Leaving this here so I can point people to it later - and because I suspect others will search for it.
DocumentDB does not have its own IAM namespace and is covered under the rds IAM namespace, as explained in the DocumentDB documentation on IAM.
As such, DocumentDB is compliant wherever RDS is compliant - which is across the board. Therefore, DocumentDB will be allowed under any SCP AllowList generated with aws-allowlister.
We implemented this mapping here.
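One way to confirm that an allow-list SCP covers DocumentDB is to look for the rds prefix instead of a docdb one. This is an added example, not part of the original post and not aws-allowlister's code; the alias table, the function names and the sample SCP are assumptions constructed for illustration.

```python
import fnmatch
import json

# Assumption: a lookup from a service's common name to the IAM action prefix
# that governs it. Only the DocumentDB -> rds mapping comes from the post
# above; the table itself and its name are hypothetical.
IAM_NAMESPACE_ALIASES = {"docdb": "rds", "documentdb": "rds"}

# Constructed sample SCP in allow-list form (not real aws-allowlister output).
SAMPLE_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "AllowList", "Effect": "Allow",
                "Action": ["ec2:*", "rds:*", "s3:*"], "Resource": "*"}]}
""")


def iam_namespace(service):
    """Return the IAM action prefix that governs `service`."""
    name = service.strip().lower()
    return IAM_NAMESPACE_ALIASES.get(name, name)


def allowed_patterns(scp):
    """Collect lower-cased Action patterns from every Allow statement."""
    statements = scp.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # Action may be a string or a list
            actions = [actions]
        patterns.extend(a.lower() for a in actions)
    return patterns


def service_allowed(scp, service, action):
    """True if an Allow statement covers `action` in the service's namespace."""
    # Only the allow list is inspected; explicit Deny statements are ignored.
    target = f"{iam_namespace(service)}:{action}".lower()
    return any(fnmatch.fnmatchcase(target, p) for p in allowed_patterns(scp))
```

An allow list that names only docdb:* fails this check for DocumentDB, because the actions are evaluated under the rds prefix.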