Actions, resources, and condition keys for Amazon RDS - Service Authorization Reference

Actions, resources, and condition keys for Amazon RDS

Amazon RDS (service prefix: rds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon RDS

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddRoleToDBCluster Grants permission to associate an Identity and Access Management (IAM) role from an Aurora DB cluster Write

cluster*

iam:PassRole

AddRoleToDBInstance Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance Write

db*

iam:PassRole

AddSourceIdentifierToSubscription Grants permission to add a source identifier to an existing RDS event notification subscription Write

es*

AddTagsToResource Grants permission to add metadata tags to an Amazon RDS resource Tagging

cev

cluster

cluster-endpoint

cluster-pg

cluster-snapshot

db

deployment

es

integration

og

pg

proxy

proxy-endpoint

ri

secgrp

snapshot

snapshot-tenant-database

subgrp

target-group

tenant-database

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

ApplyPendingMaintenanceAction Grants permission to apply a pending maintenance action to a resource Write

cluster

db

AuthorizeDBSecurityGroupIngress Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization Permissions management

secgrp*

BacktrackDBCluster Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster Write

cluster*

CancelExportTask Grants permission to cancel an export task in progress Write
CopyCustomDBEngineVersion [permission only] Grants permission to copy a custom engine version Write

cev*

CopyDBClusterParameterGroup Grants permission to copy the specified DB cluster parameter group Write

cluster-pg*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

CopyDBClusterSnapshot Grants permission to create a snapshot of a DB cluster Write

cluster-snapshot*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

CopyDBParameterGroup Grants permission to copy the specified DB parameter group Write

pg*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

CopyDBSnapshot Grants permission to copy the specified DB snapshot Write

snapshot*

rds:AddTagsToResource

rds:CopyCustomDBEngineVersion

aws:RequestTag/${TagKey}

aws:TagKeys

rds:CopyOptionGroup

CopyOptionGroup Grants permission to copy the specified option group Write

og*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBlueGreenDeployment Grants permission to create a blue-green deployment for a given source cluster or instance Write

deployment*

rds:AddTagsToResource

rds:CreateDBCluster

rds:CreateDBClusterEndpoint

rds:CreateDBInstance

rds:CreateDBInstanceReadReplica

cluster

cluster-pg

db

pg

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

rds:cluster-tag/${TagKey}

rds:cluster-pg-tag/${TagKey}

rds:db-tag/${TagKey}

rds:pg-tag/${TagKey}

rds:req-tag/${TagKey}

rds:DatabaseEngine

rds:DatabaseName

rds:StorageEncrypted

rds:DatabaseClass

rds:StorageSize

rds:MultiAz

rds:Piops

rds:Vpc

CreateCustomDBEngineVersion Grants permission to create a custom engine version Write

cev*

iam:CreateServiceLinkedRole

mediaimport:CreateDatabaseBinarySnapshot

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDBCluster Grants permission to create a new DB cluster Write

cluster*

iam:PassRole

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

rds:AddTagsToResource

rds:CreateDBInstance

secretsmanager:CreateSecret

secretsmanager:TagResource

cluster-pg*

og*

subgrp*

db

global-cluster

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:DatabaseEngine

rds:DatabaseName

rds:StorageEncrypted

rds:DatabaseClass

rds:StorageSize

rds:Piops

rds:ManageMasterUserPassword

CreateDBClusterEndpoint Grants permission to create a new custom endpoint and associates it with an Amazon Aurora DB cluster or Amazon DocumentDB cluster Write

cluster*

rds:AddTagsToResource

cluster-endpoint*

rds:EndpointType

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDBClusterParameterGroup Grants permission to create a new DB cluster parameter group Write

cluster-pg*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBClusterSnapshot Grants permission to create a snapshot of a DB cluster Write

cluster*

rds:AddTagsToResource

cluster-snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBInstance Grants permission to create a new DB instance Write

db*

iam:PassRole

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

rds:AddTagsToResource

rds:CreateTenantDatabase

secretsmanager:CreateSecret

secretsmanager:TagResource

cluster

og

pg

secgrp

subgrp

rds:BackupTarget

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:ManageMasterUserPassword

CreateDBInstanceReadReplica Grants permission to create a DB instance that acts as a Read Replica of a source DB instance Write

cluster*

iam:PassRole

rds:AddTagsToResource

db*

og*

pg*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBParameterGroup Grants permission to create a new DB parameter group Write

pg*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBProxy Grants permission to create a database proxy Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:PassRole

