diff --git a/docs/pages/database-access/guides/rds.mdx b/docs/pages/database-access/guides/rds.mdx
index 896cab82767e6..fe6e7c23a0f08 100644
--- a/docs/pages/database-access/guides/rds.mdx
+++ b/docs/pages/database-access/guides/rds.mdx
@@ -36,6 +36,14 @@ This guide will help you to:
- AWS account with RDS and Aurora databases and permissions to create and attach
IAM policies.
+
+ Your RDS and Aurora databases must have password and IAM authentication
+ enabled.
+
+ If IAM authentication is not enabled on the target RDS and Aurora databases,
+ the Database Service will attempt to enable IAM authentication by modifying
+ them using respective APIs.
+
- A host, e.g., an EC2 instance, where you will run the Teleport Database
Service.
- (!docs/pages/includes/tctl.mdx!)
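Review bot: The two paragraphs added under the AWS account prerequisite contradict each other: the first says the databases "must have password and IAM authentication enabled", while the second says the Database Service will try to enable IAM authentication itself when it is missing. Suggest stating a single requirement, for example that IAM authentication must either be enabled already or the Database Service must be permitted to enable it. Also replace "using respective APIs" with the permissions the automatic path needs (`rds:ModifyDBInstance` and `rds:ModifyDBCluster`, as named later in this patch), so a reader applying least privilege can see up front that the service modifies the databases only when granted those actions.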
@@ -82,6 +90,13 @@ Service access to AWS credentials.
(!docs/pages/includes/database-access/aws-bootstrap.mdx!)
+
+Teleport uses `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to automatically
+enable IAM authentication on the RDS instance and the Aurora cluster,
+respectively. You can omit these permissions if IAM authentication is already
+enabled.
+
+
## Step 4/6. Start the Database Service
(!docs/pages/includes/start-teleport.mdx service="the Database Service"!)
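Review bot: The paragraph added after the aws-bootstrap include duplicates, almost word for word, the sentence in reference/aws.mdx that this same patch has to correct, so the two copies can drift apart again; consider moving the text into a shared include. The paragraph also covers only the case where IAM authentication is already enabled; it would help to say what the operator should expect when the permissions are omitted and IAM authentication is not enabled. Minor: the hunk adds two consecutive blank `+` lines before "## Step 4/6", where one is enough.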
diff --git a/docs/pages/database-access/reference/aws.mdx b/docs/pages/database-access/reference/aws.mdx
index a4c12bbbb9670..bdd0d03bb3361 100644
--- a/docs/pages/database-access/reference/aws.mdx
+++ b/docs/pages/database-access/reference/aws.mdx
@@ -155,7 +155,7 @@ policies for each discovery type are shown below.
-Teleport uses `rds:ModifyDBInstance` and `rds:DescribeDBClusters` to
+Teleport uses `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to
automatically enable [IAM
authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html)
on the RDS instance and the Aurora cluster, respectively. You can omit these
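Review bot: The replacement of `rds:DescribeDBClusters` with `rds:ModifyDBCluster` fixes only the prose sentence; the policy documents this section introduces ("policies for each discovery type are shown below") sit outside the hunk and should be checked for the same mix-up, so that the example policies grant the action the text now names. Since `rds:DescribeDBClusters` is dropped from this sentence, please also confirm it is still documented wherever it is actually required.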