AWS Security ChangesHomeSearch

AWS aurora-dsql documentation change

Service: aurora-dsql · 2025-10-25 · Documentation medium

File: aurora-dsql/latest/userguide/security-iam-awsmanpol.md

Summary

Expanded documentation for managed policies to include resource-based policy management permissions and console support.

Security assessment

Adds details about managing inline cluster policies and updates managed policies to include RBP-related permissions. This documents new security features for access control but does not indicate a security fix.

Diff

diff --git a/aurora-dsql/latest/userguide/security-iam-awsmanpol.md b/aurora-dsql/latest/userguide/security-iam-awsmanpol.md
index 5a15f7d3f..7cbf78961 100644
--- a//aurora-dsql/latest/userguide/security-iam-awsmanpol.md
+++ b//aurora-dsql/latest/userguide/security-iam-awsmanpol.md
@@ -24,0 +25,2 @@ This policy grants permissions that allows full administrative access to Aurora
+  * Manage cluster inline policies (create, view, update, and delete policies)
+
@@ -71 +73 @@ You can attach `AmazonAuroraDSQLReadOnlyAccess` to your users, groups, and roles
-Allows read access to Aurora DSQL. Principals with these permissions can list clusters and view information about individual clusters. They can see the tags attached to Aurora DSQL clusters. They can retrieve and see any metrics from CloudWatch on your account. 
+Allows read access to Aurora DSQL. Principals with these permissions can list clusters and view information about individual clusters. They can see the tags attached to Aurora DSQL clusters, and view cluster inline policies. They can retrieve and see any metrics from CloudWatch on your account. 
@@ -93,0 +96,2 @@ Allows full administrative access to Amazon Aurora DSQL via the AWS Management C
+  * Manage cluster inline policies through the console (create, view, update, and delete policies)
+
@@ -114,0 +119,2 @@ Allows full administrative access to Amazon Aurora DSQL via the AWS Management C
+You can find the `AmazonAuroraDSQLConsoleFullAccess` policy on the IAM console and [AmazonAuroraDSQLConsoleFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAuroraDSQLConsoleFullAccess.html) in the AWS Managed Policy Reference Guide.
+
@@ -132,0 +139,4 @@ This policy includes the following permissions.
+  * `fis`—grants permissions to use AWS FIS to inject failures into Aurora DSQL clusters for fault tolerance testing.
+
+  * `access-analyzer:ValidatePolicy` grants permission for the linter in the policy editor, which provides real-time feedback about errors, warnings, and security issues in the current policy.
+
@@ -152,0 +163 @@ AmazonAuroraDSQLFullAccess and AmazonAuroraDSQLConsoleFullAccess update |  Added
+AmazonAuroraDSQLFullAccess, AmazonAuroraDSQLReadOnlyAccess, and AmazonAuroraDSQLConsoleFullAccess update |  Added resource-based policy (RBP) support with new permissions: `PutClusterPolicy`, `GetClusterPolicy`, and `DeleteClusterPolicy`. These permissions allow managing inline policies attached to Aurora DSQL clusters for fine-grained access control. For more information, see [AmazonAuroraDSQLFullAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLFullAccess), [AmazonAuroraDSQLReadOnlyAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLReadOnlyAccess), and [AmazonAuroraDSQLConsoleFullAccess](https://docs.aws.amazon.com/aurora-dsql/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonAuroraDSQLConsoleFullAccess). | October 15, 2025