You can manage access to your AWS DMS resources using resource names based on Amazon Resource Names (ARNs) and using resource tags. To do so, you define the allowed actions, or include condition statements, in IAM policies.
Using resource names to control access
You can create IAM user accounts and assign a policy based on the ARN of the AWS DMS resource.
The following policy denies access to the AWS DMS replication instance with the ARN arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"
        }
    ]
}
For example, the following commands fail when the policy is in effect:
$ aws dms delete-replication-instance
--replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"
A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV
$ aws dms modify-replication-instance
--replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"
A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV
You can also specify IAM policies that limit access to AWS DMS endpoints and replication tasks.
The following policy limits access to an AWS DMS endpoint using the endpoint's ARN.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"
        }
    ]
}
For example, the following commands fail when the policy using the endpoint ARN is in effect.
$ aws dms delete-endpoint
--endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"
A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation:
User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint
on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX
$ aws dms modify-endpoint
--endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"
A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation:
User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint
on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX
The following policy limits access to an AWS DMS task using the task's ARN.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT"
        }
    ]
}
For example, the following command fails when the policy using the task ARN is in effect.
$ aws dms delete-replication-task
--replication-task-arn "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT"
A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation:
User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask
on resource: arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT
Using tags to control access
AWS DMS defines a set of common key-value pairs that are available for use in customer-defined policies without any additional tagging requirements. For more information about tagging AWS DMS resources, see Tagging resources in AWS Database Migration Service.
The following lists the standard tags that can be used with AWS DMS:
- aws:CurrentTime – Represents the request date and time, allowing access to be restricted based on temporal criteria.
- aws:EpochTime – Similar to the preceding aws:CurrentTime tag, except that the current time is represented as the number of seconds elapsed since the Unix Epoch.
- aws:MultiFactorAuthPresent – A Boolean tag that indicates whether the request was signed with multi-factor authentication.
- aws:MultiFactorAuthAge – Provides access to the age of the multi-factor authentication token (in seconds).
- aws:principaltype – Provides access to the type of principal (user, account, federated user, etc.) for the current request.
- aws:SourceIp – Represents the source IP address of the user issuing the request.
- aws:UserAgent – Provides information about the client application requesting the resource.
- aws:userid – Provides access to the ID of the user issuing the request.
- aws:username – Provides access to the name of the user issuing the request.
- dms:InstanceClass – Provides access to the compute size of the replication instance host.
- dms:StorageSize – Provides access to the storage volume size (in GB).
You can also define your own tags. Customer-defined tags are simple key-value pairs stored in the AWS tagging service. You can add them to AWS DMS resources, including replication instances, endpoints, and tasks. These tags are matched using IAM "Condition" statements in policies and are referenced by a specific condition tag. The tag key is prefixed with "dms", the resource type, and the "tag" prefix. The tag format is shown following.
dms:{resource type}-tag/{tag key}={tag value}
For example, suppose you want to define a policy that only allows an API call to succeed for a replication instance that carries the tag "stage=production". The following condition statement matches a resource with the given tag (StringEquals is the IAM operator the later examples on this page also use).
"Condition":
{
    "StringEquals":
    {
        "dms:rep-tag/stage": "production"
    }
}
You add the following tag to the replication instance that should match this policy condition.
Key: stage
Value: production
In addition to tags already assigned to AWS DMS resources, policies can also be written to limit the tag keys and values that can be applied to a given resource. In this case, the tag prefix is "req".
For example, the following policy statement limits the tags that a user can assign to a given resource to a specific list of allowed values.
"Condition":
{
    "StringEquals":
    {
        "dms:req-tag/stage": [ "production", "development", "testing" ]
    }
}
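As an added example (not AWS's own code), the following Python models the IAM evaluation described in the preceding passages: an ARN-scoped Deny like the one in the first section, the dms:{resource type}-tag/{key} condition keys derived from a resource's existing tags, and the dms:req-tag/{key} keys derived from the tags in a request. The policies, tags and ARNs inside it are constructed in the shape of this page's examples, and it models only the subset used here: Allow/Deny effects, dms:* action wildcards, exact-ARN or "*" resources, and StringEquals conditions.

```python
import fnmatch

ALLOW_ALL_DMS = {"Statement": [
    {"Effect": "Allow", "Action": "dms:*", "Resource": "*"}]}
DENY_BY_ARN = {"Statement": [  # first section: deny by resource ARN
    {"Effect": "Deny", "Action": ["dms:*"],
     "Resource": "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"}]}
DENY_DESKTOP_REP = {"Statement": [  # tag condition: Env=Desktop on a rep
    {"Effect": "Deny", "Action": ["dms:*"], "Resource": "*",
     "Condition": {"StringEquals": {"dms:rep-tag/Env": ["Desktop"]}}}]}
ALLOW_STAGE_TAGGING = {"Statement": [  # "req" prefix: allowed values only
    {"Effect": "Allow", "Action": "dms:AddTagsToResource", "Resource": "*",
     "Condition": {"StringEquals": {
         "dms:req-tag/stage": ["production", "development", "testing"]}}}]}

def condition_keys(arn, resource_tags, request_tags):
    """dms:{type}-tag/{key} comes from tags already on the resource (type is
    the ARN's sixth field); dms:req-tag/{key} from tags in the request."""
    rtype = arn.split(":")[5]
    keys = {f"dms:{rtype}-tag/{k}": v for k, v in resource_tags.items()}
    keys.update({f"dms:req-tag/{k}": v for k, v in request_tags.items()})
    return keys

def statement_matches(stmt, action, arn, keys):
    actions = stmt["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if stmt["Resource"] not in ("*", arn):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    for key, wanted in cond.items():
        wanted = wanted if isinstance(wanted, list) else [wanted]
        if keys.get(key) not in wanted:  # an absent key never satisfies it
            return False
    return True

def evaluate(policies, action, arn, resource_tags=None, request_tags=None):
    """Explicit Deny overrides Allow; with no matching Allow the result is an
    implicit deny (the AccessDeniedException shown in the page's output)."""
    keys = condition_keys(arn, resource_tags or {}, request_tags or {})
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, arn, keys):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision
```

Note that the tag-based Deny also blocks AddTagsToResource and RemoveTagsFromResource on the tagged instance, so the caller cannot simply retag the resource out of the policy's scope, while an endpoint carrying the same Env=Desktop tag is untouched because its key is dms:endpoint-tag/Env.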
The following policy examples limit access to AWS DMS resources based on resource tags.
The following policy limits access to a replication instance where the tag value is "Desktop" and the tag key is "Env":
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dms:rep-tag/Env": [
                        "Desktop"
                    ]
                }
            }
        }
    ]
}
The following commands succeed or fail according to the IAM policy that restricts access when the tag value is "Desktop" and the tag key is "Env".
$ aws dms list-tags-for-resource
--resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
--endpoint-url http://localhost:8000
{
"TagList": [
{
"Value": "Desktop",
"Key": "Env"
}
]
}
$ aws dms delete-replication-instance
--replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN"
A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
$ aws dms modify-replication-instance
--replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN"
A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
$ aws dms add-tags-to-resource
--resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
--tags Key=CostCenter,Value=1234
A client error (AccessDeniedException) occurred when calling the AddTagsToResource
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
$ aws dms remove-tags-from-resource
--resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
--tag-keys Env
A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
The following policy limits access to an AWS DMS endpoint where the tag value is "Desktop" and the tag key is "Env".
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dms:endpoint-tag/Env": [
                        "Desktop"
                    ]
                }
            }
        }
    ]
}
The following commands succeed or fail according to the IAM policy that restricts access when the tag value is "Desktop" and the tag key is "Env".
$ aws dms list-tags-for-resource
--resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
{
"TagList": [
{
"Value": "Desktop",
"Key": "Env"
}
]
}
$ aws dms delete-endpoint
--endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"
A client error (AccessDeniedException) occurred when calling the DeleteEndpoint
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
$ aws dms modify-endpoint
--endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"
A client error (AccessDeniedException) occurred when calling the ModifyEndpoint
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
$ aws dms add-tags-to-resource
--resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
--tags Key=CostCenter,Value=1234
A client error (AccessDeniedException) occurred when calling the AddTagsToResource
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
$ aws dms remove-tags-from-resource
--resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
--tag-keys Env
A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
The following policy limits access to a replication task where the tag value is "Desktop" and the tag key is "Env".
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dms:task-tag/Env": [
                        "Desktop"
                    ]
                }
            }
        }
    ]
}
The following commands succeed or fail according to the IAM policy that restricts access when the tag value is "Desktop" and the tag key is "Env".
$ aws dms list-tags-for-resource
--resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
{
"TagList": [
{
"Value": "Desktop",
"Key": "Env"
}
]
}
$ aws dms delete-replication-task
--replication-task-arn "arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3"
A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
$ aws dms add-tags-to-resource
--resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
--tags Key=CostCenter,Value=1234
A client error (AccessDeniedException) occurred when calling the AddTagsToResource
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
$ aws dms remove-tags-from-resource
--resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
--tag-keys Env
A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform:
dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3