Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Example policies: Using condition keys

Focus mode
Example policies: Using condition keys - Amazon Relational Database Service

Following are examples of how you can use condition keys in Amazon RDS IAM permissions policies.

Example 1: Grant permission to create a DB instance that uses a specific DB engine and isn't MultiAZ

The following policy uses an RDS condition key and allows a user to create only DB instances that use the MySQL database engine and don't use MultiAZ. The Condition element indicates the requirement that the database engine is MySQL.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowMySQLCreate", "Effect": "Allow", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "StringEquals": { "rds:DatabaseEngine": "mysql" }, "Bool": { "rds:MultiAz": false } } } ] }

Example 2: Explicitly deny permission to create DB instances for certain DB instance classes and create DB instances that use Provisioned IOPS

The following policy explicitly denies permission to create DB instances that use the DB instance classes r3.8xlarge and m4.10xlarge, which are the largest and most expensive DB instance classes. This policy also prevents users from creating DB instances that use Provisioned IOPS, which incurs an additional cost.

Explicitly denying permission supersedes any other permissions granted. This ensures that identities to not accidentally get permission that you never want to grant.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyLargeCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "StringEquals": { "rds:DatabaseClass": [ "db.r3.8xlarge", "db.m4.10xlarge" ] } } }, { "Sid": "DenyPIOPSCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "NumericNotEquals": { "rds:Piops": "0" } } } ] }

Example 3: Limit the set of tag keys and values that can be used to tag a resource

The following policy uses an RDS condition key and allows the addition of a tag with the key stage to be added to a resource with the values test, qa, and production.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:AddTagsToResource", "rds:RemoveTagsFromResource" ], "Resource": "*", "Condition": { "streq": { "rds:req-tag/stage": [ "test", "qa", "production" ] } } } ] }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.