Actions, resources, and condition keys for Amazon RDS
Amazon RDS (service prefix: rds
) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon RDS
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource
element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource
element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition
element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AddRoleToDBCluster | Grants permission to associate an Identity and Access Management (IAM) role from an Aurora DB cluster | Write |
iam:PassRole |
||
AddRoleToDBInstance | Grants permission to associate an AWS Identity and Access Management (IAM) role with a DB instance | Write |
iam:PassRole |
||
AddSourceIdentifierToSubscription | Grants permission to add a source identifier to an existing RDS event notification subscription | Write | |||
AddTagsToResource | Grants permission to add metadata tags to an Amazon RDS resource | Tagging | |||
ApplyPendingMaintenanceAction | Grants permission to apply a pending maintenance action to a resource | Write | |||
AuthorizeDBSecurityGroupIngress | Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization | Permissions management | |||
BacktrackDBCluster | Grants permission to backtrack a DB cluster to a specific time, without creating a new DB cluster | Write | |||
CancelExportTask | Grants permission to cancel an export task in progress | Write | |||
CopyCustomDBEngineVersion [permission only] | Grants permission to copy a custom engine version | Write | |||
CopyDBClusterParameterGroup | Grants permission to copy the specified DB cluster parameter group | Write |
rds:AddTagsToResource |
||
CopyDBClusterSnapshot | Grants permission to create a snapshot of a DB cluster | Write |
rds:AddTagsToResource |
||
CopyDBParameterGroup | Grants permission to copy the specified DB parameter group | Write |
rds:AddTagsToResource |
||
CopyDBSnapshot | Grants permission to copy the specified DB snapshot | Write |
rds:AddTagsToResource rds:CopyCustomDBEngineVersion |
||
CopyOptionGroup | Grants permission to copy the specified option group | Write |
rds:AddTagsToResource |
||
CreateBlueGreenDeployment | Grants permission to create a blue-green deployment for a given source cluster or instance | Write |
rds:AddTagsToResource rds:CreateDBCluster rds:CreateDBClusterEndpoint rds:CreateDBInstance rds:CreateDBInstanceReadReplica |
||
CreateCustomDBEngineVersion | Grants permission to create a custom engine version | Write |
iam:CreateServiceLinkedRole mediaimport:CreateDatabaseBinarySnapshot rds:AddTagsToResource |
||
CreateDBCluster | Grants permission to create a new DB cluster | Write |
iam:PassRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey rds:AddTagsToResource rds:CreateDBInstance secretsmanager:CreateSecret secretsmanager:TagResource |
||
CreateDBClusterEndpoint | Grants permission to create a new custom endpoint and associates it with an Amazon Aurora DB cluster or Amazon DocumentDB cluster | Write |
rds:AddTagsToResource |
||
CreateDBClusterParameterGroup | Grants permission to create a new DB cluster parameter group | Write |
rds:AddTagsToResource |
||
CreateDBClusterSnapshot | Grants permission to create a snapshot of a DB cluster | Write |
rds:AddTagsToResource |
||
CreateDBInstance | Grants permission to create a new DB instance | Write |
iam:PassRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey rds:AddTagsToResource rds:CreateTenantDatabase secretsmanager:CreateSecret secretsmanager:TagResource |
||
CreateDBInstanceReadReplica | Grants permission to create a DB instance that acts as a Read Replica of a source DB instance | Write |
iam:PassRole rds:AddTagsToResource |
||
CreateDBParameterGroup | Grants permission to create a new DB parameter group | Write |
rds:AddTagsToResource |
||
CreateDBProxy | Grants permission to create a database proxy | Write |
iam:PassRole |
||
CreateDBProxyEndpoint | Grants permission to create a database proxy endpoint | Write | |||
CreateDBSecurityGroup | Grants permission to create a new DB security group. DB security groups control access to a DB instance | Write |
rds:AddTagsToResource |
||
CreateDBShardGroup | Grants permission to create a new Aurora Limitless Database DB shard group | Write | |||
CreateDBSnapshot | Grants permission to create a DBSnapshot | Write |
rds:AddTagsToResource |
||
CreateDBSubnetGroup | Grants permission to create a new DB subnet group | Write |
rds:AddTagsToResource |
||
CreateEventSubscription | Grants permission to create an RDS event notification subscription | Write |
rds:AddTagsToResource |
||
