AWS AmazonRDS documentation change
Summary
Added documentation about read replica constraints when adding tenant databases: 1) Tenant databases can only be added to primary instances, 2) Replication health validation requirements (replicas available and <5min lag), 3) Secrets Manager unsupported for read replicas, 4) Custom character sets prohibited when replicas exist.
Security assessment
Changes describe operational constraints for read replicas without addressing vulnerabilities or security weaknesses. The Secrets Manager note is a feature limitation, not a security fix. No evidence of security incident remediation.
Diff
diff --git a/AmazonRDS/latest/UserGuide/oracle-cdb-configuring.adding.pdb.md b/AmazonRDS/latest/UserGuide/oracle-cdb-configuring.adding.pdb.md index 5672eb36e..d84d2c3de 100644 --- a//AmazonRDS/latest/UserGuide/oracle-cdb-configuring.adding.pdb.md +++ b//AmazonRDS/latest/UserGuide/oracle-cdb-configuring.adding.pdb.md @@ -16 +16 @@ In the RDS for Oracle multi-tenant configuration, a tenant database is a PDB. To -You can add a tenant database using the AWS Management Console, the AWS CLI, or the RDS API. You can't add multiple tenant databases in a single operation: you must add them one at a time. If the CDB has backup retention enabled, Amazon RDS backs up the DB instance before and after it adds a new tenant database. +You can add a tenant database using the AWS Management Console, the AWS CLI, or the RDS API. You can't add multiple tenant databases in a single operation: you must add them one at a time. If the CDB has backup retention enabled, Amazon RDS backs up the DB instance before and after it adds a new tenant database. If the CDB has read replicas, you can only add a tenant database to the primary DB instance; Amazon RDS automatically creates the tenant database on the replicas. Replication health is also validated, ensuring all replicas are available and replication lag is less than 5 minutes before the tenant is created. @@ -44 +44 @@ In **Select the encryption key** , choose either a KMS key that Secrets Manager -We recommend AWS Secrets Manager as the most secure technique for managing credentials. Additional charges apply. For more information, see [Password management with Amazon RDS and AWS Secrets Manager](./rds-secrets-manager.html). +We recommend AWS Secrets Manager as the most secure technique for managing credentials. Additional charges apply. AWS Secrets Manager is not supported for instances using read replicas. For more information, see [Password management with Amazon RDS and AWS Secrets Manager](./rds-secrets-manager.html). @@ -52 +52 @@ To specify a password, clear the **Auto generate a password** check box if it is - * For **Tenant database character set** , choose a character set for the PDB. The default is **AL32UTF8**. You can choose a PDB character set that is different from the CDB character set. + * For **Tenant database character set** , choose a character set for the PDB. The default is **AL32UTF8**. You can choose a PDB character set that is different from the CDB character set. If the instance has read replicas, tenants cannot be created with a custom character set. You can create your tenants with a custom character set before creating a read replica if needed.