Hi,
From the description, it looks like you want to use the RDS API RestoreDBClusterToPointInTime to restore a cluster to a specific time in the past as a new stand-alone cluster.
You want to know how to make rds:RestoreDBClusterToPointInTime one-way by defining the source and target in the policy. Correct me if I have understood wrong.
Based on what I have researched so far, we do not have a way to define such a source and target in the policy. One question I have is that when restoring from a source cluster to a new cluster, the target should not have been created yet, right? Thus only the source needs access; for the target, it is creating a new cluster.
If the above is correct then you might be able to define the policy separately.
For example:
For action "rds:CreateDBInstance", attach only the resources that need to be attached; you may exclude the source cluster as you only need to restore from it.
For action "rds:RestoreDBClusterToPointInTime", attach only the instance that you need to restore from.
You may also add a tag to the cluster and define it in the policy.
Some links I found helpful:
- Amazon RDS identity-based policy examples - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/security_iam_id-based-policy-examples.html
- Controlling access to AWS resources using tags - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
Best practice would be to grant least privilege, following:
- Security best practices in IAM - Grant least privilege - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
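The following identity-based policy is an added example illustrating the approach described in the answer above; it is not part of the original post and not an AWS-published policy. It scopes rds:RestoreDBClusterToPointInTime to one tagged source cluster plus a target cluster whose name must start with a fixed prefix, and scopes rds:CreateDBInstance to instances created under that same prefix. The account ID (111122223333), region (us-east-1), cluster and instance names, the tag key "restore-source", and the default parameter group, option group and subnet group ARNs are all constructed placeholders; replace them with your own values. Which option/parameter/subnet group ARNs are actually required depends on the parameters passed in the restore and create calls, so check the RDS actions and resources reference before deploying.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestoreOnlyFromTaggedSourceCluster",
      "Effect": "Allow",
      "Action": "rds:RestoreDBClusterToPointInTime",
      "Resource": "arn:aws:rds:us-east-1:111122223333:cluster:prod-cluster",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/restore-source": "true"
        }
      }
    },
    {
      "Sid": "RestoreTargetMustUseRestoredPrefix",
      "Effect": "Allow",
      "Action": "rds:RestoreDBClusterToPointInTime",
      "Resource": [
        "arn:aws:rds:us-east-1:111122223333:cluster:restored-*",
        "arn:aws:rds:us-east-1:111122223333:pg:default*",
        "arn:aws:rds:us-east-1:111122223333:og:default*",
        "arn:aws:rds:us-east-1:111122223333:subgrp:default"
      ]
    },
    {
      "Sid": "CreateInstancesOnlyInRestoredCluster",
      "Effect": "Allow",
      "Action": "rds:CreateDBInstance",
      "Resource": [
        "arn:aws:rds:us-east-1:111122223333:db:restored-*",
        "arn:aws:rds:us-east-1:111122223333:cluster:restored-*",
        "arn:aws:rds:us-east-1:111122223333:pg:default*",
        "arn:aws:rds:us-east-1:111122223333:og:default*",
        "arn:aws:rds:us-east-1:111122223333:subgrp:default"
      ]
    },
    {
      "Sid": "DescribeForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM authorizes each resource ARN in a request separately, so the source cluster only matches the first statement (tag required) while the new cluster only matches the second (name prefix required); the source cluster ARN never appears in the rds:CreateDBInstance statement, so instances cannot be added to it with this policy. Before relying on it, run the IAM policy simulator or a test restore with a non-matching cluster name and confirm the call is denied.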