AWS dms documentation change
Summary
Replaced high-level permission note with detailed GRANT statements for DMS user on DB2 source
Security assessment
Added granular database permissions documentation for DMS user accounts. This clarifies security controls (permissions required for database access) but doesn't address a specific vulnerability. Improves security posture by specifying least-privilege permissions.
Diff
diff --git a/dms/latest/userguide/CHAP_Source.DB2.md b/dms/latest/userguide/CHAP_Source.DB2.md index 35b0d0aa8..feae672ef 100644 --- a//dms/latest/userguide/CHAP_Source.DB2.md +++ b//dms/latest/userguide/CHAP_Source.DB2.md @@ -37 +37,19 @@ If your database is recoverable, then AWS DMS can access the Db2 `ARCHIVE LOG` i -###### Note + * For **full-load only** tasks, the DMS user account needs the following permissions: + + GRANT CONNECT ON DATABASE TO USER <DMS_USER>; + GRANT USAGE ON WORKLOAD SYSDEFAULTUSERWORKLOAD TO USER <DMS_USER>; + GRANT SELECT ON SYSIBM.SYSDUMMY1 TO USER <DMS_USER>; + GRANT SELECT ON SYSIBMADM.ENV_INST_INFO TO USER <DMS_USER>; + GRANT SELECT ON SYSIBMADM.ENV_SYS_INFO TO USER <DMS_USER>; + GRANT SELECT ON SYSIBMADM.DBCFG TO USER <DMS_USER>; + GRANT SELECT ON SYSIBMADM.DB2_CF TO USER <DMS_USER>; + GRANT EXECUTE ON FUNCTION SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID TO USER <DMS_USER>; + + -- Use the following queries to generate the grants, and then execute the resulting statements. + SELECT 'GRANT SELECT ON SYSCAT.' || RTRIM(TABNAME) || ' TO USER <DMS_USER>;' FROM SYSCAT.TABLES WHERE TABSCHEMA = 'SYSCAT' AND TYPE = 'V'; + SELECT 'GRANT SELECT ON SYSIBM.' || RTRIM(TABNAME) || ' TO USER <DMS_USER>;' FROM SYSCAT.TABLES WHERE TABSCHEMA = 'SYSIBM' AND TYPE in ('T', 'V'); + SELECT 'GRANT EXECUTE ON PACKAGE NULLID.' || RTRIM(PKGNAME) || ' TO USER <DMS_USER>;' FROM SYSCAT.PACKAGES WHERE PKGSCHEMA = 'NULLID'; + SELECT 'GRANT EXECUTE ON PROCEDURE SYSIBM.' || RTRIM(PROCNAME) || ' TO USER <DMS_USER>;' FROM SYSCAT.PROCEDURES WHERE PROCSCHEMA = 'SYSIBM'; + + -- For all the source tables grant the select permission + GRANT SELECT ON <SCHEMA>.<TABLE> TO USER <DMS_USER>; @@ -39 +56,0 @@ If your database is recoverable, then AWS DMS can access the Db2 `ARCHIVE LOG` i -For full-load only tasks, the DMS user account needs DATAACCESS permission.