diff --git a/docs/pages/database-access/guides/rds.mdx b/docs/pages/database-access/guides/rds.mdx
index 7a064631d8e41..cae7d5e356d49 100644
--- a/docs/pages/database-access/guides/rds.mdx
+++ b/docs/pages/database-access/guides/rds.mdx
@@ -45,8 +45,15 @@ which supports IAM authentication.
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- AWS account with RDS and Aurora databases and permissions to create and attach
- IAM policies. Your RDS and Aurora databases must have password and IAM
- authentication enabled.
+ IAM policies.
+
+ Your RDS and Aurora databases must have password and IAM authentication
+ enabled.
+
+ If IAM authentication is not enabled on the target RDS and Aurora databases,
+ the Database Service will attempt to enable IAM authentication by modifying
+ them using respective APIs.
+
- A Linux host or Amazon Elastic Kubernetes Service cluster where you will run
the Teleport Database Service, which proxies connections to your RDS
databases.
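Review bot: The reworded prerequisite in this hunk contradicts itself: "Your RDS and Aurora databases must have password and IAM authentication enabled" is followed directly by a paragraph describing what happens when IAM authentication is not enabled. Suggest stating the requirement once, for example that IAM authentication must be enabled either in advance or by the Database Service. Also replace "using respective APIs" with the permissions named later in this guide (`rds:ModifyDBInstance` and `rds:ModifyDBCluster`), so that a reader scoping the IAM policy sees here that auto-enabling means granting modify rights on the databases. "will attempt" leaves open what to expect when the attempt fails; one sentence on that outcome would help.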
@@ -157,6 +164,13 @@ Follow these instructions on your Linux host.
(!docs/pages/includes/database-access/aws-bootstrap.mdx type="rds"!)
+
+Teleport uses `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to automatically
+enable IAM authentication on the RDS instance and the Aurora cluster,
+respectively. You can omit these permissions if IAM authentication is already
+enabled.
+
+
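Review bot: The added paragraph after the `aws-bootstrap.mdx` include repeats the sentence in `reference/aws.mdx` almost word for word, and the other file in this same patch shows how such copies drift (`rds:DescribeDBClusters` had to be corrected there). Suggest moving the sentence into a shared include, or linking to the reference page instead of restating it. This copy also drops the link to the AWS IAM authentication documentation that the reference version carries. Minor: the hunk ends with two added blank lines where one is enough.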
diff --git a/docs/pages/database-access/reference/aws.mdx b/docs/pages/database-access/reference/aws.mdx
index a4c12bbbb9670..bdd0d03bb3361 100644
--- a/docs/pages/database-access/reference/aws.mdx
+++ b/docs/pages/database-access/reference/aws.mdx
@@ -155,7 +155,7 @@ policies for each discovery type are shown below.
-Teleport uses `rds:ModifyDBInstance` and `rds:DescribeDBClusters` to
+Teleport uses `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to
automatically enable [IAM
authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)
on the RDS instance and the Aurora cluster, respectively. You can omit these
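Review bot: The example policies that this section says are "shown below" are not touched by this diff, so with the first changed line now naming `rds:ModifyDBCluster`, please confirm that those policy documents list the same action and that the prose and the examples agree. If `rds:DescribeDBClusters` is still required for another purpose, it should stay documented where it applies rather than disappear with this wording fix.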