What are the least privileges required for a user to perform creates, deletes, modifications, backup, and recovery for an Amazon RDS DB instance?

Last updated: 2019-12-30

I want to limit the access that I give my AWS Identity and Access Management (IAM) users to an Amazon Relational Database Service (Amazon RDS) DB instance. How can I grant IAM users the least privileges required to perform a specific action for an Amazon RDS DB instance?

Resolution

1.    Open the IAM console, and choose Users from the navigation pane.

2.    Choose Add user, and enter a User name.

3.    For Access type, choose AWS Management Console access and create a password for using the Amazon RDS console. To provide access to the AWS Command Line Interface (AWS CLI), choose Programmatic access.

Important: For Programmatic access, be sure to download the access key ID and the secret access key by choosing Download.csv. You need the keys to configure the AWS CLI (for example, with aws configure), and the secret access key can't be retrieved again after you leave this page.

4.    Review the permissions and tags, and then choose Create user. If you chose console access with a required password reset, the user is created with only the IAMUserChangePassword policy attached; it has no Amazon RDS permissions yet.

5.    Decide which Amazon RDS tasks the user must perform. Each policy in step 9 covers one task, so attach only the policies for the tasks that the user actually needs.

6.    Return to the IAM console, and choose Users from the navigation pane.

7.    Choose the IAM user that you created.

8.    From the Permissions tab, choose Add inline policy.

9.    Choose the JSON tab, and enter one or more of the following policies based on your use case.

Note: The following policies grant the least privileges required to perform the specified actions. Each policy uses "Resource": "*", so the allowed actions apply to every DB instance in the account. To limit a user to particular instances, replace the wildcard with the DB instance ARNs on the mutating actions (CreateDBInstance, DeleteDBInstance, ModifyDBInstance, and so on) and keep "*" only for the Describe actions that the console needs to list resources. You might see errors in the Amazon RDS console (such as IAMUser is not authorized to perform: rds:Action) when the console calls an action that isn't in the policy. Most often, this happens for Describe actions. The error is expected, and it doesn't affect your ability to perform the actions that the policy allows. To avoid the error, add the missing action to the example policy, or perform the action by using the AWS CLI.

Creating and deleting RDS DB instances

The following policy allows users to create RDS DB instances without encryption enabled:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBInstance",
                "rds:CreateDBSubnetGroup"
            ],
            "Resource": "*"
        }
    ]
}

The following policy allows users to create RDS DB instances with encryption enabled. kms:ListAliases only lets the console list the available keys; if you encrypt with a customer managed key, the key policy must also allow the user and Amazon RDS to use that key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBInstance",
                "rds:CreateDBSubnetGroup",
                "kms:ListAliases"
            ],
            "Resource": "*"
        }
    ]
}

The following policy allows users to delete RDS DB instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:DeleteDBInstance",
                "rds:DescribeDBInstances"
            ],
            "Resource": "*"
        }
    ]
}

The following policy allows users to create and delete RDS DB instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBInstance",
                "rds:CreateDBSubnetGroup",
                "rds:DeleteDBInstance"
            ],
            "Resource": "*"
        }
    ]
}

Stopping and starting RDS DB instances

The following policy allows users to stop and start RDS DB instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:StopDBInstance",
                "rds:StartDBInstance",
                "rds:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

Performing backup and recovery (creating DB snapshots, restoring DB instance from DB snapshots, and point in time restore)

The following policy allows users to create DB snapshots:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:CreateDBSnapshot"
            ],
            "Resource": "*"
        }
    ]
}

The following policy allows users to restore RDS DB instances from DB snapshots. The console needs only the Amazon EC2 Describe calls to list the VPCs, subnets, and security groups for the restored instance, so ec2:Describe* (the same grant that the point-in-time policy below uses) is sufficient. Don't grant ec2:* for this task, because it gives the user full control of Amazon EC2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "rds:Describe*",
                "rds:RestoreDBInstanceFromDBSnapshot"
            ],
            "Resource": "*"
        }
    ]
}

The following policy allows users to perform point in time recovery:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "rds:Describe*",
                "rds:RestoreDBInstanceToPointInTime"
            ],
            "Resource": "*"
        }
    ]
}

Modifying RDS DB instances

The following policy allows users to change the DB instance class, allocated storage, storage type, and engine version. Note that rds:ModifyDBInstance is a single coarse-grained action: the same permission also lets the user reset the master user password, make the instance publicly accessible, or turn off deletion protection, so scope it to specific DB instance ARNs where you can:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "rds:Describe*",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*"
        }
    ]
}

Enabling Enhanced Monitoring and Performance Insights

The following policy allows users to enable Enhanced Monitoring. Enabling it requires passing the monitoring IAM role to Amazon RDS. iam:PassRole on "*" would let the user hand any role in the account to RDS, so the policy scopes it to the monitoring role's ARN (replace the account ID and role name with your own):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoles",
                "rds:ModifyDBInstance",
                "rds:Describe*",
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/rds-monitoring-role"
        }
    ]
}

The following policy allows users to view Performance Insights data. Turning Performance Insights on or off for an instance is a ModifyDBInstance call (the EnablePerformanceInsights parameter), so combine this policy with the modification policy above for that step. pi:* is broader than viewing requires; the dashboard reads data with pi:DescribeDimensionKeys and pi:GetResourceMetrics, so you can list those two actions instead:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "rds:Describe*",
                "pi:*"
            ],
            "Resource": "*"
        }
    ]
}

Creating, modifying, and deleting DB parameter groups and DB option groups

The following policy allows users to create, modify, or delete DB parameter groups and option groups:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "rds:Describe*",
                "rds:CreateDBParameterGroup",
                "rds:ModifyDBParameterGroup",
                "rds:DeleteDBParameterGroup",
                "rds:CreateOptionGroup",
                "rds:ModifyOptionGroup",
                "rds:DeleteOptionGroup"
            ],
            "Resource": "*"
        }
    ]
}

Viewing Amazon CloudWatch metrics from the Amazon RDS console

The following policy allows users to view CloudWatch metrics from the Amazon RDS console:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}

10.    Choose Review policy.

11.    Enter a Name for your policy, and then choose Create policy.
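Before attaching any of the policies above, check what they actually allow. In AWS, aws iam simulate-principal-policy and aws accessanalyzer validate-policy are the live checks; the script below is an added, offline example (not AWS code or tooling) that models the core of IAM's decision logic for a single identity-based policy and flags the patterns that defeat least privilege on this page: whole-service wildcards such as ec2:*, mutating actions on "Resource": "*", and iam:PassRole without a resource or condition. The account ID, region, DB instance names, role name, and the iam:PassedToService value are assumptions made for the example; NotAction, NotResource, policy variables, and condition operators other than StringEquals are not modelled.

```python
"""Offline evaluator and linter for the RDS operator policies on this page.

Added example (not AWS code). Decision logic: an explicit Deny wins, otherwise
any matching Allow grants, otherwise the request is implicitly denied. Only
Action/Resource wildcards and StringEquals conditions are modelled; NotAction,
NotResource and policy variables are not. Account ID, region, instance and role
names below are made up for the example.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive):
    # IAM wildcards * and ?; action names compare case-insensitively, ARNs do not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision


def lint(policy):
    """Flag Allow statements that defeat least privilege in an RDS operator policy."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        mutating = []
        for action in actions:
            _service, _, verb = action.partition(":")
            if verb == "*":
                findings.append(f"{action}: whole-service access; list the calls actually needed")
            elif not verb.startswith(("Describe", "List", "Get")):
                mutating.append(action)
            if action.lower() == "iam:passrole" and "*" in resources and "Condition" not in stmt:
                findings.append("iam:PassRole on '*' without a condition: any role can be handed to RDS")
        if mutating and "*" in resources:
            findings.append(f"{mutating} on Resource '*': every DB instance in the account is in scope")
    return findings


# Constructed sample policies. DELETE_ANY is the page's delete policy as written.
ACCOUNT, REGION = "123456789012", "us-east-1"
PROD_DB = f"arn:aws:rds:{REGION}:{ACCOUNT}:db:payments-prod"
DEV_DB = f"arn:aws:rds:{REGION}:{ACCOUNT}:db:payments-dev"
MONITORING_ROLE = f"arn:aws:iam::{ACCOUNT}:role/rds-monitoring-role"
RDS_MONITORING_SERVICE = "monitoring.rds.amazonaws.com"  # assumed value for the example

DELETE_ANY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:DeleteDBInstance", "rds:DescribeDBInstances"], "Resource": "*"}]}

DELETE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "rds:DeleteDBInstance", "Resource": DEV_DB}]}

MONITORING_WIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:ListRoles", "iam:PassRole",
                                   "rds:ModifyDBInstance", "rds:Describe*", "ec2:Describe*"],
     "Resource": "*"}]}

MONITORING_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:ListRoles", "rds:Describe*", "ec2:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "rds:ModifyDBInstance", "Resource": PROD_DB},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": MONITORING_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": RDS_MONITORING_SERVICE}}}]}


if __name__ == "__main__":
    for name, pol in [("DELETE_ANY", DELETE_ANY), ("DELETE_SCOPED", DELETE_SCOPED),
                      ("MONITORING_WIDE", MONITORING_WIDE), ("MONITORING_SCOPED", MONITORING_SCOPED)]:
        print(name, lint(pol) or "no findings")
    print("delete prod with DELETE_SCOPED:", evaluate(DELETE_SCOPED, "rds:DeleteDBInstance", PROD_DB))
    print("pass role to EC2 with MONITORING_SCOPED:", evaluate(
        MONITORING_SCOPED, "iam:PassRole", MONITORING_ROLE, {"iam:PassedToService": "ec2.amazonaws.com"}))
```

Running the script shows the page's delete policy flagged for rds:DeleteDBInstance on every instance, the wide monitoring policy flagged twice (unconditioned iam:PassRole and mutating actions on "*"), and the two scoped variants clean. The evaluator also confirms the wildcard semantics the page relies on (rds:Describe* matches rds:DescribeDBInstances, and action names are case-insensitive) and that a scoped PassRole statement refuses both a different role and a different target service.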