aws-solutions / instance-scheduler-on-aws

A cross-account and cross-region solution that allows customers to automatically start and stop EC2 and RDS Instances
https://aws.amazon.com/solutions/implementations/instance-scheduler-on-aws/
Apache License 2.0

RDS permissions needed starting 30.10.2024 #572

Open gmergulhao opened 3 weeks ago

gmergulhao commented 3 weeks ago

AWS announced that starting 30.10.2024 some new RDS API permissions will be needed.

On August 15, 2024, we implemented a change to database snapshot creation when using the "DeleteDBCluster" [1], "DeleteDBInstance" [2], "DeleteTenantDatabase" [3] and "StopDBInstance" APIs [4].

If you want to create a final snapshot of the database when calling "DeleteDBInstance" or "DeleteTenantDatabase" or "StopDBInstance", you must have an IAM Allow effect for the "rds:CreateDBSnapshot" permission.

Similarly, if you want to create a final snapshot of a database cluster when calling "DeleteDBCluster", you must have an IAM Allow effect for the "rds:CreateDBClusterSnapshot" permission.

Additionally, if the database instance or database cluster has CopyTagsToSnapshot enabled and you are calling "DeleteDBInstance" or "DeleteDBCluster" or "StopDBInstance", you must have an IAM Allow effect for the "rds:AddTagsToResource" permission for the "DBSnapshot" resource.

In the case of "DeleteTenantDatabase", you must have an IAM Allow effect for the "rds:AddTagsToResource" permission for the "DBSnapshot" and "Snapshot-tenant-database" resources.

The following permissions are not included as of v3.0.4:

rds:CreateDBSnapshot
rds:CreateDBClusterSnapshot

CrypticCabub commented 3 weeks ago

Thanks for letting us know @gmergulhao!

We'll add this to the backlog for inclusion in a patch release.
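
The requirements in the AWS notice quoted in this issue can be checked against an IAM policy document before the change takes effect. The following is an added example, not code from the issue or from the Instance Scheduler project; the function names and `SAMPLE_POLICY` are constructed for illustration, and the check is action-level only (Resource, Condition and NotAction elements are not evaluated).

```python
import fnmatch

# Action required for the final snapshot, per API call (from the quoted notice).
SNAPSHOT_ACTION = {
    "DeleteDBInstance": "rds:CreateDBSnapshot",
    "DeleteTenantDatabase": "rds:CreateDBSnapshot",
    "StopDBInstance": "rds:CreateDBSnapshot",
    "DeleteDBCluster": "rds:CreateDBClusterSnapshot",
}
TAG_ACTION = "rds:AddTagsToResource"  # needed when CopyTagsToSnapshot is enabled

# Constructed sample policy for illustration; not the solution's actual policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:StartDBInstance", "rds:StopDBInstance",
                   "rds:Describe*", "rds:AddTagsToResource"],
        "Resource": "*",
    }],
}

def _as_list(value):
    # IAM allows a single statement or action in place of a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def is_allowed(policy, action):
    """Action-level check: some Allow statement matches and no Deny does."""
    allow = deny = False
    for stmt in _as_list(policy.get("Statement")):
        # IAM action names are case-insensitive and may use * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            deny = deny or stmt.get("Effect") == "Deny"
            allow = allow or stmt.get("Effect") == "Allow"
    return allow and not deny

def missing_permissions(policy, api_call, final_snapshot=True, copy_tags=False):
    """Return the actions from the notice that the policy does not grant."""
    needed = [SNAPSHOT_ACTION[api_call]] if final_snapshot else []
    if copy_tags:
        needed.append(TAG_ACTION)
    return [a for a in needed if not is_allowed(policy, a)]

if __name__ == "__main__":
    for call in SNAPSHOT_ACTION:
        print(call, missing_permissions(SAMPLE_POLICY, call, copy_tags=True))
```

An explicit Deny is treated as unconditional here, so the check may over-report for policies that scope a Deny with a Condition.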