dbsubnetgroups

https://aws.amazon.com/premiumsupport/knowledge-center/rds-iam-least-privileges/

https://aws.amazon.com/blogs/security/a-primer-on-rds-resource-level-permissions/

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBInstance",
                "rds:CreateDBSubnetGroup"
            ],
            "Resource": "*"
        }
    ]
}






{
    "Version" : "2012-10-17",
    "Statement" : [{
       "Effect" : "Allow",
       "Action" : [ "rds:AddTagsToResource", "rds:RemoveTagsFromResource" 
       ],
       "Resource" : "*",
       "Condition" : { "streq" : { "rds:req-tag/stage" : [ "test", "qa", 
       "production" ] } }
  }
 ]
}