AWS AmazonRDS documentation change
Summary
Added guidance for region-specific service principals in IAM trust policies for Kerberos authentication
Security assessment
This update improves documentation for Kerberos authentication setup (a security feature) by specifying region-specific service principals. It enhances security posture by ensuring correct IAM configurations but doesn't address a specific vulnerability.
Diff
diff --git a/AmazonRDS/latest/UserGuide/mysql-kerberos.md b/AmazonRDS/latest/UserGuide/mysql-kerberos.md index e8e9805d5..173c20e22 100644 --- a//AmazonRDS/latest/UserGuide/mysql-kerberos.md +++ b//AmazonRDS/latest/UserGuide/mysql-kerberos.md @@ -229,0 +230,40 @@ JSON +For opt-in AWS Regions, use Region-specific service principals in IAM role trust policies. When you create a trust policy for services in these Regions, specify the Region code in the service principal. + +The following example shows a trust policy that includes Region-specific service principals: + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "directoryservice.rds.REGION-CODE.amazonaws.com", + "rds.REGION-CODE.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + } + + +Replace REGION-CODE with the code for your specific Region. For example, use the following service principals for the Asia Pacific (Melbourne) Region: + + + "Service": [ + "directoryservice.rds.ap-southeast-4.amazonaws.com", + "rds.ap-southeast-4.amazonaws.com" + ] + + +For AWS Regions launched after Israel (Tel Aviv), starting with Canada West (Calgary), use the engine-specific service principal `directoryservice-`engine`.rds.`region-code`.amazonaws.com`, where `engine` is `mysql`. For example, for Canada West (Calgary) Region: + + + "Service": [ + "directoryservice-mysql.rds.ca-west-1.amazonaws.com", + "rds.ca-west-1.amazonaws.com" + ] + +