Updated on 2022-08-16 GMT+08:00

Database Account Security

Password Strength Requirements

  • RDS has a password security policy for user-created database accounts. Passwords must:
    • Consist of at least eight characters.
    • Contain letters, digits, and special characters.
    • Not contain the username.

Suggestions for Creating Users

When you run CREATE USER or CREATE ROLE, you are advised to specify a password expiration time with the VALID UNTIL 'timestamp' parameter (timestamp indicates the expiration time).

Suggestions for Accessing Databases

When you access a database object, you are advised to qualify it with its schema name, so that the name cannot resolve to a same-named object in another schema. This prevents trojan-horse attacks.
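The two suggestions above, shown as an added example that is not part of the original documentation: a role created with VALID UNTIL, schema-qualified access, and two audit queries against the PostgreSQL catalogs. The role app_reader, the schema app, the table orders, the timestamps, and the placeholder passwords are constructed for illustration.

```sql
-- Constructed names and values: app_reader, app, orders, the timestamps.
-- Replace the placeholder passwords with ones that meet the password policy.

-- 1. Create a login role whose password stops being accepted at a fixed time.
CREATE ROLE app_reader LOGIN
    PASSWORD '<placeholder-password>'
    VALID UNTIL '2026-12-31 23:59:59+08';

-- Rotating the password is the moment to push the expiration forward.
ALTER ROLE app_reader
    PASSWORD '<new-placeholder-password>'
    VALID UNTIL '2027-06-30 23:59:59+08';

-- 2. Audit: login roles with no expiration, or whose password has expired.
--    The system accounts listed under "Account Description" are skipped
--    (lower() is used because their stored case is an assumption).
SELECT rolname,
       rolvaliduntil,
       CASE
           WHEN rolvaliduntil IS NULL
             OR rolvaliduntil = 'infinity' THEN 'no expiration set'
           WHEN rolvaliduntil < now()      THEN 'expired'
           ELSE 'ok'
       END AS status
FROM pg_roles
WHERE rolcanlogin
  AND lower(rolname) NOT IN
      ('rdsadmin', 'rdsrepl', 'rdsbackup', 'rdsmetric', 'rdsproxy')
ORDER BY rolvaliduntil NULLS FIRST;

-- 3. Schema-qualified access: the name below can only mean the table in "app",
--    whatever the session's search_path is.
CREATE SCHEMA app;
CREATE TABLE app.orders (id bigint PRIMARY KEY, amount numeric(12,2) NOT NULL);
GRANT USAGE ON SCHEMA app TO app_reader;
GRANT SELECT ON app.orders TO app_reader;
SELECT count(*) FROM app.orders;

-- 4. Audit: relation names that exist in more than one non-system schema.
--    An unqualified reference to any of these depends on search_path order.
SELECT c.relname,
       array_agg(n.nspname ORDER BY n.nspname) AS schemas
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'f', 'p')
  AND n.nspname <> 'information_schema'
  AND n.nspname !~ '^pg_'
GROUP BY c.relname
HAVING count(*) > 1;
```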

Account Description

To provide O&M services, the system automatically creates system accounts when you create PostgreSQL DB instances. These accounts cannot be used by users.

Attempting to delete or rename these accounts, or to change their passwords or permissions, will result in an error.

  • rdsAdmin: management account, which has the superuser permissions and is used to query and modify DB instance information, rectify faults, migrate data, and restore data.
  • rdsRepl: replication account, which is used to synchronize data from primary DB instances to standby DB instances or read replicas.
  • rdsBackup: backup account, which is used for backend backup.
  • rdsMetric: metric monitoring account, which is used by watchdog to collect database status data.
  • rdsProxy: database proxy account, which is used for authentication when the database is connected through the read/write splitting address. This account is automatically created when you enable read/write splitting.