AWS AmazonRDS documentation change
Summary
Added documentation clarifying that Amazon RDS uses and manages Public Elastic IPv4 addresses for publicly accessible database instances, including details about visibility in AWS accounts, CloudTrail logging, and that these IPs don't count against EIP limits.
Security assessment
This change adds security-related documentation about how RDS manages public IP addresses, including visibility in accounts, CloudTrail logging of API calls, and service-managed attributes. It helps users understand security monitoring capabilities and resource management, but doesn't address a specific security vulnerability.
Diff
diff --git a/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md b/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md index 527e3da72..1c25eeb67 100644 --- a//AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md +++ b//AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.md @@ -166,0 +167,10 @@ A public IP address is an IPv4 address that's reachable from the internet. You c +Amazon RDS uses Public Elastic IPv4 addresses from EC2's public IPv4 address pool for publicly accessible database instances. These IP addresses are visible in your AWS account when using the `describe-addresses` CLI, API or viewing the Elastic IPs (EIP) section in the AWS Management Console. Each RDS-managed IP address is marked with a `service_managed` attribute set to `"rds"`. + +While these IPs are visible in your account, they remain fully managed by Amazon RDS and cannot be modified or released. Amazon RDS releases IPs back into the public IPv4 address pool when no longer in use. + +CloudTrail logs API calls related to RDS's EIP, such as the `AllocateAddress`. These API calls are invoked by the Service Principal `rds.amazonaws.com`. + +###### Note + +IPs allocated by Amazon RDS do not count against your account's EIP limits. +