# Resource-based policies for Aurora DSQL Resource-based policies Use resource-based policies for Aurora DSQL to restrict or grant access to your clusters through JSON policy documents that attach directly to your cluster resources. These policies provide fine-grained control over who can access your cluster and under what conditions. Aurora DSQL clusters are accessible from the public internet by default, with IAM authentication as the primary security control. Resource-based policies enable you to add access restrictions, particularly to block access from the public internet. Resource-based policies work alongside IAM identity-based policies. AWS evaluates both types of policies to determine the final permissions for any access request to your cluster. By default, Aurora DSQL clusters are accessible within an account. If an IAM user or role has Aurora DSQL permissions, they can access clusters with no resource-based policy attached. **Note** Changes to resource-based policies are eventually consistent and typically take effect within one minute. For more information about the differences between identity-based and resource-based policies, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *IAM User Guide*. ## When to use resource-based policies When to Use Resource-based policies are particularly useful in these scenarios: + *Network-based access control* — Restrict access based on the VPC or IP address that requests originate from, or block public internet access entirely. Use condition keys like `aws:SourceVpc` and `aws:SourceIp` to control network access. + *Multiple teams or applications* — Grant access to the same cluster for multiple teams or applications. Rather than managing individual IAM policies for each principal, you define access rules once on the cluster. + *Complex conditional access* — Control access based on multiple factors like network attributes, request context, and user attributes. You can combine multiple conditions in a single policy. + *Centralized security governance* — Enable cluster owners to control access using familiar AWS policy syntax that integrates with your existing security practices. **Note** Cross-account access is not yet supported for Aurora DSQL resource-based policies but will be available in future releases. When someone tries to connect to your Aurora DSQL cluster, AWS evaluates your resource-based policy as part of the authorization context, along with any relevant IAM policies, to determine whether the request should be allowed or rejected. Resource-based policies can grant access to principals within the same AWS account as the cluster. For multi-Region clusters, each regional cluster has its own resource-based policy, allowing for Region-specific access controls when needed. **Note** Condition context keys may vary between Regions (such as VPC IDs). **Topics** + [When to Use](#rbp-when-to-use) + [Create with policies](rbp-create-cluster.md) + [Add and edit policies](rbp-attach-policy.md) + [View Policy](rbp-view-policy.md) + [Remove Policy](rbp-remove-policy.md) + [Policy examples](rbp-examples.md) + [Block public access](rbp-block-public-access.md) + [API Operations](rbp-api-operations.md) # Creating clusters with resource-based policies Create with policies You can attach resource-based policies when creating a new cluster to ensure access controls are in place from the start. Each cluster can have a single inline policy attached directly to the cluster. ## AWS Management Console Console **To add a resource-based policy during cluster creation** 1. Sign in to the AWS Management Console and open the Aurora DSQL console at [https://console.aws.amazon.com/dsql/](https://console.aws.amazon.com/dsql). 1. Choose **Create cluster**. 1. Configure your cluster name, tags, and multi-region settings as needed. 1. In the **Cluster settings** section, locate the **Resource-based policy** option. 1. Turn on **Add resource-based policy**. 1. Enter your policy document in the JSON editor. For example, to block public internet access: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": "*", "Action": [ "dsql:DbConnect", "dsql:DbConnectAdmin" ], "Condition": { "Null": { "aws:SourceVpc": "true" } } } ] } ``` 1. You can use **Edit statement** or **Add new statement** to build your policy. 1. Complete the remaining cluster configuration and choose **Create cluster**. ## AWS CLI CLI Use the `--policy` parameter when creating a cluster to attach an inline policy: ``` aws dsql create-cluster --policy '{ "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"], "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } } }] }' ``` ## AWS SDKs SDKs ------ #### [ Python ] ``` import boto3 import json client = boto3.client('dsql') policy = { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"], "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } } }] } response = client.create_cluster( policy=json.dumps(policy) ) print(f"Cluster created: {response['identifier']}") ``` ------ #### [ Java ] ``` import software.amazon.awssdk.services.dsql.DsqlClient; import software.amazon.awssdk.services.dsql.model.CreateClusterRequest; import software.amazon.awssdk.services.dsql.model.CreateClusterResponse; DsqlClient client = DsqlClient.create(); String policy = """ { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"], "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } } }] } """; CreateClusterRequest request = CreateClusterRequest.builder() .policy(policy) .build(); CreateClusterResponse response = client.createCluster(request); System.out.println("Cluster created: " + response.identifier()); ``` ------ # Adding and editing resource-based policies for clusters Add and edit policies ## AWS Management Console **To add a resource-based policy to an existing cluster** 1. Sign in to the AWS Management Console and open the Aurora DSQL console at [https://console.aws.amazon.com/dsql/](https://console.aws.amazon.com/dsql). 