
IAM Deny permissions for restores on RDS - DocumentDB - DynamoDB

11 June,2024 by Rambler

Question: What IAM changes are needed to deny certain roles restore privileges on RDS, DynamoDB & DocumentDB? This relates to denying restores from the service-native backups, not backups taken by AWS Backup.

Answer: To cover the restore functionality on RDS, DynamoDB and DocumentDB, these are the actions on each service that would need a Deny. Review each one and decide whether a Deny is warranted; that decision is typically set by the organization's security and operations standards. Note that Amazon DocumentDB exposes its IAM actions under the rds: prefix, so the rds:RestoreDBCluster* actions apply to DocumentDB clusters as well as to Aurora.

Here is a brief description of each action:

rds:RestoreDBInstanceFromDBSnapshot - Grants permission to create a new DB instance from a DB snapshot
rds:RestoreDBInstanceToPointInTime - Grants permission to restore a DB instance to an arbitrary point in time
rds:RestoreDBClusterFromS3 - Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket
rds:RestoreDBClusterFromSnapshot - Grants permission to create a new DB cluster from a DB cluster snapshot
rds:RestoreDBClusterToPointInTime - Grants permission to restore a DB cluster to an arbitrary point in time
dynamodb:RestoreTableFromAwsBackup - Grants permission to create a new table from a recovery point in AWS Backup
dynamodb:RestoreTableFromBackup - Grants permission to create a new table from an existing backup
dynamodb:RestoreTableToPointInTime - Grants permission to restore a table to a point in time

A sample policy document, in JSON format, that denies all of the restore actions above:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "rds:RestoreDBInstanceFromDBSnapshot",
                    "rds:RestoreDBInstanceToPointInTime",
                    "rds:RestoreDBClusterFromS3",
                    "rds:RestoreDBClusterFromSnapshot",
                    "rds:RestoreDBClusterToPointInTime",
                    "dynamodb:RestoreTableFromAwsBackup",
                    "dynamodb:RestoreTableFromBackup",
                    "dynamodb:RestoreTableToPointInTime"
                ],
                "Resource": "*"
            }
        ]
    }
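Before attaching such a policy it is worth checking that it really covers every restore action, especially when the Deny uses wildcards or is split across several statements. The following Python check is an added example, not code from the original post; it reads a policy document, applies IAM's case-insensitive wildcard matching, and reports which of the eight restore actions listed above are still not denied on all resources. The sample policy it runs against is constructed for illustration.

```python
import fnmatch
import json

# Restore actions from the page; RDS, Aurora and DocumentDB all use the rds: prefix.
RESTORE_ACTIONS = [
    "rds:RestoreDBInstanceFromDBSnapshot",
    "rds:RestoreDBInstanceToPointInTime",
    "rds:RestoreDBClusterFromS3",
    "rds:RestoreDBClusterFromSnapshot",
    "rds:RestoreDBClusterToPointInTime",
    "dynamodb:RestoreTableFromAwsBackup",
    "dynamodb:RestoreTableFromBackup",
    "dynamodb:RestoreTableToPointInTime",
]

def _as_list(value):
    """IAM lets "Action" and "Resource" be a single string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action names match case-insensitively, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def uncovered_restore_actions(policy):
    """Return the restore actions no Deny statement on Resource "*" covers.
    Empty means all are blocked: an explicit Deny beats any Allow elsewhere.
    A Deny scoped to specific ARNs is not counted, since it leaves restores
    of every other resource permitted."""
    denied = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            denied.update(a for a in RESTORE_ACTIONS if _matches(pattern, a))
    return [a for a in RESTORE_ACTIONS if a not in denied]

# Constructed sample policy: wildcard Deny for RDS, but one DynamoDB action missed.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "rds:Restore*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["dynamodb:RestoreTableFromBackup", "dynamodb:RestoreTableToPointInTime"]}
  ]
}""")

if __name__ == "__main__":
    print(uncovered_restore_actions(SAMPLE_POLICY))  # ['dynamodb:RestoreTableFromAwsBackup']
```

Run it against the JSON retrieved with `aws iam get-policy-version` (or the inline policy on the role) to confirm the gap list is empty before relying on the Deny.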

Author: Rambler (http://www.dba-ninja.com)
