AWS Security ChangesHomeSearch

AWS fedramp documentation change

Service: fedramp · 2026-02-16 · Documentation low

File: fedramp/latest/userguide/amazon-rds.md

Summary

Added detailed policy selection guide with MFA requirements, use case descriptions, access permissions, testing procedures, and policy JSON examples for Read-Only, Operator, and Administrator roles.

Security assessment

The changes enhance security documentation by explicitly defining least privilege access controls, MFA requirements, and testing procedures for different roles. While this improves security posture by clarifying access boundaries and verification methods, there's no evidence of addressing a specific security vulnerability or incident.

Diff

diff --git a/fedramp/latest/userguide/amazon-rds.md b/fedramp/latest/userguide/amazon-rds.md
index 94bbc60ac..54d277d50 100644
--- a//fedramp/latest/userguide/amazon-rds.md
+++ b//fedramp/latest/userguide/amazon-rds.md
@@ -947,0 +948,10 @@ This section provides sample IAM policies for implementing least privilege acces
+### Policy Selection Guide
+
+Choose the appropriate policy based on your role:
+
+Policy | Use Case | MFA Required  
+---|---|---  
+Read-Only Access |  Auditors, compliance reviewers, monitoring dashboards |  No  
+Operator Access |  Database operators performing routine management tasks |  Yes  
+Administrator Access |  Database administrators with full management access |  Yes (1-hour max)  
+  
@@ -949,0 +960,37 @@ This section provides sample IAM policies for implementing least privilege acces
+**Use this for:** Auditors, compliance reviewers, monitoring dashboards
+
+**Grants access to:**
+
+  * View database instance configurations
+
+  * List all RDS resources
+
+  * Describe database parameters and options
+
+  * Monitor database metrics
+
+
+
+
+**Does NOT grant:**
+
+  * Start, stop, or reboot instances
+
+  * Modify database configurations
+
+  * Create or delete databases
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify read access works
+    aws rds describe-db-instances
+    
+    # Verify write access is denied (should fail)
+    aws rds create-db-instance --db-instance-identifier test-db
+
+**Policy JSON:**
+
@@ -969,0 +1017,37 @@ This section provides sample IAM policies for implementing least privilege acces
+**Use this for:** Database operators performing routine management tasks
+
+**Grants access to:**
+
+  * All read-only permissions
+
+  * Start, stop, and reboot database instances
+
+  * Modify database instance configurations
+
+  * Create and restore snapshots
+
+
+
+
+**Does NOT grant:**
+
+  * Delete database instances
+
+  * Modify security groups
+
+  * Change master passwords without proper authorization
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify operator access works (requires MFA)
+    aws rds stop-db-instance --db-instance-identifier my-database
+    
+    # Verify admin access is denied (should fail)
+    aws rds delete-db-instance --db-instance-identifier my-database
+
+**Policy JSON:**
+
@@ -998,0 +1083,33 @@ This section provides sample IAM policies for implementing least privilege acces
+**Use this for:** Database administrators with full management access
+
+**Grants access to:**
+
+  * All operator permissions
+
+  * Create and delete database instances
+
+  * Modify security groups and parameter groups
+
+  * Manage master passwords and encryption keys
+
+  * Configure cross-region replication
+
+
+
+
+**Requires:**
+
+  * MFA with maximum 1-hour session duration
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify full admin access works (requires MFA)
+    aws rds create-db-instance --db-instance-identifier new-database --db-instance-class db.t3.micro --engine postgres
+    aws rds delete-db-instance --db-instance-identifier old-database --skip-final-snapshot
+
+**Policy JSON:**
+