Example policies: Using condition keys - Amazon Relational Database Service

Example policies: Using condition keys

Following are examples of how you can use condition keys in Amazon RDS IAM permissions policies.

Example 1: Grant permission to create a DB instance that uses a specific DB engine and isn't MultiAZ

The following policy uses an RDS condition key and allows a user to create only DB instances that use the MySQL database engine and don't use MultiAZ. The Condition element indicates the requirement that the database engine is MySQL.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowMySQLCreate", "Effect": "Allow", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "StringEquals": { "rds:DatabaseEngine": "mysql" }, "Bool": { "rds:MultiAz": false } } } ] }

Example 2: Explicitly deny permission to create DB instances for certain DB instance classes and create DB instances that use Provisioned IOPS

The following policy explicitly denies permission to create DB instances that use the DB instance classes r3.8xlarge and m4.10xlarge, which are the largest and most expensive DB instance classes. This policy also prevents users from creating DB instances that use Provisioned IOPS, which incurs an additional cost.

Explicitly denying permission supersedes any other permissions granted. This ensures that identities to not accidentally get permission that you never want to grant.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyLargeCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "StringEquals": { "rds:DatabaseClass": [ "db.r3.8xlarge", "db.m4.10xlarge" ] } } }, { "Sid": "DenyPIOPSCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "NumericNotEquals": { "rds:Piops": "0" } } } ] }

Example 3: Limit the set of tag keys and values that can be used to tag a resource

The following policy uses an RDS condition key and allows the addition of a tag with the key stage to be added to a resource with the values test, qa, and production.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:AddTagsToResource", "rds:RemoveTagsFromResource" ], "Resource": "*", "Condition": { "streq": { "rds:req-tag/stage": [ "test", "qa", "production" ] } } } ] }