1. Choose your cluster from the cluster list to open the cluster details page. 1. Choose the **Permissions** tab. 1. In the **Resource-based policy** section, choose **Add policy**. 1. Enter your policy document in the JSON editor. You can use **Edit statement** or **Add new statement** to build your policy. 1. Choose **Add policy**. **To edit an existing resource-based policy** 1. Sign in to the AWS Management Console and open the Aurora DSQL console at [https://console.aws.amazon.com/dsql/](https://console.aws.amazon.com/dsql). 1. Choose your cluster from the cluster list to open the cluster details page. 1. Choose the **Permissions** tab. 1. In the **Resource-based policy** section, choose **Edit**. 1. Modify the policy document in the JSON editor. You can use **Edit statement** or **Add new statement** to update your policy. 1. Choose **Save changes**. ## AWS CLI Use the `put-cluster-policy` command to attach a new policy or update an existing policy on a cluster: ``` aws dsql put-cluster-policy --identifier your_cluster_id --policy '{ "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"], "Condition": { "Null": { "aws:SourceVpc": "true" } } }] }' ``` ## AWS SDKs ------ #### [ Python ] ``` import boto3 import json client = boto3.client('dsql') policy = { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"], "Condition": { "Null": {"aws:SourceVpc": "true"} } }] } response = client.put_cluster_policy( identifier='your_cluster_id', policy=json.dumps(policy) ) ``` ------ #### [ Java ] ``` import software.amazon.awssdk.services.dsql.DsqlClient; import software.amazon.awssdk.services.dsql.model.PutClusterPolicyRequest; DsqlClient client = DsqlClient.create(); String policy = """ { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*", "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"], "Condition": { "Null": {"aws:SourceVpc": "true"} } }] } """; PutClusterPolicyRequest request = PutClusterPolicyRequest.builder() .identifier("your_cluster_id") .policy(policy) .build(); client.putClusterPolicy(request); ``` ------ # Viewing resource-based policies View Policy You can view resource-based policies attached to your clusters to understand the current access controls in place. ## AWS Management Console **To view resource-based policies** 1. Sign in to the AWS Management Console and open the Aurora DSQL console at [https://console.aws.amazon.com/dsql/](https://console.aws.amazon.com/dsql). 1. Choose your cluster from the cluster list to open the cluster details page. 1. Choose the **Permissions** tab. 1. View the attached policy in the **Resource-based policy** section. ## AWS CLI Use the `get-cluster-policy` command to view a cluster's resource-based policy: ``` aws dsql get-cluster-policy --identifier your_cluster_id ``` ## AWS SDKs ------ #### [ Python ] ``` import boto3 import json client = boto3.client('dsql') response = client.get_cluster_policy( identifier='your_cluster_id' ) # Parse and pretty-print the policy policy = json.loads(response['policy']) print(json.dumps(policy, indent=2)) ``` ------ #### [ Java ] ``` import software.amazon.awssdk.services.dsql.DsqlClient; import software.amazon.awssdk.services.dsql.model.GetClusterPolicyRequest; import software.amazon.awssdk.services.dsql.model.GetClusterPolicyResponse; DsqlClient client = DsqlClient.create(); GetClusterPolicyRequest request = GetClusterPolicyRequest.builder() .identifier("your_cluster_id") .build(); GetClusterPolicyResponse response = client.getClusterPolicy(request); System.out.println("Policy: " + response.policy()); ``` ------ # Removing resource-based policies Remove Policy You can remove resource-based policies from clusters to change access controls. **Important** When you remove all resource-based policies from a cluster, access will be controlled entirely by IAM identity-based policies. ## AWS Management Console **To remove a resource-based policy** 1. Sign in to the AWS Management Console and open the Aurora DSQL console at [https://console.aws.amazon.com/dsql/](https://console.aws.amazon.com/dsql). 1. Choose your cluster from the cluster list to open the cluster details page. 1. Choose the **Permissions** tab. 1. In the **Resource-based policy** section, choose **Delete**. 1. In the confirmation dialog, type **confirm** to confirm the deletion. 1. Choose **Delete**. ## AWS CLI Use the `delete-cluster-policy` command to remove a policy from a cluster: ``` aws dsql delete-cluster-policy --identifier your_cluster_id ``` ## AWS SDKs ------ #### [ Python ] ``` import boto3 client = boto3.client('dsql') response = client.delete_cluster_policy( identifier='your_cluster_id' ) print("Policy deleted successfully") ``` ------ #### [ Java ] ``` import software.amazon.awssdk.services.dsql.DsqlClient; import software.amazon.awssdk.services.dsql.model.DeleteClusterPolicyRequest; DsqlClient client = DsqlClient.create(); DeleteClusterPolicyRequest request = DeleteClusterPolicyRequest.builder() .identifier("your_cluster_id") .build(); client.deleteClusterPolicy(request); System.out.println("Policy deleted successfully"); ``` ------ # Common resource-based policy examples Policy examples These examples show common patterns for controlling access to your Aurora DSQL clusters. You can combine and modify these patterns to meet your specific access requirements. ## Block public internet access Block public access This policy blocks connections to your Aurora DSQL clusters from the public internet (non-VPC). The policy doesn't specify which VPC customers can connect from—only that they must connect from a VPC. To limit access to a specific VPC, use `aws:SourceVpc` with the `StringEquals` condition operator. