RDS Database Restore IAM Permissions
To perform RDS database restore operations, IAM roles specified in the restore settings must be granted the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcEndpoints",
        "ec2:ModifyInstanceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:TerminateInstances",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:SimulatePrincipalPolicy",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSubnetGroups",
        "rds:ModifyDBInstance",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "ssm:GetCommandInvocation",
        "ssm:GetParameter",
        "ssm:SendCommand"
      ],
      "Resource": "*"
    }
  ]
}
To learn how to create IAM roles and assign them the required permissions, see Appendix A. Creating IAM Roles in AWS.
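One way to check a customized role policy against the permission list above, as an added example that is not part of the original documentation or the product. The names `REQUIRED`, `audit_policy` and `SAMPLE_POLICY` are assumptions introduced here, and the sample policy is constructed.

```python
import json
from fnmatch import fnmatchcase

# Required actions, copied from the policy on this page (service -> action names).
REQUIRED = {
    "ec2": "AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress CreateKeyPair "
           "CreateSecurityGroup CreateTags DeleteKeyPair DeleteSecurityGroup "
           "DescribeAccountAttributes DescribeAvailabilityZones DescribeImages "
           "DescribeInstanceAttribute DescribeInstances DescribeInternetGateways "
           "DescribeKeyPairs DescribeRegions DescribeRouteTables DescribeSecurityGroups "
           "DescribeSubnets DescribeVpcEndpoints ModifyInstanceAttribute "
           "RevokeSecurityGroupEgress RevokeSecurityGroupIngress RunInstances "
           "StartInstances TerminateInstances",
    "iam": "GetContextKeysForPrincipalPolicy GetInstanceProfile GetRole "
           "ListInstanceProfilesForRole PassRole SimulatePrincipalPolicy",
    "rds": "DescribeDBInstances DescribeDBSubnetGroups ModifyDBInstance",
    "sqs": "CreateQueue DeleteMessage DeleteQueue ListQueues ReceiveMessage SendMessage",
    "ssm": "GetCommandInvocation GetParameter SendCommand",
}
REQUIRED_ACTIONS = sorted(f"{s}:{a}" for s, names in REQUIRED.items() for a in names.split())

# Constructed sample policy (not from the page): wildcards, an unrelated action, a Deny.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "rds:*", "iam:passrole", "s3:GetObject"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ssm:SendCommand"},
]})


def audit_policy(policy_json):
    """Return (missing, extra): required actions no Allow statement covers, and
    granted action patterns that are not exactly one of the required actions.
    Limitation: Resource, Condition, NotAction and Deny statements are not evaluated."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    granted = set()
    for st in statements:
        if st.get("Effect") == "Allow":
            acts = st.get("Action", [])
            acts = [acts] if isinstance(acts, str) else acts
            granted.update(a.lower() for a in acts)  # action names are case-insensitive
    missing = [r for r in REQUIRED_ACTIONS
               if not any(fnmatchcase(r.lower(), g) for g in granted)]
    required_lower = {r.lower() for r in REQUIRED_ACTIONS}
    extra = sorted(g for g in granted if g not in required_lower)
    return missing, extra


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```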