AWS Security ChangesHomeSearch

AWS AmazonRDS documentation change

Service: AmazonRDS · 2026-05-22 · Documentation high

File: AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md

Summary

Updated Aurora MySQL security documentation with new sections on reserved users, password policies, authentication methods, and enhanced TLS configurations. Changed default require_secure_transport setting to ON for version 8.4, updated TLS version/cipher support tables, added cipher restrictions for version 8.4, and implemented protections for reserved users.

Security assessment

The changes enhance security documentation by adding new security features (TLS enforcement by default, reserved user protections) and updating cryptographic standards. However, there's no evidence of addressing a specific vulnerability; changes proactively improve security posture through modernized defaults (TLS 1.2+ requirement) and restricted cipher suites in Aurora 8.4 to prevent weak encryption. The reserved user restrictions mitigate potential privilege escalation risks.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md b/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md
index 252ba4116..355f7bcdd 100644
--- a//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md
+++ b//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md
@@ -7 +7 @@
-Master user privileges with Aurora MySQLTLS connections
+Master user privileges with Aurora MySQLTLS connectionsReserved users in Aurora MySQL
@@ -51,0 +52,4 @@ In the following sections, see information about user permissions for Aurora MyS
+  * Reserved users in Aurora MySQL
+
+  * [Password policies and Password validation in Aurora MySQL](./AuroraMySQL.PasswordPolicies.html)
+
@@ -66,0 +71,13 @@ We strongly recommend that you do not use the master user directly in your appli
+You can choose between multiple authentication methods for your master user when creating or modifying your DB cluster:
+
+  * [IAM database authentication ](./UsingWithRDS.IAMDBAuth.html)
+
+  * [Password management with Amazon Aurora and AWS Secrets Manager](./rds-secrets-manager.html)
+
+  * Self-managed password-based authentication
+
+
+
+
+Starting Aurora MySQL version 8.4, when resetting the master user password via the AWS Management Console, CLI, or API, or through AWS Secrets Manager rotation, Aurora automatically uses the authentication plugin defined by the current `authentication_policy` parameter value at the time of the reset. In Aurora MySQL version 2 and 3, the `mysql_native_password` plugin is always used.
+
@@ -98 +115 @@ We recommend the AWS JDBC Driver as a client that supports SAN with TLS. For mor
-You can require that all user connections to your Aurora MySQL DB cluster use TLS by using the `require_secure_transport` DB cluster parameter. By default, the `require_secure_transport` parameter is set to `OFF`. You can set the `require_secure_transport` parameter to `ON` to require TLS for connections to your DB cluster.
+You can require that all user connections to your Aurora MySQL DB cluster use TLS by using the `require_secure_transport` DB cluster parameter. By default, the `require_secure_transport` parameter is set to `ON` in Aurora MySQL version 8.4, while it is set to `OFF` in Aurora MySQL versions 2 and 3. You can set the `require_secure_transport` parameter to `ON` to require TLS for connections to your DB cluster.
@@ -104 +121 @@ You can set the `require_secure_transport` parameter value by updating the DB cl
-The `require_secure_transport` parameter is available for Aurora MySQL version 2 and 3. You can set this parameter in a custom DB cluster parameter group. The parameter isn't available in DB instance parameter groups.
+The `require_secure_transport` parameter is available for Aurora MySQL versions 2 and above. You can set this parameter in a custom DB cluster parameter group. The parameter isn't available in DB instance parameter groups.
@@ -117,3 +134,5 @@ Aurora MySQL version | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | Default
-Aurora MySQL version 2 | Deprecated | Deprecated |  Supported | Not supported | All supported TLS versions  
-Aurora MySQL version 3 (lower than 3.04.0) | Deprecated | Deprecated | Supported | Not supported | All supported TLS versions  
-Aurora MySQL version 3 (3.04.0 and higher) | Not supported  | Not supported  | Supported | Supported | All supported TLS versions  
+Aurora MySQL version 2 | Deprecated | Deprecated |  Supported | Not supported | TLS 1.2  
+Aurora MySQL version 3 (lower than 3.04.0) | Deprecated | Deprecated | Supported | Not supported | TLS 1.2  
+Aurora MySQL version 3 (3.04.0 and higher) | Not supported  | Not supported  | Supported | Supported | TLS 1.2, TLS 1.3  
+Aurora MySQL version 8.4 | Not supported | Not supported | Supported | Supported | TLS 1.2, TLS 1.3  
