AWS Security ChangesHomeSearch

AWS AmazonRDS medium security documentation change

Service: AmazonRDS · 2026-07-13 · Security-related medium

File: AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md

Summary

Added 7 new configuration parameters for password policies and archive log management

Security assessment

Introduces password complexity controls (length, character requirements) and secure log archiving to S3. These directly mitigate credential brute-forcing and insecure storage risks. The added note explains security enforcement behaviors.

Diff

diff --git a/AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md b/AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md
index c47843088..92e8b7e48 100644
--- a//AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md
+++ b//AmazonRDS/latest/UserGuide/db2-sp-managing-databases.md
@@ -511,0 +512,7 @@ Name | Description
+`ARCHIVE_LOG_COPY_TARGET_S3_ARN` |  Specifies the S3 bucket ARN where archive logs are copied. This setting applies to all databases on the DB instance that have [Copying archive logs to Amazon S3](./db2-managing-databases.html#db2-copying-archive-logs-to-s3) enabled.  
+`RDS_PASSWORD_MAX_LENGTH` |  Specifies the maximum password length. The value must be between 8 and 128 characters. Default value is 128.  
+`RDS_PASSWORD_MIN_LENGTH` |  Specifies the minimum password length. The value must be between 8 and 128 characters. Default value is 8.  
+`RDS_PASSWORD_MIN_NUMERIC` |  Specifies the minimum number of numeric characters required in a password. The value must be between 0 and 128. Default value is 0.  
+`RDS_PASSWORD_MIN_UPPER_CASE_CHAR` |  Specifies the minimum number of uppercase characters required in a password. The value must be between 0 and 128. Default value is 0.  
+`RDS_PASSWORD_MIN_LOWER_CASE_CHAR` |  Specifies the minimum number of lowercase characters required in a password. The value must be between 0 and 128. Default value is 0.  
+`RDS_PASSWORD_RULES` |  Specifies the password rules configuration. Valid values are `DEFAULT` or `CUSTOM`.  
@@ -513 +519,0 @@ Name | Description
-`RESTORE_DATABASE_PARALLELISM` |  The number of buffer manipulators to create during a restore operation. This value must be less than double the number of vCPUs for the DB instance. If this setting isn't configured, Db2 determines the value to use during the restore operation. For more information, see [RESTORE DATABASE command](https://www.ibm.com/docs/en/db2/11.5?topic=commands-restore-database) in the IBM Db2 documentation.  
@@ -514,0 +521 @@ Name | Description
+`RESTORE_DATABASE_PARALLELISM` |  The number of buffer manipulators to create during a restore operation. This value must be less than double the number of vCPUs for the DB instance. If this setting isn't configured, Db2 determines the value to use during the restore operation. For more information, see [RESTORE DATABASE command](https://www.ibm.com/docs/en/db2/11.5?topic=commands-restore-database) in the IBM Db2 documentation.  
@@ -516,0 +524,13 @@ Name | Description
+###### Note
+
+The following behavior applies to the password configuration parameters:
+
+  * RDS for Db2 automatically sets `RDS_PASSWORD_RULES` to `CUSTOM` when any password parameter is set.
+
+  * When you set `RDS_PASSWORD_RULES` to `DEFAULT`, RDS for Db2 resets all password parameters to their defaults.
+
+  * You cannot set a password parameter to `NULL`. To reset all password parameters to their defaults, use `set_configuration('RDS_PASSWORD_RULES', 'DEFAULT')`.
+
+
+
+