
How to change RDS Security Group using boto3?

I am restoring (= creating a new instance) an RDS MySQL Snapshot using boto3. Unfortunately the Security Group does not get copied over; instead it gets assigned the default Security Group, which has no limitations on incoming traffic.

Looking at the source RDS instance I can see the correct Security Group (sg-a247eec5) attached to the RDS instance. This Security Group is visible under EC2 - Security Groups and VPC - Security Groups, but not under RDS - Security Groups.

I am using restore_db_instance_from_db_snapshot but I can't see where I would attach that Security Group to the new instance.

I can easily attach the correct Security Group by using the AWS UI (modifying my RDS Instance).

There is modify_instance_attribute on the EC2 client which can change Security Groups, but it requires an InstanceId, which I don't get from my RDS instance. The only thing I can find is DBInstanceIdentifier.

Trying to set the correct IAM permissions confuses me too. I have an RDS ARN: arn:aws:rds:ap-southeast-2:<account_id>:db:<db_instance_name> but ModifyInstanceAttribute is listed under Amazon EC2. Selecting both in the policy editor gives me an error saying the ARN is invalid (which makes sense).

Whenever you use the restore_db_instance_from_db_snapshot API, the default behavior is to apply the default security group and the default parameter group. The same is documented in the RDS API reference:

The target database is created from the source database restore point with most of the original configuration, with the default security group and the default DB parameter group.

The workaround is to use the modify_db_instance API once the restore is complete. DBInstanceIdentifier is to an RDS instance what an InstanceId is to an EC2 instance.

Pass the same DBInstanceIdentifier which you used above as an input to this API.

import boto3

client = boto3.client('rds')

response = client.modify_db_instance(
    DBInstanceIdentifier='string',
    # DBSecurityGroups is for EC2-Classic DB security groups. If you are
    # using EC2/VPC security groups then remove it and use VpcSecurityGroupIds.
    DBSecurityGroups=[
        'string',
    ],
    VpcSecurityGroupIds=[
        'string',
    ],
    DBParameterGroupName='string',
    ApplyImmediately=True,
)

I believe you need to change both the security group as well as the parameter group (unless you are fine with the default one). If you are changing the parameter group, then you need to reboot the DB instance as well for the settings to take effect.

response = client.reboot_db_instance(
    DBInstanceIdentifier='string',
)

Also, you need the role performing the above DB operations to have the policy permissions below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507879517000",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBInstance",
                "rds:ModifyDBInstance",
                "rds:RebootDBInstance",
                "rds:RestoreDBInstanceFromDBSnapshot"
            ],
            "Resource": [
                "arn:aws:rds:*:XXXXXXXXXX:db:*"
            ]
        }
    ]
}
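The full procedure the answer describes (restore, wait for the instance, swap the VPC security group and parameter group with modify_db_instance, reboot only when the parameter group changed, then read the instance back and fail if the default group survived), as an added example that is not part of the original question or answer. It uses the boto3 RDS client calls named above plus the standard db_instance_available waiter; FakeRds is a constructed offline stand-in with the same four methods, and the instance, snapshot and parameter group names are assumed for illustration (sg-a247eec5 is the group from the question).

```python
"""Restore an RDS instance from a snapshot into the intended VPC security
group and parameter group, then verify the result (added example)."""


def plan_modify(vpc_security_group_ids, parameter_group_name=None):
    """Build modify_db_instance kwargs. EC2/VPC groups (sg-...) go in
    VpcSecurityGroupIds; DBSecurityGroups is the EC2-Classic parameter and
    is deliberately never set, which is why the two must not be mixed."""
    ids = list(vpc_security_group_ids)
    if not ids:
        raise ValueError("no security groups given")
    bad = [g for g in ids if not g.startswith("sg-")]
    if bad:
        raise ValueError(f"not VPC security group ids: {bad}")
    kwargs = {"VpcSecurityGroupIds": ids, "ApplyImmediately": True}
    if parameter_group_name:
        kwargs["DBParameterGroupName"] = parameter_group_name
    return kwargs


def verify_groups(rds, identifier, vpc_security_group_ids, parameter_group_name=None):
    """Read the instance back; modify replaces the whole group list, so any
    leftover (e.g. the VPC default group) means the change did not land."""
    inst = rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0]
    attached = {g["VpcSecurityGroupId"] for g in inst["VpcSecurityGroups"]}
    if attached != set(vpc_security_group_ids):
        raise RuntimeError(f"{identifier}: groups are {sorted(attached)}, "
                           f"wanted {sorted(vpc_security_group_ids)}")
    if parameter_group_name:
        pg = inst["DBParameterGroups"][0]
        if pg["DBParameterGroupName"] != parameter_group_name or pg["ParameterApplyStatus"] != "in-sync":
            raise RuntimeError(f"{identifier}: parameter group not applied: {pg}")
    return sorted(attached)


def restore_with_groups(rds, identifier, snapshot_id, vpc_security_group_ids,
                        parameter_group_name=None, wait_delay=15):
    """`rds` is a boto3 RDS client (or FakeRds below for offline runs)."""
    cfg = {"Delay": wait_delay, "MaxAttempts": 240}
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=identifier, DBSnapshotIdentifier=snapshot_id)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=identifier, WaiterConfig=cfg)
    rds.modify_db_instance(DBInstanceIdentifier=identifier,
                           **plan_modify(vpc_security_group_ids, parameter_group_name))
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=identifier, WaiterConfig=cfg)
    if parameter_group_name:  # a new parameter group is only in-sync after a reboot
        rds.reboot_db_instance(DBInstanceIdentifier=identifier)
        rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=identifier, WaiterConfig=cfg)
    return verify_groups(rds, identifier, vpc_security_group_ids, parameter_group_name)


class FakeRds:
    """Constructed offline stand-in for the boto3 RDS client, mimicking the
    behaviour the answer describes: restore attaches the default VPC group
    and default parameter group, modify replaces them, reboot syncs them."""

    def __init__(self):
        self.instances, self.calls = {}, []

    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, **_):
        self.calls.append("restore")
        self.instances[DBInstanceIdentifier] = {
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0default0", "Status": "active"}],
            "DBParameterGroups": [{"DBParameterGroupName": "default.mysql5.7",
                                   "ParameterApplyStatus": "in-sync"}]}

    def modify_db_instance(self, DBInstanceIdentifier, VpcSecurityGroupIds, DBParameterGroupName=None, **_):
        self.calls.append("modify")
        inst = self.instances[DBInstanceIdentifier]
        inst["VpcSecurityGroups"] = [{"VpcSecurityGroupId": g, "Status": "active"} for g in VpcSecurityGroupIds]
        if DBParameterGroupName:
            inst["DBParameterGroups"] = [{"DBParameterGroupName": DBParameterGroupName,
                                          "ParameterApplyStatus": "pending-reboot"}]

    def reboot_db_instance(self, DBInstanceIdentifier, **_):
        self.calls.append("reboot")
        for pg in self.instances[DBInstanceIdentifier]["DBParameterGroups"]:
            pg["ParameterApplyStatus"] = "in-sync"

    def describe_db_instances(self, DBInstanceIdentifier, **_):
        return {"DBInstances": [self.instances[DBInstanceIdentifier]]}

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **_: None})()


if __name__ == "__main__":
    # Offline run; pass boto3.client("rds", region_name="ap-southeast-2") instead for real.
    print(restore_with_groups(FakeRds(), "restored-db", "my-snapshot", ["sg-a247eec5"], "custom-mysql"))
```

The verify step is the part worth keeping in any automation: the whole point of the question is that the restored instance silently lands in the wide-open default group, and a script that only fires modify_db_instance without reading the instance back cannot tell whether that actually changed.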