+Aurora MySQL version 8.4 | Not supported | Not supported | Supported | Supported | All supported TLS versions  
@@ -155 +174,3 @@ By using configurable cipher suites, you can have more control over the security
-Configurable cipher suites are supported in Aurora MySQL version 3 and Aurora MySQL version 2. To specify the list of permissible TLS 1.2, TLS 1.1, TLS 1.0 ciphers for encrypting connections, modify the `ssl_cipher` cluster parameter. Set the `ssl_cipher` parameter in a cluster parameter group using the AWS Management Console, the AWS CLI, or the RDS API.
+Configurable cipher suites are supported in Aurora MySQL version 2 and above. To specify the list of permissible TLS 1.2, TLS 1.1, TLS 1.0 ciphers for encrypting connections, modify the `ssl_cipher` cluster parameter. Set the `ssl_cipher` parameter in a cluster parameter group using the AWS Management Console, the AWS CLI, or the RDS API.
+
+Aurora MySQL version 8.4 only supports ciphers aligned with modern cryptographic standards. Only GCM and CCM mode ciphers are supported. All other cipher modes, including CBC and CHACHA20-POLY1305, are not supported.
@@ -163,16 +184,23 @@ The following table shows the supported ciphers along with the TLS encryption pr
-Cipher | Encryption protocol | Supported Aurora MySQL versions  
----|---|---  
-`ECDHE-RSA-AES128-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-RSA-AES128-SHA256` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-RSA-AES128-GCM-SHA256` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-RSA-AES256-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-RSA-AES256-GCM-SHA384` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-RSA-CHACHA20-POLY1305` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-ECDSA-AES128-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-ECDSA-AES256-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-ECDSA-AES128-GCM-SHA256` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-ECDSA-AES256-GCM-SHA384` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`ECDHE-ECDSA-CHACHA20-POLY1305` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
-`TLS_AES_128_GCM_SHA256` | TLS 1.3 | 3.04.0 and higher  
-`TLS_AES_256_GCM_SHA384` | TLS 1.3 | 3.04.0 and higher  
-`TLS_CHACHA20_POLY1305_SHA256` | TLS 1.3 | 3.04.0 and higher  
+Cipher | Aurora MySQL 2.11.0+ | Aurora MySQL 3.04.0+ | Aurora MySQL 8.4.7+  
+---|---|---|---  
+**TLS 1.0 Ciphers**  
+`ECDHE-RSA-AES128-SHA` | ✓ | ✓ | X  
+`ECDHE-RSA-AES256-SHA` | ✓ | ✓ | X  
+`ECDHE-ECDSA-AES128-SHA` | ✓ | ✓ | X  
+`ECDHE-ECDSA-AES256-SHA` | ✓ | ✓ | X  
+**TLS 1.2 Ciphers**  
+`ECDHE-RSA-AES128-GCM-SHA256` | ✓ | ✓ | ✓  
+`ECDHE-RSA-AES256-GCM-SHA384` | ✓ | ✓ | ✓  
+`ECDHE-ECDSA-AES128-GCM-SHA256` | ✓ | ✓ | ✓  
+`ECDHE-ECDSA-AES256-GCM-SHA384` | ✓ | ✓ | ✓  
+`ECDHE-RSA-AES128-SHA256` | ✓ | ✓ | X  
+`ECDHE-RSA-CHACHA20-POLY1305` | ✓ | ✓ | X  
+`ECDHE-ECDSA-CHACHA20-POLY1305` | ✓ | ✓ | X  
+**TLS 1.3 Ciphers**  
+`TLS_AES_128_GCM_SHA256` | X | ✓ | ✓  
+`TLS_AES_256_GCM_SHA384` | X | ✓ | ✓  
+`TLS_CHACHA20_POLY1305_SHA256` | X | ✓ | X  
+  
+###### Important
+
+Before upgrading to Aurora MySQL version 8.4, verify that your applications support the updated cipher suites. Applications using TLS 1.0/1.1 or unsupported ciphers will not connect after upgrading if you have set the `require_secure_transport` parameter to `ON`.
@@ -240,0 +269,40 @@ For more information on TLS connections with MySQL, see the [MySQL documentation
+## Reserved users in Aurora MySQL
+
+The following usernames are reserved for Aurora MySQL features and cannot be used for your database user accounts:
+
+  * `rdsadmin`
+
+  * `rdsproxyadmin`
+
+  * `rdsrepladmin`
+
+  * `rdsrepladmin_priv_checks_user`
+
+  * `rds_superuser_role`
+
+  * `AWS_COMPREHEND_ACCESS`
+
+  * `AWS_LAMBDA_ACCESS`
+
+  * `AWS_LOAD_S3_ACCESS`
+
+  * `AWS_SAGEMAKER_ACCESS`
+
+  * `AWS_SELECT_S3_ACCESS`
+
+  * `AWS_BEDROCK_ACCESS`
+
+
+
+
+Starting in Aurora MySQL version 8.4.7, you can't `CREATE`, `DROP`, `RENAME`, `GRANT`, `REVOKE`, or `SET PASSWORD` for the `rdsproxyadmin` user. Enforcement applies at any host, including `rdsproxyadmin@%`, `rdsproxyadmin@localhost`, and specific hosts or IP addresses. These operations return an error similar to the following:
+    
+    
+    mysql> DROP USER 'rdsproxyadmin'@'%';
+    ERROR 1396 (HY000): Operation DROP USER failed for 'rdsproxyadmin'@'%'
+    
+    mysql> GRANT SELECT ON testdb.* TO 'rdsproxyadmin'@'%';
+    ERROR 1132 (42000): Access denied on rdsproxyadmin
+
+The `rdsproxyadmin` account is created automatically the first time you register a proxy target for your DB cluster. For more information about the RDS Proxy monitoring user, see [Amazon RDS Proxy for Aurora](./rds-proxy.html).
+
@@ -249 +317 @@ Aurora MySQL version 2 compatible with MySQL 5.7
-Updating applications for new TLS certificates
+Password policies and Password validation in Aurora MySQL