I am trying to restrict the user to have access to only the resources starting with a particular string. For example, I would like to restrict the user with all permissions to only RDS instances starting with "new-database-change". Basically, in regex it would be "new-database-change-*". The application is far ahead and we missed using tags. Is there anyway we could do this without tags? Something of the following would do.

 {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds:RestoreDBClusterToPointInTime",
                "rds-db:connect",
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance"
            ],
            "Resource": "new-database-change-*"
        }

The AWS currently takes the literal "*" and not the regex.

CodePudding user response：

You should be able to do this with a wildcard resource and a restricted policy condition, for example:

"Resource": "*",
"Condition": {"StringLike": {"rds:DatabaseName": "new-database-change-*"}}

CodePudding user response：

I don't think you can do this.

In reviewing Actions, resources, and condition keys for Amazon RDS - Service Authorization Reference:

• AddTagsToResource does not take rds:DatabaseName as a Condition
• DescribeDBInstances and DescribeDBClusters do not take any conditions -- they always returns ALL results
• RestoreDBClusterToPointInTime does not take rds:DatabaseName as a Condition

Not sure about rds-db:connect -- it can accept an ARN, but not sure if it can accept a database name.