Amazon Aurora DSQL Update: Add support for resource-based policies for Aurora DSQL clusters. This will enable you to implement Block Public Access (BPA) which will help restrict access to your Aurora DSQL public or VPC endpoints.

AWS · AWS · commit 3dbb4b75dabb · 2025-10-23T18:08:00.000Z
diff --git a/.changes/next-release/feature-AmazonAuroraDSQL-83d978b.json b/.changes/next-release/feature-AmazonAuroraDSQL-83d978b.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Amazon Aurora DSQL",
+    "contributor": "",
+    "description": "Add support for resource-based policies for Aurora DSQL clusters. This will enable you to implement Block Public Access (BPA) which will help restrict access to your Aurora DSQL public or VPC endpoints."
+}
diff --git a/services/dsql/src/main/resources/codegen-resources/service-2.json b/services/dsql/src/main/resources/codegen-resources/service-2.json
@@ -30,7 +30,7 @@
         {"shape":"InternalServerException"},
         {"shape":"ConflictException"}
       ],
-      "documentation":"<p>The CreateCluster API allows you to create both single-region clusters and multi-Region clusters. With the addition of the <i>multiRegionProperties</i> parameter, you can create a cluster with witness Region support and establish peer relationships with clusters in other Regions during creation.</p> <note> <p>Creating multi-Region clusters requires additional IAM permissions beyond those needed for single-Region clusters, as detailed in the <b>Required permissions</b> section below.</p> </note> <p> <b>Required permissions</b> </p> <dl> <dt>dsql:CreateCluster</dt> <dd> <p>Required to create a cluster.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </dd> <dt>dsql:TagResource</dt> <dd> <p>Permission to add tags to a resource.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </dd> <dt>dsql:PutMultiRegionProperties</dt> <dd> <p>Permission to configure multi-region properties for a cluster.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </dd> <dt>dsql:AddPeerCluster</dt> <dd> <p>When specifying <code>multiRegionProperties.clusters</code>, permission to add peer clusters.</p> <p>Resources:</p> <ul> <li> <p>Local cluster: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </li> <li> <p>Each peer cluster: exact ARN of each specified peer cluster</p> </li> </ul> </dd> <dt>dsql:PutWitnessRegion</dt> <dd> <p>When specifying <code>multiRegionProperties.witnessRegion</code>, permission to set a witness Region. This permission is checked both in the cluster Region and in the witness Region.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> <p>Condition Keys: <code>dsql:WitnessRegion</code> (matching the specified witness region)</p> </dd> </dl> <important> <ul> <li> <p>The witness Region specified in <code>multiRegionProperties.witnessRegion</code> cannot be the same as the cluster's Region.</p> </li> </ul> </important>"
+      "documentation":"<p>The CreateCluster API allows you to create both single-Region clusters and multi-Region clusters. With the addition of the <i>multiRegionProperties</i> parameter, you can create a cluster with witness Region support and establish peer relationships with clusters in other Regions during creation.</p> <note> <p>Creating multi-Region clusters requires additional IAM permissions beyond those needed for single-Region clusters, as detailed in the <b>Required permissions</b> section below.</p> </note> <p> <b>Required permissions</b> </p> <dl> <dt>dsql:CreateCluster</dt> <dd> <p>Required to create a cluster.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </dd> <dt>dsql:TagResource</dt> <dd> <p>Permission to add tags to a resource.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </dd> <dt>dsql:PutMultiRegionProperties</dt> <dd> <p>Permission to configure multi-Region properties for a cluster.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </dd> <dt>dsql:AddPeerCluster</dt> <dd> <p>When specifying <code>multiRegionProperties.clusters</code>, permission to add peer clusters.</p> <p>Resources:</p> <ul> <li> <p>Local cluster: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> </li> <li> <p>Each peer cluster: exact ARN of each specified peer cluster</p> </li> </ul> </dd> <dt>dsql:PutWitnessRegion</dt> <dd> <p>When specifying <code>multiRegionProperties.witnessRegion</code>, permission to set a witness Region. This permission is checked both in the cluster Region and in the witness Region.</p> <p>Resources: <code>arn:aws:dsql:region:account-id:cluster/*</code> </p> <p>Condition Keys: <code>dsql:WitnessRegion</code> (matching the specified witness region)</p> </dd> </dl> <important> <ul> <li> <p>The witness Region specified in <code>multiRegionProperties.witnessRegion</code> cannot be the same as the cluster's Region.</p> </li> </ul> </important>"
     },
     "DeleteCluster":{
       "name":"DeleteCluster",
