使用资源名称和标签进行精细访问控制 - AWS 数据库迁移服务

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用资源名称和标签进行精细访问控制

您可以使用基于 Amazon 资源名称 (ARN) 的资源名称和资源标签来管理对 AWS DMS 资源的访问权限。为此,请在 IAM 策略中定义允许的操作或包括条件语句。

使用资源名称控制访问

您可以创建一个 IAM 用户账户,并根据 AWS DMS 资源的 ARN 分配策略。

以下策略拒绝访问带有 ARN arn: aws: dms: us-east-1:152683116: rep: doh67ztoxglixmihkitV 的 AWS DMS 复制实例:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV" } ] }

例如,在该策略生效时,以下命令将失败:

$ aws dms delete-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV" A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV $ aws dms modify-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV" A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV

您还可以指定 IAM 策略来限制对 AWS DMS 终端节点和复制任务的访问。

以下策略使用 AWS DMS 终端节点的 ARN 限制对终端节点的访问。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX" } ] }

例如,在使用终端节点的 ARN 的策略生效时,以下命令将失败。

$ aws dms delete-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX" A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX $ aws dms modify-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX" A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX

以下策略使用 AWS DMS 任务的 ARN 限制对任务的访问权限。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT" } ] }

例如,在使用任务的 ARN 的策略生效时,以下命令将失败。

$ aws dms delete-replication-task --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT" A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT

使用标签控制访问

AWS DMS 定义了一组常用的键值对,可在客户定义的策略中使用,无需任何额外的标记要求。有关为 AWS DMS 资源添加标签的更多信息,请参阅在 AWS Database Migration Service 中标记资源

以下列出了可与之配合使用的标准标签 AWS DMS:

  • aw CurrentTime s: — 表示请求日期和时间,允许根据时间标准限制访问权限。

  • aws: EpochTime — 此标签与前面的 aws: CurrentTime 标签类似,不同之处在于当前时间表示为自 Unix 时代以来经过的秒数。

  • aws: MultiFactorAuthPresent — 这是一个布尔标记,用于指示请求是否通过多重身份验证签名。

  • aws: MultiFactorAuthAge — 提供对多因素身份验证令牌使用年限(以秒为单位)的访问权限。

  • aws:principaltype – 提供对当前请求的主体类型(用户、账户、联合用户等)的访问。

  • aw SourceIp s: — 表示发出请求的用户的源 IP 地址。

  • aw UserAgent s: — 提供有关请求资源的客户端应用程序的信息。

  • aws:userid – 提供对发出请求的用户的 ID 的访问。

  • aws:username – 提供对发出请求的用户的名称的访问。

  • dms: InstanceClass — 提供对复制实例主机的计算大小的访问权限。

  • dms: StorageSize — 提供对存储卷大小(以 GB 为单位)的访问。

您还可以定义自己的标签。客户定义的标签是保存在标签服务中的简单键值对。 AWS 您可以将它们添加到 AWS DMS 资源,包括复制实例、终端节点和任务。这些标签是通过使用策略中的 IAM“条件”语句匹配的,并使用特定的条件标签引用这些标签。标签键前面带有“dms”、资源类型和“tag”前缀。下面显示了标签格式。

dms:{resource type}-tag/{tag key}={tag value}

例如,假设您要定义一个策略,以仅允许包含“stage=production”标签的复制实例成功完成 API 调用。以下条件语句会匹配具有给定标签的资源。

"Condition": { "streq": { "dms:rep-tag/stage":"production" } }

您将以下标签添加到与该策略条件匹配的复制实例中。

stage production

除了已分配给 AWS DMS 资源的标签外,还可以编写策略来限制可以应用于给定资源的标签键和值。在此情况下,标签前缀为“req”。

例如,以下策略语句将用户可为给定资源分配的标签限制为特定的允许值列表。

"Condition": { "streq": { "dms:rep-tag/stage": [ "production", "development", "testing" ] } }

以下策略示例根据 AWS DMS 资源标签限制对资源的访问权限。

以下策略限制对标签值为“Desktop”且标签键为“Env”的复制实例的访问:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "dms:rep-tag/Env": [ "Desktop" ] } } } ] }

根据在标签值为“Desktop”且标签键为“Env”时限制访问的 IAM 策略,以下命令成功或失败。

$ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --endpoint-url http://localhost:8000 { "TagList": [ { "Value": "Desktop", "Key": "Env" } ] } $ aws dms delete-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN" A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN $ aws dms modify-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN" A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --tags Key=CostCenter,Value=1234 A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --tag-keys Env A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

以下策略限制对标签值为 “桌面” 且标签键为 “Env” 的 AWS DMS 端点的访问权限。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "dms:endpoint-tag/Env": [ "Desktop" ] } } } ] }

根据在标签值为“Desktop”且标签键为“Env”时限制访问的 IAM 策略,以下命令成功或失败。

$ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I { "TagList": [ { "Value": "Desktop", "Key": "Env" } ] } $ aws dms delete-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I" A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I $ aws dms modify-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I" A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I --tags Key=CostCenter,Value=1234 A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I --tag-keys Env A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

以下策略限制对标签值为“Desktop”且标签键为“Env”的复制任务的访问。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "dms:task-tag/Env": [ "Desktop" ] } } } ] }

根据在标签值为“Desktop”且标签键为“Env”时限制访问的 IAM 策略,以下命令成功或失败。

$ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 { "TagList": [ { "Value": "Desktop", "Key": "Env" } ] } $ aws dms delete-replication-task --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3" A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 --tags Key=CostCenter,Value=1234 A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 --tag-keys Env A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3