Exemplos de políticas para sub-redes privadas que acessam o Amazon S3 - Amazon EMR
Regiões disponíveis

Exemplos de políticas para sub-redes privadas que acessam o Amazon S3

Para sub-redes privadas, você precisará ao menos fornecer a capacidade para o Amazon EMR acessar repositórios do Amazon Linux. A política de sub-rede privada faz parte das políticas de endpoint da VPC para acessar o Amazon S3. Com o Amazon EMR 5.25.0 ou versões posteriores, para habilitar o acesso com um clique ao servidor de histórico persistente do Spark, você deve permitir o acesso do Amazon EMR ao bucket do sistema que coleta logs de eventos do Spark. Se você habilitar o registro em log, forneça permissões PUT para um bucket aws157-logs-*. Para obter mais informações, consulte One-click access to persistent Spark History Server.

Cabe a você determinar as restrições da política que atendam às suas necessidades comerciais. A política de exemplo a seguir fornece permissões para acessar repositórios do Amazon Linux e o bucket do sistema Amazon EMR para coleta de logs de eventos do Spark. Ela mostra alguns exemplos de nomes de recursos para os buckets.

Para obter mais informações sobre o uso de políticas do IAM com endpoints da Amazon VPC, consulte Endpoint policies for Amazon S3.

O exemplo de política a seguir contém exemplos de recursos na região us-east-1.

{
   "Version": "2008-10-17",
   "Statement": [
       {
           "Sid": "AmazonLinuxAMIRepositoryAccess",
           "Effect": "Allow",
           "Principal": "*",
           "Action": "s3:GetObject",
           "Resource": [
           	"arn:aws:s3:::packages.us-east-1.amazonaws.com/*",
           	"arn:aws:s3:::repo.us-east-1.amazonaws.com/",
           	"arn:aws:s3:::repo.us-east-1.amazonaws.com/*"
           ]
       },
       {
           "Sid": "EnableApplicationHistory",
           "Effect": "Allow",
           "Principal": "*",
           "Action": [
               "s3:Put*",
               "s3:Get*",
               "s3:Create*",
               "s3:Abort*",
               "s3:List*"
           ],
           "Resource": [
           	"arn:aws:s3:::prod.us-east-1.appinfo.src/*"
           ]
       }
   ]
}

O exemplo de política a seguir fornece as permissões necessárias para acessar repositórios do Amazon Linux 2. A AMI do Amazon Linux 2 é o padrão.

{
   "Statement": [
       {
           "Sid": "AmazonLinux2AMIRepositoryAccess",
           "Effect": "Allow",
           "Principal": "*",
           "Action": "s3:GetObject",
           "Resource": [
           	"arn:aws:s3:::amazonlinux.us-east-1.amazonaws.com/*",
           	"arn:aws:s3:::amazonlinux-2-repos-us-east-1/*"
           ]
       }
   ]
}

Regiões disponíveis

A tabela a seguir contém uma lista de buckets por região e inclui um nome do recurso da Amazon (ARN) para o repositório e uma string que representa o ARN para appinfo.src. O ARN, ou nome do recurso da Amazon, é uma string que identifica exclusivamente um recurso da AWS.

