Creating and provisioning an Aurora instance currently requires a series of IAM permissions (e.g. rds:CreateCluster). To get around this, the RDSAllAccess policy has been assigned. To comply with the principle of least privilege, we need to narrow access to the database and its associated resources.
Ordinarily, the solution would be to apply a resource-based policy to the database. However, Aurora does not support resource-based IAM policies. One way around this is to scope the permissions with a tag-based condition in the role's policy and tag the database accordingly, so the role can only act on resources carrying that tag.
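One way to express that tag-scoped policy, as an added example that is not part of this PR or the project's own code: a Terraform IAM policy document (assumed tooling) for the wic-prp-db-access role, using a placeholder tag `project = wic-prp` in place of whatever tag the deployment actually applies.

```hcl
# Added example, not the project's code. Replaces the broad RDS policy with
# permissions scoped to a project tag. Tag key/value are placeholders.
data "aws_iam_policy_document" "aurora_tag_scoped" {
  # Creation: the request itself must carry the project tag, otherwise the
  # role could create untagged clusters that fall outside every condition below.
  statement {
    sid       = "CreateTaggedAuroraResources"
    actions   = ["rds:CreateDBCluster", "rds:CreateDBInstance"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/project"
      values   = ["wic-prp"]
    }
  }

  # Lifecycle operations: only on resources already tagged for this project.
  statement {
    sid = "ManageTaggedAuroraResources"
    actions = [
      "rds:ModifyDBCluster", "rds:DeleteDBCluster",
      "rds:ModifyDBInstance", "rds:DeleteDBInstance", "rds:RebootDBInstance",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/project"
      values   = ["wic-prp"]
    }
  }

  # Tagging is a privilege of its own: the role may only set the project tag,
  # and only to this project's value, so it cannot re-tag arbitrary resources.
  # Residual risk: an untagged database could still be pulled into scope.
  statement {
    sid       = "AddProjectTagOnly"
    actions   = ["rds:AddTagsToResource"]
    resources = ["*"]
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values   = ["project"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/project"
      values   = ["wic-prp"]
    }
  }
}
```

Read-only Describe calls are left out here; add them as a separate unconditional statement if the role needs to list clusters.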
Testing
Log into the AWS console and confirm that you are able to:
see the "wic-prp-db-access" role in the IAM console
Ticket
https://wicmtdp.atlassian.net/browse/PRP-76
Changes
Context for reviewers