Using Identity-Based Policies (IAM Policies) for Amazon DocumentDB

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).

Important

For certain management features, Amazon DocumentDB uses operational technology that is shared with Amazon Relational Database Service (Amazon RDS). Amazon DocumentDB console, AWS CLI, and API calls are logged as calls made to the Amazon RDS API.

We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon DocumentDB resources. For more information, see Overview of Managing Access Permissions to Your Amazon DocumentDB Resources.

The sections in this topic cover the following:

The following is an example of an IAM policy.

  1. {
  2. "Version": "2012-10-17",
  3. "Statement": [
  4. {
  5. "Sid": "AllowCreateDBInstanceOnly",
  6. "Effect": "Allow",
  7. "Action": [
  8. "rds:CreateDBInstance"
  9. ],
  10. "Resource": [
  11. "arn:aws:rds:*:123456789012:db:test*",
  12. "arn:aws:rds:*:123456789012:pg:cluster-pg:default*",
  13. "arn:aws:rds:*:123456789012:subgrp:default"
  14. ]
  15. }
  16. ]
  17. }

The policy includes a single statement that specifies the following permissions for the IAM user:

  • The policy allows the IAM user to create an instance using the CreateDBInstance action (this also applies to the create-db-instance AWS CLI operation and the AWS Management Console).

  • The Resource element specifies that the user can perform actions on or with resources. You specify resources using an Amazon Resource Name (ARN). This ARN includes the name of the service that the resource belongs to (rds), the AWS Region (* indicates any Region in this example), the user account number (123456789012 is the user ID in this example), and the type of resource.

    The Resource element in the example specifies the following policy constraints on resources for the user:

    • The instance identifier for the new instance must begin with test (for example, testCustomerData1, test-region2-data).

    • The cluster parameter group for the new instance must begin with default.

    • The subnet group for the new instance must be the default subnet group.

The policy doesn’t specify the Principal element because in an identity-based policy you don’t specify the principal who gets the permission. When you attach policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role’s trust policy gets the permissions.

For a table showing all of the Amazon DocumentDB API operations and the resources that they apply to, see Amazon DocumentDB API Permissions: Actions, Resources, and Conditions Reference.

Permissions Required to Use the Amazon DocumentDB Console

For a user to work with the Amazon DocumentDB console, that user must have a minimum set of permissions. These permissions allow the user to describe the Amazon DocumentDB resources for their AWS account and to provide other related information, including Amazon EC2 security and network information.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won’t function as intended for users with that IAM policy. To ensure that those users can still use the Amazon DocumentDB console, also attach the AmazonDocDBConsoleFullAccess managed policy to the user, as described in AWS Managed (Predefined) Policies for Amazon DocumentDB.

You don’t need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon DocumentDB API.

AWS Managed (Predefined) Policies for Amazon DocumentDB

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon DocumentDB:

  • AmazonDocDBReadOnlyAccess – Grants read-only access to all Amazon DocumentDB resources for the root AWS account.

  • AmazonDocDBFullAccess – Grants full access to all Amazon DocumentDB resources for the root AWS account.

  • AmazonDocDBConsoleFullAccess – Grants full access to manage Amazon DocumentDB resources using the AWS Management Console.

You can also create custom IAM policies that allow users to access the required Amazon DocumentDB API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various Amazon DocumentDB actions. These policies work when you are using Amazon DocumentDB API actions, AWS SDKs, or the AWS CLI. When you are using the console, you need to grant additional permissions specific to the console, which is discussed in Permissions Required to Use the Amazon DocumentDB Console.

For certain management features, Amazon DocumentDB uses operational technology that is shared with Amazon Relational Database Service (Amazon RDS) and Amazon Neptune.

Note

All examples use the US East (N. Virginia) Region (us-east-1) and contain fictitious account IDs.

Example 1: Allow a User to Perform Any Describe Action on Any Amazon DocumentDB Resource

The following permissions policy grants permissions to a user to run all of the actions that begin with Describe. These actions show information about an Amazon DocumentDB resource, such as an instance. The wildcard character (*) in the Resource element indicates that the actions are allowed for all Amazon DocumentDB resources that are owned by the account.

  1. {
  2. "Version":"2012-10-17",
  3. "Statement":[
  4. {
  5. "Sid":"AllowRDSDescribe",
  6. "Effect":"Allow",
  7. "Action":"rds:Describe*",
  8. "Resource":"*"
  9. }
  10. ]
  11. }

Example 2: Prevent a User from Deleting an Instance

The following permissions policy grants permissions to prevent a user from deleting a specific instance. For example, you might want to deny the ability to delete your production instances to any user that is not an administrator.

  1. {
  2. "Version":"2012-10-17",
  3. "Statement":[
  4. {
  5. "Sid":"DenyDelete1",
  6. "Effect":"Deny",
  7. "Action":"rds:DeleteDBInstance",
  8. "Resource":"arn:aws:rds:us-east-1:123456789012:db:my-db-instance"
  9. }
  10. ]
  11. }

Example 3: Prevent a User from Creating a Cluster unless Storage Encryption is Enabled

The following permissions policy denies permissions to a user from creating an Amazon DocumentDB cluster unless storage encryption is enabled.

  1. {
  2. "Version": "2012-10-17",
  3. "Statement": [
  4. {
  5. "Sid": "PreventUnencryptedDocumentDB",
  6. "Effect": "Deny",
  7. "Action": "RDS:CreateDBCluster",
  8. "Condition": {
  9. "Bool": {
  10. "rds:StorageEncrypted": "false"
  11. },
  12. "StringEquals": {
  13. "rds:DatabaseEngine": "docdb"
  14. }
  15. },
  16. "Resource": "*"
  17. }
  18. ]
  19. }