RDS IAM Auth + SSO Users


Hi all,

I have 2 accounts:

  • Mgmt (SSO enabled)
  • Development (RDS)

I have SSO configured with a group (team_leaders) and permission set (TeamLeaderAccess).

Are part of this group:

  • john
  • michael

I've configured a RDS DB (Postgre) with IAM Auth and created these users into the database.

Now I'm trying to configure the Permission Set with this policy:

    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../*"

In this case, John is able to get his SSO credentials and log-in into RDS as john AND michael (impersonation), because I have this "/*" in my policy.

On the other hand, if I replace that by:

    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../john"

Michael won't be able to log in.

How to setup a policy per user?

Has anyone faced this scenario and found a solution for it?


1 Answer
Accepted Answer

It's possible to simplify the management of AWS RDS access while leveraging AWS Single Sign-On (SSO) using dynamic IAM policies. Here's a quick guide:

  1. Goal: Enable secure, user-specific access to AWS RDS databases, preventing impersonation.
  2. Strategy: Utilize AWS SSO with dynamic IAM policies, incorporating the ${aws:username} variable to align SSO usernames with database usernames.


  1. Activate AWS SSO ABAC: Allows for dynamic permissions based on user context.
  2. Configure a Dynamic IAM Policy: Insert ${aws:username} in the policy to ensure users can only access their database user.
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../${aws:username}"

Note: Ensure Consistency between SSO usernames and RDS database usernames. This alignment is critical for the dynamic policy to function correctly.

Additionally, you have the option to conduct tests by utilizing the IAM Policy Simulator, which allows for the simulation of permissions and actions for each user within the group. For more detailed analysis, you can access the tool directly at https://policysim.aws.amazon.com/home/index.jsp.

Using the policy to validate users


  1. https://docs.aws.amazon.com/singlesignon/latest/userguide/attributesforaccesscontrol.html
profile picture
answered 2 months ago
profile pictureAWS
reviewed 2 months ago
  • Hi Osvaldo, obrigado!

    I have the SSO ABAC enabled now, but I haven't created any new attribute.

    I'm using the ${aws:username} variable in my PermissionSet's inline policy, but it's not working.

    Do you know if it's possible to use this variable in my permission set or should I create a customer managed policy - and move this policy block - in my Dev account?

  • It worked by creating a custom attribute (Username) on ABAC panel, and using this in the policy: ${aws:PrincipalTag/Username}

    Thank you for helping!

  • Your welcome!, glad to see it worked

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions