Amazon DocumentDB API Permissions: Actions, Resources, and Conditions Reference - Amazon DocumentDB

Amazon DocumentDB API Permissions: Actions, Resources, and Conditions Reference

Use the following sections as a reference when you set up Managing Access Using Policies and write permissions policies that you can attach to an IAM identity (identity-based policies).

The following lists each Amazon DocumentDB API operation. Included in the list are the corresponding actions for which you can grant permissions to perform the action, the AWS resource that you can grant the permissions for, and condition keys that you can include for fine-grained access control. You specify the actions in the policy's Action field, the resource value in the policy's Resource field, and conditions in the policy's Condition field. For more information about conditions, see Specifying Conditions in a Policy.

You can use AWS-wide condition keys in your Amazon DocumentDB policies to express conditions. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide.

You can test IAM policies with the IAM policy simulator. It automatically provides a list of resources and parameters required for each AWS action, including Amazon DocumentDB actions. The IAM policy simulator determines the permissions that are required for each of the actions that you specify. For information about the IAM policy simulator, see Testing IAM Policies with the IAM Policy Simulator in the IAM User Guide.

Note

To specify an action, use the rds: prefix followed by the API operation name (for example, rds:CreateDBInstance).

The following lists Amazon RDS API operations and their related actions, resources, and condition keys.

Amazon DocumentDB Actions That Support Resource-Level Permissions

Resource-level permissions provide the ability to specify the resources on which users are allowed to perform actions. Amazon DocumentDB has partial support for resource-level permissions. This means that for certain Amazon DocumentDB actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or specific resources that users are allowed to use. For example, you can grant users permission to modify only specific instances.

The following lists Amazon DocumentDB API operations and their related actions, resources, and condition keys.

For certain management features, Amazon DocumentDB uses operational technology that is shared with Amazon RDS.

Amazon DocumentDB API Operations and Actions Resources Condition Keys

AddTagsToResource

rds:AddTagsToResource

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

ApplyPendingMaintenanceAction

rds:ApplyPendingMaintenanceAction

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

CopyDBClusterSnapshot

rds:CopyDBClusterSnapshot

Cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

CreateDBCluster

rds:CreateDBCluster

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

CreateDBClusterParameterGroup

rds:CreateDBClusterParameterGroup

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

CreateDBClusterSnapshot

rds:CreateDBClusterSnapshot

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

Cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

CreateDBInstance

rds:CreateDBInstance

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:db-tag

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

CreateDBSubnetGroup

rds:CreateDBSubnetGroup

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DeleteDBInstance

rds:DeleteDBInstance

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

DeleteDBSubnetGroup

rds:DeleteDBSubnetGroup

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DescribeDBClusterParameterGroups

rds:DescribeDBClusterParameterGroups

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DescribeDBClusterParameters

rds:DescribeDBClusterParameters

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

DescribeDBClusters

rds:DescribeDBClusters

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

DescribeDBClusterSnapshotAttributes

rds:DescribeDBClusterSnapshotAttributes

Cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

DescribeDBSubnetGroups

rds:DescribeDBSubnetGroups

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

DescribePendingMaintenanceActions

rds:DescribePendingMaintenanceActions

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:db-tag

FailoverDBCluster

rds:FailoverDBCluster

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

ListTagsForResource

rds:ListTagsForResource

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

ModifyDBCluster

rds:ModifyDBCluster

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-name

rds:cluster-tag

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

ModifyDBClusterParameterGroup

rds:ModifyDBClusterParameterGroup

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

ModifyDBClusterSnapshotAttribute

rds:ModifyDBClusterSnapshotAttribute

Cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

ModifyDBInstance

rds:ModifyDBInstance

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:DatabaseClass

rds:db-tag

RebootDBInstance

rds:RebootDBInstance

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

RemoveTagsFromResource

rds:RemoveTagsFromResource

Instance

arn:aws:rds:region:account-id:db:db-instance-name

rds:db-tag

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

ResetDBClusterParameterGroup

rds:ResetDBClusterParameterGroup

Cluster parameter group

arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name

rds:cluster-pg-tag

RestoreDBClusterFromSnapshot

rds:RestoreDBClusterFromSnapshot

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

Cluster snapshot

arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name

rds:cluster-snapshot-tag

RestoreDBClusterToPointInTime

rds:RestoreDBClusterToPointInTime

Cluster

arn:aws:rds:region:account-id:cluster:db-cluster-instance-name

rds:cluster-tag

Subnet group

arn:aws:rds:region:account-id:subgrp:subnet-group-name

rds:subgrp-tag

Amazon DocumentDB Actions That Don't Support Resource-Level Permissions

You can use all Amazon DocumentDB actions in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon DocumentDB actions support resource-level permissions, which enable you to specify the resources on which an action can be performed. The following Amazon DocumentDB API actions currently don't support resource-level permissions. Therefore, to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement.

  • rds:DescribeDBClusterSnapshots

  • rds:DescribeDBInstances