@@ -52,6 +52,26 @@
       "documentation":"<p>Deletes a cluster in Amazon Aurora DSQL.</p>",
       "idempotent":true
     },
+    "DeleteClusterPolicy":{
+      "name":"DeleteClusterPolicy",
+      "http":{
+        "method":"DELETE",
+        "requestUri":"/cluster/{identifier}/policy",
+        "responseCode":200
+      },
+      "input":{"shape":"DeleteClusterPolicyInput"},
+      "output":{"shape":"DeleteClusterPolicyOutput"},
+      "errors":[
+        {"shape":"ThrottlingException"},
+        {"shape":"ValidationException"},
+        {"shape":"AccessDeniedException"},
+        {"shape":"InternalServerException"},
+        {"shape":"ResourceNotFoundException"},
+        {"shape":"ConflictException"}
+      ],
+      "documentation":"<p>Deletes the resource-based policy attached to a cluster. This removes all access permissions defined by the policy, reverting to default access controls.</p>",
+      "idempotent":true
+    },
     "GetCluster":{
       "name":"GetCluster",
       "http":{
@@ -70,6 +90,24 @@
       ],
       "documentation":"<p>Retrieves information about a cluster.</p>"
     },
+    "GetClusterPolicy":{
+      "name":"GetClusterPolicy",
+      "http":{
+        "method":"GET",
+        "requestUri":"/cluster/{identifier}/policy",
+        "responseCode":200
+      },
+      "input":{"shape":"GetClusterPolicyInput"},
+      "output":{"shape":"GetClusterPolicyOutput"},
+      "errors":[
+        {"shape":"ThrottlingException"},
+        {"shape":"ValidationException"},
+        {"shape":"AccessDeniedException"},
+        {"shape":"InternalServerException"},
+        {"shape":"ResourceNotFoundException"}
+      ],
+      "documentation":"<p>Retrieves the resource-based policy document attached to a cluster. This policy defines the access permissions and conditions for the cluster.</p>"
+    },
     "GetVpcEndpointServiceName":{
       "name":"GetVpcEndpointServiceName",
       "http":{
@@ -124,6 +162,26 @@
       ],
       "documentation":"<p>Lists all of the tags for a resource.</p>"
     },
+    "PutClusterPolicy":{
+      "name":"PutClusterPolicy",
+      "http":{
+        "method":"POST",
+        "requestUri":"/cluster/{identifier}/policy",
+        "responseCode":200
+      },
+      "input":{"shape":"PutClusterPolicyInput"},
+      "output":{"shape":"PutClusterPolicyOutput"},
+      "errors":[
+        {"shape":"ThrottlingException"},
+        {"shape":"ValidationException"},
+        {"shape":"AccessDeniedException"},
+        {"shape":"InternalServerException"},
+        {"shape":"ResourceNotFoundException"},
+        {"shape":"ConflictException"}
+      ],
+      "documentation":"<p>Attaches a resource-based policy to a cluster. This policy defines access permissions and conditions for the cluster, allowing you to control which principals can perform actions on the cluster.</p>",
+      "idempotent":true
+    },
     "TagResource":{
       "name":"TagResource",
       "http":{
@@ -178,7 +236,7 @@
         {"shape":"ResourceNotFoundException"},
         {"shape":"ConflictException"}
       ],
-      "documentation":"<p>The <i>UpdateCluster</i> API allows you to modify both single-Region and multi-Region cluster configurations. With the <i>multiRegionProperties</i> parameter, you can add or modify witness Region support and manage peer relationships with clusters in other Regions.</p> <note> <p>Note that updating multi-region clusters requires additional IAM permissions beyond those needed for standard cluster updates, as detailed in the Permissions section.</p> </note> <p> <b>Required permissions</b> </p> <dl> <dt>dsql:UpdateCluster</dt> <dd> <p>Permission to update a DSQL cluster.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </dd> </dl> <dl> <dt>dsql:PutMultiRegionProperties</dt> <dd> <p>Permission to configure multi-Region properties for a cluster.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </dd> </dl> <dl> <dt>dsql:GetCluster</dt> <dd> <p>Permission to retrieve cluster information.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </dd> <dt>dsql:AddPeerCluster</dt> <dd> <p>Permission to add peer clusters.</p> <p>Resources:</p> <ul> <li> <p>Local cluster: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </li> <li> <p>Each peer cluster: exact ARN of each specified peer cluster</p> </li> </ul> </dd> <dt>dsql:RemovePeerCluster</dt> <dd> <p>Permission to remove peer clusters. The <i>dsql:RemovePeerCluster</i> permission uses a wildcard ARN pattern to simplify permission management during updates.</p> <p>Resources: <code>arn:aws:dsql:*:<i>account-id</i>:cluster/*</code> </p> </dd> </dl> <dl> <dt>dsql:PutWitnessRegion</dt> <dd> <p>Permission to set a witness Region.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> <p>Condition Keys: dsql:WitnessRegion (matching the specified witness Region)</p> <p> <b>This permission is checked both in the cluster Region and in the witness Region.</b> </p> </dd> </dl> <important> <ul> <li> <p>The witness region specified in <code>multiRegionProperties.witnessRegion</code> cannot be the same as the cluster's Region.</p> </li> <li> <p>When updating clusters with peer relationships, permissions are checked for both adding and removing peers.</p> </li> <li> <p>The <code>dsql:RemovePeerCluster</code> permission uses a wildcard ARN pattern to simplify permission management during updates.</p> </li> </ul> </important>"
