diff --git a/rds/iam.tf b/rds/iam.tf
index 62076298..1d9fab91 100644
--- a/rds/iam.tf
+++ b/rds/iam.tf
@@ -6,6 +6,7 @@ locals {
 }
 
 # Readonly access to database
+# We allow `ListPolicies` to allow filtering all describable instances by those we can connect to
 resource "aws_iam_group" "rds-db-connect" {
   for_each = toset(local.db_roles)
   name = "${var.project}-${var.environment}-rds-db-connect-${each.key}"
@@ -28,6 +29,16 @@ resource "aws_iam_policy" "rds-db-connect" {
       "Resource": [
         "arn:aws:rds-db:${var.region}:${var.account_id}:dbuser:${aws_db_instance.main.resource_id}/${var.project}_${var.environment}_${each.key}"
       ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicies"
+      ],
+      "Resource": [
+        "arn:aws:iam::${var.account_id}:policy/${var.project}-${var.environment}-rds-db-connect-*",
+        "arn:aws:iam::${var.account_id}:policy/${var.project}-${var.environment}-rds-view"
+      ]
     }
   ]
 }
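Review bot: The new comment is placed above `aws_iam_group.rds-db-connect`, but the `iam:ListPolicies` grant it explains is added to the `aws_iam_policy` statement in the second hunk, so a reader of the group resource will not find the permission it describes. It also says the listing filters "instances", whereas `iam:ListPolicies` returns IAM managed policies, not RDS instances; the filtering of instances presumably happens client-side from the policy names. Move the comment next to the new statement and word it to what the API returns, e.g. `# ListPolicies lets a connecting principal see which rds-db-connect policies exist, so client tooling can narrow the instance list to those it can reach`.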
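Review bot: `iam:ListPolicies` does not support resource-level permissions, so the added statement scoped to the two `arn:aws:iam::...:policy/...` ARNs never matches and the call is denied exactly as if the statement were absent; IAM evaluates that action only against `"Resource": "*"`. If the listing is really required, the statement has to be `"Resource": "*"`, which is a deliberate disclosure of the names and ARNs of every managed policy in the account (not their documents, which need `iam:GetPolicyVersion`), and that trade-off belongs in the comment. If the caller only needs to learn which connect policies it holds, `iam:ListAttachedGroupPolicies` on the group ARN or `iam:GetPolicy` on the specific policy ARNs do accept resource scoping and would keep the grant as narrow as this hunk intends. The enclosing policy document and its `jsonencode`/heredoc start before the hunk.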