Change log of AWS IAM permissions

2023-11-11

8 new actions, 4 new resources, 2 new conditions | 13 updated actions

Additions

Actions

CreateIntegration
- Description: Grants permission to create an Aurora zero-ETL integration with Redshift
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: integration
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  rds:req-tag/${TagKey}
- Dependents:
  kms:CreateGrant
  
  kms:DescribeKey
  
  rds:AddTagsToResource
CreateTenantDatabase
- Description: Grants permission to create a new tenant database
- Access: Write
- Resources:
  Name: db
  
  Required: Yes
  
  Name: tenant-database
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
  
  rds:TenantDatabaseName
- Dependents:
  rds:AddTagsToResource
DeleteIntegration
- Description: Grants permission to delete an Aurora zero-ETL integration with Redshift
- Access: Write
- Resources:
  Name: integration
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DeleteTenantDatabase
- Description: Grants permission to delete a tenant database
- Access: Write
- Resources:
  Name: db
  
  Required: Yes
  
  Name: tenant-database
  
  Required: Yes
DescribeDbSnapshotTenantDatabases
- Description: Grants permission to return information about tenant databases in DB snapshots. You can filter by Region or snapshot
- Access: List
- Resources:
  Name: snapshot-tenant-database
  
  Required: Yes
  
  Name: db
  
  Required: No
  
  Name: snapshot
  
  Required: No
DescribeIntegrations
- Description: Grants permission to describe an Aurora zero-ETL integration with Redshift
- Access: List
- Resources:
  Name: integration
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
DescribeTenantDatabases
- Description: Grants permission to return information about provisioned tenant databases. You can filter by Region or snapshot
- Access: List
- Resources:
  Name: tenant-database
  
  Required: Yes
  
  Name: db
  
  Required: No
ModifyTenantDatabase
- Description: Grants permission to modify a tenant database
- Access: Write
- Resources:
  Name: db
  
  Required: Yes
  
  Name: tenant-database
  
  Required: Yes
- Conditions:
  rds:TenantDatabaseName

Resources

auto-backup
- Arn: arn:${Partition}:rds:${Region}:${Account}:auto-backup:${DbInstanceAutomatedBackupId}
integration
- Arn: arn:${Partition}:rds:${Region}:${Account}:integration:${IntegrationIdentifier}
- Conditions:
  aws:ResourceTag/${TagKey}
snapshot-tenant-database
- Arn: arn:${Partition}:rds:${Region}:${Account}:snapshot-tenant-database:${SnapshotName}:${TenantResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
tenant-database
- Arn: arn:${Partition}:rds:${Region}:${Account}:tenant-database:${TenantResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

rds:MultiTenant
- Description: Filters access by the value that specifies whether the DB instance is in the multi-tenant configuration
- Type: String
rds:TenantDatabaseName
- Description: Filters access by the tenant database name in CreateTenantDatabase and by the new tenant database name in ModifyTenantDatabase
- Type: String

Updates

Actions

CreateDBInstance
- ＋ rds:CreateTenantDatabase
- ＋ rds:MultiTenant
ModifyDBInstance
- ＋ rds:AddTagsToResource
- ＋ rds:CreateTenantDatabase
- ＋ rds:MultiTenant
AddTagsToResource
- ＋ integration
- ＋ snapshot-tenant-database
- ＋ tenant-database
CreateDBInstanceReadReplica
- ＋ cluster
- ＋ pg
CreateDBSnapshot
- ＋ snapshot-tenant-database
DeleteDBInstance
- ＋ rds:DeleteTenantDatabase
DeleteDBInstanceAutomatedBackup
- ＋ auto-backup
DescribeDBInstanceAutomatedBackups
- ＋ auto-backup
ListTagsForResource
- ＋ integration
- ＋ snapshot-tenant-database
- ＋ tenant-database
RemoveTagsFromResource
- ＋ integration
- ＋ snapshot-tenant-database
- ＋ tenant-database
RestoreDBInstanceFromDBSnapshot
- ＋ rds:CreateTenantDatabase
RestoreDBInstanceToPointInTime
- ＋ auto-backup
- ＋ rds:CreateTenantDatabase
StartDBInstanceAutomatedBackupsReplication
- ＋ auto-backup

Amazon RDS (rds)

Additions

Updates