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": "*", "Action": [ "dsql:DbConnect", "dsql:DbConnectAdmin" ], "Condition": { "Null": { "aws:SourceVpc": "true" } } } ] } ``` **Note** This example uses only `aws:SourceVpc` to check for VPC connections. The `aws:VpcSourceIp` and `aws:SourceVpce` condition keys provide additional granularity but are not required for basic VPC-only access control. To provide an exception for specific roles, use this policy instead: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAccessFromOutsideVPC", "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": "*", "Action": [ "dsql:DbConnect", "dsql:DbConnectAdmin" ], "Condition": { "Null": { "aws:SourceVpc": "true" }, "StringNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::123456789012:role/ExceptionRole", "arn:aws:iam::123456789012:role/AnotherExceptionRole" ] } } } ] } ``` ## Restrict access to AWS Organization Organization access This policy restricts access to principals within an AWS Organization: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": [ "dsql:DbConnect", "dsql:DbConnectAdmin" ], "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a", "Condition": { "StringNotEquals": { "aws:PrincipalOrgID": "o-exampleorgid" } } } ] } ``` ## Restrict access to specific Organizational Unit OU access This policy restricts access to principals within a specific Organizational Unit (OU) in an AWS Organization, providing more granular control than organization-wide access: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": [ "dsql:DbConnect" ], "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/mydsqlclusterid0123456789a", "Condition": { "StringNotLike": { "aws:PrincipalOrgPaths": "o-exampleorgid/r-examplerootid/ou-exampleouid/*" } } } ] } ``` ## Multi-Region cluster policies Multi-Region For multi-Region clusters, each regional cluster maintains its own resource policy, allowing for Region-specific controls. Here's an example with different policies per region: *us-east-1 policy:* ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "*" }, "Resource": "*", "Action": [ "dsql:DbConnect" ], "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-east1-id" }, "Null": { "aws:SourceVpc": "true" } } } ] } ``` *us-east-2 policy:* ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Resource": "*", "Action": [ "dsql:DbConnect" ], "Condition": { "StringEquals": { "aws:SourceVpc": "vpc-east2-id" } } } ] } ``` **Note** Condition context keys may vary between AWS Regions (such as VPC IDs). # Blocking public access with resource-based policies in Aurora DSQL Block public access Block Public Access (BPA) is a feature that identifies and prevents the attaching of resource-based policies that grant public access to your Aurora DSQL clusters across your AWS accounts. With BPA, you can prevent public access to your Aurora DSQL resources. BPA performs checks during the creation or modification of a resource-based policy and helps improve your security posture with Aurora DSQL. BPA uses [automated reasoning](https://aws.amazon.com/what-is/automated-reasoning/) to analyze the access granted by your resource-based policy and alerts you if such permissions are found at the time of administering a resource-based policy. The analysis verifies access across all resource-based policy statements, actions, and the set of condition keys used in your policies. **Important** BPA helps protect your resources by preventing public access from being granted through the resource-based policies that are directly attached to your Aurora DSQL resources, such as clusters. In addition to using BPA, carefully inspect the following policies to confirm that they do not grant public access: Identity-based policies attached to associated AWS principals (for example, IAM roles) Resource-based policies attached to associated AWS resources (for example, AWS Key Management Service (KMS) keys) You must ensure that the [principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) doesn't include a `*` entry or that one of the specified condition keys restrict access from principals to the resource. If the resource-based policy grants public access to your cluster across AWS accounts, Aurora DSQL will block you from creating or modifying the policy until the specification within the policy is corrected and deemed non-public. You can make a policy non-public by specifying one or more principals inside the `Principal` block. The following resource-based policy example blocks public access by specifying two principals. ``` { "Effect": "Allow", "Principal": { "AWS": [ "123456789012", "111122223333" ] }, "Action": "dsql:*", "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/cluster-id" } ``` Policies that restrict access by specifying certain condition keys are also not considered public. Along with evaluation of the principal specified in the resource-based policy, the following [trusted condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) are used to complete the evaluation of a resource-based policy for non-public access: + `aws:PrincipalAccount` + `aws:PrincipalArn` + `aws:PrincipalOrgID` + `aws:PrincipalOrgPaths` + `aws:SourceAccount` + `aws:SourceArn` + `aws:SourceVpc` + `aws:SourceVpce` + `aws:UserId` + `aws:PrincipalServiceName` + `aws:PrincipalServiceNamesList` + `aws:PrincipalIsAWSService` + `aws:Ec2InstanceSourceVpc` + `aws:SourceOrgID` + `aws:SourceOrgPaths` Additionally, for a resource-based policy to be non-public, the values for Amazon Resource Name (ARN) and string keys must not contain wildcards or variables. If your resource-based policy uses the `aws:PrincipalIsAWSService` key, you must make sure that you've set the key value to true. The following policy limits access to the user `Ben` in the specified account. The condition makes the `Principal` constrained and not be considered as public. ``` { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "dsql:*", "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/cluster-id", "Condition": { "StringEquals": { "aws:PrincipalArn": "arn:aws:iam::123456789012:user/Ben" } } } ``` The following example of a non-public resource-based policy constrains `sourceVPC` using the `StringEquals` operator. ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "dsql:*", "Resource": "arn:aws:dsql:us-east-1:123456789012:cluster/cluster-id", "Condition": { "StringEquals": { "aws:SourceVpc": [ "vpc-91237329" ] } } } ] } ``` # Aurora DSQL API Operations and Resource-Based Policies API Operations Resource-based policies in Aurora DSQL control access to specific API operations. The following sections list all Aurora DSQL API operations organized by category, with an indication of which ones support resource-based policies. The *Supports RBP* column indicates whether the API operation is subject to resource-based policy evaluation when a policy is attached to the cluster. ## Tag APIs Tags | API Operation | Description | Supports RBP | | --- | --- | --- | | [ListTagsForResource](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_ListTagsForResource.html) | Lists the tags for a Aurora DSQL resource | Yes | | [TagResource](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_TagResource.html) | Adds tags to a Aurora DSQL resource | Yes | | [UntagResource](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_UntagResource.html) | Removes tags from a Aurora DSQL resource | Yes | ## Cluster management APIs Cluster management | API Operation | Description | Supports RBP | | --- | --- | --- | | [CreateCluster](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_CreateCluster.html) | Creates a new cluster | No | | [DeleteCluster](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_DeleteCluster.html) | Deletes a cluster | Yes | | [GetCluster](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_GetCluster.html) | Retrieves information about a cluster | Yes | | [GetVpcEndpointServiceName](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_GetVpcEndpointServiceName.html) | Retrieves the VPC endpoint service name for a cluster | Yes | | [ListClusters](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_ListClusters.html) | Lists clusters in your account | No | | [UpdateCluster](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_UpdateCluster.html) | Updates the configuration of a cluster | Yes | ## Multi-Region property APIs Multi-Region property | API Operation | Description | Supports RBP | | --- | --- | --- | | [AddPeerCluster](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_AddPeerCluster.html) | Adds a peer cluster to a multi-region configuration | Yes | | [PutMultiRegionProperties](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_PutMultiRegionProperties.html) | Sets multi-region properties for a cluster | Yes | | [PutWitnessRegion](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_PutWitnessRegion.html) | Sets the witness region for a multi-region cluster | Yes | ## Resource-based policy APIs Resource-based policy | API Operation | Description | Supports RBP | | --- | --- | --- | | [DeleteClusterPolicy](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_DeleteClusterPolicy.html) | Deletes the resource-based policy from a cluster | Yes | | [GetClusterPolicy](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_GetClusterPolicy.html) | Retrieves the resource-based policy for a cluster | Yes | | [PutClusterPolicy](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_PutClusterPolicy.html) | Creates or updates the resource-based policy for a cluster | Yes | ## AWS Fault Injection Service APIs AWS FIS | API Operation | Description | Supports RBP | | --- | --- | --- | | [InjectError](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_InjectError.html) | Injects errors for fault injection testing | No | ## Backup and restore APIs Backup and restore | API Operation | Description | Supports RBP | | --- | --- | --- | | [GetBackupJob](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_GetBackupJob.html) | Retrieves information about a backup job | No | | [GetRestoreJob](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_GetRestoreJob.html) | Retrieves information about a restore job | No | | [StartBackupJob](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_StartBackupJob.html) | Starts a backup job for a cluster | Yes | | [StartRestoreJob](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_StartRestoreJob.html) | Starts a restore job from a backup | No | | [StopBackupJob](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_StopBackupJob.html) | Stops a running backup job | No | | [StopRestoreJob](https://docs.aws.amazon.com/aurora-dsql/latest/APIReference/API_StopRestoreJob.html) | Stops a running restore job | No |