+      "documentation":"<p>The <i>UpdateCluster</i> API allows you to modify both single-Region and multi-Region cluster configurations. With the <i>multiRegionProperties</i> parameter, you can add or modify witness Region support and manage peer relationships with clusters in other Regions.</p> <note> <p>Note that updating multi-Region clusters requires additional IAM permissions beyond those needed for standard cluster updates, as detailed in the Permissions section.</p> </note> <p> <b>Required permissions</b> </p> <dl> <dt>dsql:UpdateCluster</dt> <dd> <p>Permission to update a DSQL cluster.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </dd> </dl> <dl> <dt>dsql:PutMultiRegionProperties</dt> <dd> <p>Permission to configure multi-Region properties for a cluster.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </dd> </dl> <dl> <dt>dsql:GetCluster</dt> <dd> <p>Permission to retrieve cluster information.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </dd> <dt>dsql:AddPeerCluster</dt> <dd> <p>Permission to add peer clusters.</p> <p>Resources:</p> <ul> <li> <p>Local cluster: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> </li> <li> <p>Each peer cluster: exact ARN of each specified peer cluster</p> </li> </ul> </dd> <dt>dsql:RemovePeerCluster</dt> <dd> <p>Permission to remove peer clusters. The <i>dsql:RemovePeerCluster</i> permission uses a wildcard ARN pattern to simplify permission management during updates.</p> <p>Resources: <code>arn:aws:dsql:*:<i>account-id</i>:cluster/*</code> </p> </dd> </dl> <dl> <dt>dsql:PutWitnessRegion</dt> <dd> <p>Permission to set a witness Region.</p> <p>Resources: <code>arn:aws:dsql:<i>region</i>:<i>account-id</i>:cluster/<i>cluster-id</i> </code> </p> <p>Condition Keys: dsql:WitnessRegion (matching the specified witness Region)</p> <p> <b>This permission is checked both in the cluster Region and in the witness Region.</b> </p> </dd> </dl> <important> <ul> <li> <p>The witness region specified in <code>multiRegionProperties.witnessRegion</code> cannot be the same as the cluster's Region.</p> </li> <li> <p>When updating clusters with peer relationships, permissions are checked for both adding and removing peers.</p> </li> <li> <p>The <code>dsql:RemovePeerCluster</code> permission uses a wildcard ARN pattern to simplify permission management during updates.</p> </li> </ul> </important>"
     }
   },
   "shapes":{
@@ -202,6 +260,10 @@
       "min":1,
       "pattern":"arn:.+"
     },
+    "BypassPolicyLockoutSafetyCheck":{
+      "type":"boolean",
+      "box":true
+    },
     "ClientToken":{
       "type":"string",
       "documentation":"<p>Idempotency token so a request is only processed once.</p>",
@@ -311,6 +373,14 @@
         "multiRegionProperties":{
           "shape":"MultiRegionProperties",
           "documentation":"<p>The configuration settings when creating a multi-Region cluster, including the witness region and linked cluster properties.</p>"
+        },
+        "policy":{
+          "shape":"PolicyDocument",
+          "documentation":"<p>An optional resource-based policy document in JSON format that defines access permissions for the cluster.</p>"
+        },
+        "bypassPolicyLockoutSafetyCheck":{
+          "shape":"BypassPolicyLockoutSafetyCheck",
+          "documentation":"<p>An optional field that controls whether to bypass the lockout prevention check. When set to true, this parameter allows you to apply a policy that might lock you out of the cluster. Use with caution.</p>"
         }
       }
     },
@@ -402,6 +472,39 @@
       },
       "documentation":"<p>The output from a deleted cluster.</p>"
     },
+    "DeleteClusterPolicyInput":{
+      "type":"structure",
+      "required":["identifier"],
+      "members":{
+        "identifier":{
+          "shape":"ClusterId",
+          "location":"uri",
+          "locationName":"identifier"
+        },
+        "expectedPolicyVersion":{
+          "shape":"PolicyVersion",
+          "documentation":"<p>The expected version of the policy to delete. This parameter ensures that you're deleting the correct version of the policy and helps prevent accidental deletions.</p>",
+          "location":"querystring",
+          "locationName":"expected-policy-version"
+        },
+        "clientToken":{
+          "shape":"ClientToken",
