V11 SP8

Amazon Web Services User Permissions for RDS Backups and Restores

You can assign Amazon user permissions by creating a policy as described in Overview of IAM Policies. You can download the amazon_permission_backup_restore.json file and use it on the AWS command line to apply all of the permissions listed in this topic.

For more information about Amazon permissions, see Amazon RDS API Reference, Amazon Elastic Compute Cloud API Reference or Amazon Simple Storage Service API Reference.

For non-admin users, you must set the following permissions in the Amazon Web Services (AWS) user policy to enable support for backups and restores of Amazon RDS instances.

To perform backup and restore operations on an Amazon RDS instance, the user must have the following permissions:

For RDS, the following permissions are required:

  • rds:CopyDBClusterSnapshot - copies a database cluster snapshot
  • rds:CopyDBSnapshot - copies a database snapshot that is in the available state
  • rds:CreateDBClusterSnapshot - creates a snapshot of a database cluster
  • rds:CreateDBInstance - creates a database instance
  • rds:DeleteDBClusterSnapshot - deletes a database cluster snapshot
  • rds:DescribeDBClusters - provides information about the provisioned database clusters
  • rds:DescribeDBClusterSnapshots - provides information about the database cluster snapshots
  • rds:DeleteDBInstance - deletes a database instance
  • rds:DeleteDBSnapshot - deletes a database snapshot
  • rds:DescribeDBInstances - provides information about the database instances
  • rds:DescribeDBSnapshots - provides information about the database snapshots
  • rds:RestoreDBInstanceFromDBSnapshot - restores a database instance from a snapshot
  • rds:RestoreDBClusterFromSnapshot - creates a new database cluster from a database cluster snapshot

For Elastic Compute Cloud (EC2) operations, the following permissions are required:

  • ec2:DescribeAccountAttributes - gets information about attributes of the AWS account
  • ec2:DescribeAvailabilityZones - gets information about availability zones
  • ec2:DescribeRegions - gets information about available regions
  • ec2:DescribeSecurityGroups - gets information about security groups for the AWS account
  • ec2:DescribeSnapshotAttribute - gets information about attributes of a snapshot
  • ec2:DescribeSubnets - gets information about subnets
  • ec2:DescribeVpcs - gets information about VPCs

For Simple Notification Service (SNS) operations, the following permissions are required:

  • sns:ListSubscriptions - gets the subscriptions
  • sns:ListTopics - gets a list of the topics

For CloudWatch Logs (logs) operations, the following permissions are required:

  • logs:DescribeLogStreams - gets the log streams that are associated with a log group
  • logs:GetLogEvents - gets the log events for the specified stream

For Identity and Access Management (IAM) operations, the following permission is required:

  • iam:GetAccountAuthorizationDetails - gets IAM account authorization details

Example

Create a custom policy that grants the permissions listed above.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:CopyDBSnapshot",
        "rds:CreateDBSnapshot",
        "rds:DeleteDBInstance",
        "rds:DeleteDBSnapshot",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:CopyDBClusterSnapshot",
        "rds:DeleteDBClusterSnapshot",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshots",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:CreateDBInstance",
        "rds:CreateDBClusterSnapshot",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "iam:GetAccountAuthorizationDetails"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
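Before attaching a policy like the one above, it is worth checking that it actually covers every permission in the list and contains nothing else, since a mistyped action name silently grants nothing and an extra one silently grants more than the backup user needs. The following Python script is an added example, not part of the Commvault documentation or its downloadable policy file. It compares a policy document against the permission list from this page using only the standard library, so it runs offline. The sample policy embedded in it is constructed for the demonstration: it has one mistyped action (sns:GetLogEvents), leaves out two listed permissions, and uses mixed-case "Logs:" prefixes. The script assumes IAM matches action names case-insensitively with * and ? wildcards; the function and variable names are the example's own.

```python
"""Check an IAM policy document against the RDS backup/restore permission list.

Added example (not Commvault's code); standard library only.
"""
import fnmatch
import json

# Permissions named on this page. rds:CreateDBSnapshot appears only in the
# page's example policy, so it is included here as well.
REQUIRED_ACTIONS = frozenset({
    "rds:CopyDBClusterSnapshot", "rds:CopyDBSnapshot",
    "rds:CreateDBClusterSnapshot", "rds:CreateDBInstance",
    "rds:CreateDBSnapshot", "rds:DeleteDBClusterSnapshot",
    "rds:DeleteDBInstance", "rds:DeleteDBSnapshot",
    "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots",
    "rds:DescribeDBInstances", "rds:DescribeDBSnapshots",
    "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBInstanceFromDBSnapshot",
    "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSnapshotAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "sns:ListSubscriptions", "sns:ListTopics",
    "logs:DescribeLogStreams", "logs:GetLogEvents",
    "iam:GetAccountAuthorizationDetails",
})

# Constructed sample policy: one mistyped action ("sns:GetLogEvents"),
# ec2:DescribeSnapshotAttribute and sns:ListTopics left out, mixed-case "Logs:".
SAMPLE_POLICY = r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:CopyDBSnapshot", "rds:CreateDBSnapshot", "rds:DeleteDBInstance",
        "rds:DeleteDBSnapshot", "rds:DescribeDBInstances", "rds:DescribeDBSnapshots",
        "rds:RestoreDBInstanceFromDBSnapshot", "rds:CopyDBClusterSnapshot",
        "rds:DeleteDBClusterSnapshot", "rds:DescribeDBClusters",
        "rds:DescribeDBClusterSnapshots", "rds:RestoreDBClusterFromSnapshot",
        "rds:CreateDBInstance", "rds:CreateDBClusterSnapshot",
        "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets", "ec2:DescribeVpcs",
        "sns:ListSubscriptions", "sns:GetLogEvents",
        "Logs:DescribeLogStreams", "Logs:GetLogEvents",
        "iam:GetAccountAuthorizationDetails"
      ],
      "Resource": "*"
    }
  ]
}
"""


def _as_list(value):
    """Statement, Action and Resource may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Assumed IAM matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_action_patterns(policy):
    """Collect Action patterns from Allow statements (NotAction is not expanded)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Report required actions not granted, granted patterns that match nothing
    required (typos or excess privilege), wildcard actions, and how many Allow
    statements use Resource "*"."""
    patterns = allowed_action_patterns(policy)
    missing = sorted(a for a in required
                     if not any(action_matches(p, a) for p in patterns))
    unexpected = sorted(p for p in patterns
                        if not any(action_matches(p, a) for a in required))
    wildcard_actions = sorted(p for p in patterns if "*" in p or "?" in p)
    wildcard_resources = sum(
        1 for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")))
    return {"missing": missing, "unexpected": unexpected,
            "wildcard_actions": wildcard_actions,
            "wildcard_resource_statements": wildcard_resources}


def check_policy_text(policy_json):
    """Same check for a policy held as a JSON string (e.g. a file's contents)."""
    return check_policy(json.loads(policy_json))


def check_sample():
    """Run the check against the constructed sample policy."""
    return check_policy_text(SAMPLE_POLICY)


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

For the constructed sample the report lists ec2:DescribeSnapshotAttribute and sns:ListTopics as missing and sns:GetLogEvents as unexpected, while the mixed-case "Logs:" entries are accepted. The wildcard counts are informational only: the page's policy uses Resource "*", and whether to narrow that to specific RDS resources is a decision for the account owner.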