CreateGlobalCluster | Grants permission to create an Aurora global database or DocumentDB global database spread across multiple regions | Write | |||
CreateIntegration | Grants permission to create an Aurora zero-ETL integration with Redshift | Write |
kms:CreateGrant kms:DescribeKey rds:AddTagsToResource |
||
CreateOptionGroup | Grants permission to create a new option group | Write |
rds:AddTagsToResource |
||
CreateTenantDatabase | Grants permission to create a new tenant database | Write |
rds:AddTagsToResource |
||
CrossRegionCommunication [permission only] | Grants permission to access a resource in the remote Region when executing cross-Region operations, such as cross-Region snapshot copy or cross-Region read replica creation | Write | |||
DeleteBlueGreenDeployment | Grants permission to delete blue green deployments | Write |
rds:DeleteDBCluster rds:DeleteDBClusterEndpoint rds:DeleteDBInstance rds:PromoteReadReplica rds:PromoteReadReplicaDBCluster |
||
DeleteCustomDBEngineVersion | Grants permission to delete an existing custom engine version | Write | |||
DeleteDBCluster | Grants permission to delete a previously provisioned DB cluster | Write |
rds:AddTagsToResource rds:CreateDBClusterSnapshot rds:DeleteDBInstance |
||
DeleteDBClusterAutomatedBackup | Grants permission to delete cluster automated backups based on the source cluster's DbClusterResourceId value or the restorable cluster's resource ID | Write | |||
DeleteDBClusterEndpoint | Grants permission to delete a custom endpoint and removes it from an Amazon Aurora DB cluster or Amazon DocumentDB cluster | Write | |||
DeleteDBClusterParameterGroup | Grants permission to delete a specified DB cluster parameter group | Write | |||
DeleteDBClusterSnapshot | Grants permission to delete a DB cluster snapshot | Write | |||
DeleteDBInstance | Grants permission to delete a previously provisioned DB instance | Write |
rds:AddTagsToResource rds:CreateDBSnapshot rds:DeleteTenantDatabase |
||
DeleteDBInstanceAutomatedBackup | Grants permission to delete automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID | Write | |||
DeleteDBParameterGroup | Grants permission to delete a specified DBParameterGroup | Write | |||
DeleteDBProxy | Grants permission to delete a database proxy | Write | |||
DeleteDBProxyEndpoint | Grants permission to delete a database proxy endpoint | Write | |||
DeleteDBSecurityGroup | Grants permission to delete a DB security group | Write | |||
DeleteDBShardGroup | Grants permission to delete an Aurora Limitless Database DB shard group | Write | |||
DeleteDBSnapshot | Grants permission to delete a DBSnapshot | Write | |||
DeleteDBSubnetGroup | Grants permission to delete a DB subnet group | Write | |||
DeleteEventSubscription | Grants permission to delete an RDS event notification subscription | Write | |||
DeleteGlobalCluster | Grants permission to delete a global database cluster | Write | |||
DeleteIntegration | Grants permission to delete an Aurora zero-ETL integration with Redshift | Write | |||
DeleteOptionGroup | Grants permission to delete an existing option group | Write | |||
DeleteTenantDatabase | Grants permission to delete a tenant database | Write |
rds:AddTagsToResource rds:CreateDBSnapshot |
||
DeregisterDBProxyTargets | Grants permission to remove targets from a database proxy target group | Write | |||
DescribeAccountAttributes | Grants permission to list all of the attributes for a customer account | List | |||
DescribeBlueGreenDeployments | Grants permission to describe blue green deployments | List | |||
DescribeCertificates | Grants permission to list the set of CA certificates provided by Amazon RDS for this AWS account | List | |||
DescribeDBClusterAutomatedBackups | Grants permission to return a list of cluster automated backups for both current and deleted clusters | List | |||
DescribeDBClusterBacktracks | Grants permission to return information about backtracks for a DB cluster | List | |||
DescribeDBClusterEndpoints | Grants permission to return information about endpoints for an Amazon Aurora DB cluster | List | |||
DescribeDBClusterParameterGroups | Grants permission to return a list of DBClusterParameterGroup descriptions | List | |||
DescribeDBClusterParameters | Grants permission to return the detailed parameter list for a particular DB cluster parameter group | List | |||
DescribeDBClusterSnapshotAttributes | Grants permission to return a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot | List | |||
DescribeDBClusterSnapshots | Grants permission to return information about DB cluster snapshots | List | |||
DescribeDBClusters | Grants permission to return information about provisioned Aurora DB clusters or DocumentDB clusters | List | |||
