Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Amazon RDS API Permissions: Actions, Resources, and Conditions Reference

When you set up Access Control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each Amazon RDS API operation, the corresponding action for which you can grant permissions, the AWS resource for which you can grant the permissions, and the condition keys that you can include for fine-grained access control (for more information about conditions, see Using IAM Policy Conditions for Fine-Grained Access Control). You specify the actions in the policy's Action field, the resource value in the policy's Resource field, and conditions in the policy's Condition field.

You can use AWS-wide condition keys in your Amazon RDS policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

Note

To specify an action, use the rds: prefix followed by the API operation name (for example, rds:CreateDBInstance).


Amazon RDS API and Required Permissions for Actions

RDS API Operations and Actions | Resources | Condition Keys

AddSourceIdentifierToSubscription

rds:AddSourceIdentifierToSubscription

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

AddTagsToResource

rds:AddTagsToResource

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

Reserved DB instance

arn:aws:rds:region:account-id:ri:reserved-db-instance-name

rds:ri-tag

ApplyPendingMaintenanceAction

rds:ApplyPendingMaintenanceAction

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

AuthorizeDBSecurityGroupIngress

rds:AuthorizeDBSecurityGroupIngress

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

CopyDBClusterSnapshot

rds:CopyDBClusterSnapshot

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

CopyDBParameterGroup

rds:CopyDBParameterGroup

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

CopyDBSnapshot

rds:CopyDBSnapshot

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

CopyOptionGroup

rds:CopyOptionGroup

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

CreateDBCluster

rds:CreateDBCluster

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:DatabaseEngine

rds:DatabaseName

rds:cluster-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

CreateDBClusterParameterGroup

rds:CreateDBClusterParameterGroup

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

CreateDBClusterSnapshot

rds:CreateDBClusterSnapshot

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

CreateDBInstance

rds:CreateDBInstance

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:DatabaseEngine

rds:DatabaseName

rds:MultiAz

rds:Piops

rds:StorageSize

rds:Vpc

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

CreateDBInstanceReadReplica

rds:CreateDBInstanceReadReplica

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:Piops

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

CreateDBParameterGroup

rds:CreateDBParameterGroup

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

CreateDBSecurityGroup

rds:CreateDBSecurityGroup

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

CreateDBSnapshot

rds:CreateDBSnapshot

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

CreateDBSubnetGroup

rds:CreateDBSubnetGroup

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

CreateEventSubscription

rds:CreateEventSubscription

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

CreateOptionGroup

rds:CreateOptionGroup

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DeleteDBCluster

rds:DeleteDBCluster

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

DeleteDBClusterParameterGroup

rds:DeleteDBClusterParameterGroup

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DeleteDBClusterSnapshot

rds:DeleteDBClusterSnapshot

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

DeleteDBInstance

rds:DeleteDBInstance

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DeleteDBParameterGroup

rds:DeleteDBParameterGroup

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DeleteDBSecurityGroup

rds:DeleteDBSecurityGroup

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

DeleteDBSnapshot

rds:DeleteDBSnapshot

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

DeleteDBSubnetGroup

rds:DeleteDBSubnetGroup

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DeleteEventSubscription

rds:DeleteEventSubscription

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

DeleteOptionGroup

rds:DeleteOptionGroup

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DescribeAccountAttributes

rds:DescribeAccountAttributes

DescribeCertificates

rds:DescribeCertificates

DescribeDBClusterParameterGroups

rds:DescribeDBClusterParameterGroups

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DescribeDBClusterParameters

rds:DescribeDBClusterParameters

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DescribeDBClusters

rds:DescribeDBClusters

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

DescribeDBClusterSnapshotAttributes

rds:DescribeDBClusterSnapshotAttributes

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

DescribeDBEngineVersions

rds:DescribeDBEngineVersions

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DescribeDBInstances

rds:DescribeDBInstances

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DescribeDBLogFiles

rds:DescribeDBLogFiles

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DescribeDBParameterGroups

rds:DescribeDBParameterGroups

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DescribeDBParameters

rds:DescribeDBParameters

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DescribeDBSecurityGroups

rds:DescribeDBSecurityGroups

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

DescribeDBSnapshotAttributes

rds:DescribeDBSnapshotAttributes

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

DescribeDBSnapshots

rds:DescribeDBSnapshots

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

DescribeDBSubnetGroups

rds:DescribeDBSubnetGroups

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DescribeEngineDefaultClusterParameters

rds:DescribeEngineDefaultClusterParameters

DescribeEngineDefaultParameters

rds:DescribeEngineDefaultParameters

DescribeEventCategories

rds:DescribeEventCategories

DescribeEvents

rds:DescribeEvents

DescribeEventSubscriptions

rds:DescribeEventSubscriptions

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

DescribeOptionGroupOptions

rds:DescribeOptionGroupOptions

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DescribeOptionGroups

rds:DescribeOptionGroups

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DescribeOrderableDBInstanceOptions

rds:DescribeOrderableDBInstanceOptions

DescribePendingMaintenanceActions

rds:DescribePendingMaintenanceActions

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:DatabaseEngine

rds:DatabaseName

rds:MultiAz

rds:Piops

rds:StorageSize

rds:Vpc

rds:db-tag

DescribeReservedDBInstances

rds:DescribeReservedDBInstances

Reserved DB instance

arn:aws:rds:region:account-id:ri:reserved-db-instance-name

rds:DatabaseClass

rds:MultiAz

rds:ri-tag

DescribeReservedDBInstancesOfferings

rds:DescribeReservedDBInstancesOfferings

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:MultiAz

DownloadCompleteDBLogFile

rds:DownloadCompleteDBLogFile

DownloadDBLogFilePortion

rds:DownloadDBLogFilePortion

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

FailoverDBCluster

rds:FailoverDBCluster

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

ListTagsForResource

rds:ListTagsForResource

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

Reserved DB instance

arn:aws:rds:region:account-id:ri:reserved-db-instance-name

rds:ri-tag

ModifyDBCluster

rds:ModifyDBCluster

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

ModifyDBClusterParameterGroup

rds:ModifyDBClusterParameterGroup

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

ModifyDBClusterSnapshotAttribute

rds:ModifyDBClusterSnapshotAttribute

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

ModifyDBInstance

rds:ModifyDBInstance

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:MultiAz

rds:Piops

rds:StorageSize

rds:Vpc

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

ModifyDBParameterGroup

rds:ModifyDBParameterGroup

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

ModifyDBSnapshotAttribute

rds:ModifyDBSnapshotAttribute

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

ModifyDBSubnetGroup

rds:ModifyDBSubnetGroup

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

ModifyEventSubscription

rds:ModifyEventSubscription

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

ModifyOptionGroup

rds:ModifyOptionGroup

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

PromoteReadReplica

rds:PromoteReadReplica

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

PromoteReadReplicaDBCluster

rds:PromoteReadReplicaDBCluster

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

PurchaseReservedDBInstancesOffering

rds:PurchaseReservedDBInstancesOffering

RebootDBInstance

rds:RebootDBInstance

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

RemoveSourceIdentifierFromSubscription

rds:RemoveSourceIdentifierFromSubscription

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

RemoveTagsFromResource

rds:RemoveTagsFromResource

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

Event subscription

arn:aws:rds:region:account-id:es:subscription-name

rds:es-tag

Reserved DB instance

arn:aws:rds:region:account-id:ri:reserved-db-instance-name

rds:ri-tag

ResetDBClusterParameterGroup

rds:ResetDBClusterParameterGroup

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

ResetDBParameterGroup

rds:ResetDBParameterGroup

DB parameter group

arn:aws:rds:region:account-id:pg:parameter-group-name

rds:pg-tag

RestoreDBClusterFromS3

rds:RestoreDBClusterFromS3

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:DatabaseEngine

rds:DatabaseName

rds:cluster-tag

DB cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

RestoreDBClusterFromSnapshot

rds:RestoreDBClusterFromSnapshot

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:DatabaseEngine

rds:DatabaseName

rds:cluster-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

RestoreDBClusterToPointInTime

rds:RestoreDBClusterToPointInTime

DB cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

RestoreDBInstanceFromDBSnapshot

rds:RestoreDBInstanceFromDBSnapshot

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:DatabaseEngine

rds:DatabaseName

rds:MultiAz

rds:Piops

rds:Vpc

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

RestoreDBInstanceToPointInTime

rds:RestoreDBInstanceToPointInTime

DB instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:DatabaseEngine

rds:DatabaseName

rds:MultiAz

rds:Piops

rds:Vpc

rds:db-tag

DB option group

arn:aws:rds:region:account-id:og:option-group-name

rds:og-tag

DB snapshot

arn:aws:rds:region:account-id:snapshot:snapshot-name

rds:snapshot-tag

DB subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

RevokeDBSecurityGroupIngress

rds:RevokeDBSecurityGroupIngress

DB security group

arn:aws:rds:region:account-id:secgrp:security-group-name

rds:secgrp-tag
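
The following added example (not part of the AWS documentation) lints an identity-based policy against a few rows copied from the table above. It flags a statement whose Resource ARN is the wrong type for the action, and a Condition key that the table does not list for that action. The function names, the sample policy, the account ID, and the tag values are constructed for illustration.

```python
import fnmatch

# Rows copied from the table above: action -> {ARN type segment: condition keys}.
TABLE = {
    "rds:CreateDBSnapshot": {"db": {"rds:db-tag"}, "snapshot": {"rds:snapshot-tag"}},
    "rds:DeleteDBSnapshot": {"snapshot": {"rds:snapshot-tag"}},
    "rds:DeleteDBInstance": {"db": {"rds:db-tag"}},
    "rds:RebootDBInstance": {"db": {"rds:db-tag"}},
    "rds:ModifyDBInstance": {
        "db": {"rds:DatabaseClass", "rds:MultiAz", "rds:Piops",
               "rds:StorageSize", "rds:Vpc", "rds:db-tag"},
        "og": {"rds:og-tag"}, "pg": {"rds:pg-tag"}, "secgrp": {"rds:secgrp-tag"}},
}

# Constructed sample policy (account ID, names and tag values are placeholders).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:DeleteDBSnapshot",
     "Resource": "arn:aws:rds:us-east-1:123456789012:db:test-*"},
    {"Effect": "Deny", "Action": ["rds:Reboot*", "rds:DeleteDBInstance"],
     "Resource": "*",
     "Condition": {"StringEquals": {"rds:DatabaseEngine": "mysql"}}},
    {"Effect": "Allow", "Action": "rds:ModifyDBInstance",
     "Resource": "arn:aws:rds:us-east-1:123456789012:db:test-*",
     "Condition": {"StringEquals": {"rds:db-tag/environment": "test"}}},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_type(resource):
    """Type segment of arn:aws:rds:region:account-id:TYPE:name, or '*' when the
    pattern is too short to pin a type (for example a bare '*')."""
    parts = resource.split(":", 6)
    return parts[5] if len(parts) == 7 else "*"

def lint_statement(stmt):
    findings = []
    cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
    for pattern in as_list(stmt["Action"]):
        for action, resources in TABLE.items():
            # IAM action names are case-insensitive and may contain wildcards.
            if not fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                continue
            matched = {t for r in as_list(stmt["Resource"]) for t in resources
                       if fnmatch.fnmatchcase(t, arn_type(r))}
            if not matched:
                findings.append(f"{action}: Resource is not a {'/'.join(sorted(resources))} ARN")
                continue
            allowed = {k.lower() for t in matched for k in resources[t]}
            for key in sorted(cond_keys):
                base = key.split("/", 1)[0].lower()  # rds:db-tag/environment -> rds:db-tag
                if not base.startswith("aws:") and base not in allowed:
                    findings.append(f"{action}: {key} is not listed for this action")
    return findings

def lint_policy(policy):
    return [lint_statement(s) for s in as_list(policy["Statement"])]
```

The second finding matters most on a Deny statement: with a positive operator such as StringEquals, a condition key that the request does not carry does not match, so the statement does not apply.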
