From ba30e3c06ece6f35ca8845e560c3bf55ceeee338 Mon Sep 17 00:00:00 2001 From: "STeve (Xin) Huang" Date: Thu, 12 Oct 2023 13:48:03 -0400 Subject: [PATCH 1/2] [docs] clarify RDS/Aurora databases getting modified (#33312) --- docs/pages/database-access/guides/rds.mdx | 17 +++++++++++++++-- docs/pages/database-access/reference/aws.mdx | 2 +- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/pages/database-access/guides/rds.mdx b/docs/pages/database-access/guides/rds.mdx index 896cab82767e6..903ab5873f095 100644 --- a/docs/pages/database-access/guides/rds.mdx +++ b/docs/pages/database-access/guides/rds.mdx @@ -36,8 +36,14 @@ This guide will help you to: - AWS account with RDS and Aurora databases and permissions to create and attach IAM policies. -- A host, e.g., an EC2 instance, where you will run the Teleport Database - Service. + + Your RDS and Aurora databases must have password and IAM authentication + enabled. + + If IAM authentication is not enabled on the target RDS and Aurora databases, + the Database Service will attempt to enable IAM authentication by modifying + them using respective APIs. + - (!docs/pages/includes/tctl.mdx!) ## Step 1/6. Create a Teleport user @@ -82,6 +88,13 @@ Service access to AWS credentials. (!docs/pages/includes/database-access/aws-bootstrap.mdx!) + +Teleport uses `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to automatically +enable IAM authentication on the RDS instance and the Aurora cluster, +respectively. You can omit these permissions if IAM authentication is already +enabled. + + ## Step 4/6. Start the Database Service (!docs/pages/includes/start-teleport.mdx service="the Database Service"!) diff --git a/docs/pages/database-access/reference/aws.mdx b/docs/pages/database-access/reference/aws.mdx index a4c12bbbb9670..bdd0d03bb3361 100644 --- a/docs/pages/database-access/reference/aws.mdx +++ b/docs/pages/database-access/reference/aws.mdx 
@@ -155,7 +155,7 @@ policies for each discovery type are shown below. -Teleport uses `rds:ModifyDBInstance` and `rds:DescribeDBClusters` to +Teleport uses `rds:ModifyDBInstance` and `rds:ModifyDBCluster` to automatically enable [IAM authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html) on the RDS instance and the Aurora cluster, respectively. You can omit these From 40b22627b19ac515ea6fca1e610655b38a52f141 Mon Sep 17 00:00:00 2001 From: STeve Huang Date: Fri, 13 Oct 2023 07:48:28 -0400 Subject: [PATCH 2/2] fix missing req --- docs/pages/database-access/guides/rds.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/pages/database-access/guides/rds.mdx b/docs/pages/database-access/guides/rds.mdx index 903ab5873f095..fe6e7c23a0f08 100644 --- a/docs/pages/database-access/guides/rds.mdx +++ b/docs/pages/database-access/guides/rds.mdx @@ -44,6 +44,8 @@ This guide will help you to: the Database Service will attempt to enable IAM authentication by modifying them using respective APIs. +- A host, e.g., an EC2 instance, where you will run the Teleport Database + Service. - (!docs/pages/includes/tctl.mdx!) ## Step 1/6. Create a Teleport user
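Review bot: In the first rds.mdx hunk (`@@ -36,8 +36,14 @@`), the `- A host, e.g., an EC2 instance, where you will run the Teleport Database Service.` prerequisite is deleted while only the IAM authentication note is added in its place; that removal does not belong to a docs clarification about RDS/Aurora modification and drops a real requirement from the guide. The second patch in this series ("fix missing req") puts it back, so the two should be squashed so no intermediate commit ships the guide without the host prerequisite. In the same hunk, the added paragraph reads "modifying them using respective APIs"; suggest "using the respective APIs", and consider reconciling "must have password and IAM authentication enabled" with the following sentence that says the Database Service will enable IAM authentication itself, since "must" implies a hard prerequisite the next sentence then relaxes.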
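Review bot: In the second rds.mdx hunk (`@@ -82,6 +88,13 @@`), the new note names `rds:ModifyDBInstance` and `rds:ModifyDBCluster` but, unlike the matching paragraph in reference/aws.mdx in this same patch, does not link "IAM authentication" to the AWS documentation; suggest reusing that link so both pages read the same. It would also help readers deciding on least privilege to state the consequence plainly: these two actions let the Database Service change the configuration of existing databases, so an operator who prefers that Teleport never modify their RDS instances or Aurora clusters should enable IAM authentication beforehand and leave both actions out of the policy, which is what "You can omit these permissions if IAM authentication is already enabled" implies but does not spell out.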
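Review bot: In the aws.mdx hunk (`@@ -155,7 +155,7 @@`), replacing `rds:DescribeDBClusters` with `rds:ModifyDBCluster` is the right correction for a sentence about enabling IAM authentication on an Aurora cluster, but the hunk only changes the prose; the policy listings that this section introduces ("policies for each discovery type are shown below") should be checked in the same change so that the actions named in the sentence match the actions actually present in the example policies, otherwise the text and the policy will disagree in the opposite direction.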
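Review bot: In the PATCH 2/2 hunk (`@@ -44,6 +44,8 @@`), the restored `- A host, e.g., an EC2 instance, ...` item is reinserted after the IAM authentication note rather than in its original position before it; that is fine for content, but the commit message "fix missing req" does not say which requirement was lost or why, so either expand the message or, preferably, fold this hunk into PATCH 1/2 where the line was removed.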