
In my scenario, I want a policy that will allow reading and writing of abc-database-backups/rds/postgresql-backup on S3. We'll want my servers to have that access added.

Is creating a role and attaching it to the servers best, or adding a key to the server?

I tried this:

aws iam create-policy \
     --policy-name rds-s3-integration-policy \
     --policy-document '{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "s3:ListAllMyBuckets",
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListBucket",
                        "s3:GetBucketACL",
                        "s3:GetBucketLocation"
                    ],
                    "Resource": "arn:aws:s3:::bucket_name"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:ListMultipartUploadParts",
                        "s3:AbortMultipartUpload"
                    ],
                    "Resource": "arn:aws:s3:::bucket_name/key_prefix/*"
                }
            ]
        }' 

I would be very grateful for any help, as my experience in this field is somewhat limited.

samtech
  • Perhaps you could clarify your question. Are you wanting PostgreSQL on which platform (RDS / EC2) to have access to a specific S3 bucket? This tends to be done with a role. Please include the role definition. It's easier to show the role and policy directly rather than the CLI command to create them. – Tim Apr 13 '22 at 19:05
  • Yes, I want PostgreSQL on RDS to have access to a specific S3 bucket. What is your best advice here? Is creating a role and attaching it to the servers best, or adding a key to the server? – samtech Apr 13 '22 at 19:43

1 Answer


Use a service linked role for RDS to provide access to S3 and any other named resources you require. Ensure the RDS instance has this role. You should also read this doc about importing S3 data into RDS PostgreSQL using an extension.

I've adapted some CloudFormation infrastructure as code I have which should set up a role. You'll want to modify the permissions and bucket name to suit your requirements. It should work as-is but I did have to massage my existing code so if it doesn't work 100% please edit the post or comment so I can edit it.

AWSTemplateFormatVersion: '2010-09-09'
Description: Role for RDS

Resources:
    RdsS3IntegrationRole:
        Type: AWS::IAM::Role
        Properties:
            RoleName: RdsS3IntegrationRole
            # Trust policy: only the RDS service may assume this role
            AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                    -
                        Effect: Allow
                        Principal:
                            Service:
                                - rds.amazonaws.com
                        Action:
                            - sts:AssumeRole

    RDSS3IntegrationPolicy:
        Type: AWS::IAM::Policy
        Properties:
            Roles:
                - !Ref 'RdsS3IntegrationRole'
            PolicyName: RDSS3IntegrationPolicy
            PolicyDocument:
                Version: '2012-10-17'
                Statement:
                    # S3 access: replace bucketname with your bucket (keys in a list item
                    # must line up with Effect, or the YAML does not parse)
                    - Effect: Allow
                      Action:
                          - s3:GetObject
                          - s3:ListBucket
                          - s3:PutObject
                      Resource:
                          - !Sub 'arn:aws:s3:::bucketname/*'
                          - !Sub 'arn:aws:s3:::bucketname'
                    # KMS access, needed only if the objects are SSE-KMS encrypted;
                    # narrow key/* to the specific key ARN where you can
                    - Effect: Allow
                      Action:
                          - kms:Decrypt
                          - kms:Encrypt
                          - kms:GenerateDataKey
                          - kms:ReEncryptTo
                          - kms:DescribeKey
                          - kms:ReEncryptFrom
                      Resource:
                          - !Sub 'arn:aws:kms:ap-southeast-2:${AWS::AccountId}:key/*'
Tim
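The role the answer describes, as an added example written for this page (it is not code from the question or the answer) in Python with boto3: it scopes the policy to the asker's abc-database-backups/rds/postgresql-backup prefix, adds aws:SourceAccount/aws:SourceArn conditions to the trust policy, and performs the step the answer leaves implicit, binding the role to the instance with add_role_to_db_instance. The instance identifier, region and account id are placeholders, and it assumes the engine version supports s3Export.

```python
import json

def trust_policy(account_id, db_instance_arn):
    """Trust rds.amazonaws.com only when it acts for this account and instance;
    aws:SourceAccount / aws:SourceArn close the cross-service confused-deputy hole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rds.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                      "ArnLike": {"aws:SourceArn": db_instance_arn}}}]}

def access_policy(bucket, prefix):
    """Read/write limited to one prefix; ListBucket is fenced with the s3:prefix key
    so the role cannot enumerate the rest of the bucket."""
    prefix = prefix.strip("/")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject",
                    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}]}

def apply(iam, rds, role_name, db_instance_id, account_id, region, bucket, prefix):
    """Create the role, attach the scoped inline policy and bind it to the instance.
    iam/rds are boto3 clients. The role does nothing for RDS until
    add_role_to_db_instance associates it with the feature that will use it."""
    db_arn = f"arn:aws:rds:{region}:{account_id}:db:{db_instance_id}"
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy(account_id, db_arn)))
    iam.put_role_policy(RoleName=role_name, PolicyName="rds-s3-backups",
                        PolicyDocument=json.dumps(access_policy(bucket, prefix)))
    # s3Import covers aws_s3.table_import_from_s3; s3Export covers aws_s3.query_export_to_s3
    # (export needs an engine version that supports it, otherwise drop it from the tuple)
    for feature in ("s3Import", "s3Export"):
        rds.add_role_to_db_instance(DBInstanceIdentifier=db_instance_id,
                                    RoleArn=role["Role"]["Arn"], FeatureName=feature)
    return role["Role"]["Arn"]

if __name__ == "__main__":
    import boto3  # only needed when applying this against a real account
    print(apply(boto3.client("iam"), boto3.client("rds"), "RdsS3IntegrationRole",
                "my-postgres", "123456789012", "ap-southeast-2",  # placeholders
                "abc-database-backups", "rds/postgresql-backup"))
```

Run it with credentials that may create IAM roles; the KMS statement from the answer is still needed on top of this if the bucket uses SSE-KMS.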