Using IAM condition keys with Amazon Aurora DSQL
The Condition element (or Condition block) specifies the conditions under which a policy statement is in effect. You build conditional expressions using condition operators such as StringEquals or StringLike to match keys in the policy against values in the request. Condition keys are different from resource ARN scoping, which restricts actions to specific resources using the Resource element.
Amazon Aurora DSQL supports both service-specific condition keys and AWS global condition keys. You can use these keys to refine the conditions under which your IAM policy statements apply. For more information about AWS global condition keys, see AWS global condition context keys in the IAM User Guide.
Available condition keys for Amazon Aurora DSQL
Amazon Aurora DSQL supports the service-specific condition keys dsql:WitnessRegion, dsql:FisActionId, and dsql:FisTargetArns. You can also use AWS global condition keys such as aws:RequestTag, aws:ResourceTag, and aws:TagKeys.
For a complete list of Amazon Aurora DSQL actions, condition keys, and resources that you can specify in policies, see Actions, resources, and condition keys for Amazon Aurora DSQL in the Service Authorization Reference.
Example: Restrict the witness Region for multi-Region clusters
The following policy uses the dsql:WitnessRegion condition key to restrict multi-Region cluster creation to cases where the witness Region is US West (Oregon), us-west-2. Without this condition, you can specify any Region as the witness Region.
The first statement applies the dsql:WitnessRegion condition to the two actions that support it, dsql:CreateCluster and dsql:PutWitnessRegion. The second statement grants dsql:PutMultiRegionProperties and dsql:AddPeerCluster without the condition, because dsql:WitnessRegion is not a condition key for those actions: a StringEquals test on a key that is absent from the request context never matches, so attaching the condition to those actions would deny them.
Example: Require tags when creating clusters
The following policy uses the aws:RequestTag and aws:TagKeys condition keys to require an Environment tag when you create clusters.
This policy uses two condition keys together. The aws:RequestTag/Environment condition requires that the Environment tag has one of the allowed values. The aws:TagKeys condition with the ForAllValues set operator ensures that the request includes only the Environment and Owner tag keys. The two conditions are complementary: ForAllValues is satisfied by a request that carries no tag keys at all, so on its own it would not require any tag, while aws:RequestTag/Environment does not match unless the Environment tag is present with an allowed value.
Example: Restrict fault injection to specific clusters
The following policy uses the dsql:FisActionId and dsql:FisTargetArns condition keys to restrict AWS FIS fault injection to a specific action and target cluster.
The dsql:FisActionId condition restricts the fault injection actions that you can perform. The dsql:FisTargetArns condition uses the ForAllValues set operator and the ArnLike operator. Together, they ensure that every cluster ARN in the request matches the allowed pattern. This blocks any request that includes cluster ARNs outside the intended scope.
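To see how the three examples above behave on concrete requests, the following added Python script (not AWS code, and not the page's own policy documents) models the documented semantics of StringEquals, ArnLike, and the ForAllValues set operator and evaluates sample policies against constructed request contexts. The policy documents, the allowed Environment tag values (dev, test, prod), the account ID 123456789012, and the cluster ARN layout arn:aws:dsql:region:account:cluster/id are assumptions for illustration. The FIS example checks only dsql:FisTargetArns, because this page does not give a dsql:FisActionId value. The evaluator ignores Deny statements, Resource matching, and the ...IfExists operators.

```python
"""Toy evaluator for the IAM Condition operators used on this page (added example, not AWS code)."""
from fnmatch import fnmatchcase


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike: '*' and '?' wildcards apply within each of the six colon-delimited ARN components."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(fnmatchcase(x, y) for x, y in zip(a, p))


OPERATORS = {
    "StringEquals": lambda value, allowed: value in allowed,
    "StringLike": lambda value, allowed: any(fnmatchcase(value, pat) for pat in allowed),
    "ArnLike": lambda value, allowed: any(arn_like(pat, value) for pat in allowed),
}


def condition_matches(condition: dict, request: dict) -> bool:
    """Evaluate a Condition block against request context keys.

    request maps a key name to a string (single-valued key) or a list of strings
    (multivalued key such as aws:TagKeys or dsql:FisTargetArns). Every clause must
    match; the values listed for one key in the policy are ORed.
    """
    for op_spec, clauses in condition.items():
        set_op, _, op = op_spec.rpartition(":")  # "ForAllValues:StringEquals" -> "ForAllValues", "StringEquals"
        match = OPERATORS[op]
        for key, allowed in clauses.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            values = request.get(key, [])
            values = [values] if isinstance(values, str) else values
            if set_op == "ForAllValues":
                # Documented IAM behavior: an absent or empty key satisfies ForAllValues.
                ok = all(match(v, allowed) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(match(v, allowed) for v in values)
            else:
                # Plain operator: an absent key is a non-match (no ...IfExists modeled here).
                ok = len(values) == 1 and match(values[0], allowed)
            if not ok:
                return False
    return True


def is_allowed(policy: dict, action: str, request: dict) -> bool:
    """Allow-only evaluation: True if some Allow statement names the action and its Condition matches."""
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if stmt["Effect"] == "Allow" and action in actions and condition_matches(stmt.get("Condition", {}), request):
            return True
    return False


# Witness Region policy: the condition is attached only to the actions that support the key.
WITNESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dsql:CreateCluster", "dsql:PutWitnessRegion"], "Resource": "*",
         "Condition": {"StringEquals": {"dsql:WitnessRegion": "us-west-2"}}},
        {"Effect": "Allow", "Action": ["dsql:PutMultiRegionProperties", "dsql:AddPeerCluster"], "Resource": "*"},
    ],
}

# Tagging policy: aws:RequestTag/Environment requires the tag with an allowed value (values assumed);
# ForAllValues on aws:TagKeys limits which keys may appear.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dsql:CreateCluster", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/Environment": ["dev", "test", "prod"]},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "Owner"]}}},
    ],
}

# FIS target scoping: every cluster ARN in the request must match the pattern.
# The account ID and cluster ARN layout are assumptions for this example.
FIS_TARGET_CONDITION = {
    "ForAllValues:ArnLike": {"dsql:FisTargetArns": "arn:aws:dsql:us-east-1:123456789012:cluster/*"}
}

if __name__ == "__main__":
    print("witness us-west-2:", is_allowed(WITNESS_POLICY, "dsql:CreateCluster", {"dsql:WitnessRegion": "us-west-2"}))
    print("witness us-east-1:", is_allowed(WITNESS_POLICY, "dsql:CreateCluster", {"dsql:WitnessRegion": "us-east-1"}))
    print("untagged create:", is_allowed(TAG_POLICY, "dsql:CreateCluster", {}))
    print("ForAllValues alone, no tags:", condition_matches(
        {"ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "Owner"]}}, {}))
    print("FIS mixed Regions:", condition_matches(FIS_TARGET_CONDITION, {"dsql:FisTargetArns": [
        "arn:aws:dsql:us-east-1:123456789012:cluster/abc", "arn:aws:dsql:us-west-2:123456789012:cluster/def"]}))
```

The "ForAllValues alone, no tags" line is the case to remember: a tag-key allow list by itself accepts an untagged request, which is why the page's tagging policy pairs it with aws:RequestTag/Environment. Real IAM evaluation also applies Deny statements, Resource matching, and the ...IfExists variants, none of which this toy models.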