Question 108034 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Restrict access to resources in AWS based on name

I am trying to restrict the user to have access to only the resources starting with a particular string. For example, I would like to restrict the user with all permissions to only RDS instances starting with "new-database-change". Basically, in regex it would be "new-database-change-*". The application is far ahead and we missed using tags. Is there anyway we could do this without tags?
Something of the following would do.

 {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds:RestoreDBClusterToPointInTime",
                "rds-db:connect",
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance"
            ],
            "Resource": "new-database-change-*"
        }

The AWS currently takes the literal "*" and not the regex.

Tags:

2

Answers


  1. 0

    You should be able to do this with a wildcard resource and a restricted policy condition, for example:

    "Resource": "*",
"Condition": {"StringLike": {"rds:DatabaseName": "new-database-change-*"}}
    Login or Signup to reply.
  2. 0

    I don’t think you can do this.

    In reviewing Actions, resources, and condition keys for Amazon RDS – Service Authorization Reference:

    • AddTagsToResource does not take rds:DatabaseName as a Condition
    • DescribeDBInstances and DescribeDBClusters do not take any conditions — they always returns ALL results
    • RestoreDBClusterToPointInTime does not take rds:DatabaseName as a Condition

    Not sure about rds-db:connect — it can accept an ARN, but not sure if it can accept a database name.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search