Postgresql – Creating a read only account for AWS RDS PostgreSQL

amazon-rdsamazon-web-servicespostgresql

I would like to create a read only account for all of our RDS instances in AWS (PostGreSQL). I started by creating an IAM group and attached the AmazonRDSReadOnlyAccess policy. I created a new IAM user and put him in this group. I cannot connect to our database with this new read only user (tested successfully with our admin account just fine). I now realize I don't have a read only user in the database itself. Which begs me three questions:

Is there any sense in creating a read-only IAM user for our RDS
instances when I can create a read only DB user inside the database?
When I access the db via the commandline, ex. psql –host=servername –port=portnumber –username=username –password –dbname=databasename. This is the name of the DB user as I understand, so is there a point in creating a separate RDS IAM read
only user?
If I have a read only IAM user for RDS, is there any danger they could still have write access if say someone else created a DB write
account for them?

Best Answer

IAM users and DB users are 100% separated. One never affects the other and each serves different purposes.

IAM users

These users read/change/delete the servers using the AWS APIs. They cannot access or otherwise do anything with the database via the psql application.

IAM users can do the following:

Create RDS instances
Read information from the RDS instance
Delete RDS instances
Create and restore snapshots
Modify RDS options and parameters

All the above are done using the AWS SDKs and CLI.

DB users

These users read/change/delete data in the database. They cannot manage or otherwise do anything with the RDS instance.

DB users can do the following:

Select data
Insert data
Update data
Delete data
Create databases
Managed other DB users

All the above are done using psql for example.

Related Solutions

AWS RDS CLI: AccessDenied on CreateDBSnapshot

It is indeed strange, but it appears that the CreateDBSnapshot permission also has to be assigned to the destination snapshot.

This policy works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxxxxxxx",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBSnapshot"
            ],
            "Resource": [
                "arn:aws:rds:eu-west-1:xxxxxxxxxxxxxx:db:my-database",
                "arn:aws:rds:eu-west-1:xxxxxxxxxxxxxx:snapshot:*"
            ]
        }
    ]
}

How to improve AWS RDS Performance – Heavy read write updates

I'm going to turn my comments above into an answer.

T2 instances only get a fraction of a CPU - 10% for a t2.micro, 40% for a t2.medium. You get CPU credits that build up, but once you use them you get throttled for CPU. You also get lower network and IO performance as you have to share physical machine resources.

What I suspect is happening is your testing has run out of CPU credits so you're being throttled. You can monitor CPU credits in CloudWatch, this will tell you whether or not my guess is correct.

Whether I'm right or not, t2 instances aren't suitable for systems that get work coming in constantly. A C4 or other general instance would probably be your best bet. You can monitor your database memory and CPU usage in CloudWatch to help work out what database instance size you need.

Best Answer

Related Solutions

AWS RDS CLI: AccessDenied on CreateDBSnapshot

How to improve AWS RDS Performance – Heavy read write updates

Related Topic