Amazon Web Services User Permissions for RDS Backups and Restores
You can assign Amazon user permissions by creating a policy as described in Overview of IAM Policies. You can download the amazon_permission_backup_restore.json file and use it on the AWS command line to apply all of the permissions listed in this topic.
For non-admin users, you must set the following permissions in the Amazon Web Services (AWS) user policy to enable support for backups and restores of Amazon RDS instances. The permissions span several services (RDS, EC2, SNS, CloudWatch Logs and IAM), so each group is listed separately.
For RDS, the following permissions are required:
- rds:CopyDBClusterSnapshot - copies a database cluster snapshot
- rds:CopyDBSnapshot - copies a database snapshot that is in an available state
- rds:CreateDBClusterSnapshot - creates a snapshot of a database cluster
- rds:CreateDBInstance - creates a database instance
- rds:DeleteDBClusterSnapshot - deletes a database cluster snapshot
- rds:DescribeDBClusters - provides information about the provisioned database clusters
- rds:DescribeDBClusterSnapshots - provides information about the database cluster snapshots
- rds:DeleteDBInstance - deletes a database instance
- rds:DeleteDBSnapshot - deletes a database snapshot
- rds:DescribeDBInstances - provides information about the database instances
- rds:DescribeDBSnapshots - provides information about the database snapshots
- rds:RestoreDBInstanceFromDBSnapshot - restores a database instance from a snapshot
- rds:RestoreDBClusterFromSnapshot - creates a new database cluster from a database cluster snapshot
For EC2, the following permissions are required:
- ec2:DescribeAccountAttributes - provides information about the attributes of the AWS account
- ec2:DescribeAvailabilityZones - provides information about availability zones
- ec2:DescribeRegions - provides information about available regions
- ec2:DescribeSecurityGroups - provides information about the security groups for the AWS account
- ec2:DescribeSnapshotAttribute - provides information about the attributes of a snapshot
- ec2:DescribeSubnets - provides information about subnets
- ec2:DescribeVpcs - provides information about VPCs
For SNS, the following permissions are required:
- sns:ListSubscriptions - lists the subscriptions
- sns:ListTopics - lists the topics
For CloudWatch Logs (logs), the following permissions are required:
- logs:DescribeLogStreams - lists the log streams that are associated with a log group
- logs:GetLogEvents - retrieves the log events for the specified stream
For IAM, the following permission is required:
- iam:GetAccountAuthorizationDetails - retrieves IAM account authorization details
Create a custom policy that has the permissions.
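The following script is an added example (not part of this documentation and not Commvault's or AWS's own code). It builds an IAM policy document containing exactly the actions listed above, and provides a check that reports which of the required actions an existing policy document does not grant, taking into account that IAM action names are matched case-insensitively and may use `*` and `?` wildcards. The `Resource: "*"` value is an assumption that mirrors a broad service policy; narrow it to specific ARNs where an action supports resource-level permissions. The check only evaluates `Allow` statements with an `Action` element; it does not evaluate `Deny`, `NotAction` or conditions, so treat its result as a coverage check, not a full authorization simulation.

```python
import fnmatch
import json

# The permissions listed on this page, in the same order and grouping
# (constructed from the page's list; keep this in sync with the documentation).
REQUIRED_ACTIONS = [
    "rds:CopyDBClusterSnapshot",
    "rds:CopyDBSnapshot",
    "rds:CreateDBClusterSnapshot",
    "rds:CreateDBInstance",
    "rds:DeleteDBClusterSnapshot",
    "rds:DescribeDBClusters",
    "rds:DescribeDBClusterSnapshots",
    "rds:DeleteDBInstance",
    "rds:DeleteDBSnapshot",
    "rds:DescribeDBInstances",
    "rds:DescribeDBSnapshots",
    "rds:RestoreDBInstanceFromDBSnapshot",
    "rds:RestoreDBClusterFromSnapshot",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSnapshotAttribute",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "sns:ListSubscriptions",
    "sns:ListTopics",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "iam:GetAccountAuthorizationDetails",
]


def build_policy(actions=REQUIRED_ACTIONS, resource="*"):
    """Return an IAM policy document that allows exactly the given actions.

    Resource "*" is an assumption for this example; replace it with ARNs
    where the action supports resource-level permissions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RdsBackupRestore",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": resource,
            }
        ],
    }


def policy_json(actions=REQUIRED_ACTIONS, resource="*"):
    """Serialize the policy so it can be saved to a file for the AWS CLI."""
    return json.dumps(build_policy(actions, resource), indent=2)


def allowed_action_patterns(policy):
    """Collect the action patterns from every Allow statement.

    IAM accepts "Action" as either a single string or a list of strings;
    both forms are normalized to a flat list here.
    """
    patterns = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow pattern in the policy matches.

    Action names are compared case-insensitively, and "*" / "?" wildcards in
    the policy are honoured (e.g. "rds:Describe*" covers rds:DescribeDBInstances).
    Deny statements, NotAction and Condition blocks are not evaluated.
    """
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    return [
        action
        for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pattern) for pattern in patterns)
    ]


if __name__ == "__main__":
    # Write the full policy and confirm it covers every required action.
    print(policy_json())
    print("missing:", missing_actions(build_policy()))
```

Save the printed document to a file and create the managed policy with `aws iam create-policy --policy-name <policy-name> --policy-document file://<path-to-file>` (the policy name and path are placeholders). Run `missing_actions()` against a policy you already have (for example, one that only grants `rds:Describe*`) to see which backup or restore actions it still lacks before attaching it to the backup user.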