
Amazon RDS - DB Access Control
To access an Amazon RDS DB instance, a user needs specific permissions. These are configured using AWS IAM (Identity and Access Management). In this tutorial we will see how this configuration is done.
The configuration involves two parts.
Authentication
Access Control
Authentication
It involves creating the username and password and generating access keys for the user. With the access keys it is possible to access the AWS RDS service programmatically: the SDK and CLI tools use the access keys to cryptographically sign each request.
We can also use an IAM Role to authenticate a user. The role is not attached to any specific user; rather, a user assumes the role temporarily to complete the required task. After the task is over the role can be revoked and the user loses the authentication ability.
Access Control
After a user is authenticated, the policy attached to that user determines the type of tasks the user can carry out. Below is an example of a policy that allows the creation of an RDS DB instance on a t2.micro instance (class db.t2.micro) for the MySQL DB engine. Note that the only policy language versions IAM accepts are "2012-10-17" and the older "2008-10-17"; the Version field below uses the current one.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateDBInstanceOnly",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance"
      ],
      "Resource": [
        "arn:aws:rds:*:123456789012:db:test*",
        "arn:aws:rds:*:123456789012:og:default*",
        "arn:aws:rds:*:123456789012:pg:default*",
        "arn:aws:rds:*:123456789012:subgrp:default"
      ],
      "Condition": {
        "StringEquals": {
          "rds:DatabaseEngine": "mysql",
          "rds:DatabaseClass": "db.t2.micro"
        }
      }
    }
  ]
}
```
Action on Any RDS Resource
In the example below, the policy allows any Describe action on any RDS resource. The * symbol represents any resource; in the Action field it likewise matches any action name beginning with rds:Describe.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDSDescribe",
      "Effect": "Allow",
      "Action": "rds:Describe*",
      "Resource": "*"
    }
  ]
}
```
Disallow deleting a DB Instance
The policy below prevents a user from deleting one specific DB instance. Because an explicit Deny overrides any Allow, the instance stays protected even if another policy attached to the user grants rds:DeleteDBInstance.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDelete1",
      "Effect": "Deny",
      "Action": "rds:DeleteDBInstance",
      "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"
    }
  ]
}
```
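To see how the three policies on this page combine, here is an added example (not part of the tutorial and not AWS code) that applies simplified IAM evaluation logic to them: a matching explicit Deny wins, otherwise a matching Allow wins, otherwise the request is implicitly denied. It models only wildcard matching and the StringEquals condition, and checks one resource ARN per call, whereas a real CreateDBInstance request is authorised against several ARNs at once.

```python
import fnmatch

ACCOUNT = "123456789012"  # sample account id as used in the page's policies

# The page's three policies as Python dicts (Version omitted; it does not affect matching).
POLICIES = [
    {"Statement": [{"Sid": "AllowCreateDBInstanceOnly", "Effect": "Allow",
                    "Action": ["rds:CreateDBInstance"],
                    "Resource": [f"arn:aws:rds:*:{ACCOUNT}:db:test*",
                                 f"arn:aws:rds:*:{ACCOUNT}:og:default*",
                                 f"arn:aws:rds:*:{ACCOUNT}:pg:default*",
                                 f"arn:aws:rds:*:{ACCOUNT}:subgrp:default"],
                    "Condition": {"StringEquals": {"rds:DatabaseEngine": "mysql",
                                                   "rds:DatabaseClass": "db.t2.micro"}}}]},
    {"Statement": [{"Sid": "AllowRDSDescribe", "Effect": "Allow",
                    "Action": "rds:Describe*", "Resource": "*"}]},
    {"Statement": [{"Sid": "DenyDelete1", "Effect": "Deny", "Action": "rds:DeleteDBInstance",
                    "Resource": f"arn:aws:rds:us-west-2:{ACCOUNT}:db:my-mysql-instance"}]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' as a wildcard; action names are case-insensitive, ARNs are not.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one action on one ARN.
    Simplified IAM logic: only the StringEquals operator is modelled (hypothetical helper)."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches([a.lower() for a in _as_list(stmt["Action"])], action.lower()):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            wanted = stmt.get("Condition", {}).get("StringEquals", {})
            if any(context.get(key) != val for key, val in wanted.items()):
                continue  # condition not satisfied: this statement does not apply
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision
```

Running evaluate with the page's policies shows that creating a MySQL db.t2.micro instance named test-db is allowed, the same request for a PostgreSQL engine or a non-test* name is implicitly denied, and deleting my-mysql-instance is explicitly denied even when an rds:* Allow is added.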