Permissions for @turbot/aws-rds
Taking a look at permissions and associated grant levels for each permission for RDS:
| Permission | Grant Level | Help |
|---|---|---|
| cloudwatch:DescribeAlarms | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| cloudwatch:GetMetricData | Metadata | |
| cloudwatch:GetMetricStatistics | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| dbqms:CreateFavoriteQuery | Admin | |
| dbqms:CreateQueryHistory | Admin | |
| dbqms:CreateTab | Admin | |
| dbqms:DeleteFavoriteQueries | Admin | |
| dbqms:DeleteQueryHistory | Admin | |
| dbqms:DeleteTab | Admin | |
| dbqms:DescribeFavoriteQueries | Metadata | |
| dbqms:DescribeQueryHistory | Metadata | |
| dbqms:DescribeTabs | Metadata | |
| dbqms:GetQueryString | Metadata | |
| dbqms:UpdateFavoriteQuery | Admin | |
| dbqms:UpdateQueryHistory | Admin | |
| dbqms:UpdateTab | Admin | |
| ec2:DescribeAccountAttributes | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeAvailabilityZones | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeSecurityGroups | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeSubnets | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| ec2:DescribeVpcs | Metadata | http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html |
| iam:ListRoles | Metadata | |
| iam:PassRole | Admin | Required to attach rds-monitoring-role while creating new rds clusters. |
| kms:ListAliases | Metadata | |
| pi:CreatePerformanceAnalysisReport | Admin | Performance Insights |
| pi:DeletePerformanceAnalysisReport | Admin | |
| pi:DescribeDimensionKeys | Metadata | |
| pi:GetDimensionKeyDetails | Metadata | |
| pi:GetPerformanceAnalysisReport | Metadata | |
| pi:GetResourceMetadata | Metadata | |
| pi:GetResourceMetrics | Metadata | |
| pi:ListAvailableResourceDimensions | Metadata | |
| pi:ListAvailableResourceMetrics | Metadata | |
| pi:ListPerformanceAnalysisReports | Metadata | |
| pi:ListTagsForResource | Metadata | |
| pi:TagResource | Operator | |
| pi:UntagResource | Operator | |
| ram:GetResourceShares | Metadata | |
| ram:ListResources | Metadata | |
| rds-data:BatchExecuteStatement | Admin | |
| rds-data:BeginTransaction | Admin | |
| rds-data:CommitTransaction | Admin | |
| rds-data:ExecuteSql | Admin | |
| rds-data:ExecuteStatement | Admin | |
| rds-data:RollbackTransaction | Admin | |
| rds-db:connect | Admin | |
| rds:AddRoleToDBCluster | Admin | |
| rds:AddRoleToDBInstance | Admin | |
| rds:AddSourceIdentifierToSubscription | Operator | |
| rds:AddTagsToResource | Operator | |
| rds:ApplyPendingMaintenanceAction | Operator | |
| rds:AuthorizeDBSecurityGroupIngress | Admin | You can't authorize ingress from an EC2 security group in one AWS Region to an Amazon RDS DB instance in another. You can't authorize ingress from a VPC security group in one VPC to an Amazon RDS DB instance in another. |
| rds:BacktrackDBCluster | Admin | |
| rds:CancelExportTask | Admin | |
| rds:CopyDBClusterParameterGroup | Admin | |
| rds:CopyDBClusterSnapshot | Operator | |
| rds:CopyDBParameterGroup | Admin | |
| rds:CopyDBSnapshot | Operator | |
| rds:CopyOptionGroup | Admin | |
| rds:CreateCustomAvailabilityZone | Admin | |
| rds:CreateCustomDBEngineVersion | Admin | |
| rds:CreateDBCluster | Admin | |
| rds:CreateDBClusterEndpoint | Admin | |
