hotmeatballsoup

Reputation: 605

Creating RDS instance from exported snapshot on S3

I want to give an intern a snapshot of my RDS DB (MySQL) so that he can play around and do some analytics with the copy. He has a valid IAM user on my AWS account.

I don't want to use a read replica; I want this to be an isolated copy of my DB.

I'm thinking the flow could be:

  1. Create a snapshot of my RDS and export it to an S3 bucket
  2. Give him access to the S3 bucket
  3. Somehow, give him access to create his own (isolated) RDS instances, but not be able to see or modify my RDS instances (production)
  4. That way, he might be able to create a new RDS from the snapshot in the S3 bucket

I think this is a viable sequence of events (correct me if I'm wrong!) but where I'm fuzzy is the last 2 steps, giving him just enough RDS access (not sure what the permissions/ACLs would be) to create his own RDS instances, and how to create those instances from the exported snapshots stored on S3. Does anybody have any ideas here? Ideally, I could limit the size of the RDS instances he can create as well, or limit them in other ways so that he can't send billing through the roof.

Upvotes: 0

Views: 567

Answers (1)

amsh

Reputation: 3377

  1. You can't conditionally allow the intern to see their database and not yours. A conditional listing policy is not applicable here.
  2. You can set tags on your RDS instances and set an IAM policy that does not allow modifying/deleting resources with specific tags, or vice versa. Reference
  3. You may skip exporting the snapshot to S3 altogether and allow your intern to create a DB from the snapshot available on the RDS dashboard.
  4. You can set limits on the instance class by adding the RDS conditions available here. But you won't be able to limit the size and number of DBs they may create.

For the sake of safety and ease, if it's a one-time effort, I would suggest you create a DB from the production snapshot once yourself and provide admin credentials for this new DB to the intern. If it's a repetitive effort, create an AWS CLI bash script that creates a new DB from the latest snapshot and deletes the previous one if it exists; that script would be executed by you.

But if you choose to provide AWS Access:

  • Don't provide any Delete access.
  • Provide Conditional Create, Modify access based on aws:ResourceTag/${TagKey}, rds:DatabaseClass.
  • Provide limited List, Read access.

Upvotes: 3
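The following is an added example, not code from the question or the answer above, showing both paths the answer recommends: an owner-run script that refreshes the intern's copy from the latest production snapshot, and a least-privilege inline IAM policy for the case where the intern gets AWS access (no Delete, Create/Modify gated on `aws:ResourceTag`/`aws:RequestTag` and `rds:DatabaseClass`, limited List/Read). The instance identifiers `prod-mysql` and `intern-sandbox`, the IAM user name `intern`, the tag key `Owner`, and the permitted instance classes are assumptions; the condition keys and CLI subcommands are the ones AWS documents. Two points the answer does not spell out are handled here: the restored instance inherits the production master password, so the script rotates it, and a tag-based policy is only as strong as the tags, so the policy denies adding or removing tags on anything not already tagged as the intern's (otherwise the intern could tag the production instance and then modify it).

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Requires the AWS CLI v2 and
# account-owner credentials; nothing here runs automatically on load.
set -eu

PROD_DB="${PROD_DB:-prod-mysql}"          # assumed production DB instance identifier
INTERN_DB="${INTERN_DB:-intern-sandbox}"  # assumed identifier for the isolated copy
INTERN_USER="${INTERN_USER:-intern}"      # assumed IAM user name of the intern
OWNER_TAG="Owner"                         # assumed tag key used to scope the policy

# Repetitive-effort path from the answer, run by the owner, never the intern:
# restore the newest snapshot of PROD_DB into INTERN_DB, deleting any previous copy.
refresh_intern_db() {
  local latest new_pw
  latest=$(aws rds describe-db-snapshots --db-instance-identifier "$PROD_DB" \
      --query 'sort_by(DBSnapshots,&SnapshotCreateTime)[-1].DBSnapshotIdentifier' \
      --output text)
  if aws rds describe-db-instances --db-instance-identifier "$INTERN_DB" >/dev/null 2>&1; then
    aws rds delete-db-instance --db-instance-identifier "$INTERN_DB" --skip-final-snapshot >/dev/null
    aws rds wait db-instance-deleted --db-instance-identifier "$INTERN_DB"
  fi
  aws rds restore-db-instance-from-db-snapshot \
      --db-instance-identifier "$INTERN_DB" --db-snapshot-identifier "$latest" \
      --db-instance-class db.t3.small --tags "Key=$OWNER_TAG,Value=$INTERN_USER" >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$INTERN_DB"
  # The copy carries the production master password; rotate it before handing it out.
  new_pw=$(openssl rand -base64 24 | tr -d '/+=')
  aws rds modify-db-instance --db-instance-identifier "$INTERN_DB" \
      --master-user-password "$new_pw" --apply-immediately >/dev/null
  echo "$INTERN_DB restored from $latest; new master password: $new_pw"
}

# AWS-access path from the answer: write the intern's inline policy to $1.
write_intern_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "LimitedListRead", "Effect": "Allow",
      "Action": ["rds:DescribeDBInstances", "rds:DescribeDBSnapshots",
                 "rds:DescribeOrderableDBInstanceOptions", "rds:ListTagsForResource"],
      "Resource": "*" },
    { "Sid": "CreateOnlySmallTaggedCopies", "Effect": "Allow",
      "Action": "rds:RestoreDBInstanceFromDBSnapshot",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/$OWNER_TAG": "$INTERN_USER",
                          "rds:DatabaseClass": ["db.t3.micro", "db.t3.small"] } } },
    { "Sid": "ModifyOnlyOwnCopies", "Effect": "Allow",
      "Action": ["rds:ModifyDBInstance", "rds:StopDBInstance",
                 "rds:StartDBInstance", "rds:RebootDBInstance"],
      "Resource": "arn:aws:rds:*:*:db:*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/$OWNER_TAG": "$INTERN_USER" } } },
    { "Sid": "NoDeleteAnywhere", "Effect": "Deny",
      "Action": "rds:Delete*", "Resource": "*" },
    { "Sid": "NoTagPlantingOnProduction", "Effect": "Deny",
      "Action": ["rds:AddTagsToResource", "rds:RemoveTagsFromResource"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:ResourceTag/$OWNER_TAG": "$INTERN_USER" } } }
  ]
}
EOF
}

# Attach the policy to the intern's IAM user.
apply_intern_policy() {
  local doc
  doc=$(mktemp)
  write_intern_policy "$doc"
  aws iam put-user-policy --user-name "$INTERN_USER" \
      --policy-name intern-rds-sandbox --policy-document "file://$doc"
  rm -f "$doc"
}
```

Before handing the user over, check the policy with the IAM policy simulator (`aws iam simulate-principal-policy`) against the production instance ARN for `rds:ModifyDBInstance` and `rds:DeleteDBInstance`; the explicit `Deny` statements are what keep a later, broader `Allow` from reopening production. The instance-class restriction bounds the cost per instance, not the count, which matches the answer's caveat.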
