AWS AmazonRDS documentation change
Summary
Removed reference to AWSServiceRoleForRDS overriding custom IAM roles for CloudWatch Logs access.
Security assessment
Update corrects documentation about IAM role behavior for logs publishing (security feature), but doesn't indicate a security vulnerability fix.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.md b/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.md index aa44b084e..d7fd8e01b 100644 --- a//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.md +++ b//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.md @@ -21 +21 @@ To publish logs to CloudWatch Logs, the respective logs must be enabled. Error l -If you use this alternative method, you must have an IAM role to access CloudWatch Logs and set the `aws_default_logs_role` cluster-level parameter to the ARN for this role. For information about creating the role, see [Setting up IAM roles to access AWS services](./AuroraMySQL.Integrating.Authorizing.IAM.html). However, if you have the `AWSServiceRoleForRDS` service-linked role, it provides access to CloudWatch Logs and overrides any custom-defined roles. For information about service-linked roles for Amazon RDS, see [Using service-linked roles for Amazon Aurora](./UsingWithRDS.IAM.ServiceLinkedRoles.html). +If you use this alternative method, you must have an IAM role to access CloudWatch Logs and set the `aws_default_logs_role` cluster-level parameter to the ARN for this role. For information about creating the role, see [Setting up IAM roles to access AWS services](./AuroraMySQL.Integrating.Authorizing.IAM.html).