# Identity-based policy examples for Amazon Aurora Identity-based policy examples By default, permission sets and roles don't have permission to create or modify Aurora resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An administrator must create IAM policies that grant permission sets and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the permission sets or roles that require those permissions. To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*. **Topics** + [ ## Policy best practices ](#security_iam_service-with-iam-policy-best-practices) + [ ## Using the Aurora console ](#security_iam_id-based-policy-examples-console) + [ ## Permissions required to use the console ](#UsingWithRDS.IAM.RequiredPermissions.Console) + [ ## Allow users to view their own permissions ](#security_iam_id-based-policy-examples-view-own-permissions) + [ # Permission policies to create, modify and, delete resources in Aurora ](security_iam_id-based-policy-examples-create-and-modify-examples.md) + [ # Example policies: Using condition keys ](UsingWithRDS.IAM.Conditions.Examples.md) + [ # Specifying conditions: Using custom tags ](UsingWithRDS.IAM.SpecifyingCustomTags.md) + [ # Grant permission to tag Aurora resources during creation ](security_iam_id-based-policy-examples-grant-permissions-tags-on-create.md) ## Policy best practices Identity-based policies determine whether someone can create, access, or delete Amazon RDS resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations: + **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*. + **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*. + **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*. + **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*. + **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*. For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. ## Using the Aurora console Using the console To access the Amazon Aurora console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Amazon Aurora resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy. You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform. To ensure that those entities can still use the Aurora console, also attach the following AWS managed policy to the entities. ``` AmazonRDSReadOnlyAccess ``` For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*. ## Permissions required to use the console For a user to work with the console, that user must have a minimum set of permissions. These permissions allow the user to describe the Amazon Aurora resources for their AWS account and to provide other related information, including Amazon EC2 security and network information. If you create an IAM policy that is more restrictive than the minimum required permissions, the console doesn't function as intended for users with that IAM policy. To ensure that those users can still use the console, also attach the `AmazonRDSReadOnlyAccess` managed policy to the user, as described in [Managing access using policies](UsingWithRDS.IAM.md#security_iam_access-manage). You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon RDS API. The following policy grants full access to all Amazon Aurora resources for the root AWS account: ``` AmazonRDSFullAccess ``` ## Allow users to view their own permissions This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] } ``` # Permission policies to create, modify and, delete resources in Aurora The following sections present examples of permission policies that grant and restrict access to resources: ## Allow a user to create DB instances in an AWS account The following is an example policy that allows the account with the ID `123456789012` to create DB instances for your AWS account. The policy requires that the name of the new DB instance begin with `test`. The new DB instance must also use the MySQL database engine and the `db.t2.micro` DB instance class. In addition, the new DB instance must use an option group and a DB parameter group that starts with `default`, and it must use the `default` subnet group. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowCreateDBInstanceOnly", "Effect": "Allow", "Action": [ "rds:CreateDBInstance" ], "Resource": [ "arn:aws:rds:*:123456789012:db:test*", "arn:aws:rds:*:123456789012:og:default*", "arn:aws:rds:*:123456789012:pg:default*", "arn:aws:rds:*:123456789012:subgrp:default" ], "Condition": { "StringEquals": { "rds:DatabaseEngine": "mysql", "rds:DatabaseClass": "db.t2.micro" } } } ] } ``` ------ The policy includes a single statement that specifies the following permissions for the user: + The policy allows the account to create a DB instance using the [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) API operation (this also applies to the [create-db-instance](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html) AWS CLI command and the AWS Management Console). + The `Resource` element specifies that the user can perform actions on or with resources. You specify resources using an Amazon Resources Name (ARN). This ARN includes the name of the service that the resource belongs to (`rds`), the AWS Region (`*` indicates any region in this example), the AWS account number (`123456789012` is the account number in this example), and the type of resource. For more information about creating ARNs, see [Amazon Resource Names (ARNs) in Amazon RDS](USER_Tagging.ARN.md). The `Resource` element in the example specifies the following policy constraints