Authentication and Access Control for Amazon RDS
Access to Amazon RDS requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an Amazon RDS DB instance. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and Amazon RDS to help secure your resources by controlling who can access them:
When you sign up for AWS, you provide an email address and password that are associated with your AWS account. These are your root credentials and they provide complete access to all of your AWS resources.
For security reasons, we recommend that you use these root credentials for the first time only to create an administrator user with full permissions to your AWS account (see IAM Best Practices). You can then use this administrator user to create other IAM users and roles with limited permissions. For instructions, see Creating an Administrators Group in the IAM User Guide.
An IAM user is simply an identity within your AWS account that you create in the IAM service that has specific custom permissions (for example, to create an Amazon RDS DB instance). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, and the AWS Support Center.
You can also generate access keys for each user that can be used to authenticate requests when accessing AWS services programmatically either through one of the several SDKs or by using the AWS Command Line Interface (CLI). Using the access keys that you provide, the SDK and CLI tools cryptographically sign your request. If you don’t use the AWS tools, you must sign the request yourself. Amazon RDS supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.
Instead of creating an IAM user, you can also use pre-existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are referred to as federated users. Federated users access AWS services and resources through an IAM role, which is similar to an IAM user, but is not associated with a specific person. Instead, a role is assigned to a federated user dynamically when the user requests access through an identity provider. Note that IAM roles can also be used for other purposes, such as granting other AWS accounts permissions to access your account’s resources. A federated user is associated with an IAM role that enables the user to obtain temporary access keys, which the user uses to authenticate requests. For more information about federated users, see Federated Users and Roles in the IAM User Guide.
You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Amazon RDS resources. For example, you must have permissions to create an Amazon RDS DB instance, create a DB snapshot, add an event subscription, and so on.
The following sections describe how to manage permissions for Amazon RDS. We recommend that you read the overview first.