An IAM policy that allows tag owners full access to RDS resources that they have tagged (Tag key: Owner, Tag Value: <IAM username>). This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DeleteDBInstance",
                "rds:RebootDBInstance",
                "rds:ModifyDBInstance"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:db-tag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Action": [
                "rds:ModifyOptionGroup",
                "rds:DeleteOptionGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:og-tag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Action": [
                "rds:ModifyDBParameterGroup",
                "rds:ResetDBParameterGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:pg-tag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Action": [
                "rds:AuthorizeDBSecurityGroupIngress",
                "rds:RevokeDBSecurityGroupIngress",
                "rds:DeleteDBSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:secgrp-tag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Action": [
                "rds:DeleteDBSnapshot",
                "rds:RestoreDBInstanceFromDBSnapshot"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:snapshot-tag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Action": [
                "rds:ModifyDBSubnetGroup",
                "rds:DeleteDBSubnetGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:subgrp-tag/Owner": "${aws:username}"
                }
            }
        },
        {
            "Action": [
                "rds:ModifyEventSubscription",
                "rds:AddSourceIdentifierToSubscription",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:DeleteEventSubscription"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:es-tag/Owner": "${aws:username}"
                }
            }
        }
    ]
}

Actions



Customize Template

No policy variables to customize
* Required field