Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About Amazon Relational Database Service (RDS)

The Amazon RDS connector collects instance and Aurora cluster settings, parameter groups, subnet groups, snapshots, backups, and encryption posture without connecting to databases or running queries. Authentication is a cross-account IAM role with sts:AssumeRole and an external ID.

How it works

Attach AmazonRDSReadOnlyAccess for simplicity, or paste the inline JSON below for a narrower rds:Describe* footprint.
DetailValue
CategoryDatabases
AuthenticationCross-account IAM role
References: AmazonRDSReadOnlyAccess, RDS IAM.

Prerequisites

  • IAM rights to create roles and policies.
  • Live principal + external ID from your connector tab.

Connect AWS RDS to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS RDS

Find AWS RDS (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

Open IAMRolesCreate role.
2

Configure trusted entity

Choose AWS accountAnother AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3

Attach RDS read permissions

Attach AmazonRDSReadOnlyAccess, or attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
4

Name the role and copy the ARN

Name the role (for example IruRDSReadOnly), create it, and copy the Role ARN.
5

Verify the trust relationship

Confirm Trust relationships matches the wizard JSON.

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit until AWS RDS turns Active when validation succeeds.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Fix external ID / principal typos.
Ensure rds:DescribeDBClusters is allowed (Describe* covers it).
Confirm DescribeDBSnapshots / cluster snapshot APIs match your engine types.

Considerations

RDS APIs are Regional: inventory spans enabled…

RDS APIs are Regional; inventory spans enabled Regions.

Evidence is infrastructure metadata, not SQL result…

Evidence is infrastructure metadata, not SQL result sets.

See also