DescribeDBEngineVersions | Grants permission to return a list of the available DB engines | List | |||
DescribeDBInstanceAutomatedBackups | Grants permission to return a list of automated backups for both current and deleted instances | List | |||
DescribeDBInstances | Grants permission to return information about provisioned RDS instances | List | |||
DescribeDBLogFiles | Grants permission to return a list of DB log files for the DB instance | List | |||
DescribeDBParameterGroups | Grants permission to return a list of DBParameterGroup descriptions | List | |||
DescribeDBParameters | Grants permission to return the detailed parameter list for a particular DB parameter group | List | |||
DescribeDBProxies | Grants permission to view proxies | List | |||
DescribeDBProxyEndpoints | Grants permission to view proxy endpoints | List | |||
DescribeDBProxyTargetGroups | Grants permission to view database proxy target group details | List | |||
DescribeDBProxyTargets | Grants permission to view database proxy target details | List | |||
DescribeDBRecommendations | Grants permission to list recommendation details | List | |||
DescribeDBSecurityGroups | Grants permission to return a list of DBSecurityGroup descriptions | List | |||
DescribeDBShardGroups | Grants permission to return information about all Aurora Limitless Database DB shard groups for this account. You can filter by shard group(s) | List | |||
DescribeDBSnapshotAttributes | Grants permission to return a list of DB snapshot attribute names and values for a manual DB snapshot | List | |||
DescribeDBSnapshotTenantDatabases | Grants permission to return information about tenant databases in DB snapshots. You can filter by Region or snapshot | List | |||
DescribeDBSnapshots | Grants permission to return information about DB snapshots | List | |||
DescribeDBSubnetGroups | Grants permission to return a list of DBSubnetGroup descriptions | List | |||
DescribeEngineDefaultClusterParameters | Grants permission to return the default engine and system parameter information for the cluster database engine | List | |||
DescribeEngineDefaultParameters | Grants permission to return the default engine and system parameter information for the specified database engine | List | |||
DescribeEventCategories | Grants permission to display a list of categories for all event source types, or, if specified, for a specified source type | List | |||
DescribeEventSubscriptions | Grants permission to list all the subscription descriptions for a customer account | List | |||
DescribeEvents | Grants permission to return events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days | List | |||
DescribeExportTasks | Grants permission to return information about the export tasks | List | |||
DescribeGlobalClusters | Grants permission to return information about Aurora global database clusters or DocumentDB global database clusters | List | |||
DescribeIntegrations | Grants permission to describe an Aurora zero-ETL integration with Redshift | List | |||
DescribeOptionGroupOptions | Grants permission to describe all available options | List | |||
DescribeOptionGroups | Grants permission to describe the available option groups | List | |||
DescribeOrderableDBInstanceOptions | Grants permission to return a list of orderable DB instance options for the specified engine | List | |||
DescribePendingMaintenanceActions | Grants permission to return a list of resources (for example, DB instances) that have at least one pending maintenance action | List | |||
DescribeRecommendationGroups [permission only] | Grants permission to return information about recommendation groups | Read | |||
DescribeRecommendations [permission only] | Grants permission to return information about recommendations | Read | |||
DescribeReservedDBInstances | Grants permission to return information about reserved DB instances for this account, or about a specified reserved DB instance | List | |||
DescribeReservedDBInstancesOfferings | Grants permission to list available reserved DB instance offerings | List | |||
DescribeSourceRegions | Grants permission to return a list of the source AWS Regions where the current AWS Region can create a Read Replica or copy a DB snapshot from | List | |||
DescribeTenantDatabases | Grants permission to return information about provisioned tenant databases. You can filter by Region or snapshot | List | |||
DescribeValidDBInstanceModifications | Grants permission to list available modifications you can make to your DB instance | List | |||
