Actions, Resources, and Condition Keys for Amazon RDS - AWS Identity and Access Management

Amazon RDS (service prefix: rds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon RDS

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource Types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddRoleToDBCluster | Associates an AWS Identity and Access Management (IAM) role with an Aurora DB cluster. | Write | cluster* | | iam:PassRole |
| AddRoleToDBInstance | Associates an AWS Identity and Access Management (IAM) role with a DB instance. | Write | db* | | iam:PassRole |
| AddSourceIdentifierToSubscription | Adds a source identifier to an existing RDS event notification subscription. | Write | es* | | |
| AddTagsToResource | Adds metadata tags to an Amazon RDS resource. | Tagging | db, es, og, pg, proxy, ri, secgrp, snapshot, subgrp, target-group | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| ApplyPendingMaintenanceAction | Applies a pending maintenance action to a resource. | Write | db* | | |
| AuthorizeDBSecurityGroupIngress | Enables ingress to a DBSecurityGroup using one of two forms of authorization. | Permissions management | secgrp* | | |
| BacktrackDBCluster | Backtracks a DB cluster to a specific time, without creating a new DB cluster. | Write | cluster* | | |
| CancelExportTask | Cancels an export task in progress. | Write | | | |
| CopyDBClusterParameterGroup | Copies the specified DB cluster parameter group. | Write | cluster-pg* | | |
| CopyDBClusterSnapshot | Creates a snapshot of a DB cluster. | Write | cluster-snapshot* | | |
| CopyDBParameterGroup | Copies the specified DB parameter group. | Write | pg* | | |
| CopyDBSnapshot | Copies the specified DB snapshot. | Write | snapshot* | | |
| CopyOptionGroup | Copies the specified option group. | Write | og* | | |
| CreateDBCluster | Creates a new Amazon Aurora DB cluster. | Tagging | cluster*, cluster-pg*, og*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey}, rds:DatabaseEngine, rds:DatabaseName, rds:StorageEncrypted | iam:PassRole |
| CreateDBClusterEndpoint | Creates a new custom endpoint and associates it with an Amazon Aurora DB cluster. | Write | cluster*, cluster-endpoint* | rds:EndpointType, aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDBClusterParameterGroup | Creates a new DB cluster parameter group. | Tagging | cluster-pg* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateDBClusterSnapshot | Creates a snapshot of a DB cluster. | Tagging | cluster*, cluster-snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateDBInstance | Creates a new DB instance. | Tagging | db*, og*, pg*, secgrp*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| CreateDBInstanceReadReplica | Creates a DB instance that acts as a Read Replica of a source DB instance. | Tagging | db*, og*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| CreateDBParameterGroup | Creates a new DB parameter group. | Tagging | pg* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateDBProxy | Grants permission to create a database proxy. | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | iam:PassRole |
| CreateDBSecurityGroup | Creates a new DB security group. DB security groups control access to a DB instance. | Tagging | secgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateDBSnapshot | Creates a DBSnapshot. | Tagging | db*, snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateDBSubnetGroup | Creates a new DB subnet group. | Tagging | subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateEventSubscription | Creates an RDS event notification subscription. | Tagging | es* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| CreateGlobalCluster | Creates an Aurora global database spread across multiple regions. | Write | cluster*, global-cluster* | | |
| CreateOptionGroup | Creates a new option group. | Tagging | og* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| DeleteDBCluster | Deletes a previously provisioned DB cluster. | Write | cluster*, cluster-snapshot* | | |
| DeleteDBClusterEndpoint | Deletes a custom endpoint and removes it from an Amazon Aurora DB cluster. | Write | cluster-endpoint* | | |
| DeleteDBClusterParameterGroup | Deletes a specified DB cluster parameter group. | Write | cluster-pg* | | |
| DeleteDBClusterSnapshot | Deletes a DB cluster snapshot. | Write | cluster-snapshot* | | |
| DeleteDBInstance | Deletes a previously provisioned DB instance. | Write | db* | | |
| DeleteDBInstanceAutomatedBackup | Deletes automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID. | Write | | | |
| DeleteDBParameterGroup | Deletes a specified DBParameterGroup. | Write | pg* | | |
| DeleteDBProxy | Grants permission to delete a database proxy. | Write | proxy* | | |
| DeleteDBSecurityGroup | Deletes a DB security group. | Write | secgrp* | | |
| DeleteDBSnapshot | Deletes a DBSnapshot. | Write | snapshot* | | |
| DeleteDBSubnetGroup | Deletes a DB subnet group. | Write | subgrp* | | |
| DeleteEventSubscription | Deletes an RDS event notification subscription. | Write | es* | | |
| DeleteGlobalCluster | Deletes a global database cluster. | Write | global-cluster* | | |
| DeleteOptionGroup | Deletes an existing option group. | Write | og* | | |
| DeregisterDBProxyTargets | Grants permission to remove targets from a database proxy target group. | Write | cluster*, db*, proxy*, target-group* | | |
| DescribeAccountAttributes | Lists all of the attributes for a customer account. | List | | | |
| DescribeCertificates | Lists the set of CA certificates provided by Amazon RDS for this AWS account. | List | | | |
| DescribeDBClusterBacktracks | Returns information about backtracks for a DB cluster. | List | cluster* | | |
| DescribeDBClusterEndpoints | Returns information about endpoints for an Amazon Aurora DB cluster. | List | | | |
| DescribeDBClusterParameterGroups | Returns a list of DBClusterParameterGroup descriptions. | List | cluster-pg* | | |
| DescribeDBClusterParameters | Returns the detailed parameter list for a particular DB cluster parameter group. | List | cluster-pg* | | |
| DescribeDBClusterSnapshotAttributes | Returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot. | List | cluster-snapshot* | | |
| DescribeDBClusterSnapshots | Returns information about DB cluster snapshots. | Read | | | |
| DescribeDBClusters | Returns information about provisioned Aurora DB clusters. | List | cluster* | | |
| DescribeDBEngineVersions | Returns a list of the available DB engines. | List | pg* | | |
| DescribeDBInstanceAutomatedBackups | Returns a list of automated backups for both current and deleted instances. | List | | | |
| DescribeDBInstances | Returns information about provisioned RDS instances. | List | | | |
| DescribeDBLogFiles | Returns a list of DB log files for the DB instance. | List | db* | | |
| DescribeDBParameterGroups | Returns a list of DBParameterGroup descriptions. | List | pg* | | |
| DescribeDBParameters | Returns the detailed parameter list for a particular DB parameter group. | List | pg* | | |
| DescribeDBProxies | Grants permission to view proxies. | List | proxy* | | |
| DescribeDBProxyTargetGroups | Grants permission to view database proxy target group details. | List | proxy* | | |
| DescribeDBProxyTargets | Grants permission to view database proxy target details. | List | cluster*, db*, proxy*, target-group* | | |
| DescribeDBSecurityGroups | Returns a list of DBSecurityGroup descriptions. | List | secgrp* | | |
| DescribeDBSnapshotAttributes | Returns a list of DB snapshot attribute names and values for a manual DB snapshot. | List | snapshot* | | |
| DescribeDBSnapshots | Returns information about DB snapshots. | List | db*, snapshot* | | |
| DescribeDBSubnetGroups | Returns a list of DBSubnetGroup descriptions. | List | subgrp* | | |
| DescribeEngineDefaultClusterParameters | Returns the default engine and system parameter information for the cluster database engine. | List | | | |
| DescribeEngineDefaultParameters | Returns the default engine and system parameter information for the specified database engine. | List | | | |
| DescribeEventCategories | Displays a list of categories for all event source types, or, if specified, for a specified source type. | List | | | |
| DescribeEventSubscriptions | Lists all the subscription descriptions for a customer account. | List | es* | | |
| DescribeEvents | Returns events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days. | List | es* | | |
| DescribeExportTasks | Returns information about the export tasks. | List | | | |
| DescribeGlobalClusters | Returns information about Aurora global database clusters. | List | | | |
| DescribeOptionGroupOptions | Describes all available options. | List | og* | | |
| DescribeOptionGroups | Describes the available option groups. | List | og* | | |
| DescribeOrderableDBInstanceOptions | Returns a list of orderable DB instance options for the specified engine. | List | | | |
| DescribePendingMaintenanceActions | Returns a list of resources (for example, DB instances) that have at least one pending maintenance action. | List | db* | | |
| DescribeReservedDBInstances | Returns information about reserved DB instances for this account, or about a specified reserved DB instance. | List | ri* | | |
| DescribeReservedDBInstancesOfferings | Lists available reserved DB instance offerings. | List | | | |
| DescribeSourceRegions | Returns a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from. | List | | | |
| DescribeValidDBInstanceModifications | Lists available modifications you can make to your DB instance. | List | db* | | |
| DownloadCompleteDBLogFile | Downloads the contents of the specified database log file. | Read | | | |
| DownloadDBLogFilePortion | Downloads all or a portion of the specified log file, up to 1 MB in size. | Read | db* | | |
| FailoverDBCluster | Forces a failover for a DB cluster. | Write | cluster* | | |
| ListTagsForResource | Lists all tags on an Amazon RDS resource. | Read | db, es, og, pg, proxy, ri, secgrp, snapshot, subgrp, target-group | | |
| ModifyCurrentDBClusterCapacity | Modifies the current cluster capacity for an Amazon Aurora Serverless DB cluster. | Write | cluster* | | |
| ModifyDBCluster | Modifies a setting for an Amazon Aurora DB cluster. | Write | cluster*, cluster-pg*, og* | | iam:PassRole |
| ModifyDBClusterEndpoint | Modifies the properties of an endpoint in an Amazon Aurora DB cluster. | Write | cluster-endpoint* | | |
| ModifyDBClusterParameterGroup | Modifies the parameters of a DB cluster parameter group. | Write | cluster-pg* | | |
| ModifyDBClusterSnapshotAttribute | Adds an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot. | Write | cluster-snapshot* | | |
| ModifyDBInstance | Modifies settings for a DB instance. | Write | db*, og*, pg*, secgrp* | | iam:PassRole |
| ModifyDBParameterGroup | Modifies the parameters of a DB parameter group. | Write | pg* | | |
| ModifyDBProxy | Grants permission to modify a database proxy. | Write | proxy* | | iam:PassRole |
| ModifyDBProxyTargetGroup | Grants permission to modify the target group for a database proxy. | Write | target-group* | | |
| ModifyDBSnapshot | Updates a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version. | Write | snapshot* | | |
| ModifyDBSnapshotAttribute | Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot. | Write | snapshot* | | |
| ModifyDBSubnetGroup | Modifies an existing DB subnet group. | Write | subgrp* | | |
| ModifyEventSubscription | Modifies an existing RDS event notification subscription. | Write | es* | | |
| ModifyGlobalCluster | Modifies a setting for an Amazon Aurora global cluster. | Write | global-cluster* | | |
| ModifyOptionGroup | Modifies an existing option group. | Write | og* | | iam:PassRole |
| PromoteReadReplica | Promotes a Read Replica DB instance to a standalone DB instance. | Write | db* | | |
| PromoteReadReplicaDBCluster | Promotes a Read Replica DB cluster to a standalone DB cluster. | Write | cluster* | | |
| PurchaseReservedDBInstancesOffering | Purchases a reserved DB instance offering. | Write | ri* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| RebootDBInstance | Reboots a DB instance, which restarts the database engine service. | Write | db* | | |
| RegisterDBProxyTargets | Grants permission to add targets to a database proxy target group. | Write | target-group* | | |
| RemoveFromGlobalCluster | Detaches an Aurora secondary cluster from an Aurora global database cluster. | Write | cluster*, global-cluster* | | |
| RemoveRoleFromDBCluster | Disassociates an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster. | Write | cluster* | | iam:PassRole |
| RemoveRoleFromDBInstance | Disassociates an AWS Identity and Access Management (IAM) role from a DB instance. | Write | db* | | iam:PassRole |
| RemoveSourceIdentifierFromSubscription | Removes a source identifier from an existing RDS event notification subscription. | Write | es* | | |
| RemoveTagsFromResource | Removes metadata tags from an Amazon RDS resource. | Tagging | db, es, og, pg, proxy, ri, secgrp, snapshot, subgrp, target-group | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | |
| ResetDBClusterParameterGroup | Modifies the parameters of a DB cluster parameter group to the default value. | Write | cluster-pg* | | |
| ResetDBParameterGroup | Modifies the parameters of a DB parameter group to the engine/system default value. | Write | pg* | | |
| RestoreDBClusterFromS3 | Creates an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket. | Write | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey}, rds:DatabaseEngine, rds:DatabaseName, rds:StorageEncrypted | iam:PassRole |
| RestoreDBClusterFromSnapshot | Creates a new DB cluster from a DB cluster snapshot. | Write | cluster*, cluster-snapshot*, og* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| RestoreDBClusterToPointInTime | Restores a DB cluster to an arbitrary point in time. | Write | cluster*, og*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| RestoreDBInstanceFromDBSnapshot | Creates a new DB instance from a DB snapshot. | Write | db*, og*, snapshot*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| RestoreDBInstanceFromS3 | Creates a new DB instance from an Amazon S3 bucket. | Write | db* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| RestoreDBInstanceToPointInTime | Restores a DB instance to an arbitrary point in time. | Write | db*, og*, snapshot*, subgrp* | aws:RequestTag/${TagKey}, aws:TagKeys, rds:req-tag/${TagKey} | iam:PassRole |
| RevokeDBSecurityGroupIngress | Revokes ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups. | Write | secgrp* | | |
| StartActivityStream | Enables the user to start Activity Stream. | Write | cluster* | | |
| StartDBCluster | Starts the DB cluster. | Write | cluster* | | |
| StartDBInstance | Starts the DB instance. | Write | db* | | |
| StartExportTask | Starts a new Export task for a DB snapshot. | Write | | | iam:PassRole |
| StopActivityStream | Enables the user to stop Activity Stream. | Write | cluster* | | |
| StopDBCluster | Stops the DB cluster. | Write | cluster* | | |
| StopDBInstance | Stops the DB instance. | Write | db* | | |

Resource Types Defined by Amazon RDS

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource type | ARN | Condition keys |
|---|---|---|
| cluster | arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName} | aws:ResourceTag/${TagKey}, rds:cluster-tag/${TagKey} |
| cluster-endpoint | arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint} | aws:ResourceTag/${TagKey} |
| cluster-pg | arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName} | aws:ResourceTag/${TagKey}, rds:cluster-pg-tag/${TagKey} |
| cluster-snapshot | arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName} | aws:ResourceTag/${TagKey}, rds:cluster-snapshot-tag/${TagKey} |
| db | arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName} | aws:ResourceTag/${TagKey}, rds:DatabaseClass, rds:DatabaseEngine, rds:DatabaseName, rds:MultiAz, rds:Piops, rds:StorageEncrypted, rds:StorageSize, rds:Vpc, rds:db-tag/${TagKey} |
| es | arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName} | aws:ResourceTag/${TagKey}, rds:es-tag/${TagKey} |
| global-cluster | arn:${Partition}:rds:${Account}:global-cluster:${GlobalCluster} | |
| og | arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName} | aws:ResourceTag/${TagKey}, rds:og-tag/${TagKey} |
| pg | arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName} | aws:ResourceTag/${TagKey}, rds:pg-tag/${TagKey} |
| proxy | arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId} | aws:ResourceTag/${TagKey} |
| ri | arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName} | aws:ResourceTag/${TagKey}, rds:ri-tag/${TagKey} |
| secgrp | arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName} | aws:ResourceTag/${TagKey}, rds:secgrp-tag/${TagKey} |
| snapshot | arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName} | aws:ResourceTag/${TagKey}, rds:snapshot-tag/${TagKey} |
| subgrp | arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName} | aws:ResourceTag/${TagKey}, rds:subgrp-tag/${TagKey} |
| target | arn:${Partition}:rds:${Region}:${Account}:target:${TargetId} | |
| target-group | arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId} | aws:ResourceTag/${TagKey} |

Condition Keys for Amazon RDS

Amazon RDS defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition key | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String |
| rds:DatabaseClass | A type of DB instance class. | String |
| rds:DatabaseEngine | A database engine. For possible values, refer to the engine parameter in https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html | String |
| rds:DatabaseName | The user-defined name of the database on the DB instance. | String |
| rds:EndpointType | The type of the endpoint. One of: READER, WRITER, CUSTOM. | String |
| rds:MultiAz | A value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true. | Boolean |
| rds:Piops | A value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0. | Numeric |
| rds:StorageEncrypted | A value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true. | Boolean |
| rds:StorageSize | The storage volume size (in GB). | Numeric |
| rds:Vpc | A value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true. | Boolean |
| rds:cluster-pg-tag/${TagKey} | A tag attached to a DB cluster parameter group. | String |
| rds:cluster-snapshot-tag/${TagKey} | A tag attached to a DB cluster snapshot. | String |
| rds:cluster-tag/${TagKey} | A tag attached to a DB cluster. | String |
| rds:db-tag/${TagKey} | A tag attached to a DB instance. | String |
| rds:es-tag/${TagKey} | A tag attached to an event subscription. | String |
| rds:og-tag/${TagKey} | A tag attached to a DB option group. | String |
| rds:pg-tag/${TagKey} | A tag attached to a DB parameter group. | String |
| rds:req-tag/${TagKey} | Limits the set of tag keys and values that can be used to tag a resource. | String |
| rds:ri-tag/${TagKey} | A tag attached to a reserved DB instance. | String |
| rds:secgrp-tag/${TagKey} | A tag attached to a DB security group. | String |
| rds:snapshot-tag/${TagKey} | A tag attached to a DB snapshot. | String |
| rds:subgrp-tag/${TagKey} | A tag attached to a DB subnet group. | String |
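The following identity-based policy is an added example, not part of the AWS reference page, that ties the three tables together: it uses the required resource types listed for CreateDBInstance (db, og, pg, secgrp, subgrp), its dependent action iam:PassRole, the rds:StorageEncrypted and rds:DatabaseEngine keys defined on the db resource type, and aws:ResourceTag for a guardrail on deletes. The account ID 111122223333, the Region, the role name, the tag names and values, and the iam:PassedToService value rds.amazonaws.com are placeholders and assumptions; the rds:* keys are scoped to the db ARN in their own statement because a StringEquals or Bool condition fails when its key is absent from the request context, which is why the supporting resource types get a separate, unconditioned statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlyEncryptedTaggedPostgresInstances",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": "arn:aws:rds:us-east-1:111122223333:db:*",
      "Condition": {
        "Bool": { "rds:StorageEncrypted": "true" },
        "StringEquals": {
          "rds:DatabaseEngine": "postgres",
          "aws:RequestTag/Environment": "prod"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Environment", "Owner"]
        }
      }
    },
    {
      "Sid": "SupportingResourceTypesRequiredByCreateDBInstance",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": [
        "arn:aws:rds:us-east-1:111122223333:og:*",
        "arn:aws:rds:us-east-1:111122223333:pg:*",
        "arn:aws:rds:us-east-1:111122223333:secgrp:*",
        "arn:aws:rds:us-east-1:111122223333:subgrp:*"
      ]
    },
    {
      "Sid": "DependentPassRoleLimitedToOneRoleAndToRds",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/example-rds-service-role",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "rds.amazonaws.com" }
      }
    },
    {
      "Sid": "DenyDeletionOfProductionTaggedInstancesAndClusters",
      "Effect": "Deny",
      "Action": ["rds:DeleteDBInstance", "rds:DeleteDBCluster"],
      "Resource": [
        "arn:aws:rds:us-east-1:111122223333:db:*",
        "arn:aws:rds:us-east-1:111122223333:cluster:*"
      ],
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": "prod" }
      }
    }
  ]
}
```

The first statement requires the Environment tag on every new instance and restricts tag keys to Environment and Owner; the explicit Deny in the last statement wins over any Allow attached elsewhere to the same principal.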