Região Buckets do repositório Bucket do AppInfo
Leste dos EUA (Ohio) "arn:aws:s3:::packages.us-east-2.amazonaws.com/","arn:aws:s3:::repo.us-east-2.amazonaws.com/","arn:aws:s3:::repo.us-east-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.us-east-2.appinfo.src/*"
Leste dos EUA (Norte da Virgínia) "arn:aws:s3:::packages.us-east-1.amazonaws.com/","arn:aws:s3:::repo.us-east-1.amazonaws.com/","arn:aws:s3:::repo.us-east-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.us-east-1.appinfo.src/*"
Oeste dos EUA (Norte da Califórnia) "arn:aws:s3:::packages.us-west-1.amazonaws.com/","arn:aws:s3:::repo.us-west-1.amazonaws.com/","arn:aws:s3:::repo.us-west-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.us-west-1.appinfo.src/*"
Oeste dos EUA (Oregon) "arn:aws:s3:::packages.us-west-2.amazonaws.com/","arn:aws:s3:::repo.us-west-2.amazonaws.com/","arn:aws:s3:::repo.us-west-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.us-west-2.appinfo.src/*"
África (Cidade do Cabo) "arn:aws:s3:::packages.af-south-1.amazonaws.com/","arn:aws:s3:::repo.af-south-1.amazonaws.com/","arn:aws:s3:::repo.af-south-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.af-south-1.appinfo.src/*"
África (Cidade do Cabo) "arn:aws:s3:::packages.ap-east-1.amazonaws.com/","arn:aws:s3:::repo.ap-east-1.amazonaws.com/","arn:aws:s3:::repo.ap-east-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-east-1.appinfo.src/*"
Ásia-Pacífico (Hyderabad) "arn:aws:s3:::packages.ap-south-2.amazonaws.com/","arn:aws:s3:::repo.ap-south-2.amazonaws.com/","arn:aws:s3:::repo.ap-south-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-south-2.appinfo.src/*"
Ásia-Pacífico (Jacarta) "arn:aws:s3:::packages.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-southeast-3.appinfo.src/*"
Ásia-Pacífico (Malásia) "arn:aws:s3:::packages.ap-southeast-5.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-5.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-5.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-southeast-5.appinfo.src/*"
Ásia-Pacífico (Melbourne) "arn:aws:s3:::packages.ap-southeast-4.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-4.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-4.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-south-2.appinfo.src/*"
Ásia-Pacífico (Jacarta) "arn:aws:s3:::packages.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-southeast-4.appinfo.src/*"
Ásia Pacífico (Mumbai) "arn:aws:s3:::packages.ap-south-1.amazonaws.com/","arn:aws:s3:::repo.ap-south-1.amazonaws.com/","arn:aws:s3:::repo.ap-south-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-south-1.appinfo.src/*"
Asia Pacific (Osaka) "arn:aws:s3:::packages.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-3.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-southeast-4.appinfo.src/*"
Ásia-Pacífico (Seul) "arn:aws:s3:::packages.ap-northeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-northeast-2.appinfo.src/*"
Ásia-Pacífico (Singapura) "arn:aws:s3:::packages.ap-southeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-southeast-1.appinfo.src/*"
Ásia-Pacífico (Sydney) "arn:aws:s3:::packages.ap-southeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-2.amazonaws.com/","arn:aws:s3:::repo.ap-southeast-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-southeast-2.appinfo.src/*"
Ásia-Pacífico (Tóquio) "arn:aws:s3:::packages.ap-northeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-northeast-1.appinfo.src/*"
Canadá (Central) "arn:aws:s3:::packages.ca-central-1.amazonaws.com/","arn:aws:s3:::repo.ca-central-1.amazonaws.com/","arn:aws:s3:::repo.ca-central-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.ca-central-1.appinfo.src/*"
Oeste do Canadá (Calgary) "arn:aws:s3:::packages.ap-northeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-1.amazonaws.com/","arn:aws:s3:::repo.ap-northeast-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.ap-northeast-1.appinfo.src/*"
Europa (Frankfurt) "arn:aws:s3:::packages.eu-central-1.amazonaws.com/","arn:aws:s3:::repo.eu-central-1.amazonaws.com/","arn:aws:s3:::repo.eu-central-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-central-1.appinfo.src/*"
Europa (Irlanda) "arn:aws:s3:::packages.eu-west-1.amazonaws.com/","arn:aws:s3:::repo.eu-west-1.amazonaws.com/","arn:aws:s3:::repo.eu-west-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-west-1.appinfo.src/*"
Europa (Londres) "arn:aws:s3:::packages.eu-west-2.amazonaws.com/","arn:aws:s3:::repo.eu-west-2.amazonaws.com/","arn:aws:s3:::repo.eu-west-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-west-2.appinfo.src/*"
Europa (Milão) "arn:aws:s3:::packages.eu-south-1.amazonaws.com/","arn:aws:s3:::repo.eu-south-1.amazonaws.com/","arn:aws:s3:::repo.eu-south-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-south-1.appinfo.src/*"
Europa (Paris) "arn:aws:s3:::packages.eu-west-3.amazonaws.com/","arn:aws:s3:::repo.eu-west-3.amazonaws.com/","arn:aws:s3:::repo.eu-west-3.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-west-3.appinfo.src/*"
Europa (Espanha) "arn:aws:s3:::packages.eu-south-2.amazonaws.com/","arn:aws:s3:::repo.eu-south-2.amazonaws.com/","arn:aws:s3:::repo.eu-south-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-south-2.appinfo.src/*"
Europa (Estocolmo) "arn:aws:s3:::packages.eu-north-1.amazonaws.com/","arn:aws:s3:::repo.eu-north-1.amazonaws.com/","arn:aws:s3:::repo.eu-north-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-north-1.appinfo.src/*"
Europa (Zurique) "arn:aws:s3:::packages.eu-central-2.amazonaws.com/","arn:aws:s3:::repo.eu-central-2.amazonaws.com/","arn:aws:s3:::repo.eu-central-2.emr.amazonaws.com/*" "arn:aws:s3:::prod.eu-central-2.appinfo.src/*"
Israel (Tel Aviv) "arn:aws:s3:::packages.il-central-1.amazonaws.com/","arn:aws:s3:::repo.il-central-1.amazonaws.com/","arn:aws:s3:::repo.il-central-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.il-central-1.appinfo.src/*"
Oriente Médio (Bahrein) "arn:aws:s3:::packages.me-south-1.amazonaws.com/","arn:aws:s3:::repo.me-south-1.amazonaws.com/","arn:aws:s3:::repo.me-south-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.me-south-1.appinfo.src/*"
Oriente Médio (Emirados Árabes Unidos) "arn:aws:s3:::packages.me-central-1.amazonaws.com/","arn:aws:s3:::repo.me-central-1.amazonaws.com/","arn:aws:s3:::repo.me-central-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.me-central-1.appinfo.src/*"
América do Sul (São Paulo) "arn:aws:s3:::packages.sa-east-1.amazonaws.com/","arn:aws:s3:::repo.sa-east-1.amazonaws.com/","arn:aws:s3:::repo.sa-east-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.sa-east-1.appinfo.src/*"
AWS GovCloud (Leste dos EUA) "arn:aws:s3:::packages.us-gov-east-1.amazonaws.com/","arn:aws:s3:::repo.us-gov-east-1.amazonaws.com/","arn:aws:s3:::repo.us-gov-east-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.us-gov-east-1.appinfo.src/*"
AWS GovCloud (Oeste dos EUA) "arn:aws:s3:::packages.us-gov-west-1.amazonaws.com/","arn:aws:s3:::repo.us-gov-west-1.amazonaws.com/","arn:aws:s3:::repo.us-gov-west-1.emr.amazonaws.com/*" "arn:aws:s3:::prod.me-south-1.appinfo.src/*"