Amazon RDS - DB Access Control

To access an Amazon RDS DB instance, a user needs specific permissions. These are configured using AWS IAM (Identity and Access Management). In this tutorial we will see how this configuration is done.

The configuration involves two parts.

  • Authentication

  • Access Control

Authentication

It involves creating the username and password and generating the access keys for the user. With the help of an access key, it is possible to access the AWS RDS service programmatically. The SDK and CLI tools use the access keys to cryptographically sign each request.

We can also use an IAM role to authenticate a user. The role is not attached to any specific user; rather, any user can assume the role temporarily and complete the required task. After the task is over the role can be revoked and the user loses the authentication ability.

Access Control

After a user is authenticated, a policy attached to that user determines the type of tasks the user can carry out. Below is an example of a policy that allows the creation of an RDS DB instance, on a t2.micro instance for the DB engine MySQL.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateDBInstanceOnly",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBInstance"
            ],
            "Resource": [
                "arn:aws:rds:*:123456789012:db:test*",
                "arn:aws:rds:*:123456789012:og:default*",
                "arn:aws:rds:*:123456789012:pg:default*",
                "arn:aws:rds:*:123456789012:subgrp:default"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:DatabaseEngine": "mysql",
                    "rds:DatabaseClass": "db.t2.micro"
                }
            }
        }
    ]
}

Action on Any RDS Resource

In the below example we see a policy that allows any describe action on any RDS resource. The * symbol is used to represent any resource.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowRDSDescribe",
         "Effect":"Allow",
         "Action":"rds:Describe*",
         "Resource":"*"
      }
   ]
}

Disallow deleting a DB Instance

The below policy disallows a user from deleting a specific DB instance.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyDelete1",
         "Effect":"Deny",
         "Action":"rds:DeleteDBInstance",
         "Resource":"arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"
      }
   ]
}
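
How the three statements above interact when attached to the same user, as an added example that is not part of the original tutorial. It is a simplified model of IAM evaluation (identity policies only, StringEquals only, one resource per request), not AWS's own engine; `evaluate`, `ALLOW_ALL` and the `test-1` ARN are assumptions made for illustration.

```python
import fnmatch

# The three statements from this page, combined as if attached to one user.
STATEMENTS = [
    {"Sid": "AllowCreateDBInstanceOnly", "Effect": "Allow",
     "Action": ["rds:CreateDBInstance"],
     "Resource": ["arn:aws:rds:*:123456789012:db:test*",
                  "arn:aws:rds:*:123456789012:og:default*",
                  "arn:aws:rds:*:123456789012:pg:default*",
                  "arn:aws:rds:*:123456789012:subgrp:default"],
     "Condition": {"StringEquals": {"rds:DatabaseEngine": "mysql",
                                    "rds:DatabaseClass": "db.t2.micro"}}},
    {"Sid": "AllowRDSDescribe", "Effect": "Allow",
     "Action": "rds:Describe*", "Resource": "*"},
    {"Sid": "DenyDelete1", "Effect": "Deny", "Action": "rds:DeleteDBInstance",
     "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"},
]
# Hypothetical broad grant (not on the page) used to show Deny winning over Allow.
ALLOW_ALL = {"Sid": "HypotheticalAllowAll", "Effect": "Allow",
             "Action": "rds:*", "Resource": "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, context):
    # Action names are compared case-insensitively, ARNs case-sensitively.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Only StringEquals is modelled: every listed key must be present and equal.
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(k) == v for k, v in wanted.items())

def evaluate(action, resource, context=None, statements=STATEMENTS):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    hits = [s for s in statements if _matches(s, action, resource, context or {})]
    if any(s["Effect"] == "Deny" for s in hits):
        return "ExplicitDeny"   # an explicit Deny overrides any matching Allow
    return "Allow" if hits else "ImplicitDeny"

if __name__ == "__main__":
    prod = "arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"
    test_db = "arn:aws:rds:us-west-2:123456789012:db:test-1"   # constructed ARN
    mysql = {"rds:DatabaseEngine": "mysql", "rds:DatabaseClass": "db.t2.micro"}
    print(evaluate("rds:CreateDBInstance", test_db, mysql))
    print(evaluate("rds:CreateDBInstance", test_db, {**mysql, "rds:DatabaseEngine": "postgres"}))
    print(evaluate("rds:DeleteDBInstance", prod, statements=STATEMENTS + [ALLOW_ALL]))
```

A request that no statement matches ends as an implicit deny, which is why the Deny statement only matters once some other policy grants rds:DeleteDBInstance.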