CreateDBProxyEndpoint Grants permission to create a database proxy endpoint Write

proxy*

proxy-endpoint*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDBSecurityGroup Grants permission to create a new DB security group. DB security groups control access to a DB instance Write

secgrp*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBShardGroup Grants permission to create a new Aurora Limitless Database DB shard group Write

cluster*

shardgrp*

CreateDBSnapshot Grants permission to create a DBSnapshot Write

db*

rds:AddTagsToResource

snapshot*

snapshot-tenant-database*

rds:BackupTarget

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBSubnetGroup Grants permission to create a new DB subnet group Write

subgrp*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateEventSubscription Grants permission to create an RDS event notification subscription Write

es*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateGlobalCluster Grants permission to create an Aurora global database or DocumentDB global database spread across multiple regions Write

cluster*

global-cluster*

CreateIntegration Grants permission to create an Aurora zero-ETL integration with Redshift Write

cluster*

kms:CreateGrant

kms:DescribeKey

rds:AddTagsToResource

integration*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateOptionGroup Grants permission to create a new option group Write

og*

rds:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateTenantDatabase Grants permission to create a new tenant database Write

db*

rds:AddTagsToResource

tenant-database*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:TenantDatabaseName

CrossRegionCommunication [permission only] Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation Write
DeleteBlueGreenDeployment Grants permission to delete blue green deployments Write

deployment*

rds:DeleteDBCluster

rds:DeleteDBClusterEndpoint

rds:DeleteDBInstance

rds:PromoteReadReplica

rds:PromoteReadReplicaDBCluster

aws:ResourceTag/${TagKey}

DeleteCustomDBEngineVersion Grants permission to delete an existing custom engine version Write

cev*

DeleteDBCluster Grants permission to delete a previously provisioned DB cluster Write

cluster*

rds:AddTagsToResource

rds:CreateDBClusterSnapshot

rds:DeleteDBInstance

cluster-snapshot*

DeleteDBClusterAutomatedBackup Grants permission to delete cluster automated backups based on the source cluster's DbClusterResourceId value or the restorable cluster's resource ID Write

cluster-auto-backup*

DeleteDBClusterEndpoint Grants permission to delete a custom endpoint and removes it from an Amazon Aurora DB cluster or Amazon DocumentDB cluster Write

cluster-endpoint*

DeleteDBClusterParameterGroup Grants permission to delete a specified DB cluster parameter group Write

cluster-pg*

DeleteDBClusterSnapshot Grants permission to delete a DB cluster snapshot Write

cluster-snapshot*

DeleteDBInstance Grants permission to delete a previously provisioned DB instance Write

db*

rds:AddTagsToResource

rds:CreateDBSnapshot

rds:DeleteTenantDatabase

DeleteDBInstanceAutomatedBackup Grants permission to delete automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID Write

auto-backup*

DeleteDBParameterGroup Grants permission to delete a specified DBParameterGroup Write

pg*

DeleteDBProxy Grants permission to delete a database proxy Write

proxy*

DeleteDBProxyEndpoint Grants permission to delete a database proxy endpoint Write

proxy-endpoint*

DeleteDBSecurityGroup Grants permission to delete a DB security group Write

secgrp*

DeleteDBShardGroup Grants permission to delete an Aurora Limitless Database DB shard group Write