on resources for the user: + The DB instance identifier for the new DB instance must begin with `test` (for example, `testCustomerData1`, `test-region2-data`). + The option group for the new DB instance must begin with `default`. + The DB parameter group for the new DB instance must begin with `default`. + The subnet group for the new DB instance must be the `default` subnet group. + The `Condition` element specifies that the DB engine must be MySQL and the DB instance class must be `db.t2.micro`. The `Condition` element specifies the conditions when a policy should take effect. You can add additional permissions or restrictions by using the `Condition` element. For more information about specifying conditions, see [Policy condition keys for Aurora](security_iam_service-with-iam.md#UsingWithRDS.IAM.Conditions). This example specifies the `rds:DatabaseEngine` and `rds:DatabaseClass` conditions. For information about the valid condition values for `rds:DatabaseEngine`, see the list under the `Engine` parameter in [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). For information about the valid condition values for `rds:DatabaseClass`, see [Supported DB engines for DB instance classes](Concepts.DBInstanceClass.SupportAurora.md). The policy doesn't specify the `Principal` element because in an identity-based policy you don't specify the principal who gets the permission. When you attach policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions. To see a list of Aurora actions, see [Actions Defined by Amazon RDS](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html#amazonrds-actions-as-permissions) in the *Service Authorization Reference*. ## Allow a user to perform any describe action on any RDS resource The following permissions policy grants permissions to a user to run all of the actions that begin with `Describe`. These actions show information about an RDS resource, such as a DB instance. The wildcard character (\$1) in the `Resource` element indicates that the actions are allowed for all Amazon Aurora resources owned by the account. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowRDSDescribe", "Effect": "Allow", "Action": "rds:Describe*", "Resource": "*" } ] } ``` ------ ## Allow a user to create a DB instance that uses the specified DB parameter group and subnet group The following permissions policy grants permissions to allow a user to only create a DB instance that must use the `mydbpg` DB parameter group and the `mydbsubnetgroup` DB subnet group. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "rds:CreateDBInstance", "Resource": [ "arn:aws:rds:*:*:pg:mydbpg", "arn:aws:rds:*:*:subgrp:mydbsubnetgroup" ] } ] } ``` ------ ## Grant permission for actions on a resource with a specific tag with two different values You can use conditions in your identity-based policy to control access to Aurora resources based on tags. The following policy allows permission to perform the `CreateDBSnapshot` API operation on DB instances with either the `stage` tag set to `development` or `test`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"AllowAnySnapshotName", "Effect":"Allow", "Action":[ "rds:CreateDBSnapshot" ], "Resource":"arn:aws:rds:*:123456789012:snapshot:*" }, { "Sid":"AllowDevTestToCreateSnapshot", "Effect":"Allow", "Action":[ "rds:CreateDBSnapshot" ], "Resource":"arn:aws:rds:*:123456789012:db:*", "Condition":{ "StringEquals":{ "rds:db-tag/stage":[ "development", "test" ] } } } ] } ``` ------ The following policy allows permission to perform the `ModifyDBInstance` API operation on DB instances with either the `stage` tag set to `development` or `test`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"AllowChangingParameterOptionSecurityGroups", "Effect":"Allow", "Action":[ "rds:ModifyDBInstance" ], "Resource": [ "arn:aws:rds:*:123456789012:pg:*", "arn:aws:rds:*:123456789012:secgrp:*", "arn:aws:rds:*:123456789012:og:*" ] }, { "Sid":"AllowDevTestToModifyInstance", "Effect":"Allow", "Action":[ "rds:ModifyDBInstance" ], "Resource":"arn:aws:rds:*:123456789012:db:*", "Condition":{ "StringEquals":{ "rds:db-tag/stage":[ "development", "test" ] } } } ] } ``` ------ ## Prevent a user from deleting a DB instance The following permissions policy grants permissions to prevent a user from deleting a specific DB instance. For example, you might want to deny the ability to delete your production DB instances to any user that is not an administrator. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "DenyDelete1", "Effect": "Deny", "Action": "rds:DeleteDBInstance", "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance" } ] } ``` ------ ## Deny all access to a resource You can explicitly deny access to a resource. Deny policies take precedence over allow policies. The following policy explicitly denies a user the ability to manage a resource: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "rds:*", "Resource": "arn:aws:rds:us-east-1:123456789012:db:mydb" } ] } ``` ------ # Example policies: Using condition keys Following are examples of how you can use condition keys in Amazon Aurora IAM permissions policies. ## Example 1: Grant permission to create a DB instance that uses a specific DB engine and isn't MultiAZ The following policy uses an RDS condition key and allows a user to create only DB instances that use the MySQL database engine and don't use MultiAZ. The `Condition` element indicates the requirement that the database engine is MySQL. