AWS AmazonRDS documentation change
Summary
Added section about VPC encryption control detailing enforcement of encryption-in-transit requirements and compatibility checks for Nitro-based instances
Security assessment
Introduces documentation for a new security control feature (VPC encryption control) that enforces encryption-in-transit compliance but does not indicate remediation of an existing vulnerability
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md b/AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md index d436135ee..2abd61aa8 100644 --- a//AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md +++ b//AmazonRDS/latest/AuroraUserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md @@ -5 +5 @@ -Working with a DB cluster in a VPCWorking with DB subnet groupsShared subnetsIP addressingHiding a DB cluster in a VPC from the internetCreating a DB cluster in a VPC +Working with a DB cluster in a VPCEncryption controlWorking with DB subnet groupsShared subnetsIP addressingHiding a DB cluster in a VPC from the internetCreating a DB cluster in a VPC @@ -18,0 +19,2 @@ For a list of scenarios involving Amazon Aurora DB clusters in a VPC , see [Scen + * VPC encryption control + @@ -69,0 +72,25 @@ When you set the instance tenancy attribute to dedicated for a DB cluster, it do +## VPC encryption control + +VPC encryption controls allow you to enforce encryption-in-transit for all network traffic within your VPCs. Use encryption control to meet regulatory compliance requirements by ensuring that only encryption-capable Nitro-based hardware can be provisioned in designated VPCs. Encryption control also catches compatibility issues at API request time rather than during provisioning. Your existing workloads continue operating and only new incompatible requests are blocked. + +Set your VPC encryption controls by setting the VPC control mode to : + + * _disabled_ (default) + + * _monitor_ + + * _enforced_ + + + + +To check the current control mode for your VPC, use the AWS Management Console or [DescribeVpcs](https://docs.aws.amazon.com//AWSEC2/latest/APIReference/API_DescribeVpcs.html) CLI or API command. + +If your VPC enforces encryption, you can only provision Nitro-based DB clusters that support encryption in transit in that VPC. For more information see, [DB instance class types](./Concepts.DBInstanceClass.Types.html). For information about Nitro instances, see [Instances built on the AWS Nitro System](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html) in the _Amazon EC2 User Guide_. + +###### Note + +If you try to provision incompatible DB clusters in an encryption-enforced VPC, Aurora returns a `VpcEncryptionControlViolationException` exception. + +For Aurora Serverless for MySQL and PostreSQL, encryption control requires platform version 3 or higher. +