Default users (i.e. rdsadmin, rdsrepladmin etc) created by RDS PostgreSQL and their roles and functionalities

Question

A customer is using RDS PostgreSQL to store their data for a regulated business. The customer is now being asked by the regulator

1) For AWS RDS db roles, are rdsadmin, rdsrepladmin, root DEFAULT roles created by AWS and what are the purposes of these roles?

2) Running `\du` in `psql` shows “Cannot login” in the `Attributes` column for those user `rds_ad`,`rds_iam`,`rds_password`,`rds_replication`,`rds_superuser`, what does it mean?

Highly appreciated if anyone could shed us some light how to answer these questions? Are we supposed to disclose these details with regulator/customer? Thanks a lot!

Accepted Answer

If the customer is new to PostgreSQL, here is a good starter on the concept of roles and users: https://rdspg.workshop.aws/lab9-postgres-introduction/task6.html

1) RDS does create some roles to be able to provide the automation/management that it provides.  "rdsadmin" is a role with login permissions (also known as a user) that is used by our internal automation mechanisms.  "rdsrepladmin" is a role related to configuring logical replication.  "root" appears to be name of the master user that you specified when you created the database.  You could have called it something other than "root" if you wanted.

2) Those are roles without login permissions.  RDS creates these roles to allow you to grant certain types of permissions to any new users you decide to create.  For instance, you could create new users for each of your dbas and grant them the rds_superuser role which would give them capabilities equivalent to the original master user ("root" in your example).

Default users (i.e. rdsadmin, rdsrepladmin etc) created by RDS PostgreSQL and their roles and functionalities

관련 콘텐츠