By using AWS re:Post, you agree to the AWS re:Post Terms of Use

What are the least privileges required for a user to perform creates, deletes, modifications, backup, and recovery for an Amazon RDS DB instance?

6 minute read
0

I want to limit the access that I give my AWS Identity and Access Management (IAM) users to an Amazon Relational Database Service (Amazon RDS) DB instance. I want to grant IAM users the least privileges required to perform a specific action for an Amazon RDS DB instance.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.

  1. Open the IAM console, and then choose Users from the navigation pane.
  2. Choose Add user, and then enter a User name.
  3. For Access type, choose AWS Management Console access, and then create a password to use the Amazon RDS console. To provide access to the AWS Command Line Interface (AWS CLI), choose Programmatic access.
    Important: For Programmatic access, choose Download.csv to download the access key ID and the secret access key. You need the keys to create the security tokens later.
  4. Review the permissions and tags, and then choose Create user. This creates an IAM user that have the IAMUserChangePassword policy.
  5. Create IAM policies for the desired actions to perform in Amazon RDS.
  6. Return to the IAM console, and then choose Users from the navigation pane.
  7. Choose the IAM user that you created.
  8. From the Permissions tab, choose Add inline policy.
  9. Choose the JSON tab, and then enter one or more of the following policies based on your use case.
    Note: The following policies provide the least privileges required to perform the specified actions. You might see errors in the Amazon RDS console because this privilege isn't present in the policy. For example, you might see the "IAMUser is not authorized to perform: rds:Action" error message.
  10. This error usually occurs for Describe actions. The error is expected, and it doesn't affect your ability to perform those actions. To avoid this error, you can modify the following example IAM policies, or you can use the AWS CLI to perform actions.

Create and delete RDS DB instances

The following policy allows users to create RDS DB instances without encryption activated:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to create RDS DB instances that have encryption activated:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}

Note: To use a customer managed key for encryption, you must authorize the use of a customer managed key.

The following policy allows users to delete RDS DB instances:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to create and delete RDS DB instances:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*"
    }
  ]
}

Stop and start RDS DB instances

The following policy allows users to stop and start RDS DB instances:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:StopDBInstance",
        "rds:StartDBInstance",
        "rds:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Perform backup and recovery

The following policy allows users to create DB snapshots:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:CreateDBSnapshot"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to restore RDS DB instances that use DB snapshots:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:RestoreDBInstanceFromDBSnapshot"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to perform point in time recovery:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:RestoreDBInstanceToPointInTime"
      ],
      "Resource": "*"
    }
  ]
}

Modify RDS DB instances

The following policy allows you to change DB instance class type, allocated storage, storage type, and instance version:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    }
  ]
}

Activate Enhanced Monitoring and Performance Insights

The following policy allows users to activate Enhanced Monitoring:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRoles",
        "rds:ModifyDBInstance",
        "rds:Describe*",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AccountID:role/rds-monitoring-role"
    }
  ]
}

Note: Be sure to enter each account that is receiving the enhanced monitoring role in place of AccountID.

When you use an iam:PassRole, a wildcard (*) is overly permissive because it allows iam:PassRole permissions on all resources. So, it's a best practice to specify the ARNs, as shown in the example earlier.

The following policy allows users to activate Performance Insights:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBInstance",
        "ec2:Describe*",
        "rds:Describe*",
        "pi:*"
      ],
      "Resource": "*"
    }
  ]
}

Create, modify, and delete DB parameter groups and DB option groups

The following policy allows users to create, modify, or delete DB parameter groups and option groups:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:CreateDBParameterGroup",
        "rds:ModifyDBParameterGroup",
        "rds:DeleteDBParameterGroup",
        "rds:CreateOptionGroup",
        "rds:ModifyOptionGroup",
        "rds:DeleteOptionGroup"
      ],
      "Resource": "*"
    }
  ]
}

View Amazon CloudWatch metrics from the Amazon RDS console

The following policy allows users to view CloudWatch metrics from the Amazon RDS console:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    }
  ]
}
  1. Choose Review policy.
  2. Enter a Name for your policy, and then choose Create policy.

Related information

Identity and access management for Amazon RDS

How do I allow users to authenticate to an Amazon RDS for MySQL DB instance through their Amazon IAM credentials?