AWS AmazonRDS documentation change
Summary
Added example IAM policy for S3 access points without encryption in native backup/restore documentation
Security assessment
The change provides explicit security configuration guidance for S3 access permissions, including required IAM actions and resource patterns. While not addressing a specific vulnerability, it enhances documentation of security-related access controls.
Diff
diff --git a/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.Native.Enabling.md b/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.Native.Enabling.md index ed9d0adcf..3a5991a1f 100644 --- a//AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.Native.Enabling.md +++ b//AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.Native.Enabling.md @@ -178,0 +179,47 @@ JSON +###### Example permissions policy for native backup and restore using access points without encryption support + +The actions required to use S3 access points are the same as for S3 buckets. The resource path is updated to match the S3 access point ARN pattern. + +###### Note + +Access points must be configured to use **Network origin: Internet** as RDS does not publish private VPCs. S3 traffic from RDS instances does not go through the public internet since it goes through private VPCs. + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:us-east-1:111122223333:accesspoint/amzn-s3-demo-ap", + "arn:aws:s3:::underlying-bucket" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObjectAttributes", + "s3:GetObject", + "s3:PutObject", + "s3:ListMultipartUploadParts", + "s3:AbortMultipartUpload" + ], + "Resource": [ + "arn:aws:s3:us-east-1:111122223333:accesspoint/amzn-s3-demo-ap/*", + "arn:aws:s3:::underlying-bucket/*" + ] + } + ] + } + +