I am trying to restrict the user to have access to only the resources starting with a particular string. For example, I would like to restrict the user with all permissions to only RDS instances starting with "new-database-change". Basically, in regex it would be "new-database-change-*". The application is far ahead and we missed using tags. Is there anyway we could do this without tags?
Something of the following would do.
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:RestoreDBClusterToPointInTime",
"rds-db:connect",
"rds:CreateDBInstance",
"rds:DeleteDBInstance"
],
"Resource": "new-database-change-*"
}
The AWS currently takes the literal "*" and not the regex.
I don't think you can do this.
In reviewing Actions, resources, and condition keys for Amazon RDS - Service Authorization Reference:
AddTagsToResource does not take rds:DatabaseName as a ConditionDescribeDBInstances and DescribeDBClusters do not take any conditions -- they always returns ALL resultsRestoreDBClusterToPointInTime does not take rds:DatabaseName as a ConditionNot sure about rds-db:connect -- it can accept an ARN, but not sure if it can accept a database name.