RDS Database Restore IAM Permissions

To perform RDS database restore operations, IAM roles specified in the restore settings must be granted the following permissions:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"ec2:AuthorizeSecurityGroupEgress",

"ec2:AuthorizeSecurityGroupIngress",

"ec2:CreateKeyPair",

"ec2:CreateSecurityGroup",

"ec2:CreateTags",

"ec2:DeleteKeyPair",

"ec2:DeleteSecurityGroup",

"ec2:DescribeAccountAttributes",

"ec2:DescribeAvailabilityZones",

"ec2:DescribeImages",

"ec2:DescribeInstanceAttribute",

"ec2:DescribeInstances",

"ec2:DescribeInternetGateways",

"ec2:DescribeKeyPairs",

"ec2:DescribeRegions",

"ec2:DescribeRouteTables",

"ec2:DescribeSecurityGroups",

"ec2:DescribeSubnets",

"ec2:DescribeVpcEndpoints",

"ec2:ModifyInstanceAttribute",

"ec2:RevokeSecurityGroupEgress",

"ec2:RevokeSecurityGroupIngress",

"ec2:RunInstances",

"ec2:StartInstances",

"ec2:TerminateInstances",

"iam:GetContextKeysForPrincipalPolicy",

"iam:GetInstanceProfile",

"iam:GetRole",

"iam:ListInstanceProfilesForRole",

"iam:PassRole",

"iam:SimulatePrincipalPolicy",

"rds:DescribeDBInstances",

"rds:DescribeDBSubnetGroups",

"rds:ModifyDBInstance",

"sqs:CreateQueue",

"sqs:DeleteMessage",

"sqs:DeleteQueue",

"sqs:ListQueues",

"sqs:ReceiveMessage",

"sqs:SendMessage",

"ssm:GetCommandInvocation",

"ssm:GetParameter",

"ssm:SendCommand"

"Resource": "*"

}

]

}

To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.