shardgrp*

DeleteDBSnapshot Grants permission to delete a DBSnapshot Write

snapshot*

DeleteDBSubnetGroup Grants permission to delete a DB subnet group Write

subgrp*

DeleteEventSubscription Grants permission to delete an RDS event notification subscription Write

es*

DeleteGlobalCluster Grants permission to delete a global database cluster Write

global-cluster*

DeleteIntegration Grants permission to delete an Aurora zero-ETL integration with Redshift Write

integration*

DeleteOptionGroup Grants permission to delete an existing option group Write

og*

DeleteTenantDatabase Grants permission to delete a tenant database Write

db*

rds:AddTagsToResource

rds:CreateDBSnapshot

tenant-database*

DeregisterDBProxyTargets Grants permission to remove targets from a database proxy target group Write

cluster*

db*

proxy*

target-group*

DescribeAccountAttributes Grants permission to list all of the attributes for a customer account List
DescribeBlueGreenDeployments Grants permission to describe blue green deployments List

deployment

DescribeCertificates Grants permission to list the set of CA certificates provided by Amazon RDS for this AWS account List
DescribeDBClusterAutomatedBackups Grants permission to return a list of cluster automated backups for both current and deleted clusters List

cluster-auto-backup*

cluster

DescribeDBClusterBacktracks Grants permission to return information about backtracks for a DB cluster List

cluster*

DescribeDBClusterEndpoints Grants permission to return information about endpoints for an Amazon Aurora DB cluster List

cluster

cluster-endpoint

DescribeDBClusterParameterGroups Grants permission to return a list of DBClusterParameterGroup descriptions List

cluster-pg*

DescribeDBClusterParameters Grants permission to return the detailed parameter list for a particular DB cluster parameter group List

cluster-pg*

DescribeDBClusterSnapshotAttributes Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot List

cluster-snapshot*

DescribeDBClusterSnapshots Grants permission to return information about DB cluster snapshots List

cluster

cluster-snapshot

DescribeDBClusters Grants permission to return information about provisioned Aurora DB clusters or DocumentDB clusters List

cluster*

DescribeDBEngineVersions Grants permission to return a list of the available DB engines List
DescribeDBInstanceAutomatedBackups Grants permission to return a list of automated backups for both current and deleted instances List

auto-backup

db

DescribeDBInstances Grants permission to return information about provisioned RDS instances List

db*

DescribeDBLogFiles Grants permission to return a list of DB log files for the DB instance List

db*

DescribeDBParameterGroups Grants permission to return a list of DBParameterGroup descriptions List

pg*

DescribeDBParameters Grants permission to return the detailed parameter list for a particular DB parameter group List

pg*

DescribeDBProxies Grants permission to view proxies List

proxy*

DescribeDBProxyEndpoints Grants permission to view proxy endpoints List

proxy*

proxy-endpoint*

DescribeDBProxyTargetGroups Grants permission to view database proxy target group details List

proxy*

DescribeDBProxyTargets Grants permission to view database proxy target details List

proxy*

target-group*

DescribeDBRecommendations Grants permission to list recommendation details List
DescribeDBSecurityGroups Grants permission to return a list of DBSecurityGroup descriptions List

secgrp*

DescribeDBShardGroups Grants permission to return information about all Aurora Limitless Database DB shard groups for this account. You can filter by shard group(s) List

shardgrp*

DescribeDBSnapshotAttributes Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot List

snapshot*

DescribeDBSnapshotTenantDatabases Grants permission to return information about tenant databases in DB snapshots. You can filter by Region or snapshot List

snapshot-tenant-database*

db

snapshot

DescribeDBSnapshots Grants permission to return information about DB snapshots List

db

snapshot

DescribeDBSubnetGroups Grants permission to return a list of DBSubnetGroup descriptions List

subgrp*

DescribeEngineDefaultClusterParameters Grants permission to return the default engine and system parameter information for the cluster database engine List
DescribeEngineDefaultParameters Grants permission to return the default engine and system parameter information for the specified database engine List
DescribeEventCategories Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type List
DescribeEventSubscriptions Grants permission to list all the subscription descriptions for a customer account List

