Actions, resources, and condition keys for Amazon RDS - Service Authorization Reference

Actions, resources, and condition keys for Amazon RDS

Amazon RDS (service prefix: rds) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon RDS

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), then you can choose to use one of the optional resource types instead of the required one. Two practical consequences follow from the table: an action with several required resource types (for example, CreateDBInstance, which names a db, og, pg, secgrp and subgrp resource) must be allowed for every resource the request names, and an action with a Dependent actions entry (such as iam:PassRole) also needs that dependent action to be allowed, otherwise the call is denied even though the RDS action itself is permitted.

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddRoleToDBCluster Grants permission to associate an AWS Identity and Access Management (IAM) role with an Aurora DB cluster Write

cluster*

iam:PassRole

AddRoleToDBInstance Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance Write

db*

iam:PassRole

AddSourceIdentifierToSubscription Grants permission to add a source identifier to an existing RDS event notification subscription Write

es*

AddTagsToResource Grants permission to add metadata tags to an Amazon RDS resource Tagging

db

es

og

pg

proxy

ri

secgrp

snapshot

subgrp

target-group

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

ApplyPendingMaintenanceAction Grants permission to apply a pending maintenance action to a resource Write

cluster

db

AuthorizeDBSecurityGroupIngress Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization (a CIDR IP range, or an EC2 or VPC security group) Permissions management

secgrp*

BacktrackDBCluster Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster Write

cluster*

CancelExportTask Grants permission to cancel an export task in progress Write
CopyDBClusterParameterGroup Grants permission to copy the specified DB cluster parameter group Write

cluster-pg*

aws:RequestTag/${TagKey}

aws:TagKeys

CopyDBClusterSnapshot Grants permission to create a snapshot of a DB cluster Write

cluster-snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

CopyDBParameterGroup Grants permission to copy the specified DB parameter group Write

pg*

aws:RequestTag/${TagKey}

aws:TagKeys

CopyDBSnapshot Grants permission to copy the specified DB snapshot Write

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

CopyOptionGroup Grants permission to copy the specified option group Write

og*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDBCluster Grants permission to create a new Amazon Aurora DB cluster Write

cluster*

iam:PassRole

cluster-pg*

og*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:DatabaseEngine

rds:DatabaseName

rds:StorageEncrypted

CreateDBClusterEndpoint Grants permission to create a new custom endpoint and associate it with an Amazon Aurora DB cluster Write

cluster*

cluster-endpoint*

rds:EndpointType

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDBClusterParameterGroup Grants permission to create a new DB cluster parameter group Write

cluster-pg*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBClusterSnapshot Grants permission to create a snapshot of a DB cluster Write

cluster*

cluster-snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBInstance Grants permission to create a new DB instance Write

db*

iam:PassRole

og*

pg*

secgrp*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBInstanceReadReplica Grants permission to create a DB instance that acts as a Read Replica of a source DB instance Write

db*

iam:PassRole

og*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBParameterGroup Grants permission to create a new DB parameter group Write

pg*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBProxy Grants permission to create a database proxy Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:PassRole

CreateDBSecurityGroup Grants permission to create a new DB security group. DB security groups control access to a DB instance Write

secgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBSnapshot Grants permission to create a DBSnapshot Write

db*

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateDBSubnetGroup Grants permission to create a new DB subnet group Write

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateEventSubscription Grants permission to create an RDS event notification subscription Write

es*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CreateGlobalCluster Grants permission to create an Aurora global database spread across multiple regions Write

cluster*

global-cluster*

CreateOptionGroup Grants permission to create a new option group Write

og*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

CrossRegionCommunication [permission only] Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation Write
DeleteDBCluster Grants permission to delete a previously provisioned DB cluster Write

cluster*

cluster-snapshot*

DeleteDBClusterEndpoint Grants permission to delete a custom endpoint and remove it from an Amazon Aurora DB cluster Write

cluster-endpoint*

DeleteDBClusterParameterGroup Grants permission to delete a specified DB cluster parameter group Write

cluster-pg*

DeleteDBClusterSnapshot Grants permission to delete a DB cluster snapshot Write

cluster-snapshot*

DeleteDBInstance Grants permission to delete a previously provisioned DB instance Write

db*

DeleteDBInstanceAutomatedBackup Grants permission to delete automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID Write
DeleteDBParameterGroup Grants permission to delete a specified DBParameterGroup Write

pg*

DeleteDBProxy Grants permission to delete a database proxy Write

proxy*

DeleteDBSecurityGroup Grants permission to delete a DB security group Write

secgrp*

DeleteDBSnapshot Grants permission to delete a DBSnapshot Write

snapshot*

DeleteDBSubnetGroup Grants permission to delete a DB subnet group Write

subgrp*

DeleteEventSubscription Grants permission to delete an RDS event notification subscription Write

es*

DeleteGlobalCluster Grants permission to delete a global database cluster Write

global-cluster*

DeleteOptionGroup Grants permission to delete an existing option group Write

og*

DeregisterDBProxyTargets Grants permission to remove targets from a database proxy target group Write

cluster*

db*

proxy*

target-group*

DescribeAccountAttributes Grants permission to list all of the attributes for a customer account List
DescribeCertificates Grants permission to list the set of CA certificates provided by Amazon RDS for this AWS account List
DescribeDBClusterBacktracks Grants permission to return information about backtracks for a DB cluster List

cluster*

DescribeDBClusterEndpoints Grants permission to return information about endpoints for an Amazon Aurora DB cluster List

cluster-endpoint*

cluster

DescribeDBClusterParameterGroups Grants permission to return a list of DBClusterParameterGroup descriptions List

cluster-pg*

DescribeDBClusterParameters Grants permission to return the detailed parameter list for a particular DB cluster parameter group List

cluster-pg*

DescribeDBClusterSnapshotAttributes Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot List

cluster-snapshot*

DescribeDBClusterSnapshots Grants permission to return information about DB cluster snapshots List

cluster-snapshot*

DescribeDBClusters Grants permission to return information about provisioned Aurora DB clusters List

cluster*

DescribeDBEngineVersions Grants permission to return a list of the available DB engines List
DescribeDBInstanceAutomatedBackups Grants permission to return a list of automated backups for both current and deleted instances List

db

DescribeDBInstances Grants permission to return information about provisioned RDS instances List

db*

DescribeDBLogFiles Grants permission to return a list of DB log files for the DB instance List

db*

DescribeDBParameterGroups Grants permission to return a list of DBParameterGroup descriptions List

pg*

DescribeDBParameters Grants permission to return the detailed parameter list for a particular DB parameter group List

pg*

DescribeDBProxies Grants permission to view proxies List

proxy*

DescribeDBProxyTargetGroups Grants permission to view database proxy target group details List

proxy*

DescribeDBProxyTargets Grants permission to view database proxy target details List

cluster*

db*

proxy*

target-group*

DescribeDBSecurityGroups Grants permission to return a list of DBSecurityGroup descriptions List

secgrp*

DescribeDBSnapshotAttributes Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot List

snapshot*

DescribeDBSnapshots Grants permission to return information about DB snapshots List

snapshot*

db

DescribeDBSubnetGroups Grants permission to return a list of DBSubnetGroup descriptions List

subgrp*

DescribeEngineDefaultClusterParameters Grants permission to return the default engine and system parameter information for the cluster database engine List
DescribeEngineDefaultParameters Grants permission to return the default engine and system parameter information for the specified database engine List
DescribeEventCategories Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type List
DescribeEventSubscriptions Grants permission to list all the subscription descriptions for a customer account List

es*

DescribeEvents Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days List
DescribeExportTasks Grants permission to return information about the export tasks List
DescribeGlobalClusters Grants permission to return information about Aurora global database clusters List

global-cluster*

DescribeOptionGroupOptions Grants permission to describe all available options List

og*

DescribeOptionGroups Grants permission to describe the available option groups List

og*

DescribeOrderableDBInstanceOptions Grants permission to return a list of orderable DB instance options for the specified engine List
DescribePendingMaintenanceActions Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action List

cluster

db

DescribeReservedDBInstances Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance List

ri*

DescribeReservedDBInstancesOfferings Grants permission to list available reserved DB instance offerings List
DescribeSourceRegions Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from List
DescribeValidDBInstanceModifications Grants permission to list available modifications you can make to your DB instance List

db*

DownloadDBLogFilePortion Grants permission to download all or a portion of the specified log file, up to 1 MB in size Read

db*

FailoverDBCluster Grants permission to force a failover for a DB cluster Write

cluster*

ListTagsForResource Grants permission to list all tags on an Amazon RDS resource Read

db

es

og

pg

proxy

ri

secgrp

snapshot

subgrp

target-group

ModifyCurrentDBClusterCapacity Grants permission to modify the current capacity of an Amazon Aurora Serverless DB cluster Write

cluster*

ModifyDBCluster Grants permission to modify a setting for an Amazon Aurora DB cluster Write

cluster*

iam:PassRole

cluster-pg*

og*

ModifyDBClusterEndpoint Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster Write

cluster-endpoint*

ModifyDBClusterParameterGroup Grants permission to modify the parameters of a DB cluster parameter group Write

cluster-pg*

ModifyDBClusterSnapshotAttribute Grants permission to add an attribute and values to, or remove an attribute and values from, a manual DB cluster snapshot (this includes the restore attribute, which shares the snapshot with other AWS accounts or, with the value all, makes it public) Write

cluster-snapshot*

ModifyDBInstance Grants permission to modify settings for a DB instance Write

db*

iam:PassRole

og*

pg*

secgrp*

ModifyDBParameterGroup Grants permission to modify the parameters of a DB parameter group Write

pg*

ModifyDBProxy Grants permission to modify a database proxy Write

proxy*

iam:PassRole

ModifyDBProxyTargetGroup Grants permission to modify a target group for a database proxy Write

target-group*

ModifyDBSnapshot Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version Write

snapshot*

ModifyDBSnapshotAttribute Grants permission to add an attribute and values to, or remove an attribute and values from, a manual DB snapshot (this includes the restore attribute, which shares the snapshot with other AWS accounts or, with the value all, makes it public) Write

snapshot*

ModifyDBSubnetGroup Grants permission to modify an existing DB subnet group Write

subgrp*

ModifyEventSubscription Grants permission to modify an existing RDS event notification subscription Write

es*

ModifyGlobalCluster Grants permission to modify a setting for an Amazon Aurora global cluster Write

global-cluster*

ModifyOptionGroup Grants permission to modify an existing option group Write

og*

iam:PassRole

PromoteReadReplica Grants permission to promote a Read Replica DB instance to a standalone DB instance Write

db*

PromoteReadReplicaDBCluster Grants permission to promote a Read Replica DB cluster to a standalone DB cluster Write

cluster*

PurchaseReservedDBInstancesOffering Grants permission to purchase a reserved DB instance offering Write

ri*

aws:RequestTag/${TagKey}

aws:TagKeys

RebootDBInstance Grants permission to restart the database engine service Write

db*

RegisterDBProxyTargets Grants permission to add targets to a database proxy target group Write

target-group*

RemoveFromGlobalCluster Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster Write

cluster*

global-cluster*

RemoveRoleFromDBCluster Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster Write

cluster*

iam:PassRole

RemoveRoleFromDBInstance Grants permission to disassociate an AWS Identity and Access Management (IAM) role from a DB instance Write

db*

iam:PassRole

RemoveSourceIdentifierFromSubscription Grants permission to remove a source identifier from an existing RDS event notification subscription Write

es*

RemoveTagsFromResource Grants permission to remove metadata tags from an Amazon RDS resource Tagging

db

es

og

pg

proxy

ri

secgrp

snapshot

subgrp

target-group

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

ResetDBClusterParameterGroup Grants permission to modify the parameters of a DB cluster parameter group to the default value Write

cluster-pg*

ResetDBParameterGroup Grants permission to modify the parameters of a DB parameter group to the engine/system default value Write

pg*

RestoreDBClusterFromS3 Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket Write

cluster*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

rds:DatabaseEngine

rds:DatabaseName

rds:StorageEncrypted

RestoreDBClusterFromSnapshot Grants permission to create a new DB cluster from a DB cluster snapshot Write

cluster*

iam:PassRole

cluster-snapshot*

og*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RestoreDBClusterToPointInTime Grants permission to restore a DB cluster to an arbitrary point in time Write

cluster*

iam:PassRole

og*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RestoreDBInstanceFromDBSnapshot Grants permission to create a new DB instance from a DB snapshot Write

db*

iam:PassRole

og*

snapshot*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RestoreDBInstanceFromS3 Grants permission to create a new DB instance from an Amazon S3 bucket Write

db*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RestoreDBInstanceToPointInTime Grants permission to restore a DB instance to an arbitrary point in time Write

db*

iam:PassRole

og*

subgrp*

aws:RequestTag/${TagKey}

aws:TagKeys

rds:req-tag/${TagKey}

RevokeDBSecurityGroupIngress Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups Write

secgrp*

StartActivityStream Grants permission to start a database activity stream on a DB cluster Write

cluster*

StartDBCluster Grants permission to start the DB cluster Write

cluster*

StartDBInstance Grants permission to start the DB instance Write

db*

StartExportTask Grants permission to start a new Export task for a DB snapshot Write

iam:PassRole

StopActivityStream Grants permission to stop a database activity stream on a DB cluster Write

cluster*

StopDBCluster Grants permission to stop the DB cluster Write

cluster*

StopDBInstance Grants permission to stop the DB instance Write

db*

Resource types defined by Amazon RDS

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
cluster arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}

aws:ResourceTag/${TagKey}

rds:cluster-tag/${TagKey}

cluster-endpoint arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}

aws:ResourceTag/${TagKey}

cluster-pg arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}

aws:ResourceTag/${TagKey}

rds:cluster-pg-tag/${TagKey}

cluster-snapshot arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}

aws:ResourceTag/${TagKey}

rds:cluster-snapshot-tag/${TagKey}

db arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}

aws:ResourceTag/${TagKey}

rds:DatabaseClass

rds:DatabaseEngine

rds:DatabaseName

rds:MultiAz

rds:Piops

rds:StorageEncrypted

rds:StorageSize

rds:Vpc

rds:db-tag/${TagKey}

es arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}

aws:ResourceTag/${TagKey}

rds:es-tag/${TagKey}

global-cluster arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}
og arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}

aws:ResourceTag/${TagKey}

rds:og-tag/${TagKey}

pg arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}

aws:ResourceTag/${TagKey}

rds:pg-tag/${TagKey}

proxy arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}

aws:ResourceTag/${TagKey}

ri arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}

aws:ResourceTag/${TagKey}

rds:ri-tag/${TagKey}

secgrp arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}

aws:ResourceTag/${TagKey}

rds:secgrp-tag/${TagKey}

snapshot arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}

aws:ResourceTag/${TagKey}

rds:snapshot-tag/${TagKey}

subgrp arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}

aws:ResourceTag/${TagKey}

rds:subgrp-tag/${TagKey}

target arn:${Partition}:rds:${Region}:${Account}:target:${TargetId}
target-group arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}

aws:ResourceTag/${TagKey}
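
The two tables above (resource types per action, and the ARN layout per resource type) are what a reviewer checks a policy against before it ships. The following is an added example, not AWS code and not the IAM policy engine: a small linter that carries a hand-copied subset of the actions table and the ARN layout of the resource types table, and reports statements that name an action without an ARN of each required type, that pair a resource ARN with an action that has no resource-level permissions (and so needs "*"), that contain a malformed RDS ARN, or that grant an action whose dependent action (iam:PassRole) is not granted anywhere. The sample policy, account id and resource names are constructed for the example.

```python
"""Lint an IAM policy against the Amazon RDS action and resource tables above.

Added example, not AWS code and not the IAM policy engine. ACTIONS is a
hand-copied subset of the actions table (required resource types, optional
resource types, dependent actions); ARNs are checked against the layout in the
resource types table, where the Region segment is empty only for global-cluster
and the ARN segment for the 'proxy' resource type is 'db-proxy'.
"""
import fnmatch
from typing import Optional

ACTIONS = {
    "rds:CreateDBInstance": ({"db", "og", "pg", "secgrp", "subgrp"}, set(), {"iam:PassRole"}),
    "rds:CreateDBSnapshot": ({"db", "snapshot"}, set(), set()),
    "rds:DescribeDBClusterEndpoints": ({"cluster-endpoint"}, {"cluster"}, set()),
    "rds:DescribeCertificates": (set(), set(), set()),  # no resource types: Resource must be "*"
    "rds:ModifyDBProxy": ({"proxy"}, set(), {"iam:PassRole"}),
    "rds:AddTagsToResource": (set(), {"db", "es", "og", "pg", "proxy", "ri", "secgrp",
                                      "snapshot", "subgrp", "target-group"}, set()),
}
ARN_SEGMENT_TO_TYPE = {"db-proxy": "proxy"}  # the one ARN segment that differs from the table name


def arn_resource_type(arn: str) -> Optional[str]:
    """Return the resource-types-table name for an RDS ARN, or None if it is malformed."""
    parts = arn.split(":", 6)  # arn:partition:service:region:account:type:name
    if len(parts) != 7 or parts[0] != "arn" or parts[2] != "rds" or not parts[4] or not parts[6]:
        return None
    region, rtype = parts[3], ARN_SEGMENT_TO_TYPE.get(parts[5], parts[5])
    if (rtype == "global-cluster") != (region == ""):  # global databases are the only non-regional type
        return None
    return rtype


def _as_list(value) -> list:
    return [] if value is None else ([value] if isinstance(value, str) else list(value))


def _names(statement: dict, action: str) -> bool:
    """True if the statement's Action element covers the action (wildcards such as rds:* allowed)."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement.get("Action")))


def lint_policy(policy: dict) -> list:
    """Return findings; an empty list means the policy is consistent with the tables."""
    findings = []
    stmts = policy.get("Statement", [])
    allow = [s for s in ([stmts] if isinstance(stmts, dict) else stmts) if s.get("Effect") == "Allow"]

    for s in allow:  # structural check on every RDS ARN, whichever action it is paired with
        for arn in _as_list(s.get("Resource")):
            if arn.split(":")[2:3] == ["rds"] and arn_resource_type(arn) is None:
                findings.append(f"malformed RDS ARN: {arn}")

    for action, (required, optional, dependent) in ACTIONS.items():
        named = [s for s in allow if _names(s, action)]
        if not named:
            continue  # the policy does not grant this action at all
        types = {"*" if arn == "*" else arn_resource_type(arn)
                 for s in named for arn in _as_list(s.get("Resource"))}
        types.discard(None)
        if "*" not in types:  # a wildcard Resource satisfies every row (and is usually too broad)
            if not types:
                findings.append(f"{action}: no Resource ARN applies, so nothing can match")
            elif not required and not optional:
                findings.append(f'{action}: supports no resource-level permissions; Resource must be "*"')
            else:
                for t in sorted(required - types):
                    findings.append(f"{action}: no ARN of required type {t!r} is allowed")
                for t in sorted(types - required - optional):
                    findings.append(f"{action}: an ARN of type {t!r} never applies to this action")
        for dep in sorted(dependent):
            if not any(_names(s, dep) for s in allow):
                findings.append(f"{action}: depends on {dep}, which no Allow statement grants")
    return findings


# Constructed sample policy: the account id and resource names are placeholders.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:CreateDBInstance", "rds:DescribeCertificates"],
        "Resource": "arn:aws:rds:us-east-1:123456789012:db:app-*",
    }],
}

if __name__ == "__main__":
    for finding in lint_policy(EXAMPLE_POLICY):
        print(finding)
```

Run against EXAMPLE_POLICY the linter reports four missing required resource types for CreateDBInstance (og, pg, secgrp, subgrp), the ungranted iam:PassRole dependency, and the db ARN that DescribeCertificates cannot use. When you do grant iam:PassRole to satisfy the Dependent actions column, scope it to the role ARNs RDS may assume and add the iam:PassedToService condition key with the value rds.amazonaws.com, so the permission cannot be reused to hand the same role to another service.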

Condition keys for Amazon RDS

Amazon RDS defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access based on the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access based on tag key-value pairs attached to the resource String
aws:TagKeys Filters access based on the presence of tag keys in the request String
rds:DatabaseClass Filters access by the type of DB instance class String
rds:DatabaseEngine Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API String
rds:DatabaseName Filters access by the user-defined name of the database on the DB instance String
rds:EndpointType Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM String
rds:MultiAz Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true Boolean
rds:Piops Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0 Numeric
rds:StorageEncrypted Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true Boolean
rds:StorageSize Filters access by the storage volume size (in GB) Numeric
rds:Vpc Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true Boolean
rds:cluster-pg-tag/${TagKey} Filters access by the tag attached to a DB cluster parameter group String
rds:cluster-snapshot-tag/${TagKey} Filters access by the tag attached to a DB cluster snapshot String
rds:cluster-tag/${TagKey} Filters access by the tag attached to a DB cluster String
rds:db-tag/${TagKey} Filters access by the tag attached to a DB instance String
rds:es-tag/${TagKey} Filters access by the tag attached to an event subscription String
rds:og-tag/${TagKey} Filters access by the tag attached to a DB option group String
rds:pg-tag/${TagKey} Filters access by the tag attached to a DB parameter group String
rds:req-tag/${TagKey} Filters access by the tag key-value pairs supplied in the request that creates or tags a resource (the RDS-specific counterpart of aws:RequestTag/${TagKey}) String
rds:ri-tag/${TagKey} Filters access by the tag attached to a reserved DB instance String
rds:secgrp-tag/${TagKey} Filters access by the tag attached to a DB security group String
rds:snapshot-tag/${TagKey} Filters access by the tag attached to a DB snapshot String
rds:subgrp-tag/${TagKey} Filters access by the tag attached to a DB subnet group String
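
The condition keys above are only useful once you see how they combine under the allow, explicit-deny and implicit-deny rules, and the multi-valued tag keys (aws:TagKeys) have a well-known trap: a ForAllValues condition is vacuously true when the key is absent from the request. The following is an added example, not AWS code and deliberately much smaller than the real IAM engine: a miniature evaluator that understands Bool, StringEquals, StringLike and Null, the ForAllValues:/ForAnyValue: set prefixes, wildcard Action and Resource matching, and the decision ordering. It is applied to a constructed developer policy that uses rds:StorageEncrypted, rds:DatabaseEngine and rds:DatabaseClass (condition keys of the db resource type, which CreateDBInstance requires), aws:RequestTag/aws:TagKeys at creation time and aws:ResourceTag on existing instances. The policy, account id, ARNs and request contexts are all constructed for the example.

```python
"""Evaluate RDS condition keys with a miniature policy engine (added example, not AWS code).

Supports Bool, StringEquals, StringLike, Null, the ForAllValues:/ForAnyValue: prefixes,
wildcard Action/Resource matching and allow / explicit-deny / implicit-deny ordering.
Policy, ARNs, account id and request contexts below are constructed placeholders.
"""
import fnmatch
from typing import Any

OPERATORS = {  # single-value operators; Bool compares case-insensitively so True and "true" agree
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
    "Bool": lambda actual, expected: str(actual).lower() == str(expected).lower(),
}


def _as_list(value: Any) -> list:
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def condition_matches(condition: dict, ctx: dict) -> bool:
    """All operators and all keys must hold; within one key any listed value suffices."""
    for operator, keys in condition.items():
        set_op, _, base = operator.rpartition(":")  # "ForAllValues:StringEquals" -> prefix, base
        for key, expected in keys.items():
            key = key.lower()  # condition keys are case-insensitive
            if base == "Null":  # "true": key must be absent, "false": key must be present
                if (key in ctx) == (str(expected).lower() == "true"):
                    return False
                continue
            test, wanted, actual = OPERATORS[base], _as_list(expected), _as_list(ctx.get(key))
            hits = [any(test(a, w) for w in wanted) for a in actual]
            if set_op == "ForAllValues":
                ok = all(hits)  # vacuously true when the key is absent from the request!
            else:
                ok = any(hits)  # ForAnyValue and plain operators: an absent key never matches
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one request."""
    ctx = {k.lower(): v for k, v in context.items()}
    stmts = policy["Statement"]
    decision = "implicit-deny"
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(s.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s.get("Resource"))):
            continue
        if not condition_matches(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return "explicit-deny"  # an explicit deny always wins
        decision = "allow"
    return decision


ACCOUNT = "123456789012"  # placeholder
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateEncryptedTaggedInstances", "Effect": "Allow",
         "Action": "rds:CreateDBInstance", "Resource": "*",
         "Condition": {"Bool": {"rds:StorageEncrypted": "true"},
                       "StringEquals": {"rds:DatabaseEngine": ["mysql", "postgres"]},
                       "StringLike": {"rds:DatabaseClass": "db.t3.*"},
                       "Null": {"aws:RequestTag/Owner": "false"},  # Owner tag must be present
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Env"]}}},  # no other keys
        {"Sid": "OperateDevInstances", "Effect": "Allow",
         "Action": ["rds:DeleteDBInstance", "rds:RebootDBInstance"],
         "Resource": f"arn:aws:rds:us-east-1:{ACCOUNT}:db:*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Env": "dev"}}},
        {"Sid": "NeverTouchProd", "Effect": "Deny", "Action": "rds:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Env": "prod"}}},
    ],
}

DB = f"arn:aws:rds:us-east-1:{ACCOUNT}:db:"
CREATE = {"rds:StorageEncrypted": "true", "rds:DatabaseEngine": "postgres",
          "rds:DatabaseClass": "db.t3.medium", "aws:RequestTag/Owner": "alice",
          "aws:TagKeys": ["Owner", "Env"]}
REQUESTS = {  # name: (action, resource ARN, request context); rds:* keys mirror the API parameters
    "create-encrypted-postgres": ("rds:CreateDBInstance", DB + "dev-api", CREATE),
    "create-unencrypted": ("rds:CreateDBInstance", DB + "dev-api", {**CREATE, "rds:StorageEncrypted": "false"}),
    "create-no-tags": ("rds:CreateDBInstance", DB + "dev-api",
                       {k: v for k, v in CREATE.items() if not k.startswith("aws:")}),
    "create-stray-tag-key": ("rds:CreateDBInstance", DB + "dev-api",
                             {**CREATE, "aws:TagKeys": ["Owner", "CostCenter"]}),
    "delete-dev": ("rds:DeleteDBInstance", DB + "dev-api", {"aws:ResourceTag/Env": "dev"}),
    "delete-prod": ("rds:DeleteDBInstance", DB + "prod-ledger", {"aws:ResourceTag/Env": "prod"}),
}


def run_examples() -> dict:
    return {name: evaluate(DEVELOPER_POLICY, *req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:26} {verdict}")
```

The untagged creation request is the instructive case: with only the ForAllValues:StringEquals condition on aws:TagKeys it would be allowed, because an absent key satisfies ForAllValues; the Null condition on aws:RequestTag/Owner is what turns it into an implicit deny. For the real engine, the authoritative check is the IAM policy simulator, for example aws iam simulate-custom-policy with --policy-input-list, --action-names, --resource-arns and --context-entries supplying the same condition key values.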