AWS aurora-dsql documentation change
Summary
Updated managed policy documentation to include permissions for CDC stream management, added IAM role passing for CDC streams, and extended tag operations to CDC streams
Security assessment
The changes document new IAM permissions for managing CDC streams and passing roles to them, which are security-sensitive operations. However, there's no evidence of a specific security vulnerability being addressed - this appears to be feature expansion documentation.
Diff
diff --git a/aurora-dsql/latest/userguide/security-iam-awsmanpol.md b/aurora-dsql/latest/userguide/security-iam-awsmanpol.md index af16a1659..e5545eb5b 100644 --- a//aurora-dsql/latest/userguide/security-iam-awsmanpol.md +++ b//aurora-dsql/latest/userguide/security-iam-awsmanpol.md @@ -29 +29,3 @@ This policy grants permissions that allows full administrative access to Aurora - * Add and remove tags from clusters + * Create, update, delete, and manage CDC streams for clusters + + * Add and remove tags from clusters and CDC streams @@ -36,0 +39,2 @@ This policy grants permissions that allows full administrative access to Aurora + * Pass IAM roles to CDC streams for data delivery to target destinations + @@ -54 +58 @@ This policy includes the following permissions. - * `dsql`—grants principals full access to Aurora DSQL. + * `dsql` – grants principals full access to Aurora DSQL. @@ -56 +60 @@ This policy includes the following permissions. - * `cloudwatch`—grants permission to publish metric data points to Amazon CloudWatch. + * `cloudwatch` – grants permission to publish metric data points to Amazon CloudWatch. @@ -58 +62 @@ This policy includes the following permissions. - * `iam`—grants permission to create a service-linked role. + * `iam` – grants permission to create a service-linked role and pass roles to CDC streams for data delivery. @@ -60 +64 @@ This policy includes the following permissions. - * `backup and restore`—grants permissions to start, stop, and monitor backup and restore jobs for Aurora DSQL clusters. + * `backup and restore` – grants permissions to start, stop, and monitor backup and restore jobs for Aurora DSQL clusters. @@ -62 +66 @@ This policy includes the following permissions. - * `kms`—grants permissions required to validate access to customer-managed keys used for Aurora DSQL cluster encryption when creating, updating, or connecting to clusters. + * `kms` – grants permissions required to validate access to customer-managed keys used for Aurora DSQL cluster encryption when creating, updating, or connecting to clusters. @@ -64 +68 @@ This policy includes the following permissions. - * `fis`—grants permissions to use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing. + * `fis` – grants permissions to use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing. @@ -75 +79 @@ You can attach `AmazonAuroraDSQLReadOnlyAccess` to your users, groups, and roles -Allows read access to Aurora DSQL. Principals with these permissions can list clusters and view information about individual clusters. They can see the tags attached to Aurora DSQL clusters, and view cluster inline policies. They can retrieve and see any metrics from CloudWatch on your account. +Allows read access to Aurora DSQL. Principals with these permissions can list clusters and view information about individual clusters. They can see the tags attached to Aurora DSQL clusters and CDC streams, view information about individual CDC streams, and view cluster inline policies. They can retrieve and see any metrics from CloudWatch on your account. @@ -84,0 +89,2 @@ This policy includes the following permissions. + * `iam` – grants permissions to pass roles to CDC streams for data delivery configuration. + @@ -127 +133 @@ This policy includes the following permissions. - * `dsql`—grants full administrative permissions to all resources in Aurora DSQL via the AWS Management Console. + * `dsql` – grants full administrative permissions to all resources in Aurora DSQL via the AWS Management Console. @@ -129 +135 @@ This policy includes the following permissions. - * `cloudwatch`—grants permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data. + * `cloudwatch` – grants permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data. @@ -131 +137 @@ This policy includes the following permissions. - * `tag`—grants permission to returns tag keys and values currently in use in the specified AWS Region for the calling account. + * `tag` – grants permission to returns tag keys and values currently in use in the specified AWS Region for the calling account. @@ -133 +139 @@ This policy includes the following permissions. - * `backup and restore`—grants permissions to start, stop, and monitor backup and restore jobs for Aurora DSQL clusters. + * `backup and restore` – grants permissions to start, stop, and monitor backup and restore jobs for Aurora DSQL clusters. @@ -135 +141 @@ This policy includes the following permissions. - * `kms`—grants permissions required to validate access to customer-managed keys used for Aurora DSQL cluster encryption when creating, updating, or connecting to clusters. + * `kms` – grants permissions required to validate access to customer-managed keys used for Aurora DSQL cluster encryption when creating, updating, or connecting to clusters. @@ -137 +143 @@ This policy includes the following permissions. - * `cloudshell`—grants permissions to launch AWS CloudShell to interact with Aurora DSQL. + * `cloudshell` – grants permissions to launch AWS CloudShell to interact with Aurora DSQL. @@ -139 +145 @@ This policy includes the following permissions. - * `ec2`—grants permission to view Amazon VPC endpoint information needed for Aurora DSQL connections. + * `ec2` – grants permission to view Amazon VPC endpoint information needed for Aurora DSQL connections. @@ -141 +147 @@ This policy includes the following permissions. - * `fis`—grants permissions to use AWS FIS to inject failures into Aurora DSQL clusters for fault tolerance testing. + * `fis` – grants permissions to use AWS FIS to inject failures into Aurora DSQL clusters for fault tolerance testing. @@ -145 +151 @@ This policy includes the following permissions. - * `fis`—grants permissions to use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing. + * `fis` – grants permissions to use AWS Fault Injection Service (AWS FIS) to inject failures into Aurora DSQL clusters for fault tolerance testing.