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowMySQLCreate", "Effect": "Allow", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "StringEquals": { "rds:DatabaseEngine": "mysql" }, "Bool": { "rds:MultiAz": false } } } ] } ``` ------ ## Example 2: Explicitly deny permission to create DB instances for certain DB instance classes and create DB instances that use Provisioned IOPS The following policy explicitly denies permission to create DB instances that use the DB instance classes `r3.8xlarge` and `m4.10xlarge`, which are the largest and most expensive DB instance classes. This policy also prevents users from creating DB instances that use Provisioned IOPS, which incurs an additional cost. Explicitly denying permission supersedes any other permissions granted. This ensures that identities to not accidentally get permission that you never want to grant. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "DenyLargeCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "StringEquals": { "rds:DatabaseClass": [ "db.r3.8xlarge", "db.m4.10xlarge" ] } } }, { "Sid": "DenyPIOPSCreate", "Effect": "Deny", "Action": "rds:CreateDBInstance", "Resource": "*", "Condition": { "NumericNotEquals": { "rds:Piops": "0" } } } ] } ``` ------ ## Example 3: Limit the set of tag keys and values that can be used to tag a resource The following policy uses an RDS condition key and allows the addition of a tag with the key `stage` to be added to a resource with the values `test`, `qa`, and `production`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowTagEdits", "Effect": "Allow", "Action": [ "rds:AddTagsToResource", "rds:RemoveTagsFromResource" ], "Resource": "arn:aws:rds:us-east-1:123456789012:db:db-123456", "Condition": { "StringEquals": { "rds:req-tag/stage": [ "test", "qa", "production" ] } } } ] } ``` ------ # Specifying conditions: Using custom tags Using custom tags Amazon Aurora supports specifying conditions in an IAM policy using custom tags. For example, suppose that you add a tag named `environment` to your DB instances with values such as `beta`, `staging`, `production`, and so on. If you do, you can create a policy that restricts certain users to DB instances based on the `environment` tag value. **Note** Custom tag identifiers are case-sensitive. The following table lists the RDS tag identifiers that you can use in a `Condition` element. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAM.SpecifyingCustomTags.html) The syntax for a custom tag condition is as follows: `"Condition":{"StringEquals":{"rds:rds-tag-identifier/tag-name": ["value"]} }` For example, the following `Condition` element applies to DB instances with a tag named `environment` and a tag value of `production`. ` "Condition":{"StringEquals":{"rds:db-tag/environment": ["production"]} } ` For information about creating tags, see [Tagging Amazon Aurora andAmazon RDS resources](USER_Tagging.md). **Important** If you manage access to your RDS resources using tagging, we recommend that you secure access to the tags for your RDS resources. You can manage access to tags by creating policies for the `AddTagsToResource` and `RemoveTagsFromResource` actions. For example, the following policy denies users the ability to add or remove tags for all resources. You can then create policies to allow specific users to add or remove tags. **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"DenyTagUpdates", "Effect":"Deny", "Action":[ "rds:AddTagsToResource", "rds:RemoveTagsFromResource" ], "Resource":"*" } ] } ``` To see a list of Aurora actions, see [Actions Defined by Amazon RDS](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html#amazonrds-actions-as-permissions) in the *Service Authorization Reference*. ## Example policies: Using custom tags Following are examples of how you can use custom tags in Amazon Aurora IAM permissions policies. For more information about adding tags to an Amazon Aurora resource, see [Amazon Resource Names (ARNs) in Amazon RDS](USER_Tagging.ARN.md). **Note** All examples use the us-west-2 region and contain fictitious account IDs. ### Example 1: Grant permission for actions on a resource with a specific tag with two different values The following policy allows permission to perform the `CreateDBSnapshot` API operation on DB instances with either the `stage` tag set to `development` or `test`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"AllowAnySnapshotName", "Effect":"Allow", "Action":[ "rds:CreateDBSnapshot" ], "Resource":"arn:aws:rds:*:123456789012:snapshot:*" }, { "Sid":"AllowDevTestToCreateSnapshot", "Effect":"Allow", "Action":[ "rds:CreateDBSnapshot" ], "Resource":"arn:aws:rds:*:123456789012:db:*", "Condition":{ "StringEquals":{ "rds:db-tag/stage":[ "development", "test" ] } } } ] } ``` ------ The following policy allows permission to perform the `ModifyDBInstance` API operation on DB instances with either the `stage` tag set to `development` or `test`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"AllowChangingParameterOptionSecurityGroups", "Effect":"Allow", "Action":[ "rds:ModifyDBInstance" ], "Resource": [ "arn:aws:rds:*:123456789012:pg:*", "arn:aws:rds:*:123456789012:secgrp:*", "arn:aws:rds:*:123456789012:og:*" ] }, { "Sid":"AllowDevTestToModifyInstance", "Effect":"Allow", "Action":[ "rds:ModifyDBInstance" ], "Resource":"arn:aws:rds:*:123456789012:db:*", "Condition":{ "StringEquals":{ "rds:db-tag/stage":[ "development", "test" ] } } } ] } ``` ------ ### Example 2: Explicitly deny permission to create a DB instance that uses specified DB parameter groups The following policy explicitly denies permission to create a DB instance that uses DB parameter groups with specific tag values. You might apply this policy if you require that a specific customer-created DB parameter group always be used when creating DB instances. Policies that use `Deny` are most often used to restrict access that was granted by a broader policy. Explicitly denying permission supersedes any other permissions granted. This ensures that identities to not accidentally get permission that you never want to grant. