AWS Security ChangesHomeSearch

AWS drs documentation change

Service: drs · 2026-03-19 · Documentation low

File: drs/latest/userguide/failback-performing.md

Summary

Restructured and expanded failback documentation with clearer prerequisites, added an example AWS CLI command for generating temporary credentials via STS AssumeRole, and clarified credential usage and expiration.

Security assessment

The change adds explicit documentation about using temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken) via AWS STS for the Failback Client, which is a security best practice. It clarifies that credentials are only used during initialization and expire after 1 hour, reducing the risk of credential exposure. However, there is no evidence this change addresses a specific, previously undisclosed security vulnerability.

Diff

diff --git a/drs/latest/userguide/failback-performing.md b/drs/latest/userguide/failback-performing.md
index d5c3b49e3..b332120bf 100644
--- a//drs/latest/userguide/failback-performing.md
+++ b//drs/latest/userguide/failback-performing.md
@@ -11 +11,16 @@ Using the Failback ClientFailback notes
-Failback replication is performed by booting the Failback Client on the source server into which you want to replicate your data from AWS. In order to use the Failback Client you must meet the failback prerequisites and generate failback AWS credentials as described below. The AWS DRS Console allows you to track the progress of your failback replication on the **Recovery instances** page. [Learn more about the Recovery instances page](./recovery-instances.html#managing-recovery-instances). 
+Failback replication allows you to replicate data from AWS back to your original source server. To initiate this process, the Failback Client is booted directly on the source server that will receive the replicated data.
+
+**Before you begin**
+
+Before starting failback replication, ensure you have completed the following:
+
+  * Meet the failback prerequisites.
+
+  * Generate failback AWS credentials.
+
+
+
+
+**Monitoring failback progress**
+
+Once failback replication is underway, you can track its progress in the AWS Elastic Disaster Recovery Console on the **Recovery instances** page. [Learn more about the Recovery instances page](./recovery-instances.html#managing-recovery-instances).
@@ -38 +53 @@ Prior to performing a failback, ensure that you meet all [replication network re
-In order to perform a failback with the Elastic Disaster Recovery Failback Client, you must first generate the required AWS credentials. You can create temporary credentials with AWS Security Token Service. These credentials are only used during Failback Client installation. 
+In order to perform a failback with the Elastic Disaster Recovery Failback Client, you must first generate the required AWS credentials. You can create temporary credentials with AWS Security Token Service. These credentials are only used during Failback Client initialization. 
@@ -48 +63,5 @@ In order to generate the temporary credentials required to install the AWS Elast
-  2. Request temporary security credentials [via AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) using the [AssumeRole API](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). 
+  2. Request temporary security credentials [via AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) using the [AssumeRole API](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). For example:
+    
+        aws sts assume-role \
+      --role-arn arn:aws:iam::<account-id>:role/<role-name> \
+      --role-session-name drs-failback-session
@@ -49,0 +69 @@ In order to generate the temporary credentials required to install the AWS Elast
+This command returns temporary credentials consisting of an **AccessKeyId** , **SecretAccessKey** , and **SessionToken**.
@@ -50,0 +71,14 @@ In order to generate the temporary credentials required to install the AWS Elast
+  3. When prompted by the Failback Client, enter:
+
+     * **AWS Access Key ID** – the `AccessKeyId` value
+
+     * **AWS Secret Access Key** – the `SecretAccessKey` value
+
+     * **AWS Session Token** – the `SessionToken` value
+
+     * **AWS Region** – the Region where your Recovery Instance resides
+
+
+
+
+###### Note
@@ -51,0 +86 @@ In order to generate the temporary credentials required to install the AWS Elast
+Temporary credentials expire after a default session duration of 1 hour. Ensure you complete the Failback Client initialization before they expire.