Policy Code
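Referenced from: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_rds_tag-owner.html
The first statement allows read-only `rds:Describe*` and `rds:List*` on all resources. Every other statement allows its actions only on resources whose `Owner` tag matches the caller's user name, compared case-insensitively. `${aws:username}` is an IAM policy variable that AWS resolves when it evaluates the request, not a placeholder to fill in by hand. It is populated only for IAM users, so these conditions will not match for assumed-role or federated sessions. Because access depends entirely on the `Owner` tag, restrict who can add or change tags on RDS resources. This policy grants no tagging actions itself.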
1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Action": [
6 "rds:Describe*",
7 "rds:List*"
8 ],
9 "Effect": "Allow",
10 "Resource": "*"
11 },
12 {
13 "Action": [
14 "rds:DeleteDBInstance",
15 "rds:RebootDBInstance",
16 "rds:ModifyDBInstance"
17 ],
18 "Effect": "Allow",
19 "Resource": "*",
20 "Condition": {
21 "StringEqualsIgnoreCase": {"rds:db-tag/Owner": "${aws:username}"}
22 }
23 },
24 {
25 "Action": [
26 "rds:ModifyOptionGroup",
27 "rds:DeleteOptionGroup"
28 ],
29 "Effect": "Allow",
30 "Resource": "*",
31 "Condition": {
32 "StringEqualsIgnoreCase": {"rds:og-tag/Owner": "${aws:username}"}
33 }
34 },
35 {
36 "Action": [
37 "rds:ModifyDBParameterGroup",
38 "rds:ResetDBParameterGroup"
39 ],
40 "Effect": "Allow",
41 "Resource": "*",
42 "Condition": {
43 "StringEqualsIgnoreCase": {"rds:pg-tag/Owner": "${aws:username}"}
44 }
45 },
46 {
47 "Action": [
48 "rds:AuthorizeDBSecurityGroupIngress",
49 "rds:RevokeDBSecurityGroupIngress",
50 "rds:DeleteDBSecurityGroup"
51 ],
52 "Effect": "Allow",
53 "Resource": "*",
54 "Condition": {
55 "StringEqualsIgnoreCase": {"rds:secgrp-tag/Owner": "${aws:username}"}
56 }
57 },
58 {
59 "Action": [
60 "rds:DeleteDBSnapshot",
61 "rds:RestoreDBInstanceFromDBSnapshot"
62 ],
63 "Effect": "Allow",
64 "Resource": "*",
65 "Condition": {
66 "StringEqualsIgnoreCase": {"rds:snapshot-tag/Owner": "${aws:username}"}
67 }
68 },
69 {
70 "Action": [
71 "rds:ModifyDBSubnetGroup",
72 "rds:DeleteDBSubnetGroup"
73 ],
74 "Effect": "Allow",
75 "Resource": "*",
76 "Condition": {
77 "StringEqualsIgnoreCase": {"rds:subgrp-tag/Owner": "${aws:username}"}
78 }
79 },
80 {
81 "Action": [
82 "rds:ModifyEventSubscription",
83 "rds:AddSourceIdentifierToSubscription",
84 "rds:RemoveSourceIdentifierFromSubscription",
85 "rds:DeleteEventSubscription"
86 ],
87 "Effect": "Allow",
88 "Resource": "*",
89 "Condition": {
90 "StringEqualsIgnoreCase": {"rds:es-tag/Owner": "${aws:username}"}
91 }
92 }
93 ]
94}