es*

DescribeEvents Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days List
DescribeExportTasks Grants permission to return information about the export tasks List

cluster

cluster-snapshot

snapshot

DescribeGlobalClusters Grants permission to return information about Aurora global database clusters or DocumentDB global database clusters List

global-cluster*

DescribeIntegrations Grants permission to describe an Aurora zero-ETL integration with Redshift List

integration*

aws:ResourceTag/${TagKey}

DescribeOptionGroupOptions Grants permission to describe all available options List
DescribeOptionGroups Grants permission to describe the available option groups List

og*

DescribeOrderableDBInstanceOptions Grants permission to return a list of orderable DB instance options for the specified engine List
DescribePendingMaintenanceActions Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action List

cluster

db

DescribeRecommendationGroups [permission only] Grants permission to return information about recommendation groups Read
DescribeRecommendations [permission only] Grants permission to return information about recommendations Read
DescribeReservedDBInstances Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance List

ri*

DescribeReservedDBInstancesOfferings Grants permission to list available reserved DB instance offerings List
DescribeSourceRegions Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from List
DescribeTenantDatabases Grants permission to return information about provisioned tenant databases. You can filter by Region or snapshot List

tenant-database*

db

DescribeValidDBInstanceModifications Grants permission to list available modifications you can make to your DB instance List

db*

DisableHttpEndpoint Grants permission to disable http endpoint for a DB cluster Write

cluster*

DownloadCompleteDBLogFile Grants permission to download specified log file Read

db*

DownloadDBLogFilePortion Grants permission to download all or a portion of the specified log file, up to 1 MB in size Read

db*

EnableHttpEndpoint Grants permission to enable http endpoint for a DB cluster Write

cluster*

FailoverDBCluster Grants permission to force a failover for a DB cluster Write

cluster*

FailoverGlobalCluster Grants permission to failover a global cluster Write

cluster*

global-cluster*

ListTagsForResource Grants permission to list all tags on an Amazon RDS resource Read

cev

cluster

cluster-endpoint

cluster-pg

cluster-snapshot

db

es

integration

og

pg

proxy

proxy-endpoint

ri

secgrp

snapshot

snapshot-tenant-database

subgrp

target-group

tenant-database

ModifyActivityStream Grants permission to modify a database activity stream Write

db*

ModifyCertificates Grants permission to modify the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances Write
ModifyCurrentDBClusterCapacity Grants permission to modify current cluster capacity for an Amazon Aurora Serverless DB cluster Write

cluster*

ModifyCustomDBEngineVersion Grants permission to modify an existing custom engine version Write

cev*

ModifyDBCluster Grants permission to modify a setting for an Amazon Aurora DB cluster or Amazon DocumentDB cluster Write

cluster*

iam:PassRole

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

rds:ModifyDBInstance

secretsmanager:CreateSecret

secretsmanager:RotateSecret

secretsmanager:TagResource

cluster-pg

og

pg

rds:DatabaseClass

rds:StorageSize

rds:Piops

rds:ManageMasterUserPassword

ModifyDBClusterEndpoint Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster or Amazon DocumentDB cluster Write

cluster-endpoint*

ModifyDBClusterParameterGroup Grants permission to modify the parameters of a DB cluster parameter group Write

cluster-pg*

ModifyDBClusterSnapshotAttribute Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot Write

cluster-snapshot*

ModifyDBInstance Grants permission to modify settings for a DB instance Write

db*

iam:PassRole

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

rds:AddTagsToResource

rds:CreateTenantDatabase

secretsmanager:CreateSecret

secretsmanager:RotateSecret

secretsmanager:TagResource

og

pg

secgrp

subgrp

rds:ManageMasterUserPassword

ModifyDBParameterGroup Grants permission to modify the parameters of a DB parameter group Write