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"DenyProductionCreate", "Effect":"Deny", "Action":"rds:CreateDBInstance", "Resource":"arn:aws:rds:*:123456789012:pg:*", "Condition":{ "StringEquals":{ "rds:pg-tag/usage":"prod" } } } ] } ``` ------ ### Example 3: Grant permission for actions on a DB instance with an instance name that is prefixed with a user name The following policy allows permission to call any API (except to `AddTagsToResource` or `RemoveTagsFromResource`) on a DB instance that has a DB instance name that is prefixed with the user's name and that has a tag called `stage` equal to `devo` or that has no tag called `stage`. The `Resource` line in the policy identifies a resource by its Amazon Resource Name (ARN). For more information about using ARNs with Amazon Aurora resources, see [Amazon Resource Names (ARNs) in Amazon RDS](USER_Tagging.ARN.md). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Sid":"AllowFullDevAccessNoTags", "Effect":"Allow", "NotAction":[ "rds:AddTagsToResource", "rds:RemoveTagsFromResource" ], "Resource":"arn:aws:rds:*:123456789012:db:${aws:username}*", "Condition":{ "StringEqualsIfExists":{ "rds:db-tag/stage":"devo" } } } ] } ``` ------ # Grant permission to tag Aurora resources during creation Tagging on creation Some RDS API operations allow you to specify tags when you create the resource. You can use resource tags to implement attribute-based control (ABAC). For more information, see [What is ABAC for AWS?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) and [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html). To enable users to tag resources on creation, they must have permissions to use the action that creates the resource, such as `rds:CreateDBCluster`. If tags are specified in the create action, RDS performs additional authorization on the `rds:AddTagsToResource` action to verify if users have permissions to create tags. Therefore, users must also have explicit permissions to use the `rds:AddTagsToResource` action. In the IAM policy definition for the `rds:AddTagsToResource` action, you can use the `aws:RequestTag` condition key to require tags in a request to tag a resource. For example, the following policy allows users to create DB instances and apply tags during DB instance creation, but only with specific tag keys (`environment` or `project`): ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:CreateDBInstance" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:AddTagsToResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/environment": ["production", "development"], "aws:RequestTag/project": ["dataanalytics", "webapp"] }, "ForAllValues:StringEquals": { "aws:TagKeys": ["environment", "project"] } } } ] } ``` ------ This policy denies any create DB instance request that includes tags other than the `environment` or `project` tags, or that doesn't specify either of these tags. Additionally, users must specify values for the tags that match the allowed values in the policy. The following policy allows users to create DB clusters and apply any tags during creation except the `environment=prod` tag: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:CreateDBCluster" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "rds:AddTagsToResource" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestTag/environment": "prod" } } } ] } ``` ------ ## Supported RDS API actions for tagging on creation The following RDS API actions support tagging when you create a resource. For these actions, you can specify tags when you create the resource: + `CreateBlueGreenDeployment` + `CreateCustomDBEngineVersion` + `CreateDBCluster` + `CreateDBClusterEndpoint` + `CreateDBClusterParameterGroup` + `CreateDBClusterSnapshot` + `CreateDBInstance` + `CreateDBInstanceReadReplica` + `CreateDBParameterGroup` + `CreateDBProxy` + `CreateDBProxyEndpoint` + `CreateDBSecurityGroup` + `CreateDBShardGroup` + `CreateDBSnapshot` + `CreateDBSubnetGroup` + `CreateEventSubscription` + `CreateGlobalCluster` + `CreateIntegration` + `CreateOptionGroup` + `CreateTenantDatabase` + `CopyDBClusterParameterGroup` + `CopyDBClusterSnapshot` + `CopyDBParameterGroup` + `CopyDBSnapshot` + `CopyOptionGroup` + `RestoreDBClusterFromS3` + `RestoreDBClusterFromSnapshot` + `RestoreDBClusterToPointInTime` + `RestoreDBInstanceFromDBSnapshot` + `RestoreDBInstanceFromS3` + `RestoreDBInstanceToPointInTime` + `PurchaseReservedDBInstancesOffering` If you use the AWS CLI or API to create a resource with tags, the `Tags` parameter is used to apply tags to resources during creation. For these API actions, if tagging fails, the resource is not created, and the request fails with an error. This ensures that resources are either created with tags or not created at all, preventing resources from being created without the intended tags.