| rds:CreateDBClusterParameterGroup | Admin | |
| rds:CreateDBClusterSnapshot | Operator | |
| rds:CreateDBInstance | Admin | |
| rds:CreateDBInstanceReadReplica | Admin | |
| rds:CreateDBParameterGroup | Admin | |
| rds:CreateDBProxy | Admin | |
| rds:CreateDBProxyEndpoint | Admin | |
| rds:CreateDBSecurityGroup | Admin | Admin can manage DB security group controls access to EC2-Classic DB instances that are not in a VPC. |
| rds:CreateDBSnapshot | Operator | |
| rds:CreateDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
| rds:CreateEventSubscription | Operator | |
| rds:CreateGlobalCluster | Admin | |
| rds:CreateOptionGroup | Admin | |
| rds:CrossRegionCommunication | Admin | |
| rds:DeleteCustomAvailabilityZone | Admin | |
| rds:DeleteCustomDBEngineVersion | Admin | |
| rds:DeleteDBCluster | Admin | |
| rds:DeleteDBClusterEndpoint | Admin | |
| rds:DeleteDBClusterParameterGroup | Admin | |
| rds:DeleteDBClusterSnapshot | Admin | Deletion of snapshots is limited to Admins even though Operators can create them. |
| rds:DeleteDBInstance | Admin | |
| rds:DeleteDBInstanceAutomatedBackup | Admin | Admins can delete automated backups based on the source instance's DbiResourceId value or the restorable instance's resource ID. |
| rds:DeleteDBParameterGroup | Admin | |
| rds:DeleteDBProxy | Admin | |
| rds:DeleteDBProxyEndpoint | Admin | |
| rds:DeleteDBSecurityGroup | Admin | |
| rds:DeleteDBSnapshot | Admin | Deletion of snapshots is limited to Admins even though Operators can create them. |
| rds:DeleteDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
| rds:DeleteEventSubscription | Operator | |
| rds:DeleteGlobalCluster | Admin | |
| rds:DeleteInstallationMedia | Admin | |
| rds:DeleteOptionGroup | Admin | |
| rds:DeregisterDBProxyTargets | Admin | |
| rds:DescribeAccountAttributes | Metadata | |
| rds:DescribeCertificates | Metadata | |
| rds:DescribeCustomAvailabilityZones | Metadata | |
| rds:DescribeDBClusterBacktracks | Metadata | |
| rds:DescribeDBClusterEndpoints | Metadata | |
| rds:DescribeDBClusterParameterGroups | Metadata | |
| rds:DescribeDBClusterParameters | Metadata | |
| rds:DescribeDBClusters | Metadata | |
| rds:DescribeDBClusterSnapshotAttributes | Metadata | |
| rds:DescribeDBClusterSnapshots | Metadata | |
| rds:DescribeDBEngineVersions | Metadata | |
| rds:DescribeDBInstanceAutomatedBackups | Metadata | |
| rds:DescribeDBInstances | Metadata | |
| rds:DescribeDBLogFiles | Metadata | |
| rds:DescribeDBParameterGroups | Metadata | |
| rds:DescribeDBParameters | Metadata | |
| rds:DescribeDBProxies | Metadata | |
| rds:DescribeDBProxyEndpoints | Metadata | |
| rds:DescribeDBProxyTargetGroups | Metadata | |
| rds:DescribeDBProxyTargets | Metadata | |
| rds:DescribeDBSecurityGroups | Metadata | |
| rds:DescribeDBSnapshotAttributes | Metadata | |
| rds:DescribeDBSnapshots | Metadata | |
| rds:DescribeDBSubnetGroups | Metadata | |
| rds:DescribeEngineDefaultClusterParameters | Metadata | |
| rds:DescribeEngineDefaultParameters | Metadata | |
| rds:DescribeEventCategories | Metadata | |
| rds:DescribeEvents | Metadata | |
| rds:DescribeEventSubscriptions | Metadata | |
| rds:DescribeExportTasks | Metadata | |
| rds:DescribeGlobalClusters | Metadata | |
| rds:DescribeInstallationMedia | Metadata | |
