Amazon RDS: Allows tag owners full access to RDS resources that they have tagged - AWS Identity and Access Management

Amazon RDS: Allows tag owners full access to RDS resources that they have tagged

This example shows how you might create an IAM policy that allows tag owners full access to RDS resources that they have tagged. This policy grants the permissions necessary to complete this action from the AWS API or AWS CLI only.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:Describe*", "rds:List*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "rds:DeleteDBInstance", "rds:RebootDBInstance", "rds:ModifyDBInstance" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:db-tag/Owner": "${aws:username}"} } }, { "Action": [ "rds:ModifyOptionGroup", "rds:DeleteOptionGroup" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:og-tag/Owner": "${aws:username}"} } }, { "Action": [ "rds:ModifyDBParameterGroup", "rds:ResetDBParameterGroup" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:pg-tag/Owner": "${aws:username}"} } }, { "Action": [ "rds:AuthorizeDBSecurityGroupIngress", "rds:RevokeDBSecurityGroupIngress", "rds:DeleteDBSecurityGroup" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:secgrp-tag/Owner": "${aws:username}"} } }, { "Action": [ "rds:DeleteDBSnapshot", "rds:RestoreDBInstanceFromDBSnapshot" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:snapshot-tag/Owner": "${aws:username}"} } }, { "Action": [ "rds:ModifyDBSubnetGroup", "rds:DeleteDBSubnetGroup" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:subgrp-tag/Owner": "${aws:username}"} } }, { "Action": [ "rds:ModifyEventSubscription", "rds:AddSourceIdentifierToSubscription", "rds:RemoveSourceIdentifierFromSubscription", "rds:DeleteEventSubscription" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEqualsIgnoreCase": {"rds:es-tag/Owner": "${aws:username}"} } } ] }