DisableHttpEndpoint | Grants permission to disable http endpoint for a DB cluster | Write | |||
DownloadCompleteDBLogFile | Grants permission to download specified log file | Read | |||
DownloadDBLogFilePortion | Grants permission to download all or a portion of the specified log file, up to 1 MB in size | Read | |||
EnableHttpEndpoint | Grants permission to enable http endpoint for a DB cluster | Write | |||
FailoverDBCluster | Grants permission to force a failover for a DB cluster | Write | |||
FailoverGlobalCluster | Grants permission to failover a global cluster | Write | |||
ListTagsForResource | Grants permission to list all tags on an Amazon RDS resource | Read | |||
ModifyActivityStream | Grants permission to modify a database activity stream | Write | |||
ModifyCertificates | Grants permission to modify the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances | Write | |||
ModifyCurrentDBClusterCapacity | Grants permission to modify current cluster capacity for an Amazon Aurora Serverless DB cluster | Write | |||
ModifyCustomDBEngineVersion | Grants permission to modify an existing custom engine version | Write | |||
ModifyDBCluster | Grants permission to modify a setting for an Amazon Aurora DB cluster or Amazon DocumentDB cluster | Write |
iam:PassRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey rds:ModifyDBInstance secretsmanager:CreateSecret secretsmanager:RotateSecret secretsmanager:TagResource |
||
ModifyDBClusterEndpoint | Grants permission to modify the properties of an endpoint in an Amazon Aurora DB cluster or Amazon DocumentDB cluster | Write | |||
ModifyDBClusterParameterGroup | Grants permission to modify the parameters of a DB cluster parameter group | Write | |||
ModifyDBClusterSnapshotAttribute | Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot | Write | |||
ModifyDBInstance | Grants permission to modify settings for a DB instance | Write |
iam:PassRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey rds:AddTagsToResource rds:CreateTenantDatabase secretsmanager:CreateSecret secretsmanager:RotateSecret secretsmanager:TagResource |
||
ModifyDBParameterGroup | Grants permission to modify the parameters of a DB parameter group | Write | |||
ModifyDBProxy | Grants permission to modify database proxy | Write |
iam:PassRole |
||
ModifyDBProxyEndpoint | Grants permission to modify database proxy endpoint | Write | |||
ModifyDBProxyTargetGroup | Grants permission to modify target group for a database proxy | Write | |||
ModifyDBRecommendation | Grants permission to modify recommendation | Write | |||
ModifyDBShardGroup | Grants permission to modify properties of an Aurora Limitless Database DB shard group | Write | |||
ModifyDBSnapshot | Grants permission to update a manual DB snapshot, which can be encrypted or not encrypted, with a new engine version | Write | |||
ModifyDBSnapshotAttribute | Grants permission to add an attribute and values to, or removes an attribute and values from, a manual DB snapshot | Write | |||
ModifyDBSubnetGroup | Grants permission to modify an existing DB subnet group | Write | |||
ModifyEventSubscription | Grants permission to modify an existing RDS event notification subscription | Write | |||
ModifyGlobalCluster | Grants permission to modify a setting for an Amazon Aurora global cluster or Amazon DocumentDB global cluster | Write | |||
ModifyIntegration | Grants permission to modify an Aurora zero-ETL integration with Redshift | Write | |||
ModifyOptionGroup | Grants permission to modify an existing option group | Write |
iam:PassRole |
||
ModifyRecommendation [permission only] | Grants permission to modify recommendation | Write | |||
ModifyTenantDatabase | Grants permission to modify a tenant database | Write | |||
PromoteReadReplica | Grants permission to promote a Read Replica DB instance to a standalone DB instance | Write | |||
PromoteReadReplicaDBCluster | Grants permission to promote a Read Replica DB cluster to a standalone DB cluster | Write | |||
PurchaseReservedDBInstancesOffering | Grants permission to purchase a reserved DB instance offering | Write | |||
RebootDBCluster | Grants permission to reboot a previously provisioned DB cluster | Write |
rds:RebootDBInstance |
||
RebootDBInstance | Grants permission to restart the database engine service | Write | |||
RebootDBShardGroup | Grants permission to reboot an Aurora Limitless Database DB shard group | Write | |||
RegisterDBProxyTargets | Grants permission to add targets to a database proxy target group | Write | |||
RemoveFromGlobalCluster | Grants permission to detach an Aurora secondary cluster from an Aurora global database cluster or DocumentDB global cluster | Write | |||
