Creating clusters with resource-based policies
You can attach resource-based policies when creating a new cluster to ensure access controls are in place from the start. Each cluster can have a single inline policy attached directly to the cluster.
To add a resource-based policy during cluster creation
Sign in to the AWS Management Console and open the Aurora DSQL console at https://console.aws.amazon.com/dsql/.
Choose Create cluster.
Configure your cluster name, tags, and multi-region settings as needed.
In the Cluster settings section, locate the Resource-based policy option.
Turn on Add resource-based policy.
Enter your policy document in the JSON editor. For example, to block public internet access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Resource": "*",
      "Action": [
        "dsql:DbConnect",
        "dsql:DbConnectAdmin"
      ],
      "Condition": {
        "Null": { "aws:SourceVpc": "true" }
      }
    }
  ]
}
You can use Edit statement or Add new statement to build your policy.
Complete the remaining cluster configuration and choose Create cluster.
To attach an inline policy with the AWS CLI, use the --policy parameter when creating a cluster. The following example denies database connections unless the request arrives through the VPC vpc-123456 (an example ID):
aws dsql create-cluster \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Principal": { "AWS": "*" },
        "Resource": "*",
        "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
        "Condition": {
          "StringNotEquals": { "aws:SourceVpc": "vpc-123456" }
        }
      }
    ]
  }'
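The two policies above differ in one condition operator, and the difference matters: the console example denies connections whenever the aws:SourceVpc key is absent from the request (traffic that did not come through a VPC endpoint), while the CLI example also denies connections from any VPC other than vpc-123456. The following script is an added example, not code from the Aurora DSQL documentation or from AWS. It builds both policy documents, emits the CLI form, and runs a deliberately simplified Deny-only evaluator over constructed request contexts so you can check what each condition blocks before attaching it. The evaluator only models the Null, StringEquals and StringNotEquals operators and ignores Principal and Resource matching; it assumes the documented IAM behaviour that a negated operator such as StringNotEquals matches when the key is missing from the request context.

```python
import json

# Policy shown for the console: deny DSQL connections when the request
# carries no aws:SourceVpc key, i.e. it did not arrive via a VPC endpoint.
DENY_NON_VPC = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Resource": "*",
            "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
            "Condition": {"Null": {"aws:SourceVpc": "true"}},
        }
    ],
}


def vpc_only_policy(vpc_id):
    """Build the CLI-style policy: deny connections unless they come from vpc_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Resource": "*",
                "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
                "Condition": {"StringNotEquals": {"aws:SourceVpc": vpc_id}},
            }
        ],
    }


def policy_cli_argument(policy):
    """Compact JSON suitable for passing as the --policy value."""
    return json.dumps(policy, separators=(",", ":"))


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition key against a request context dict.

    Simplified model (assumption): only three operators are supported.
    """
    present = key in ctx
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return present != (expected == "true")
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":
        # Negated operators are modelled as matching when the key is missing,
        # which is why this policy also blocks non-VPC traffic.
        return (not present) or ctx[key] != expected
    raise ValueError(f"operator {operator!r} not modelled by this example")


def is_denied(policy, action, ctx):
    """Return True if any Deny statement in the policy applies to the request.

    Principal and Resource are not evaluated (both are "*" in these policies).
    A Deny with no Condition block always applies.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {})
        if all(
            condition_matches(op, key, value, ctx)
            for op, pairs in conditions.items()
            for key, value in pairs.items()
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: one public, one from the allowed VPC,
    # one from a different VPC.
    contexts = {
        "public internet": {},
        "vpc-123456": {"aws:SourceVpc": "vpc-123456"},
        "vpc-999999": {"aws:SourceVpc": "vpc-999999"},
    }
    vpc_policy = vpc_only_policy("vpc-123456")
    for label, ctx in contexts.items():
        print(
            f"{label:16} Null-policy denied={is_denied(DENY_NON_VPC, 'dsql:DbConnect', ctx)} "
            f"VPC-policy denied={is_denied(vpc_policy, 'dsql:DbConnect', ctx)}"
        )
    print("--policy", policy_cli_argument(vpc_policy))
```

Keep in mind that a resource-based Deny never grants access by itself: a principal still needs an Allow for dsql:DbConnect or dsql:DbConnectAdmin from an identity policy or an Allow statement in this policy, and any action not listed in the Deny (such as control-plane calls) is untouched by it.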