IAM permissions required for rds:RestoreDBClusterToPointInTime


Hi there,

I am trying to figure out the required permissions for a role to call rds:RestoreDBClusterToPointInTime. https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBClusterToPointInTime.html gives me some clue, but I am not sure what I came up with is safe. I am trying to clone an Aurora MySQL 2 cluster. Via the RDS API, I use rds:RestoreDBClusterToPointInTime and then rds:CreateDBInstance. By trial and error, I got it working with the policy excerpt below:

    {
      Effect = "Allow"
      Action = [
        "rds:AddTagsToResource",
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DeleteDBCluster",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:RestoreDBClusterToPointInTime"
      ]
      Resource = [
        "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:cluster:${var.destination_cluster_identifier}",
        "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:cluster:${var.source_cluster_identifier}",
        "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:cluster-pg:${aws_rds_cluster_parameter_group.this.name}",
        "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:subgrp:${aws_db_subnet_group.this.name}",
        "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:secgrp:${aws_security_group.rds.name}",
        "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:db:${local.rds_instance_name}"
      ]
    }

Where I am uncertain is how we can make rds:RestoreDBClusterToPointInTime one-way, that is, be able to limit which cluster is the source and which is the destination. It looks like both the source and destination clusters must be in the Resource block. Therefore, we can't limit which cluster is the source and which is the destination. Is there a way to do so?

1 Answer

Hi,

From the description, it looks like you want to use the RDS API RestoreDBClusterToPointInTime to restore a cluster to a specific time in the past as a new standalone cluster.

You want to know how to make rds:RestoreDBClusterToPointInTime one-way by defining the source and target in the policy. Correct me if I have misunderstood.

Based on what I have researched so far, we do not have a way to define such a source and target in the policy. One question I have is that, when restoring from a source cluster to a new cluster, the target should not have been created yet, right? Thus only the source needs access; for the target, it is creating a new cluster.

If the above is correct, then you might be able to define the policy separately.

For example:

For the action "rds:CreateDBInstance", attach only the resources that need to be attached; you may exclude the source cluster, as you only need to restore from it.

For the action "rds:RestoreDBClusterToPointInTime", attach only the instance that you need to restore from.

You may also add a tag to the cluster and define it in the policy.

Some links I found helpful:

- Amazon RDS identity-based policy examples - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/security_iam_id-based-policy-examples.html

- Controlling access to AWS resources using tags - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

Best practice would be to grant least privilege, following:

- Security best practices in IAM - Grant least privilege - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

AWS
SUPPORT ENGINEER
Kevin_Z
answered 2 years ago
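The answer's suggestion of splitting the single statement per action, worked through as an added example that is not part of the question or the answer above. The restore action addresses both the source cluster and the new target cluster as plain `cluster` resources, so IAM cannot say "this ARN only as SourceDBClusterIdentifier". What it can do is pin the target side to a naming convention (here a `clone-` prefix for every clone cluster and instance, an assumption made for illustration) and keep every destructive action off the source ARN, backed by an explicit Deny. The `var.*`, `aws_rds_cluster_parameter_group.this`, `aws_db_subnet_group.this` and `aws_security_group.rds` names are the question's own; `var.clone_role_name` is assumed.

```hcl
# Added example, not the poster's policy. Assumes every clone is named clone-*.
data "aws_region" "this" {}
data "aws_caller_identity" "this" {}

locals {
  arn_prefix         = "arn:aws:rds:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}"
  source_cluster_arn = "${local.arn_prefix}:cluster:${var.source_cluster_identifier}"
  # The only handle IAM gives us to tell target from source: a name space for targets.
  clone_cluster_arn  = "${local.arn_prefix}:cluster:clone-*"
  clone_instance_arn = "${local.arn_prefix}:db:clone-*"
  cluster_pg_arn     = "${local.arn_prefix}:cluster-pg:${aws_rds_cluster_parameter_group.this.name}"
  subgrp_arn         = "${local.arn_prefix}:subgrp:${aws_db_subnet_group.this.name}"
  secgrp_arn         = "${local.arn_prefix}:secgrp:${aws_security_group.rds.name}"
}

data "aws_iam_policy_document" "clone" {
  # Read-only on source and clones; needed to poll cluster/instance status.
  statement {
    sid       = "Describe"
    actions   = ["rds:DescribeDBClusters", "rds:DescribeDBInstances"]
    resources = [local.source_cluster_arn, local.clone_cluster_arn, local.clone_instance_arn]
  }

  # The restore call touches the source cluster, the new cluster it creates,
  # the cluster parameter group and the subnet group, so all four ARNs are listed.
  # The new cluster is limited to the clone-* name space.
  statement {
    sid     = "RestoreFromSource"
    actions = ["rds:RestoreDBClusterToPointInTime", "rds:AddTagsToResource"]
    resources = [
      local.source_cluster_arn,
      local.clone_cluster_arn,
      local.cluster_pg_arn,
      local.subgrp_arn,
    ]
  }

  # Writer instances may only be created in, and deleted from, clone clusters.
  statement {
    sid     = "ManageCloneInstances"
    actions = ["rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:AddTagsToResource"]
    resources = [
      local.clone_cluster_arn,
      local.clone_instance_arn,
      local.subgrp_arn,
      local.secgrp_arn,
    ]
  }

  # Cluster deletion is granted for clones only; the source ARN is absent here.
  statement {
    sid       = "DeleteCloneClusters"
    actions   = ["rds:DeleteDBCluster"]
    resources = [local.clone_cluster_arn]
  }

  # An explicit Deny overrides any Allow, including one from another policy
  # attached to the same role, so the source cluster can never be dropped or
  # modified by this principal.
  statement {
    sid       = "NeverTouchSource"
    effect    = "Deny"
    actions   = ["rds:DeleteDBCluster", "rds:ModifyDBCluster"]
    resources = [local.source_cluster_arn]
  }
}

resource "aws_iam_role_policy" "clone" {
  name   = "aurora-clone-one-way"
  role   = var.clone_role_name # assumed variable naming the role that runs the clone job
  policy = data.aws_iam_policy_document.clone.json
}
```

With this in place, a restore whose DBClusterIdentifier is `clone-nightly` succeeds, while one that names the target anything outside `clone-*` is rejected by IAM before RDS sees it, and DeleteDBCluster against the source fails on the explicit Deny even if the role later picks up a broader policy. The remaining two-way path, restoring from one clone into another clone, stays within the clone name space and is harmless. If the clusters are tagged instead of named by convention, the same split can be expressed with the tag condition keys the answer links to, substituting a tag condition for the `clone-*` ARN pattern.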
