AWS uses role rdsadmin for tasks like this with limited default permissions for other roles.
That seems irrelevant to the fact that you cannot accomplish a task using create database that you can accomplish via alter database. Whatever the mechanism, that inconsistency doesn't make sense. Both should work or both should fail.