Permissions for @turbot/aws-rds
The permissions the @turbot/aws-rds mod uses, each mapped to the Turbot grant level (Metadata, ReadOnly, Operator, Admin, Owner, or a separate Whitelist control) that grants it:
Permission | Grant Level | Help |
---|---|---|
cloudwatch:DescribeAlarms | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
cloudwatch:GetMetricData | Metadata | |
cloudwatch:GetMetricStatistics | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
dbqms:CreateFavoriteQuery | Admin | |
dbqms:CreateQueryHistory | Admin | |
dbqms:CreateTab | Admin | |
dbqms:DeleteFavoriteQueries | Admin | |
dbqms:DeleteQueryHistory | Admin | |
dbqms:DeleteTab | Admin | |
dbqms:DescribeFavoriteQueries | Metadata | |
dbqms:DescribeQueryHistory | Metadata | |
dbqms:DescribeTabs | Metadata | |
dbqms:GetQueryString | Metadata | |
dbqms:UpdateFavoriteQuery | Admin | |
dbqms:UpdateQueryHistory | Admin | |
dbqms:UpdateTab | Admin | |
ec2:DescribeAccountAttributes | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
ec2:DescribeAvailabilityZones | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
ec2:DescribeSecurityGroups | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
ec2:DescribeSubnets | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
ec2:DescribeVpcs | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
iam:ListRoles | Metadata | |
iam:PassRole | Admin | Required to pass the Enhanced Monitoring role (e.g. rds-monitoring-role) to RDS when creating or modifying DB instances and clusters. Limited to Admins because PassRole can hand any role the caller is allowed to pass to the service. |
kms:ListAliases | Metadata | |
pi:CreatePerformanceAnalysisReport | Admin | Performance Insights |
pi:DeletePerformanceAnalysisReport | Admin | |
pi:DescribeDimensionKeys | Metadata | |
pi:GetDimensionKeyDetails | Metadata | |
pi:GetPerformanceAnalysisReport | Metadata | |
pi:GetResourceMetadata | Metadata | |
pi:GetResourceMetrics | Metadata | |
pi:ListAvailableResourceDimensions | Metadata | |
pi:ListAvailableResourceMetrics | Metadata | |
pi:ListPerformanceAnalysisReports | Metadata | |
pi:ListTagsForResource | Metadata | |
pi:TagResource | Operator | |
pi:UntagResource | Operator | |
ram:GetResourceShares | Metadata | |
ram:ListResources | Metadata | |
rds-data:BatchExecuteStatement | Admin | |
rds-data:BeginTransaction | Admin | |
rds-data:CommitTransaction | Admin | |
rds-data:ExecuteSql | Admin | |
rds-data:ExecuteStatement | Admin | |
rds-data:RollbackTransaction | Admin | |
rds-db:connect | Admin | |
rds:AddRoleToDBCluster | Admin | |
rds:AddRoleToDBInstance | Admin | |
rds:AddSourceIdentifierToSubscription | Operator | |
rds:AddTagsToResource | Operator | |
rds:ApplyPendingMaintenanceAction | Operator | |
rds:AuthorizeDBSecurityGroupIngress | Admin | You can't authorize ingress from an EC2 security group in one AWS Region to an Amazon RDS DB instance in another. You can't authorize ingress from a VPC security group in one VPC to an Amazon RDS DB instance in another. |
rds:BacktrackDBCluster | Admin | |
rds:CancelExportTask | Admin | |
rds:CopyDBClusterParameterGroup | Admin | |
rds:CopyDBClusterSnapshot | Operator | |
rds:CopyDBParameterGroup | Admin | |
rds:CopyDBSnapshot | Operator | |
rds:CopyOptionGroup | Admin | |
rds:CreateCustomAvailabilityZone | Admin | |
rds:CreateCustomDBEngineVersion | Admin | |
rds:CreateDBCluster | Admin | |
rds:CreateDBClusterEndpoint | Admin | |
rds:CreateDBClusterParameterGroup | Admin | |
rds:CreateDBClusterSnapshot | Operator | |
rds:CreateDBInstance | Admin | |
rds:CreateDBInstanceReadReplica | Admin | |
rds:CreateDBParameterGroup | Admin | |
rds:CreateDBProxy | Admin | |
rds:CreateDBProxyEndpoint | Admin | |
rds:CreateDBSecurityGroup | Admin | DB security groups control access to EC2-Classic DB instances that are not in a VPC; Admins manage them. |
rds:CreateDBSnapshot | Operator | |
rds:CreateDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
rds:CreateEventSubscription | Operator | |
rds:CreateGlobalCluster | Admin | |
rds:CreateOptionGroup | Admin | |
rds:CrossRegionCommunication | Admin | |
rds:DeleteCustomAvailabilityZone | Admin | |
rds:DeleteCustomDBEngineVersion | Admin | |
rds:DeleteDBCluster | Admin | |
rds:DeleteDBClusterEndpoint | Admin | |
rds:DeleteDBClusterParameterGroup | Admin | |
rds:DeleteDBClusterSnapshot | Admin | Deletion of snapshots is limited to Admins even though Operators can create them. |
rds:DeleteDBInstance | Admin | |
rds:DeleteDBInstanceAutomatedBackup | Admin | Admins can delete automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID. |
rds:DeleteDBParameterGroup | Admin | |
rds:DeleteDBProxy | Admin | |
rds:DeleteDBProxyEndpoint | Admin | |
rds:DeleteDBSecurityGroup | Admin | |
rds:DeleteDBSnapshot | Admin | Deletion of snapshots is limited to Admins even though Operators can create them. |
rds:DeleteDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
rds:DeleteEventSubscription | Operator | |
rds:DeleteGlobalCluster | Admin | |
rds:DeleteInstallationMedia | Admin | |
rds:DeleteOptionGroup | Admin | |
rds:DeregisterDBProxyTargets | Admin | |
rds:DescribeAccountAttributes | Metadata | |
rds:DescribeCertificates | Metadata | |
rds:DescribeCustomAvailabilityZones | Metadata | |
rds:DescribeDBClusterBacktracks | Metadata | |
rds:DescribeDBClusterEndpoints | Metadata | |
rds:DescribeDBClusterParameterGroups | Metadata | |
rds:DescribeDBClusterParameters | Metadata | |
rds:DescribeDBClusters | Metadata | |
rds:DescribeDBClusterSnapshotAttributes | Metadata | |
rds:DescribeDBClusterSnapshots | Metadata | |
rds:DescribeDBEngineVersions | Metadata | |
rds:DescribeDBInstanceAutomatedBackups | Metadata | |
rds:DescribeDBInstances | Metadata | |
rds:DescribeDBLogFiles | Metadata | |
rds:DescribeDBParameterGroups | Metadata | |
rds:DescribeDBParameters | Metadata | |
rds:DescribeDBProxies | Metadata | |
rds:DescribeDBProxyEndpoints | Metadata | |
rds:DescribeDBProxyTargetGroups | Metadata | |
rds:DescribeDBProxyTargets | Metadata | |
rds:DescribeDBSecurityGroups | Metadata | |
rds:DescribeDBSnapshotAttributes | Metadata | |
rds:DescribeDBSnapshots | Metadata | |
rds:DescribeDBSubnetGroups | Metadata | |
rds:DescribeEngineDefaultClusterParameters | Metadata | |
rds:DescribeEngineDefaultParameters | Metadata | |
rds:DescribeEventCategories | Metadata | |
rds:DescribeEvents | Metadata | |
rds:DescribeEventSubscriptions | Metadata | |
rds:DescribeExportTasks | Metadata | |
rds:DescribeGlobalClusters | Metadata | |
rds:DescribeInstallationMedia | Metadata | |
rds:DescribeOptionGroupOptions | Metadata | |
rds:DescribeOptionGroups | Metadata | |
rds:DescribeOrderableDBInstanceOptions | Metadata | |
rds:DescribePendingMaintenanceActions | Metadata | |
rds:DescribeRecommendationGroups | Metadata | |
rds:DescribeRecommendations | Metadata | |
rds:DescribeReservedDBInstances | Metadata | |
rds:DescribeReservedDBInstancesOfferings | Metadata | |
rds:DescribeSourceRegions | Metadata | |
rds:DescribeValidDBInstanceModifications | Metadata | |
rds:DownloadCompleteDBLogFile | ReadOnly | |
rds:DownloadDBLogFilePortion | ReadOnly | |
rds:FailoverDBCluster | Operator | |
rds:FailoverGlobalCluster | Operator | |
rds:ImportInstallationMedia | Admin | |
rds:ListTagsForResource | Metadata | |
rds:ModifyCertificates | Admin | |
rds:ModifyCurrentDBClusterCapacity | Admin | Admins can set the capacity of an Aurora Serverless DB cluster to a specific value. |
rds:ModifyCustomDBEngineVersion | Admin | |
rds:ModifyDBCluster | Admin | |
rds:ModifyDBClusterEndpoint | Admin | Admins can modify the properties of an endpoint in an Amazon Aurora DB cluster. |
rds:ModifyDBClusterParameterGroup | Admin | |
rds:ModifyDBClusterSnapshotAttribute | Admin | Can share a manual cluster snapshot with other AWS accounts or make it public, so it is limited to Admins. |
rds:ModifyDBInstance | Admin | |
rds:ModifyDBParameterGroup | Admin | |
rds:ModifyDBProxy | Admin | |
rds:ModifyDBProxyEndpoint | Admin | |
rds:ModifyDBProxyTargetGroup | Admin | |
rds:ModifyDBSnapshot | Operator | Can update a manual DB snapshot's engine version. Currently only supports MySQL. |
rds:ModifyDBSnapshotAttribute | Admin | Can share a manual DB snapshot with other AWS accounts or make it public, so it is limited to Admins. |
rds:ModifyDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
rds:ModifyEventSubscription | Operator | |
rds:ModifyGlobalCluster | Admin | |
rds:ModifyOptionGroup | Admin | |
rds:ModifyRecommendation | Admin | |
rds:PromoteReadReplica | Operator | |
rds:PromoteReadReplicaDBCluster | Operator | |
rds:PurchaseReservedDBInstancesOffering | Owner | |
rds:RebootDBCluster | Operator | |
rds:RebootDBInstance | Operator | |
rds:RegisterDBProxyTargets | Admin | |
rds:RemoveFromGlobalCluster | Admin | |
rds:RemoveRoleFromDBCluster | Admin | |
rds:RemoveRoleFromDBInstance | Admin | |
rds:RemoveSourceIdentifierFromSubscription | Operator | |
rds:RemoveTagsFromResource | Operator | |
rds:ResetDBClusterParameterGroup | Admin | |
rds:ResetDBParameterGroup | Admin | |
rds:RestoreDBClusterFromS3 | Admin | |
rds:RestoreDBClusterFromSnapshot | Admin | |
rds:RestoreDBClusterToPointInTime | Admin | |
rds:RestoreDBInstanceFromDBSnapshot | Admin | |
rds:RestoreDBInstanceFromS3 | Admin | Admins can create a new DB instance from a database backup that was uploaded to Amazon S3 (MySQL backup-file import). |
rds:RestoreDBInstanceToPointInTime | Admin | |
rds:RevokeDBSecurityGroupIngress | Admin | |
rds:StartActivityStream | Operator | |
rds:StartDBCluster | Operator | |
rds:StartDBInstance | Operator | |
rds:StartDBInstanceAutomatedBackupsReplication | Operator | |
rds:StartExportTask | Operator | |
rds:StopActivityStream | Operator | |
rds:StopDBCluster | Operator | |
rds:StopDBInstance | Operator | |
rds:StopDBInstanceAutomatedBackupsReplication | Operator | |
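The table above is only useful in practice if it can be turned into an IAM policy for a given grant level and audited for what a promotion between levels adds. The following is an added example and not part of the @turbot/aws-rds mod or Turbot's own tooling. It assumes the grant levels are cumulative in the order Metadata < ReadOnly < Operator < Admin < Owner (Turbot's convention), treats Whitelist entries as gated separately, embeds a constructed subset of the table as sample data, and constrains iam:PassRole with the real `iam:PassedToService` condition key and an assumed role name of `rds-monitoring-role`.

```python
"""Build least-privilege IAM policy documents from a permission -> grant-level
mapping like the @turbot/aws-rds table.  Added example, not the mod's own code.

Assumptions (not stated on the page): grant levels are cumulative in the order
Metadata < ReadOnly < Operator < Admin < Owner; "Whitelist" entries are gated by
a separate control and are excluded unless requested; the monitoring role is
named rds-monitoring-role.  PERMISSIONS is a constructed subset of the table.
"""
import json

LEVEL_ORDER = ["Metadata", "ReadOnly", "Operator", "Admin", "Owner"]

# Constructed subset of the page's table: permission -> grant level.
PERMISSIONS = {
    "rds:DescribeDBInstances": "Metadata",
    "rds:DescribeDBSnapshots": "Metadata",
    "rds:DownloadCompleteDBLogFile": "ReadOnly",
    "rds:DownloadDBLogFilePortion": "ReadOnly",
    "rds:CreateDBSnapshot": "Operator",
    "rds:RebootDBInstance": "Operator",
    "rds:StartExportTask": "Operator",
    "rds:DeleteDBSnapshot": "Admin",
    "rds:ModifyDBSnapshotAttribute": "Admin",
    "rds:CreateDBInstance": "Admin",
    "iam:PassRole": "Admin",
    "rds:PurchaseReservedDBInstancesOffering": "Owner",
    "rds:CreateDBSubnetGroup": "Whitelist",
}


def actions_for_level(level, include_whitelist=False):
    """Return the sorted list of actions granted at `level` (cumulative)."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown grant level: {level}")
    allowed = set(LEVEL_ORDER[: LEVEL_ORDER.index(level) + 1])
    if include_whitelist:
        allowed.add("Whitelist")
    return sorted(p for p, lvl in PERMISSIONS.items() if lvl in allowed)


def build_policy(level, include_whitelist=False):
    """Produce an IAM policy document for the given grant level.

    iam:PassRole gets its own statement scoped to the monitoring role and
    constrained with iam:PassedToService, so the role can only be passed to
    RDS and not to another service (the classic PassRole escalation path).
    """
    actions = actions_for_level(level, include_whitelist)
    plain = [a for a in actions if a != "iam:PassRole"]
    statements = []
    if plain:
        statements.append(
            {"Sid": f"Rds{level}", "Effect": "Allow", "Action": plain, "Resource": "*"}
        )
    if "iam:PassRole" in actions:
        statements.append(
            {
                "Sid": "PassRoleToRdsOnly",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                # Assumed role name; adjust to the account's monitoring role.
                "Resource": "arn:aws:iam::*:role/rds-monitoring-role",
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "rds.amazonaws.com"}
                },
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def escalation_delta(lower, higher):
    """Actions that promoting a principal from `lower` to `higher` adds."""
    return sorted(set(actions_for_level(higher)) - set(actions_for_level(lower)))


if __name__ == "__main__":
    print(json.dumps(build_policy("Operator"), indent=2))
    print("Operator -> Admin adds:", escalation_delta("Operator", "Admin"))
```

Running it prints an Operator policy that can snapshot, reboot and export but cannot delete or share snapshots, and lists exactly which destructive or sharing actions an Admin promotion adds; that delta is the set to review before granting Admin.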