pg*

ModifyDBProxy Grants permission to modify database proxy Write

proxy*

iam:PassRole

ModifyDBProxyEndpoint Grants permission to modify database proxy endpoint Write

proxy-endpoint*

ModifyDBProxyTargetGroup Grants permission to modify target group for a database proxy Write

target-group*

ModifyDBRecommendation Grants permission to modify recommendation Write
ModifyDBShardGroup Grants permission to modify properties of an Aurora Limitless Database DB shard group Write

shardgrp*

ModifyDBSnapshot Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version Write

snapshot*

og

ModifyDBSnapshotAttribute Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot Write

snapshot*

ModifyDBSubnetGroup Grants permission to modify an existing DB subnet group Write

subgrp*

ModifyEventSubscription Grants permission to modify an existing RDS event notification subscription Write

es*

ModifyGlobalCluster Grants permission to modify a setting for an Amazon Aurora global cluster or Amazon DocumentDB global cluster Write

global-cluster*

ModifyIntegration Grants permission to modify an Aurora zero-ETL integration with Redshift Write

integration*

ModifyOptionGroup Grants permission to modify an existing option group Write

og*

iam:PassRole

ModifyRecommendation [permission only] Grants permission to modify recommendation Write
ModifyTenantDatabase Grants permission to modify a tenant database Write

db*

tenant-database*

rds:TenantDatabaseName

PromoteReadReplica Grants permission to promote a Read Replica DB instance to a standalone DB instance Write

db*

PromoteReadReplicaDBCluster Grants permission to promote a Read Replica DB cluster to a standalone DB cluster Write

cluster*

PurchaseReservedDBInstancesOffering Grants permission to purchase a reserved DB instance offering Write

ri*

aws:RequestTag/${TagKey}

aws:TagKeys

RebootDBCluster Grants permission to reboot a previously provisioned DB cluster Write

cluster*

rds:RebootDBInstance

RebootDBInstance Grants permission to restart the database engine service Write

db*

RebootDBShardGroup Grants permission to reboot an Aurora Limitless Database DB shard group Write

shardgrp*

RegisterDBProxyTargets Grants permission to add targets to a database proxy target group Write

target-group*

RemoveFromGlobalCluster Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster or DocumentDB global cluster Write

cluster*

global-cluster*

RemoveRoleFromDBCluster Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster Write

cluster*

iam:PassRole

RemoveRoleFromDBInstance Grants permission to disassociate an AWS Identity and Access Management (IAM) role from a DB instance Write

db*

iam:PassRole

RemoveSourceIdentifierFromSubscription Grants permission to remove a source identifier from an existing RDS event notification subscription Write

es*

RemoveTagsFromResource Grants permission to remove metadata tags from an Amazon RDS resource Tagging

cev

cluster

cluster-endpoint

cluster-pg

cluster-snapshot

db

deployment

es

integration

og

pg

proxy

proxy-endpoint

ri

secgrp

snapshot

snapshot-tenant-database

subgrp

target-group

tenant-database

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

ResetDBClusterParameterGroup Grants permission to modify the parameters of a DB cluster parameter group to the default value Write

cluster-pg*

ResetDBParameterGroup Grants permission to modify the parameters of a DB parameter group to the engine/system default value Write

pg*

RestoreDBClusterFromS3 Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket Write

cluster*

iam:PassRole

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

rds:AddTagsToResource

secretsmanager:CreateSecret

secretsmanager:TagResource

cluster-pg*

og*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:DatabaseEngine

rds:DatabaseName

rds:StorageEncrypted

rds:ManageMasterUserPassword

RestoreDBClusterFromSnapshot Grants permission to create a new DB cluster from a DB cluster snapshot Write

cluster*

iam:PassRole

rds:AddTagsToResource

rds:CreateDBInstance

cluster-pg*

og*

subgrp*

cluster-snapshot

snapshot

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:DatabaseClass

rds:StorageSize

rds:Piops

RestoreDBClusterToPointInTime Grants permission to restore a DB cluster to an arbitrary point in time Write

