When you are trying to create an RDS database and you get the dreaded error message:

IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING

Then you need to make sure that the role's trust policy allows the correct service principal to assume it:

monitoring.rds.amazonaws.com

The trust policy for your role should look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "monitoring.rds.amazonaws.com"
      }
    }
  ]
}
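
An offline check for a trust policy like the one above, added here as an example and not part of the original post: it parses the policy JSON and reports whether `monitoring.rds.amazonaws.com` may assume the role, and which other service principals are trusted as well. The function names and the second sample policy are constructed for illustration; `Condition` blocks and `Deny` statements are not evaluated.

```python
import json

RDS_MONITORING = "monitoring.rds.amazonaws.com"

# The trust policy shown on the page, condensed.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Action": "sts:AssumeRole", "Effect": "Allow",
   "Principal": {"Service": "cloudwatch.amazonaws.com"}},
  {"Action": "sts:AssumeRole", "Effect": "Allow",
   "Principal": {"Service": "monitoring.rds.amazonaws.com"}}]}"""

# Constructed sample: trusts a different principal than the one the page requires.
WRONG_POLICY = """{"Version": "2012-10-17", "Statement": {
  "Action": ["sts:AssumeRole"], "Effect": "Allow",
  "Principal": {"Service": ["rds.amazonaws.com"]}}}"""


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Service."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(policy_json, required=RDS_MONITORING):
    """Return (trusted, extra): whether `required` may assume the role, and
    the other service principals allowed to. Conditions/Deny are ignored."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    allowed = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            allowed.update(_as_list(principal.get("Service")))
    return required in allowed, sorted(allowed - {required})


if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("wrong", WRONG_POLICY)):
        trusted, extra = check_trust_policy(doc)
        print(f"{name}: trusts {RDS_MONITORING}={trusted}, other principals={extra}")
```

Any extra principals it reports are worth reviewing: each one is another service that can assume the monitoring role.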