Using IAM with DynamoDB backup and restore
You can use AWS Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions for specific resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis.
For more information about using IAM policies in DynamoDB, see Identity-based policies for DynamoDB.
The following are examples of IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.
Example 1: Allow the CreateBackup and RestoreTableFromBackup actions
The following IAM policy grants permissions to allow the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    }
  ]
}
Important
The DynamoDB RestoreTableFromBackup permission is required on the source backup, and DynamoDB read and write permissions on the target table are required for the restore to work.
The DynamoDB RestoreTableToPointInTime permission is required on the source table, and DynamoDB read and write permissions on the target table are required for the restore to work.
Example 2: Allow CreateBackup and deny RestoreTableFromBackup
The following IAM policy grants permissions to allow the CreateBackup action and denies the RestoreTableFromBackup action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:RestoreTableFromBackup"],
      "Resource": "*"
    }
  ]
}
Example 3: Allow ListBackups and deny CreateBackup and RestoreTableFromBackup
The following IAM policy grants permissions to allow the ListBackups action and denies the CreateBackup and RestoreTableFromBackup actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "*"
    }
  ]
}
Example 4: Allow ListBackups and deny DeleteBackup
The following IAM policy grants permissions to allow the ListBackups action and denies the DeleteBackup action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:DeleteBackup"],
      "Resource": "*"
    }
  ]
}
Example 5: Allow RestoreTableFromBackup and DescribeBackup for all resources and deny DeleteBackup for a specific backup
The following IAM policy grants permissions to allow the RestoreTableFromBackup and DescribeBackup actions and denies the DeleteBackup action for a specific backup resource:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:DeleteBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    }
  ]
}
Important
The DynamoDB RestoreTableFromBackup permission is required on the source backup, and DynamoDB read and write permissions on the target table are required for the restore to work.
The DynamoDB RestoreTableToPointInTime permission is required on the source table, and DynamoDB read and write permissions on the target table are required for the restore to work.
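Examples 1 through 5 and the note above rely on three IAM evaluation rules: an explicit Deny wins over any Allow, an action with no matching Allow is implicitly denied, and a restore only succeeds when the principal holds RestoreTableFromBackup on the backup ARN and the read/write data actions on the target table. The following is an added example, not part of the AWS documentation and not an AWS library: a small offline evaluator that applies those rules to the Example 5 policy and to a constructed broad-allow-plus-targeted-deny policy. It handles only Effect, Action and Resource with `*`/`?` wildcards; NotAction, NotResource and Condition are out of scope, and the ARNs for other backups and the target table are assumed values.

```python
import json
import re

# Example 5 from the page, with its stray trailing comma removed so it parses.
EXAMPLE_5_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"},
    {"Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
                "dynamodb:BatchWriteItem"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["dynamodb:DeleteBackup"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"}
  ]
}
""")

# Constructed policy (not from the page): a wildcard Allow with a targeted Deny
# in the style of Example 10, to show explicit-deny precedence over ARN patterns.
BROAD_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"},
    ],
}

# Read/write data actions the page's note requires on the restore target table.
TARGET_TABLE_ACTIONS = [
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    parts = [".".join(re.escape(p) for p in part.split("?")) for part in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Evaluate one action on one ARN: explicit Deny wins, otherwise an Allow is
    needed, otherwise implicit deny. Action names are case-insensitive in IAM;
    resource ARNs are matched case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_restore_from_backup(policy, backup_arn, target_table_arn):
    """Mirror the page's note: RestoreTableFromBackup on the backup ARN plus
    every read/write data action on the target table are all required."""
    needed = [("dynamodb:RestoreTableFromBackup", backup_arn)]
    needed += [(a, target_table_arn) for a in TARGET_TABLE_ACTIONS]
    return all(is_allowed(policy, a, r) for a, r in needed)


if __name__ == "__main__":
    backup = "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    other = "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/00000000000000-aaaaaaaa"  # assumed
    target = "arn:aws:dynamodb:us-east-1:123456789012:table/MusicRestored"  # assumed
    print("DeleteBackup on the named backup:", is_allowed(EXAMPLE_5_POLICY, "dynamodb:DeleteBackup", backup))
    print("restore named backup -> target:", can_restore_from_backup(EXAMPLE_5_POLICY, backup, target))
    print("restore other backup -> target:", can_restore_from_backup(EXAMPLE_5_POLICY, other, target))
    print("broad policy, Music backup:", is_allowed(BROAD_WITH_DENY, "dynamodb:RestoreTableFromBackup", backup))
```

The second check for the other backup comes out denied even though the data actions are granted on every table, because the Allow for RestoreTableFromBackup in Example 5 is scoped to one backup ARN. Against the broad policy, the Deny on `table/Music/backup/*` overrides the `dynamodb:*` Allow for Music backups only; a restore from a backup of another table still passes.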
Example 6: Allow CreateBackup for a specific table
The following IAM policy grants permissions to allow the CreateBackup action only on the Movies table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
      ]
    }
  ]
}
Example 7: Allow ListBackups
The following IAM policy grants permissions to allow the ListBackups action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    }
  ]
}
Important
You cannot grant permissions for the ListBackups action on a specific table.
Example 8: Allow access to AWS Backup features
You need API permission for the StartAwsBackupJob action for a backup with advanced features to succeed, and API permission for the dynamodb:RestoreTableFromAwsBackup action to successfully restore from that backup.
The following IAM policy grants AWS Backup permissions to trigger backups and restores with advanced features. Also note that if the table is encrypted, the policy needs access to the AWS KMS key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeQueryScanBooksTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:StartAwsBackupJob",
        "dynamodb:DescribeTable",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
    },
    {
      "Sid": "AllowRestoreFromAwsBackup",
      "Effect": "Allow",
      "Action": ["dynamodb:RestoreTableFromAwsBackup"],
      "Resource": "*"
    }
  ]
}
Example 9: Deny RestoreTableToPointInTime for a specific source table
The following IAM policy denies permissions for the RestoreTableToPointInTime action on a specific source table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:RestoreTableToPointInTime"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music"
    }
  ]
}
Example 10: Deny RestoreTableFromBackup for all backups of a specific source table
The following IAM policy denies permissions for the RestoreTableFromBackup action on all backups of a specific source table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"
    }
  ]
}
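Two things go wrong in practice with policies like the ten above: a hand-edited document with a trailing comma is rejected by IAM and silently leaves the intended grant or deny out of effect, and a broad `"Resource": "*"` on RestoreTableFromBackup or DeleteBackup (as in Example 1) hands out more than a backup operator needs. The following is an added example, not part of the AWS documentation and not an AWS tool: a small static linter that parses a policy strictly, checks action names against the DynamoDB backup and data actions named on this page, flags Allow statements that grant restore or delete actions on every resource, and applies the rule from Example 7 that ListBackups cannot be scoped to a table. The classification of which actions count as sensitive, and the sample policies with a typo and a trailing comma, are constructed for the example.

```python
import json

# DynamoDB backup/restore actions named on the page, plus the data-plane
# actions its restore note requires on the target table.
KNOWN_ACTIONS = {
    "dynamodb:CreateBackup", "dynamodb:DeleteBackup", "dynamodb:DescribeBackup",
    "dynamodb:ListBackups", "dynamodb:RestoreTableFromBackup",
    "dynamodb:RestoreTableToPointInTime", "dynamodb:StartAwsBackupJob",
    "dynamodb:RestoreTableFromAwsBackup", "dynamodb:DescribeTable",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem",
}
# Assumed classification: actions that overwrite or destroy data, where an
# Allow on Resource "*" is the finding a least-privilege review raises.
SENSITIVE_ACTIONS = {"dynamodb:DeleteBackup", "dynamodb:RestoreTableFromBackup",
                     "dynamodb:RestoreTableToPointInTime"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return a list of findings (empty when clean) for one policy document.
    Parsing is strict on purpose: IAM rejects trailing commas and similar JSON
    defects, so a policy with one never takes effect at all."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17 (the current policy language version)")
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" not in action and action not in KNOWN_ACTIONS:
                findings.append(f"statement {idx}: unknown action {action!r} (typo?)")
        for res in resources:
            if res != "*" and not (res.startswith("arn:aws:dynamodb:") and ":table/" in res):
                findings.append(f"statement {idx}: resource {res!r} is not a DynamoDB table or backup ARN")
        if stmt.get("Effect") == "Allow" and "*" in resources:
            for action in actions:
                if action in SENSITIVE_ACTIONS or action.endswith("*"):
                    findings.append(f"statement {idx}: Allow {action} on Resource \"*\"; "
                                    "scope it to specific table or backup ARNs")
        if "dynamodb:ListBackups" in actions and any(r != "*" for r in resources):
            findings.append(f"statement {idx}: ListBackups cannot be granted per table; use Resource \"*\"")
    return findings


# Example 1 from the page: valid, but grants RestoreTableFromBackup everywhere.
EXAMPLE_1 = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "dynamodb:CreateBackup", "dynamodb:RestoreTableFromBackup", "dynamodb:PutItem",
    "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query",
    "dynamodb:Scan", "dynamodb:BatchWriteItem"], "Resource": "*"}]})

# Constructed: the trailing comma before "]" is the defect seen in pasted policies.
BROKEN = '{"Version": "2012-10-17", "Statement": [ {"Effect": "Allow", ' \
         '"Action": ["dynamodb:RestoreTableFromAwsBackup"], "Resource": "*"}, ] }'

# Constructed: a misspelled action and ListBackups scoped to one table.
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["dynamodb:ListBackups", "dynamodb:RestoreTableFromBackups"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"}]})

# Example 2 from the page: clean under these checks.
EXAMPLE_2 = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:CreateBackup"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"], "Resource": "*"}]})


if __name__ == "__main__":
    for name, doc in [("Example 1", EXAMPLE_1), ("broken", BROKEN),
                      ("weak", WEAK), ("Example 2", EXAMPLE_2)]:
        print(name, "->", lint_policy(doc) or "no findings")
```

A Deny on `"Resource": "*"` is deliberately not flagged: a broad deny, as in Examples 2 through 4, narrows rather than widens what a principal can do.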