cluster*

iam:PassRole

rds:AddTagsToResource

rds:CreateDBInstance

cluster-pg*

og*

subgrp*

cluster-auto-backup

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:DatabaseClass

rds:StorageSize

rds:Piops

RestoreDBInstanceFromDBSnapshot Grants permission to create a new DB instance from a DB snapshot Write

db*

iam:PassRole

rds:AddTagsToResource

rds:CreateTenantDatabase

og*

pg*

subgrp*

cluster-snapshot

snapshot

rds:BackupTarget

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RestoreDBInstanceFromS3 Grants permission to create a new DB instance from an Amazon S3 bucket Write

db*

iam:PassRole

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

rds:AddTagsToResource

secretsmanager:CreateSecret

secretsmanager:TagResource

og*

pg*

subgrp*

secgrp

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:ManageMasterUserPassword

RestoreDBInstanceToPointInTime Grants permission to restore a DB instance to an arbitrary point in time Write

db*

iam:PassRole

rds:AddTagsToResource

rds:CreateTenantDatabase

og*

pg*

subgrp*

auto-backup

rds:BackupTarget

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RevokeDBSecurityGroupIngress Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups Write

secgrp*

StartActivityStream Grants permission to start Activity Stream Write

cluster

db

StartDBCluster Grants permission to start the DB cluster Write

cluster*

StartDBInstance Grants permission to start the DB instance Write

db*

StartDBInstanceAutomatedBackupsReplication Grants permission to start replication of automated backups to a different AWS Region Write

auto-backup*

db*

StartExportTask Grants permission to start a new Export task for a DB snapshot Write

cluster

iam:PassRole

cluster-snapshot

snapshot

StopActivityStream Grants permission to stop Activity Stream Write

cluster

db

StopDBCluster Grants permission to stop the DB cluster Write

cluster*

StopDBInstance Grants permission to stop the DB instance Write

db*

rds:AddTagsToResource

rds:CreateDBSnapshot

snapshot

StopDBInstanceAutomatedBackupsReplication Grants permission to stop automated backup replication for a DB instance Write

db*

SwitchoverBlueGreenDeployment Grants permission to switch a blue-green deployment from source instance or cluster to target Write

deployment*

rds:ModifyDBCluster

rds:ModifyDBInstance

rds:PromoteReadReplica

rds:PromoteReadReplicaDBCluster

aws:ResourceTag/${TagKey}

SwitchoverGlobalCluster Grants permission to switchover a global cluster Write

cluster*

global-cluster*

SwitchoverReadReplica Grants permission to switch over a read replica, making it the new primary database Write

db*

Resource types defined by Amazon RDS

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
cluster arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}

aws:ResourceTag/${TagKey}

rds:cluster-tag/${TagKey}

shardgrp arn:${Partition}:rds:${Region}:${Account}:shard-group:${DbShardGroupResourceId}
cluster-auto-backup arn:${Partition}:rds:${Region}:${Account}:cluster-auto-backup:${DbClusterAutomatedBackupId}
auto-backup arn:${Partition}:rds:${Region}:${Account}:auto-backup:${DbInstanceAutomatedBackupId}
cluster-endpoint arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}

aws:ResourceTag/${TagKey}

cluster-pg arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}

aws:ResourceTag/${TagKey}

rds:cluster-pg-tag/${TagKey}

cluster-snapshot arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}

aws:ResourceTag/${TagKey}

rds:cluster-snapshot-tag/${TagKey}

db arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}

aws:ResourceTag/${TagKey}

rds:DatabaseClass

rds:DatabaseEngine

rds:DatabaseName

rds:MultiAz

rds:Piops

rds:StorageEncrypted

rds:StorageSize

rds:Vpc

rds:db-tag/${TagKey}

es arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}

aws:ResourceTag/${TagKey}

rds:es-tag/${TagKey}

global-cluster arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}
og arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}