+          "idempotencyToken":true,
+          "location":"querystring",
+          "locationName":"client-token"
+        }
+      }
+    },
+    "DeleteClusterPolicyOutput":{
+      "type":"structure",
+      "required":["policyVersion"],
+      "members":{
+        "policyVersion":{
+          "shape":"PolicyVersion",
+          "documentation":"<p>The version of the policy that was deleted.</p>"
+        }
+      }
+    },
     "DeletionProtectionEnabled":{
       "type":"boolean",
       "documentation":"<p>Indicates whether deletion protection is enabled for a cluster.</p>",
@@ -499,6 +602,35 @@
       },
       "documentation":"<p>The output of a cluster.</p>"
     },
+    "GetClusterPolicyInput":{
+      "type":"structure",
+      "required":["identifier"],
+      "members":{
+        "identifier":{
+          "shape":"ClusterId",
+          "documentation":"<p>The ID of the cluster to retrieve the policy from.</p>",
+          "location":"uri",
+          "locationName":"identifier"
+        }
+      }
+    },
+    "GetClusterPolicyOutput":{
+      "type":"structure",
+      "required":[
+        "policy",
+        "policyVersion"
+      ],
+      "members":{
+        "policy":{
+          "shape":"PolicyDocument",
+          "documentation":"<p>The resource-based policy document attached to the cluster, returned as a JSON string.</p>"
+        },
+        "policyVersion":{
+          "shape":"PolicyVersion",
+          "documentation":"<p>The version of the policy document. This version number is incremented each time the policy is updated.</p>"
+        }
+      }
+    },
     "GetVpcEndpointServiceNameInput":{
       "type":"structure",
       "required":["identifier"],
@@ -614,11 +746,11 @@
       "members":{
         "witnessRegion":{
           "shape":"Region",
-          "documentation":"<p>The that serves as the witness region for a multi-Region cluster. The witness region helps maintain cluster consistency and quorum.</p>"
+          "documentation":"<p>The Region that serves as the witness region for a multi-Region cluster. The witness Region helps maintain cluster consistency and quorum.</p>"
         },
         "clusters":{
           "shape":"ClusterArnList",
-          "documentation":"<p>The set of linked clusters that form the multi-Region cluster configuration. Each linked cluster represents a database instance in a different Region.</p>"
+          "documentation":"<p>The set of peered clusters that form the multi-Region cluster configuration. Each peered cluster represents a database instance in a different Region.</p>"
         }
       },
       "documentation":"<p>Defines the structure for multi-Region cluster configurations, containing the witness region and linked cluster settings.</p>"
@@ -627,6 +759,53 @@
       "type":"string",
       "documentation":"<p>Token used to retrieve next page.</p>"
     },
+    "PolicyDocument":{
+      "type":"string",
+      "documentation":"<p>A resource-based policy document in JSON format. Length constraints: Minimum length of 1. Maximum length of 20480 characters (approximately 20KB).</p>",
+      "max":20480,
+      "min":1
+    },
+    "PolicyVersion":{"type":"string"},
+    "PutClusterPolicyInput":{
+      "type":"structure",
+      "required":[
+        "identifier",
+        "policy"
+      ],
+      "members":{
+        "identifier":{
+          "shape":"ClusterId",
+          "location":"uri",
+          "locationName":"identifier"
+        },
+        "policy":{
+          "shape":"PolicyDocument",
+          "documentation":"<p>The resource-based policy document to attach to the cluster. This should be a valid JSON policy document that defines permissions and conditions.</p>"
+        },
+        "bypassPolicyLockoutSafetyCheck":{
+          "shape":"BypassPolicyLockoutSafetyCheck",
+          "documentation":"<p>A flag that allows you to bypass the policy lockout safety check. When set to true, this parameter allows you to apply a policy that might lock you out of the cluster. Use with caution.</p>"
+        },
+        "expectedPolicyVersion":{
+          "shape":"PolicyVersion",
+          "documentation":"<p>The expected version of the current policy. This parameter ensures that you're updating the correct version of the policy and helps prevent concurrent modification conflicts.</p>"
+        },
+        "clientToken":{
+          "shape":"ClientToken",
+          "idempotencyToken":true
+        }
+      }
+    },
+    "PutClusterPolicyOutput":{
+      "type":"structure",
+      "required":["policyVersion"],
+      "members":{
+        "policyVersion":{
+          "shape":"PolicyVersion",
+          "documentation":"<p>The version of the policy after it has been updated or created.</p>"
+        }
+      }
+    },
     "Region":{
       "type":"string",
       "documentation":"<p> Region name.</p>",
