `DBSubnetGroup` isn’t specified, `PubliclyAccessible` defaults to `true` . @@ -754,2 +747 @@ JSON Syntax: -> * If the subnets are part of a VPC that doesn’t have an internet gateway attached to it, the DB cluster is private. -> * If the subnets are part of a VPC that has an internet gateway attached to it, the DB cluster is public. +> If `DBSubnetGroup` is specified, `PubliclyAccessible` defaults to `false` unless the value of `DBSubnetGroup` is `default` , in which case `PubliclyAccessible` defaults to `true` . @@ -757 +749 @@ JSON Syntax: - +> If `PubliclyAccessible` is true and the VPC that the `DBSubnetGroup` is in doesn’t have an internet gateway attached to it, Amazon RDS returns an error. @@ -2142 +2134 @@ DBCluster -> (structure) - * [AWS CLI 2.31.8 Command Reference](../../index.html) » + * [AWS CLI 2.31.10 Command Reference](../../index.html) »