Creating clusters with resource-based policies - Amazon Aurora DSQL
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

Creating clusters with resource-based policies

You can attach resource-based policies when creating a new cluster to ensure access controls are in place from the start. Each cluster can have a single inline policy attached directly to the cluster.

To add a resource-based policy during cluster creation
  1. Sign in to the AWS Management Console and open the Aurora DSQL console at https://console.aws.amazon.com/dsql/.

  2. Choose Create cluster.

  3. Configure your cluster name, tags, and multi-region settings as needed.

  4. In the Cluster settings section, locate the Resource-based policy option.

  5. Turn on Add resource-based policy.

  6. Enter your policy document in the JSON editor. For example, to block public internet access:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": { "AWS": "*" },
          "Resource": "*",
          "Action": [ "dsql:DbConnect", "dsql:DbConnectAdmin" ],
          "Condition": { "Null": { "aws:SourceVpc": "true" } }
        }
      ]
    }

  7. You can use Edit statement or Add new statement to build your policy.

  8. Complete the remaining cluster configuration and choose Create cluster.

Use the --policy parameter when creating a cluster to attach an inline policy:

aws dsql create-cluster --policy '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Resource": "*",
    "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
    "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } }
  }]
}'

Python
import boto3
import json

client = boto3.client('dsql')

# Deny connections that do not originate from the specified VPC.
# Replace vpc-123456 with the ID of your own VPC.
policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Resource": "*",
        "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
        "Condition": {
            "StringNotEquals": {"aws:SourceVpc": "vpc-123456"}
        }
    }]
}

# The policy parameter takes a JSON string, so serialize the dict first.
response = client.create_cluster(policy=json.dumps(policy))
print(f"Cluster created: {response['identifier']}")

Java
import software.amazon.awssdk.services.dsql.DsqlClient;
import software.amazon.awssdk.services.dsql.model.CreateClusterRequest;
import software.amazon.awssdk.services.dsql.model.CreateClusterResponse;

// Wrapper class so the snippet compiles and runs as-is (class name is illustrative).
public class CreateClusterWithPolicy {
    public static void main(String[] args) {
        DsqlClient client = DsqlClient.create();

        // Deny connections that do not originate from the specified VPC.
        // Replace vpc-123456 with the ID of your own VPC.
        String policy = """
            {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Resource": "*",
                "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
                "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-123456" } }
              }]
            }
            """;

        CreateClusterRequest request = CreateClusterRequest.builder()
            .policy(policy)
            .build();
        CreateClusterResponse response = client.createCluster(request);
        System.out.println("Cluster created: " + response.identifier());
    }
}
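The console example above uses a Null condition, while the CLI and SDK examples use StringNotEquals; the following Python is an added example (not AWS documentation code) that models how each form evaluates for a connect request, showing that Null blocks only requests with no aws:SourceVpc key (the public internet), whereas StringNotEquals also blocks requests from any VPC other than vpc-123456. It models only the Deny statements of the cluster policy, treats Principal "*" as matching every caller, and supports just the three operators named in the comments; these simplifications are assumptions of the example.

```python
# Constructed policies mirroring the two condition forms shown on this page.
BLOCK_PUBLIC = {  # Null: deny when the request carries no aws:SourceVpc at all
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*",
                   "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
                   "Condition": {"Null": {"aws:SourceVpc": "true"}}}],
}
ONLY_ONE_VPC = {  # StringNotEquals: deny unless the request comes from one VPC
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*",
                   "Action": ["dsql:DbConnect", "dsql:DbConnectAdmin"],
                   "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-123456"}}}],
}


def condition_matches(condition, ctx):
    """Simplified IAM condition model (assumption: only Null, StringEquals and
    StringNotEquals). Null/"true" matches when the key is absent from the request
    context; StringNotEquals matches when the value differs and, like IAM's other
    negated operators, also when the key is absent entirely."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            wants = want if isinstance(want, list) else [want]
            have = ctx.get(key)
            if op == "Null":
                if (have is None) != (str(wants[0]).lower() == "true"):
                    return False
            elif op == "StringEquals":
                if have not in wants:
                    return False
            elif op == "StringNotEquals":
                if have in wants:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True


def connect_denied(policy, action, ctx):
    """True if any Deny statement in the cluster policy matches this request.
    ctx is the request context, e.g. {"aws:SourceVpc": "vpc-123456"}; an empty
    dict models a connection arriving over the public internet."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False
```

Run connect_denied with an empty context, the intended VPC, and a different VPC to see where the two policy forms diverge before attaching one to a cluster.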