

This page is a machine-translated version. If the translation differs from the English original, the English original prevails.

# Application Auto Scaling identity-based policy examples
<a name="security_iam_id-based-policy-examples"></a>

By default, a new user in your AWS account has no permission to do anything. An IAM administrator must create and assign IAM policies that grant IAM identities (such as users or roles) permission to perform Application Auto Scaling API operations.

To learn how to create an IAM policy using the following example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Permissions required for Application Auto Scaling API operations](#application-auto-scaling-actions-permissions)
+ [Permissions required for API operations on target services and CloudWatch](#application-auto-scaling-additional-permissions)
+ [Permissions for working in the AWS Management Console](#security_iam_id-based-policy-examples-console)

## Permissions required for Application Auto Scaling API operations
<a name="application-auto-scaling-actions-permissions"></a>

The following policies grant permissions for common use cases when calling the Application Auto Scaling API. Refer to this section when writing identity-based policies. Each policy grants permission to perform all or some of the Application Auto Scaling API operations. You also need to make sure that end users have permissions for the target service and for CloudWatch (for more information, see the next section).

The following identity-based policy grants permission to perform all Application Auto Scaling API operations. It is the broadest grant on this page; prefer one of the narrower policies that follow unless the identity genuinely needs both scaling policies and scheduled actions.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "application-autoscaling:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

The following identity-based policy grants permission to perform all of the Application Auto Scaling API operations required to configure scaling policies, but not scheduled actions. Note that `PutScheduledAction`, `DescribeScheduledActions` and `DeleteScheduledAction` are absent from the action list, so a caller with only this policy cannot create or read scheduled actions.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "application-autoscaling:RegisterScalableTarget",
              "application-autoscaling:DescribeScalableTargets",
              "application-autoscaling:DeregisterScalableTarget",
              "application-autoscaling:PutScalingPolicy",
              "application-autoscaling:DescribeScalingPolicies",
              "application-autoscaling:DescribeScalingActivities",
              "application-autoscaling:DeleteScalingPolicy"
            ],
            "Resource": "*"
        }
    ]
}
```

------

The following identity-based policy grants permission to perform all of the Application Auto Scaling API operations required to configure scheduled actions, but not scaling policies. It is the mirror image of the previous policy: the scaling-policy actions (`PutScalingPolicy`, `DescribeScalingPolicies`, `DeleteScalingPolicy`) are replaced by the scheduled-action ones.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "application-autoscaling:RegisterScalableTarget",
              "application-autoscaling:DescribeScalableTargets",
              "application-autoscaling:DeregisterScalableTarget",
              "application-autoscaling:PutScheduledAction",
              "application-autoscaling:DescribeScheduledActions",
              "application-autoscaling:DescribeScalingActivities",
              "application-autoscaling:DeleteScheduledAction"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Permissions required for API operations on target services and CloudWatch
<a name="application-auto-scaling-additional-permissions"></a>

To successfully configure and use Application Auto Scaling with a target service, end users must be granted access to Amazon CloudWatch and to each target service for which they will configure scaling. Use the following policies to grant the minimum permissions required to work with the target service and CloudWatch. Every example below uses `"Resource": "*"`; where a target service supports resource-level permissions, you can narrow `Resource` to the ARNs of the specific tables, services or clusters that are actually being scaled.

**Topics**
+ [AppStream 2.0 fleets](#permissions-for-appstream-fleets)
+ [Aurora Replicas](#permissions-for-aurora-clusters)
+ [Amazon Comprehend document classification and entity recognizer endpoints](#permissions-for-comprehend-endpoints)
+ [DynamoDB tables and global secondary indexes](#permissions-for-dynamodb-tables-and-gsis)
+ [ECS services](#permissions-for-ecs-services)
+ [ElastiCache replication groups](#permissions-for-elasticache)
+ [Amazon EMR clusters](#permissions-for-emr-clusters)
+ [Amazon Keyspaces tables](#permissions-for-keyspaces-tables)
+ [Lambda functions](#permissions-for-lambda-functions)
+ [Amazon Managed Streaming for Apache Kafka (MSK) broker storage](#permissions-for-msk-broker-storage)
+ [Neptune clusters](#permissions-for-neptune-clusters)
+ [SageMaker AI endpoints](#permissions-for-sagemaker-endpoints)
+ [Spot Fleets (Amazon EC2)](#permissions-for-spot-fleet)
+ [Custom resources](#permissions-for-custom-resources)

### AppStream 2.0 fleets
<a name="permissions-for-appstream-fleets"></a>

The following identity-based policy grants permission to all required AppStream 2.0 and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "appstream:DescribeFleets",
              "appstream:UpdateFleet",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Aurora Replicas
<a name="permissions-for-aurora-clusters"></a>

The following identity-based policy grants permission to all required Aurora and CloudWatch API operations. Scaling Aurora Replicas adds and removes DB instances, which is why `rds:CreateDBInstance` and `rds:DeleteDBInstance` are required.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "rds:AddTagsToResource",
              "rds:CreateDBInstance",
              "rds:DeleteDBInstance",
              "rds:DescribeDBClusters",
              "rds:DescribeDBInstances",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Amazon Comprehend document classification and entity recognizer endpoints
<a name="permissions-for-comprehend-endpoints"></a>

The following identity-based policy grants permission to all required Amazon Comprehend and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "comprehend:UpdateEndpoint",
              "comprehend:DescribeEndpoint",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### DynamoDB tables and global secondary indexes
<a name="permissions-for-dynamodb-tables-and-gsis"></a>

The following identity-based policy grants permission to all required DynamoDB and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "dynamodb:DescribeTable",
              "dynamodb:UpdateTable",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### ECS services
<a name="permissions-for-ecs-services"></a>

The following identity-based policy grants permission to all required ECS and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "ecs:DescribeServices",
              "ecs:UpdateService",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### ElastiCache replication groups
<a name="permissions-for-elasticache"></a>

The following identity-based policy grants permission to all required ElastiCache and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "elasticache:ModifyReplicationGroupShardConfiguration",
              "elasticache:IncreaseReplicaCount",
              "elasticache:DecreaseReplicaCount",
              "elasticache:DescribeReplicationGroups",
              "elasticache:DescribeCacheClusters",
              "elasticache:DescribeCacheParameters",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Amazon EMR clusters
<a name="permissions-for-emr-clusters"></a>

The following identity-based policy grants permission to all required Amazon EMR and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "elasticmapreduce:ModifyInstanceGroups",
              "elasticmapreduce:ListInstanceGroups",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Amazon Keyspaces tables
<a name="permissions-for-keyspaces-tables"></a>

The following identity-based policy grants permission to all required Amazon Keyspaces and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "cassandra:Select",
              "cassandra:Alter",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Lambda functions
<a name="permissions-for-lambda-functions"></a>

The following identity-based policy grants permission to all required Lambda and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "lambda:PutProvisionedConcurrencyConfig",
              "lambda:GetProvisionedConcurrencyConfig",
              "lambda:DeleteProvisionedConcurrencyConfig",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Amazon Managed Streaming for Apache Kafka (MSK) broker storage
<a name="permissions-for-msk-broker-storage"></a>

The following identity-based policy grants permission to all required Amazon MSK and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "kafka:DescribeCluster",
              "kafka:DescribeClusterOperation",
              "kafka:UpdateBrokerStorage",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Neptune clusters
<a name="permissions-for-neptune-clusters"></a>

The following identity-based policy grants permission to all required Neptune and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "rds:AddTagsToResource",
              "rds:CreateDBInstance",
              "rds:DescribeDBInstances",
              "rds:DescribeDBClusters",
              "rds:DescribeDBClusterParameters",
              "rds:DeleteDBInstance",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### SageMaker AI endpoints
<a name="permissions-for-sagemaker-endpoints"></a>

The following identity-based policy grants permission to all required SageMaker AI and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "sagemaker:DescribeEndpoint",
              "sagemaker:DescribeEndpointConfig",
              "sagemaker:DescribeInferenceComponent",
              "sagemaker:UpdateEndpointWeightsAndCapacities",
              "sagemaker:UpdateInferenceComponentRuntimeConfig",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Spot Fleets (Amazon EC2)
<a name="permissions-for-spot-fleet"></a>

The following identity-based policy grants permission to all required Spot Fleet and CloudWatch API operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeSpotFleetRequests",
              "ec2:ModifySpotFleetRequest",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Custom resources
<a name="permissions-for-custom-resources"></a>

The following identity-based policy grants permission to invoke the API Gateway endpoint that fronts a custom resource. The policy also grants permission to all required CloudWatch operations.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "execute-api:Invoke",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm",
              "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Permissions for working in the AWS Management Console
<a name="security_iam_id-based-policy-examples-console"></a>

There is no standalone Application Auto Scaling console. Most services that integrate with Application Auto Scaling have features dedicated to helping you configure scaling through their own consoles.

In most cases, each service provides AWS managed (predefined) IAM policies that define access to its console, including permissions for the Application Auto Scaling API operations. For more information, refer to the documentation for the service whose console you want to use.

You can also create your own custom IAM policies to give users fine-grained permissions to view and work with specific Application Auto Scaling API operations in the AWS Management Console. You can use the example policies in the preceding sections; however, they are designed for requests made with the AWS CLI or an SDK. The console uses additional API operations for its features, so these policies might not work as expected. For example, to configure step scaling, users might need additional permissions to create and manage CloudWatch alarms.

**Tip**  
To help you identify the API operations required to perform tasks in the console, you can use a service such as AWS CloudTrail. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

The following identity-based policy grants permission to configure scaling policies for a Spot Fleet. In addition to the IAM permissions for Spot Fleet, console users who access fleet scaling settings from the Amazon EC2 console must have the appropriate permissions for the services that support dynamic scaling.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:*",
                "ec2:DescribeSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DisableAlarmActions",
                "cloudwatch:EnableAlarmActions",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Get*",
                "sns:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName":"ec2.application-autoscaling.amazonaws.com"
                }
            }
        }
    ]
}
```

------

This policy lets console users view and modify scaling policies in the Amazon EC2 console, and create and manage CloudWatch alarms in the CloudWatch console. The second statement lets the console create the service-linked role that Application Auto Scaling uses for Spot Fleet; the `Resource` ARN and the `iam:AWSServiceName` condition together pin it to that one service principal, so the user cannot use this grant to create service-linked roles for other services.

You can adjust the API operations to restrict user access. For example, replacing `application-autoscaling:*` with `application-autoscaling:Describe*` means that the user has read-only access to Application Auto Scaling. The EC2, CloudWatch and SNS actions in the same statement are unaffected by that change and must be narrowed separately if read-only access to those services is also intended.
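As an added example (not code from this page or from AWS), the following Python models the subset of IAM evaluation needed to check three claims made on this page: the scaling-policies-only policy from the first section does not allow `PutScheduledAction`, narrowing `application-autoscaling:*` to `application-autoscaling:Describe*` leaves only the Describe operations, and the service-linked-role statement of the console policy matches only when both the role ARN and the `iam:AWSServiceName` condition key name the Spot Fleet service principal. It implements Allow statements with `*`/`?` wildcards and the `StringLike` operator only; Deny, `NotAction`, policy variables and other condition operators are out of scope, the policy documents are abbreviated copies of the ones above, and the account ID in the sample ARN is made up. Use the IAM policy simulator for authoritative answers.

```python
import json
import re

# Abbreviated copy of the "scaling policies but not scheduled actions" policy above.
SCALING_POLICIES_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "application-autoscaling:RegisterScalableTarget",
            "application-autoscaling:DescribeScalableTargets",
            "application-autoscaling:DeregisterScalableTarget",
            "application-autoscaling:PutScalingPolicy",
            "application-autoscaling:DescribeScalingPolicies",
            "application-autoscaling:DescribeScalingActivities",
            "application-autoscaling:DeleteScalingPolicy",
        ],
        "Resource": "*",
    }],
}

SPOT_FLEET_SLR_ARN = (
    "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/"
    "AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest"
)

# Console policy above, trimmed to the actions exercised here.
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["application-autoscaling:*", "ec2:DescribeSpotFleetRequests",
                       "ec2:ModifySpotFleetRequest", "cloudwatch:PutMetricAlarm"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": SPOT_FLEET_SLR_ARN,
            "Condition": {"StringLike": {
                "iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_allows(stmt, action, resource, context):
    if stmt.get("Effect") != "Allow":
        return False
    # Action names match case-insensitively; ARNs and StringLike values do not.
    if not any(_matches(p, action, ignore_case=True) for p in _as_list(stmt.get("Action"))):
        return False
    if not any(_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, patterns in pairs.items():
            value = context.get(key)  # a missing key fails StringLike (no IfExists)
            if value is None or not any(_matches(p, value) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """True if any Allow statement matches the request (no Deny/NotAction support)."""
    context = context or {}
    return any(_statement_allows(s, action, resource, context) for s in policy["Statement"])


def read_only_variant(policy):
    """Copy of a policy with application-autoscaling:* narrowed to Describe*, as the text suggests."""
    copy = json.loads(json.dumps(policy))
    for stmt in copy["Statement"]:
        stmt["Action"] = [
            "application-autoscaling:Describe*" if a.lower() == "application-autoscaling:*" else a
            for a in _as_list(stmt.get("Action"))
        ]
    return copy
```

Running the checks shows the expected boundaries: the scaling-policies-only document rejects `PutScheduledAction`, the read-only variant of the console policy still allows `ec2:ModifySpotFleetRequest` (which is why that narrowing alone is not a read-only console policy), and the `iam:CreateServiceLinkedRole` grant fails when either the ARN or the service name is swapped for another service's principal.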

You can also adjust the CloudWatch permissions as needed to restrict user access to CloudWatch features. For more information, see [Permissions required for the CloudWatch console](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console) in the *Amazon CloudWatch User Guide*.