AWS AmazonRDS documentation change
Summary
Added details about incremental snapshot conditions and cross-account encryption requirements
Security assessment
The change strengthens documentation about encryption lineage requirements for cross-account snapshots, improving security posture awareness. The added condition about 'matching inheritance depth and consistent encryption keys' prevents potential access control issues but doesn't reference a specific vulnerability.
Diff
diff --git a/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md b/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md index 32695abf3..8b4aab32c 100644 --- a//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md +++ b//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md @@ -414 +414 @@ An _incremental_ snapshot contains only the data that has changed after the most -Whether a snapshot copy is incremental is determined by the most recently completed snapshot copy and the source snapshot. If the most recent snapshot copy was deleted, the next copy is a full copy, not an incremental copy. A snapshot copy will be the same type as the source snapshot. If the source snapshot is an incremental snapshot, then the snapshot copy will be an incremental snapshot. +Whether a snapshot copy is incremental is determined by the most recently completed snapshot copy and the source snapshot. If the most recent snapshot copy was deleted, the next copy is a full copy, not an incremental copy. A snapshot copy will be the same type as the source snapshot. If the source snapshot is an incremental snapshot, then the snapshot copy will be an incremental snapshot. Incrementality is also determined by the number of changes that have taken place in the source DB instance since the most recent snapshot. @@ -420 +420 @@ When you copy a snapshot across AWS accounts, the copy is an incremental copy on - * All copies of the snapshot in the destination account are either unencrypted, or were encrypted using the same KMS key. + * All copies of the snapshot in the destination account are either unencrypted, or were encrypted using the same KMS key. If they are encrypted, then they must have the same lineage i.e matching inheritance depth and consistent encryption keys at corresponding levels.