Amazon Aurora DSQL is provided as a Preview service.
To learn more, see Betas and Previews
In addition to the following ways to securely use Aurora DSQL, see Security in AWS Well-Architected Tool to learn about how cloud technologies improve your security.
- Use IAM roles to authenticate access to Aurora DSQL
-
For users, applications, and other AWS services to access Aurora DSQL, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or EC2 instance. These are long-term credentials that are not automatically rotated, and therefore could have significant business impact if they are compromised. An IAM role lets you obtain temporary access keys that can be used to access AWS services and resources.
For more information, see Authentication and authorization for Aurora DSQL.
- Use IAM policies for Aurora DSQL base authorization
-
When granting permissions, you decide who is getting them, which Aurora DSQL API operations they are getting permissions for, and the specific actions you want to allow on those resources. Implementing least privilege is key in reducing security risk and the impact that can result from errors or malicious intent.
Attach permissions policies to IAM roles and thereby grant permissions to perform operations on Aurora DSQL resources. Also available are permissions boundaries for IAM entities, which let you set the maximum permissions that an identity-based policy can grant to an IAM entity.
Similar to the root user best practices for your AWS account, don't use the admin role in Aurora DSQL to perform everyday operations. Instead, we recommend that you create custom database roles to manage and connect to your cluster. For more information, see Accessing Aurora DSQL and Authentication and authorization for Aurora DSQL.
