amazon-rds - 如何为 AWS Aurora 提供粒度 IAM 控制？

Question

我想提供最低权限 IAM 策略来控制 AWS Aurora 实例的创建和删除。数据库实例的权限工作正常，但无法删除数据库集群对象：

User xxxxxxx is not authorized to perform: rds:DeleteDBCluster

这是我想要的权利：

{
  "Sid": "313",
  "Effect": "Allow",
  "Action": [
    "rds:ModifyDBCluster",
    "rds:DeleteDBCluster"
  ],
  "Resource": "arn:aws:rds:eu-west-1:123456789101:cluster:*",
  "Condition": {
    "StringEquals": {
      "rds:cluster-tag/author": "qa"
    }
  }
}

但据我测试，只有这个有效：

{
  "Sid": "313",
  "Effect": "Allow",
  "Action": [
    "rds:ModifyDBCluster",
    "rds:DeleteDBCluster"
  ],
  "Resource": "*"
}