AWS Security ChangesHomeSearch

AWS AmazonRDS medium security documentation change

Service: AmazonRDS · 2026-06-13 · Security-related medium

File: AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.PasswordPolicies.md

Summary

Refined instructions for validate_password component migration and clarified password validation failure behavior during rotation.

Security assessment

Changes explicitly document security-critical password validation behavior during credential rotation (AWS-REDACTED-SECRETSMANAGER), including rotation failure scenarios. Strengthens documentation for security feature implementation.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.PasswordPolicies.md b/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.PasswordPolicies.md
index 3581c83c1..ceda990d5 100644
--- a//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.PasswordPolicies.md
+++ b//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.PasswordPolicies.md
@@ -123 +123 @@ For more information on MySQL validate_password parameters, see [MySQL Password
-Starting from Aurora MySQL version 8.4, if you had previously installed the `validate_password` plugin through the `INSTALL PLUGIN` command, you can migrate to the `validate_password` component by enabling the parameter `aurora_enable_validate_password_component` and then remove the plugin through the `UNINSTALL PLUGIN` command on your writer instance.
+Starting from Aurora MySQL version 8.4, if you had previously installed the `validate_password` plugin through the `INSTALL PLUGIN` command, you can migrate to the `validate_password` component. Enable the parameter `aurora_enable_validate_password_component` and then remove the plugin through the `UNINSTALL PLUGIN` command on your writer instance.
@@ -129 +129 @@ If you have both the plugin installed and the parameter `aurora_enable_validate_
-If you previously installed the `validate_password` component manually using `INSTALL COMPONENT 'file://component_validate_password'`, ensure you set the `aurora_enable_validate_password_component` parameter in your target DB cluster parameter group when upgrading. After upgrading, the component will no longer be listed in the `mysql.component` table. You can use the `aurora_enable_validate_password_component` global variable to verify the status of the component.
+If you previously installed the `validate_password` component manually using `INSTALL COMPONENT 'file://component_validate_password'`, set the `aurora_enable_validate_password_component` parameter in your target DB cluster parameter group when upgrading. After upgrading, the component will no longer be listed in the `mysql.component` table. You can use the `aurora_enable_validate_password_component` global variable to verify the status of the component.
@@ -162 +162 @@ When disabled:
-When resetting the master user password through the `modify-db-cluster` API, if the new password does not comply with the configured password validation rules, Aurora MySQL will emit a customer-visible event indicating the failure, and you will have to retry the operation with a compliant password.
+When resetting the master user password through the `modify-db-cluster` API, if the new password does not comply with the configured password validation rules, Aurora MySQL emits a customer-visible event indicating the failure. You must retry the operation with a compliant password.
@@ -166 +166 @@ When resetting the master user password through the `modify-db-cluster` API, if
-For clusters using Amazon RDS-managed master user credentials stored in AWS Secrets Manager, if the automatically generated password during rotation does not comply with the configured validation requirements, the rotation will fail. You will need to adjust your password validation parameters to allow the rotation to succeed. We suggest not using the `validate_password` component and managed master user password together.
+For clusters using Amazon RDS-managed master user credentials stored in AWS Secrets Manager, if the automatically generated password during rotation does not comply with the configured validation requirements, the rotation will fail. Adjust your password validation parameters to allow the rotation to succeed. We suggest not using the `validate_password` component and managed master user password together.