| rds:DescribeOptionGroupOptions | Metadata | |
| rds:DescribeOptionGroups | Metadata | |
| rds:DescribeOrderableDBInstanceOptions | Metadata | |
| rds:DescribePendingMaintenanceActions | Metadata | |
| rds:DescribeRecommendationGroups | Metadata | |
| rds:DescribeRecommendations | Metadata | |
| rds:DescribeReservedDBInstances | Metadata | |
| rds:DescribeReservedDBInstancesOfferings | Metadata | |
| rds:DescribeSourceRegions | Metadata | |
| rds:DescribeValidDBInstanceModifications | Metadata | |
| rds:DownloadCompleteDBLogFile | ReadOnly | |
| rds:DownloadDBLogFilePortion | ReadOnly | |
| rds:FailoverDBCluster | Operator | |
| rds:FailoverGlobalCluster | Operator | |
| rds:ImportInstallationMedia | Admin | |
| rds:ListTagsForResource | Metadata | |
| rds:ModifyCertificates | Admin | |
| rds:ModifyCurrentDBClusterCapacity | Admin | Admins can set the capacity of an Aurora Serverless DB cluster to a specific value. |
| rds:ModifyCustomDBEngineVersion | Admin | |
| rds:ModifyDBCluster | Admin | |
| rds:ModifyDBClusterEndpoint | Admin | Admins can modify the properties of an endpoint in an Amazon Aurora DB cluster. |
| rds:ModifyDBClusterParameterGroup | Admin | |
| rds:ModifyDBClusterSnapshotAttribute | Admin | Allows for cross-account access. |
| rds:ModifyDBInstance | Admin | |
| rds:ModifyDBParameterGroup | Admin | |
| rds:ModifyDBProxy | Admin | |
| rds:ModifyDBProxyEndpoint | Admin | |
| rds:ModifyDBProxyTargetGroup | Admin | |
| rds:ModifyDBSnapshot | Operator | Can update a manual DB snapshot's engine version. Currently only supports MySQL. |
| rds:ModifyDBSnapshotAttribute | Admin | Allows for cross-account access. |
| rds:ModifyDBSubnetGroup | Whitelist | Permission controlled by AWS > RDS > Subnet Group Management |
| rds:ModifyEventSubscription | Operator | |
| rds:ModifyGlobalCluster | Admin | |
| rds:ModifyOptionGroup | Admin | |
| rds:ModifyRecommendation | Admin | |
| rds:PromoteReadReplica | Operator | |
| rds:PromoteReadReplicaDBCluster | Operator | |
| rds:PurchaseReservedDBInstancesOffering | Owner | |
| rds:RebootDBCluster | Operator | |
| rds:RebootDBInstance | Operator | |
| rds:RegisterDBProxyTargets | Admin | |
| rds:RemoveFromGlobalCluster | Admin | |
| rds:RemoveRoleFromDBCluster | Admin | |
| rds:RemoveRoleFromDBInstance | Admin | |
| rds:RemoveSourceIdentifierFromSubscription | Operator | |
| rds:RemoveTagsFromResource | Operator | |
| rds:ResetDBClusterParameterGroup | Admin | |
| rds:ResetDBParameterGroup | Admin | |
| rds:RestoreDBClusterFromS3 | Admin | |
| rds:RestoreDBClusterFromSnapshot | Admin | |
| rds:RestoreDBClusterToPointInTime | Admin | |
| rds:RestoreDBInstanceFromDBSnapshot | Admin | |
| rds:RestoreDBInstanceFromS3 | Admin | Admin can create backup of there database and store it in s3. |
| rds:RestoreDBInstanceToPointInTime | Admin | |
| rds:RevokeDBSecurityGroupIngress | Admin | |
| rds:StartActivityStream | Operator | |
| rds:StartDBCluster | Operator | |
| rds:StartDBInstance | Operator | |
| rds:StartDBInstanceAutomatedBackupsReplication | Operator | |
| rds:StartExportTask | Operator | |
| rds:StopActivityStream | Operator | |
| rds:StopDBCluster | Operator | |
| rds:StopDBInstance | Operator | |
| rds:StopDBInstanceAutomatedBackupsReplication | Operator |