I'm working on a script to automatically take an RDS snapshot every day and give it a name based on an appropriate pattern (e.g. mydb-snapshot-20141031). The script itself is pretty straightforward but I ran into issues trying to lock things down so that if the key pair associated with the script is compromised, the attacker can only damage my snapshots and not the database itself.
Searching the web and looking at the RDS IAM policy guide hasn't turned up much to help me (at least not that I've been able to reproduce) so I'm hoping someone here has solved this before (or can understand that manual better than I can). Here's what I want:
Here's what I'm trying to protect against:
Maybe this can't be done (I can't find documentation for a "delete" companion to the rds:CreateDBSnapshot policy). It would be nice if the DeleteDBSnapshot documentation actually included a list of permissions required to use it.
I eventually found the DeleteDBSnapshot permission but later realized that what I really wanted to do was restrict actions to a specific DB Instance Identifier, which I am now convinced is not possible because of how the AWS commands actually work. Thus, you must create a policy that looks something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:DeleteDBSnapshot"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:snapshot-tag/MY_TAG_KEY": [
                        "MY_TAG_VALUE"
                    ]
                }
            },
            "Resource": "arn:aws:rds:us-west-2::snapshot:mydb-snapshot-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:ListTagsForResource",
                "rds:CreateDBSnapshot"
            ],
            "Resource": "arn:aws:rds:us-west-2:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBSnapshots"
            ],
            "Resource": "*"
        }
    ]
}
A few notes/caveats:

- The Resource property of the policy is a check against DBSnapshotIdentifier, but for CreateDBSnapshot it appears to refer to DBInstanceIdentifier (RDS database name).
- DescribeDBSnapshots always operates globally so it must also be granted on all resource values. You can't even restrict this by region.
- ListTagsForResource throws a permissions error if you try to restrict it to the full snapshot resource path.
- The Condition block is for those who wish to further (or alternately) restrict by tags. As with limiting by Resource, ListTagsForResource and CreateDBSnapshot do not work if you try to limit them to specific tags.

This solves my primary concern of limiting the damage if keys attached to this policy are compromised -- the attacker could only delete my rolling snapshots, not any manually-created snapshots or the database instances themselves. Unfortunately, it still allows the creation of an unlimited number of snapshots in the specific zone, but there doesn't seem to be any way at all to restrict CreateDBSnapshot.
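The question asks how far a compromised rotation key can reach, and the answer's policy is meant to bound that to the rolling snapshots only. The following is an added example, not code from the question or the answer: a small offline evaluator that models just enough of IAM's logic (default deny, explicit Deny wins, `*`/`?` wildcards in Action and Resource, the StringEquals operator) to check the answer's policy against a constructed snapshot inventory. The account id 123456789012, the tag key `rotation` with value `daily`, and the snapshot names are constructed sample values; the snapshot ARN's account field is set to `*` here, on the assumption that the empty field in the posted policy would match no real snapshot ARN.

```python
"""Offline check of the snapshot-rotation IAM policy from the answer above.

Added example, not code from the question or answer. It re-implements enough
of IAM's evaluation rules to show which calls a holder of the rotation key
could and could not make. All ARNs, names and tags are constructed samples.
"""
import re
from datetime import date, timedelta

ACCOUNT = "123456789012"   # constructed sample account id
REGION = "us-west-2"

# The answer's policy with StringEquals as the condition operator. The account
# field of the snapshot ARN is '*' here (assumption: the posted policy leaves it
# empty, which would not match a real snapshot ARN).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds:AddTagsToResource", "rds:DeleteDBSnapshot"],
            "Condition": {"StringEquals": {"rds:snapshot-tag/rotation": ["daily"]}},
            "Resource": f"arn:aws:rds:{REGION}:*:snapshot:mydb-snapshot-*",
        },
        {
            "Effect": "Allow",
            "Action": ["rds:ListTagsForResource", "rds:CreateDBSnapshot"],
            "Resource": f"arn:aws:rds:{REGION}:*",
        },
        {"Effect": "Allow", "Action": ["rds:DescribeDBSnapshots"], "Resource": "*"},
    ],
}


def _wildcard_match(pattern, value, case_sensitive=True):
    """IAM-style matching: '*' matches any run of characters (':' included),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    """Only StringEquals is modelled: every listed key must be present in the
    request context and equal one of the allowed values (a missing key fails)."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in clauses.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request. Default is deny and an
    explicit Deny statement overrides any Allow, as in IAM."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def snapshot_arn(name):
    return f"arn:aws:rds:{REGION}:{ACCOUNT}:snapshot:{name}"


def db_arn(name):
    return f"arn:aws:rds:{REGION}:{ACCOUNT}:db:{name}"


def deletable_by_rotation_key(snapshots):
    """Given {snapshot_name: {tag_key: tag_value}} for every snapshot in the
    account, return the names the rotation key could delete under POLICY."""
    out = []
    for name, tags in snapshots.items():
        ctx = {f"rds:snapshot-tag/{k}": v for k, v in tags.items()}
        if evaluate(POLICY, "rds:DeleteDBSnapshot", snapshot_arn(name), ctx) == "Allow":
            out.append(name)
    return out


if __name__ == "__main__":
    today = date(2014, 10, 31)
    inventory = {  # constructed sample inventory: three rolling snapshots ...
        f"mydb-snapshot-{(today - timedelta(days=d)).strftime('%Y%m%d')}": {"rotation": "daily"}
        for d in range(3)
    }
    inventory["mydb-before-migration"] = {}                    # ... a manual, untagged one ...
    inventory["mydb-snapshot-keep"] = {"rotation": "forever"}  # ... and a prefix match with the wrong tag
    print("deletable by rotation key:", deletable_by_rotation_key(inventory))
    print("DeleteDBInstance on mydb:", evaluate(POLICY, "rds:DeleteDBInstance", db_arn("mydb")))
    print("CreateDBSnapshot on mydb:", evaluate(POLICY, "rds:CreateDBSnapshot", db_arn("mydb")))
```

The run shows the blast radius the answer describes: only the tagged, prefix-matching rolling snapshots are deletable, the manual snapshot and the instance itself are not, and CreateDBSnapshot stays allowed on any instance in the region. For a check against AWS's own evaluator rather than this model, the real policy can be fed to `aws iam simulate-custom-policy` with the same action and resource ARNs.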