RemoveRoleFromDBCluster | Grants permission to disassociate an AWS Identity and Access Management (IAM) role from an Amazon Aurora DB cluster | Write |
iam:PassRole |
||
RemoveRoleFromDBInstance | Grants permission to disassociate an AWS Identity and Access Management (IAM) role from a DB instance | Write |
iam:PassRole |
||
RemoveSourceIdentifierFromSubscription | Grants permission to remove a source identifier from an existing RDS event notification subscription | Write | |||
RemoveTagsFromResource | Grants permission to remove metadata tags from an Amazon RDS resource | Tagging | |||
ResetDBClusterParameterGroup | Grants permission to modify the parameters of a DB cluster parameter group to the default value | Write | |||
ResetDBParameterGroup | Grants permission to modify the parameters of a DB parameter group to the engine/system default value | Write | |||
RestoreDBClusterFromS3 | Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket | Write |
iam:PassRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey rds:AddTagsToResource secretsmanager:CreateSecret secretsmanager:TagResource |
||
RestoreDBClusterFromSnapshot | Grants permission to create a new DB cluster from a DB cluster snapshot | Write |
iam:PassRole rds:AddTagsToResource rds:CreateDBInstance |
||
RestoreDBClusterToPointInTime | Grants permission to restore a DB cluster to an arbitrary point in time | Write |
iam:PassRole rds:AddTagsToResource rds:CreateDBInstance |
||
RestoreDBInstanceFromDBSnapshot | Grants permission to create a new DB instance from a DB snapshot | Write |
iam:PassRole rds:AddTagsToResource rds:CreateTenantDatabase |
||
RestoreDBInstanceFromS3 | Grants permission to create a new DB instance from an Amazon S3 bucket | Write |
iam:PassRole kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey rds:AddTagsToResource secretsmanager:CreateSecret secretsmanager:TagResource |
||
RestoreDBInstanceToPointInTime | Grants permission to restore a DB instance to an arbitrary point in time | Write |
iam:PassRole rds:AddTagsToResource rds:CreateTenantDatabase |
||
RevokeDBSecurityGroupIngress | Grants permission to revoke ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups | Write | |||
StartActivityStream | Grants permission to start Activity Stream | Write | |||
StartDBCluster | Grants permission to start the DB cluster | Write | |||
StartDBInstance | Grants permission to start the DB instance | Write | |||
StartDBInstanceAutomatedBackupsReplication | Grants permission to start replication of automated backups to a different AWS Region | Write | |||
StartExportTask | Grants permission to start a new Export task for a DB snapshot | Write |
iam:PassRole |
||
StopActivityStream | Grants permission to stop Activity Stream | Write | |||
StopDBCluster | Grants permission to stop the DB cluster | Write | |||
StopDBInstance | Grants permission to stop the DB instance | Write |
rds:AddTagsToResource rds:CreateDBSnapshot |
||
StopDBInstanceAutomatedBackupsReplication | Grants permission to stop automated backup replication for a DB instance | Write | |||
SwitchoverBlueGreenDeployment | Grants permission to switch a blue-green deployment from source instance or cluster to target | Write |
rds:ModifyDBCluster rds:ModifyDBInstance rds:PromoteReadReplica rds:PromoteReadReplicaDBCluster |
||
SwitchoverGlobalCluster | Grants permission to switchover a global cluster | Write | |||
SwitchoverReadReplica | Grants permission to switch over a read replica, making it the new primary database | Write |
Resource types defined by Amazon RDS
The following resource types are defined by this service and can be used in the Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
cluster |
arn:${Partition}:rds:${Region}:${Account}:cluster:${DbClusterInstanceName}
|
|
shardgrp |
arn:${Partition}:rds:${Region}:${Account}:shard-group:${DbShardGroupResourceId}
|
|
cluster-auto-backup |
arn:${Partition}:rds:${Region}:${Account}:cluster-auto-backup:${DbClusterAutomatedBackupId}
|
|
auto-backup |
arn:${Partition}:rds:${Region}:${Account}:auto-backup:${DbInstanceAutomatedBackupId}
|
|
cluster-endpoint |
arn:${Partition}:rds:${Region}:${Account}:cluster-endpoint:${DbClusterEndpoint}
|
|
cluster-pg |
arn:${Partition}:rds:${Region}:${Account}:cluster-pg:${ClusterParameterGroupName}
|
|
cluster-snapshot |
arn:${Partition}:rds:${Region}:${Account}:cluster-snapshot:${ClusterSnapshotName}
|
|
db |
arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}
|
|
es |
arn:${Partition}:rds:${Region}:${Account}:es:${SubscriptionName}
|
|
global-cluster |
arn:${Partition}:rds::${Account}:global-cluster:${GlobalCluster}