aws:ResourceTag/${TagKey}

rds:og-tag/${TagKey}

pg arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}

aws:ResourceTag/${TagKey}

rds:pg-tag/${TagKey}

proxy arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}

aws:ResourceTag/${TagKey}

proxy-endpoint arn:${Partition}:rds:${Region}:${Account}:db-proxy-endpoint:${DbProxyEndpointId}

aws:ResourceTag/${TagKey}

ri arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}

aws:ResourceTag/${TagKey}

rds:ri-tag/${TagKey}

secgrp arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}

aws:ResourceTag/${TagKey}

rds:secgrp-tag/${TagKey}

snapshot arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}

aws:ResourceTag/${TagKey}

rds:snapshot-tag/${TagKey}

subgrp arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}

aws:ResourceTag/${TagKey}

rds:subgrp-tag/${TagKey}

target-group arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}

aws:ResourceTag/${TagKey}

cev arn:${Partition}:rds:${Region}:${Account}:cev:${Engine}/${EngineVersion}/${CustomDbEngineVersionId}

aws:ResourceTag/${TagKey}

deployment arn:${Partition}:rds:${Region}:${Account}:deployment:${BlueGreenDeploymentIdentifier}

aws:ResourceTag/${TagKey}

integration arn:${Partition}:rds:${Region}:${Account}:integration:${IntegrationIdentifier}

aws:ResourceTag/${TagKey}

snapshot-tenant-database arn:${Partition}:rds:${Region}:${Account}:snapshot-tenant-database:${SnapshotName}:${TenantResourceId}

aws:ResourceTag/${TagKey}

tenant-database arn:${Partition}:rds:${Region}:${Account}:tenant-database:${TenantResourceId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon RDS

Amazon RDS defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the set of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by the set of tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the set of tag keys in the request ArrayOfString
rds:BackupTarget Filters access by the type of backup target. One of: region, outposts String
rds:CopyOptionGroup Filters access by the value that specifies whether the CopyDBSnapshot action requires copying the DB option group Bool
rds:DatabaseClass Filters access by the type of DB instance class String
rds:DatabaseEngine Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API String
rds:DatabaseName Filters access by the user-defined name of the database on the DB instance String
rds:EndpointType Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM String
rds:ManageMasterUserPassword Filters access by the value that specifies whether RDS manages master user password in AWS Secrets Manager for the DB instance or cluster Bool
rds:MultiAz Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true Bool
rds:Piops Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0 Numeric
rds:StorageEncrypted Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true Bool
rds:StorageSize Filters access by the storage volume size (in GB) Numeric
rds:TenantDatabaseName Filters access by the tenant database name in CreateTenantDatabase and by the new tenant database name in ModifyTenantDatabase String
rds:Vpc Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true Bool
rds:cluster-pg-tag/${TagKey} Filters access by the tag attached to a DB cluster parameter group String
rds:cluster-snapshot-tag/${TagKey} Filters access by the tag attached to a DB cluster snapshot String
rds:cluster-tag/${TagKey} Filters access by the tag attached to a DB cluster String
rds:db-tag/${TagKey} Filters access by the tag attached to a DB instance String
rds:es-tag/${TagKey} Filters access by the tag attached to an event subscription String
rds:og-tag/${TagKey} Filters access by the tag attached to a DB option group String
rds:pg-tag/${TagKey} Filters access by the tag attached to a DB parameter group String
rds:req-tag/${TagKey} Filters access by the set of tag keys and values that can be used to tag a resource String
rds:ri-tag/${TagKey} Filters access by the tag attached to a reserved DB instance String
rds:secgrp-tag/${TagKey} Filters access by the tag attached to a DB security group String
rds:snapshot-tag/${TagKey} Filters access by the tag attached to a DB snapshot String
rds:subgrp-tag/${TagKey} Filters access by the tag attached to a DB subnet group String