G'day!
I have IAM Authentication turned on for my RDS databases.
I can successfully connect using an authorised role and am denied when using an unauthorised role.
However, I have a role that I would like to be able to connect to some databases but not others and I'd like to avoid having to list the databases explicitly in the IAM Policy.
The policy already restricts several rds:? Actions using a Condition clause that checks for the existence of a tag on the RDS Resource. So I thought I could try the same thing for the rds-db:connect Action:
    - Sid: DenyRDSLogin
      Action: 'rds-db:connect'
      Effect: Deny
      Resource: 'arn:aws:rds-db:*'
      Condition:
        StringEquals:
          'rds:db-tag/restricted-access':
            - 'true'
But it doesn't work because, I assume, the Resource is arn:aws:rds-db:* which doesn't have any tags as it's not a "physical" resource.
Am I barking up the wrong tree?
Thanks!
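Added example, not part of the original post: if the tag condition turns out not to apply to rds-db:connect, the fallback is the explicit resource list the poster wanted to avoid. The script below derives that list from instance tags, so the policy can still be driven by the restricted-access tag rather than hand-maintained. rds-db:connect ARNs take the form arn:aws:rds-db:REGION:ACCOUNT:dbuser:DbiResourceId/db_user_name (the DbiResourceId, not the instance name). The instance records, region and account number are constructed sample data; in practice the records would come from boto3's rds.describe_db_instances() (paginated), which returns the TagList field used here.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the fields of rds:DescribeDBInstances this script needs.
# The DbiResourceId values and tags are made up for illustration.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db",
     "DbiResourceId": "db-ABCDEFGHIJKL1234567890",
     "TagList": [{"Key": "restricted-access", "Value": "true"}]},
    {"DBInstanceIdentifier": "reports-db",
     "DbiResourceId": "db-MNOPQRSTUVWX1234567890",
     "TagList": [{"Key": "restricted-access", "Value": "false"}]},
    {"DBInstanceIdentifier": "scratch-db",
     "DbiResourceId": "db-YZ0123456789ABCDEFGHIJ",
     "TagList": []},
]


def rds_db_arn(region, account, resource_id, db_user="*"):
    """Resource ARN that rds-db:connect is evaluated against.

    Note it is keyed on the DB's resource id, not its identifier/name, and the
    trailing segment is the database user name (wildcarded here to cover all).
    """
    return f"arn:aws:rds-db:{region}:{account}:dbuser:{resource_id}/{db_user}"


def tagged_instances(instances, key, value):
    """Instances whose TagList contains key=value (exact, case-sensitive match)."""
    return [
        inst for inst in instances
        if any(t["Key"] == key and t["Value"] == value
               for t in inst.get("TagList", []))
    ]


def deny_connect_statement(instances, region, account,
                           key="restricted-access", value="true"):
    """Build an explicit Deny on rds-db:connect for every tagged instance.

    Mirrors the poster's DenyRDSLogin statement but lists concrete ARNs instead
    of relying on a tag condition key. Sorted so repeated runs produce a stable
    document that diffs cleanly in version control.
    """
    resources = sorted(
        rds_db_arn(region, account, inst["DbiResourceId"])
        for inst in tagged_instances(instances, key, value)
    )
    return {
        "Sid": "DenyRDSLogin",
        "Effect": "Deny",
        "Action": "rds-db:connect",
        "Resource": resources,
    }


def is_denied(statement, connect_arn):
    """Check whether a concrete connect ARN is matched by the Deny statement.

    IAM resource matching treats '*' as a wildcard; fnmatchcase is close enough
    for a local sanity check of the generated list (it also treats '?' and '[]'
    specially, which these ARNs never contain).
    """
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    return any(fnmatchcase(connect_arn, pattern) for pattern in resources)


def render_policy(statement):
    """Wrap the statement in a policy document as JSON text."""
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


if __name__ == "__main__":
    # Sample region/account; substitute your own.
    stmt = deny_connect_statement(SAMPLE_INSTANCES, "ap-southeast-2", "123456789012")
    print(render_policy(stmt))
    probe = rds_db_arn("ap-southeast-2", "123456789012",
                       "db-ABCDEFGHIJKL1234567890", "app_user")
    print("app_user on orders-db denied:", is_denied(stmt, probe))
```

Because a Deny statement with an empty Resource list is invalid, a real deployment should refuse to emit the policy when no instances carry the tag, and should be re-run (or scheduled) whenever instances are created or retagged, since the generated list does not follow tag changes on its own.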