AWS cli medium security documentation change
Summary
Updated documentation for PubliclyAccessible parameter with more detailed network accessibility rules and default behaviors based on VPC configuration
Security assessment
The changes clarify security implications of public accessibility settings, emphasizing that security groups ultimately control access. This helps prevent accidental public exposure by explaining how VPC internet gateways and subnet groups affect default accessibility. The explicit warnings about security group controls and network configuration relationships directly impact security configuration understanding.
Diff
diff --git a/cli/latest/reference/rds/create-db-cluster.md b/cli/latest/reference/rds/create-db-cluster.md index 5b1a1e5fc..a08f249ef 100644 --- a//cli/latest/reference/rds/create-db-cluster.md +++ b//cli/latest/reference/rds/create-db-cluster.md @@ -15 +15 @@ - * [AWS CLI 2.31.10 Command Reference](../../index.html) » + * [AWS CLI 2.31.13 Command Reference](../../index.html) » @@ -736,0 +737,4 @@ JSON Syntax: +> When the DB cluster is publicly accessible and you connect from outside of the DB cluster’s virtual private cloud (VPC), its Domain Name System (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB cluster, the endpoint resolves to the private IP address. Access to the DB cluster is ultimately controlled by the security group it uses. That public access isn’t permitted if the security group assigned to the DB cluster doesn’t permit it. +> +> When the DB cluster isn’t publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address. +> @@ -739 +743 @@ JSON Syntax: -> When the DB cluster is publicly accessible and you connect from outside of the DB cluster’s virtual private cloud (VPC), its domain name system (DNS) endpoint resolves to the public IP address. When you connect from within the same VPC as the DB cluster, the endpoint resolves to the private IP address. Access to the DB cluster is controlled by its security group settings. +> Default: The default behavior varies depending on whether `DBSubnetGroupName` is specified. @@ -741 +745 @@ JSON Syntax: -> When the DB cluster isn’t publicly accessible, it is an internal DB cluster with a DNS name that resolves to a private IP address. +> If `DBSubnetGroupName` isn’t specified, and `PubliclyAccessible` isn’t specified, the following applies: @@ -743 +747,2 @@ JSON Syntax: -> The default behavior when `PubliclyAccessible` is not specified depends on whether a `DBSubnetGroup` is specified. +> * If the default VPC in the target Region doesn’t have an internet gateway attached to it, the DB cluster is private. +> * If the default VPC in the target Region has an internet gateway attached to it, the DB cluster is public. @@ -745 +750,3 @@ JSON Syntax: -> If `DBSubnetGroup` isn’t specified, `PubliclyAccessible` defaults to `true` . + +> +> If `DBSubnetGroupName` is specified, and `PubliclyAccessible` isn’t specified, the following applies: @@ -747 +754,2 @@ JSON Syntax: -> If `DBSubnetGroup` is specified, `PubliclyAccessible` defaults to `false` unless the value of `DBSubnetGroup` is `default` , in which case `PubliclyAccessible` defaults to `true` . +> * If the subnets are part of a VPC that doesn’t have an internet gateway attached to it, the DB cluster is private. +> * If the subnets are part of a VPC that has an internet gateway attached to it, the DB cluster is public. @@ -749 +757 @@ JSON Syntax: -> If `PubliclyAccessible` is true and the VPC that the `DBSubnetGroup` is in doesn’t have an internet gateway attached to it, Amazon RDS returns an error. + @@ -2134 +2142 @@ DBCluster -> (structure) - * [AWS CLI 2.31.10 Command Reference](../../index.html) » + * [AWS CLI 2.31.13 Command Reference](../../index.html) »