Using Identity-Based Policies (IAM Policies) for Amazon DocumentDB

    Important

    For certain management features, Amazon DocumentDB uses operational technology that is shared with Amazon Relational Database Service (Amazon RDS). Amazon DocumentDB console, AWS CLI, and API calls are logged as calls made to the Amazon RDS API.

    We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon DocumentDB resources. For more information, see Overview of Managing Access Permissions to Your Amazon DocumentDB Resources.

    The following is an example of an IAM policy.

    The policy includes a single statement that specifies the following permissions for the IAM user:

    • The policy allows the IAM user to create an instance using the CreateDBInstance action (this also applies to the AWS CLI operation and the AWS Management Console).

    • The Resource element in the example specifies the following policy constraints on resources for the user:

      • The cluster parameter group for the new instance must begin with default.

      • The subnet group for the new instance must be the default subnet group.

    The policy doesn’t specify the Principal element because in an identity-based policy you don’t specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role’s trust policy gets the permissions.

    For a table showing all of the Amazon DocumentDB API operations and the resources that they apply to, see Amazon DocumentDB API Permissions: Actions, Resources, and Conditions Reference.

    For a user to work with the Amazon DocumentDB console, that user must have a minimum set of permissions. These permissions allow the user to describe the Amazon DocumentDB resources for their AWS account and to provide other related information, including Amazon EC2 security and network information.

    If you create an IAM policy that is more restrictive than the minimum required permissions, the console won’t function as intended for users with that IAM policy. To ensure that those users can still use the Amazon DocumentDB console, also attach the AmazonDocDBConsoleFullAccess managed policy to the user, as described in .

    You don’t need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon DocumentDB API.

    AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

    • AmazonDocDBReadOnlyAccess – Grants read-only access to all Amazon DocumentDB resources for the root AWS account.

    • AmazonDocDBFullAccess – Grants full access to all Amazon DocumentDB resources for the root AWS account.

    • AmazonDocDBConsoleFullAccess – Grants full access to manage Amazon DocumentDB resources using the AWS Management Console.

    You can also create custom IAM policies that allow users to access the required Amazon DocumentDB API actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

    In this section, you can find example user policies that grant permissions for various Amazon DocumentDB actions. These policies work when you are using Amazon DocumentDB API actions, AWS SDKs, or the AWS CLI. When you are using the console, you need to grant additional permissions specific to the console, which is discussed in .

    For certain management features, Amazon DocumentDB uses operational technology that is shared with Amazon Relational Database Service (Amazon RDS) and Amazon Neptune.

    Note

    All examples use the US East (N. Virginia) Region (us-east-1) and contain fictitious account IDs.

    The following permissions policy grants permissions to a user to run all of the actions that begin with Describe. These actions show information about an Amazon DocumentDB resource, such as an instance. The wildcard character (*) in the Resource element indicates that the actions are allowed for all Amazon DocumentDB resources that are owned by the account.

    The following permissions policy explicitly denies a user the ability to delete a specific instance. For example, you might want to deny the ability to delete your production instances to any user who is not an administrator. An explicit Deny takes precedence over any Allow granted elsewhere, which is what makes it useful as a guardrail.
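    As an added example that is not part of the AWS documentation, the three policies this page describes (the CreateDBInstance policy constrained to default* cluster parameter groups and the default subnet group, the Describe* read-only policy, and the explicit Deny on deleting one instance) are written out below as Python dictionaries, together with a deliberately simplified evaluator that shows how IAM combines them: an explicit Deny wins, an Allow must match both the action and every resource ARN the request touches, and everything else is an implicit deny. Assumptions: the `db:*` resource line in the first policy, the instance name `prod-db`, and the broad `BROAD_ALLOW_POLICY` are constructed for the example; the ARN resource types (`db`, `cluster-pg`, `subgrp`) and the `rds:` action namespace follow the page's note that DocumentDB calls are made against the Amazon RDS API; the evaluator ignores Condition, NotAction/NotResource, resource-based policies, SCPs and permission boundaries.

```python
"""Toy evaluator for the identity-based policies described on this page.

Assumption: only Effect, Action and Resource are honoured. Condition keys,
NotAction/NotResource, resource-based policies, service control policies and
permission boundaries are not modelled.
"""
import json
import re

# Fictitious account ID and the Region used by the page's examples.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"


def docdb_arn(resource):
    """Build an Amazon DocumentDB ARN; the service namespace is rds, as the page notes."""
    return f"arn:aws:rds:{REGION}:{ACCOUNT_ID}:{resource}"


# Policy 1: CreateDBInstance, limited to cluster parameter groups that begin with
# "default" and to the default subnet group. The db:* line is an assumption so that
# the instance being created is itself in scope.
CREATE_INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCreateDBInstanceOnly",
        "Effect": "Allow",
        "Action": ["rds:CreateDBInstance"],
        "Resource": [
            docdb_arn("db:*"),
            docdb_arn("cluster-pg:default*"),
            docdb_arn("subgrp:default"),
        ],
    }],
}

# Policy 2: every action that begins with Describe, on every resource in the account.
DESCRIBE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDescribeActions",
        "Effect": "Allow",
        "Action": ["rds:Describe*"],
        "Resource": "*",
    }],
}

# Policy 3: explicit Deny on deleting one named instance (prod-db is a constructed name).
DENY_DELETE_PROD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDeleteProductionInstance",
        "Effect": "Deny",
        "Action": ["rds:DeleteDBInstance"],
        "Resource": [docdb_arn("db:prod-db")],
    }],
}

# Broad Allow, constructed only to show that an explicit Deny overrides it.
BROAD_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policies, action, resource_arn):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource ARN."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; ARNs are compared case-sensitively.
            if not any(_glob_match(p, action, True) for p in _as_list(stmt["Action"])):
                continue
            if not any(_glob_match(p, resource_arn, False) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation immediately
            decision = "Allow"
    return decision


def is_allowed(policies, action, resource_arns):
    """A request that touches several resources needs an Allow for every one of them."""
    return all(evaluate(policies, action, arn) == "Allow" for arn in resource_arns)


if __name__ == "__main__":
    print(json.dumps(CREATE_INSTANCE_POLICY, indent=3))
    request = [docdb_arn("db:dev-db"), docdb_arn("cluster-pg:default.docdb4.0"), docdb_arn("subgrp:default")]
    print("create with defaults:", is_allowed([CREATE_INSTANCE_POLICY], "rds:CreateDBInstance", request))
    print("delete prod-db:", evaluate([BROAD_ALLOW_POLICY, DENY_DELETE_PROD_POLICY],
                                      "rds:DeleteDBInstance", docdb_arn("db:prod-db")))
```

    The evaluator is a teaching aid, not a substitute for the real decision logic; before relying on a policy, check it with the IAM policy simulator (`aws iam simulate-custom-policy` or `simulate-principal-policy`), which applies conditions, boundaries and SCPs that this model leaves out.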