|
|
og |
arn:${Partition}:rds:${Region}:${Account}:og:${OptionGroupName}
|
|
pg |
arn:${Partition}:rds:${Region}:${Account}:pg:${ParameterGroupName}
|
|
proxy |
arn:${Partition}:rds:${Region}:${Account}:db-proxy:${DbProxyId}
|
|
proxy-endpoint |
arn:${Partition}:rds:${Region}:${Account}:db-proxy-endpoint:${DbProxyEndpointId}
|
|
ri |
arn:${Partition}:rds:${Region}:${Account}:ri:${ReservedDbInstanceName}
|
|
secgrp |
arn:${Partition}:rds:${Region}:${Account}:secgrp:${SecurityGroupName}
|
|
snapshot |
arn:${Partition}:rds:${Region}:${Account}:snapshot:${SnapshotName}
|
|
subgrp |
arn:${Partition}:rds:${Region}:${Account}:subgrp:${SubnetGroupName}
|
|
target-group |
arn:${Partition}:rds:${Region}:${Account}:target-group:${TargetGroupId}
|
|
cev |
arn:${Partition}:rds:${Region}:${Account}:cev:${Engine}/${EngineVersion}/${CustomDbEngineVersionId}
|
|
deployment |
arn:${Partition}:rds:${Region}:${Account}:deployment:${BlueGreenDeploymentIdentifier}
|
|
integration |
arn:${Partition}:rds:${Region}:${Account}:integration:${IntegrationIdentifier}
|
|
snapshot-tenant-database |
arn:${Partition}:rds:${Region}:${Account}:snapshot-tenant-database:${SnapshotName}:${TenantResourceId}
|
|
tenant-database |
arn:${Partition}:rds:${Region}:${Account}:tenant-database:${TenantResourceId}
|
Condition keys for Amazon RDS
Amazon RDS defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the set of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the set of tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by the set of tag keys in the request | ArrayOfString |
rds:BackupTarget | Filters access by the type of backup target. One of: region, outposts | String |
rds:CopyOptionGroup | Filters access by the value that specifies whether the CopyDBSnapshot action requires copying the DB option group | Bool |
rds:DatabaseClass | Filters access by the type of DB instance class | String |
rds:DatabaseEngine | Filters access by the database engine. For possible values refer to the engine parameter in CreateDBInstance API | String |
rds:DatabaseName | Filters access by the user-defined name of the database on the DB instance | String |
rds:EndpointType | Filters access by the type of the endpoint. One of: READER, WRITER, CUSTOM | String |
rds:ManageMasterUserPassword | Filters access by the value that specifies whether RDS manages master user password in AWS Secrets Manager for the DB instance or cluster | Bool |
rds:MultiAz | Filters access by the value that specifies whether the DB instance runs in multiple Availability Zones. To indicate that the DB instance is using Multi-AZ, specify true | Bool |
rds:Piops | Filters access by the value that contains the number of Provisioned IOPS (PIOPS) that the instance supports. To indicate a DB instance that does not have PIOPS enabled, specify 0 | Numeric |
rds:StorageEncrypted | Filters access by the value that specifies whether the DB instance storage should be encrypted. To enforce storage encryption, specify true | Bool |
rds:StorageSize | Filters access by the storage volume size (in GB) | Numeric |
rds:TenantDatabaseName | Filters access by the tenant database name in CreateTenantDatabase and by the new tenant database name in ModifyTenantDatabase | String |
rds:Vpc | Filters access by the value that specifies whether the DB instance runs in an Amazon Virtual Private Cloud (Amazon VPC). To indicate that the DB instance runs in an Amazon VPC, specify true | Bool |
rds:cluster-pg-tag/${TagKey} | Filters access by the tag attached to a DB cluster parameter group | String |
rds:cluster-snapshot-tag/${TagKey} | Filters access by the tag attached to a DB cluster snapshot | String |
rds:cluster-tag/${TagKey} | Filters access by the tag attached to a DB cluster | String |
rds:db-tag/${TagKey} | Filters access by the tag attached to a DB instance | String |
rds:es-tag/${TagKey} | Filters access by the tag attached to an event subscription | String |
rds:og-tag/${TagKey} | Filters access by the tag attached to a DB option group | String |
rds:pg-tag/${TagKey} | Filters access by the tag attached to a DB parameter group | String |
rds:req-tag/${TagKey} | Filters access by the set of tag keys and values that can be used to tag a resource | String |
rds:ri-tag/${TagKey} | Filters access by the tag attached to a reserved DB instance | String |
rds:secgrp-tag/${TagKey} | Filters access by the tag attached to a DB security group | String |
rds:snapshot-tag/${TagKey} | Filters access by the tag attached to a DB snapshot | String |
rds:subgrp-tag/${TagKey} | Filters access by the tag attached to a DB subnet group | String |