AWS managed policies for Amazon DocumentDB - Amazon DocumentDB

This is a machine-translated version of the page. If there is any discrepancy between this translation and the English original, the English original prevails.


It is easier to use AWS managed policies to add permissions to users, groups, and roles than to write the policies yourself. Creating IAM customer managed policies that give your team only the permissions it needs takes time and expertise. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the AWS Identity and Access Management User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. Updates of this kind affect all identities (users, groups, and roles) that the policy is attached to. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

In addition, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the AWS IAM User Guide.

The following AWS managed policies are specific to Amazon DocumentDB, and you can attach them to users in your account:

AmazonDocDBFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon DocumentDB actions. The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB permissions allow all Amazon DocumentDB actions.

  • Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to ensure that Amazon DocumentDB can successfully use those resources with a cluster. The remaining Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed so that you can connect to your cluster.

  • The AWS KMS permissions are used during API calls to validate the resources passed in the request. Amazon DocumentDB needs them in order to use the passed key with the Amazon DocumentDB cluster.

  • The CloudWatch Logs permissions are required for Amazon DocumentDB to ensure that the log delivery destinations are reachable and that they are valid for broker log use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:AddRoleToDBCluster",
        "rds:AddSourceIdentifierToSubscription",
        "rds:AddTagsToResource",
        "rds:ApplyPendingMaintenanceAction",
        "rds:CopyDBClusterParameterGroup",
        "rds:CopyDBClusterSnapshot",
        "rds:CopyDBParameterGroup",
        "rds:CreateDBCluster",
        "rds:CreateDBClusterParameterGroup",
        "rds:CreateDBClusterSnapshot",
        "rds:CreateDBInstance",
        "rds:CreateDBParameterGroup",
        "rds:CreateDBSubnetGroup",
        "rds:CreateEventSubscription",
        "rds:DeleteDBCluster",
        "rds:DeleteDBClusterParameterGroup",
        "rds:DeleteDBClusterSnapshot",
        "rds:DeleteDBInstance",
        "rds:DeleteDBParameterGroup",
        "rds:DeleteDBSubnetGroup",
        "rds:DeleteEventSubscription",
        "rds:DescribeAccountAttributes",
        "rds:DescribeCertificates",
        "rds:DescribeDBClusterParameterGroups",
        "rds:DescribeDBClusterParameters",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultClusterParameters",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEventCategories",
        "rds:DescribeEventSubscriptions",
        "rds:DescribeEvents",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribePendingMaintenanceActions",
        "rds:DescribeValidDBInstanceModifications",
        "rds:DownloadDBLogFilePortion",
        "rds:FailoverDBCluster",
        "rds:ListTagsForResource",
        "rds:ModifyDBCluster",
        "rds:ModifyDBClusterParameterGroup",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:ModifyDBInstance",
        "rds:ModifyDBParameterGroup",
        "rds:ModifyDBSubnetGroup",
        "rds:ModifyEventSubscription",
        "rds:PromoteReadReplicaDBCluster",
        "rds:RebootDBInstance",
        "rds:RemoveRoleFromDBCluster",
        "rds:RemoveSourceIdentifierFromSubscription",
        "rds:RemoveTagsFromResource",
        "rds:ResetDBClusterParameterGroup",
        "rds:ResetDBParameterGroup",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:RestoreDBClusterToPointInTime"
      ],
      "Effect": "Allow",
      "Resource": ["*"]
    },
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs",
        "kms:ListAliases",
        "kms:ListKeyPolicies",
        "kms:ListKeys",
        "kms:ListRetirableGrants",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sns:Publish"
      ],
      "Effect": "Allow",
      "Resource": ["*"]
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "rds.amazonaws.com"
        }
      }
    }
  ]
}

AmazonDocDBReadOnlyAccess

This policy grants read-only permissions that allow users to view information in Amazon DocumentDB. Principals with this policy attached can't update or delete existing resources, nor can they create new Amazon DocumentDB resources. For example, principals with these permissions can view the list and configuration of the clusters associated with their account, but can't change the configuration or settings of any cluster. The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB permissions allow you to list Amazon DocumentDB resources, describe them, and get information about them.

  • The Amazon EC2 permissions are used to describe the Amazon VPC, subnets, security groups, and ENIs associated with a cluster.

  • The AWS KMS permissions are used to describe the key associated with the cluster.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeAccountAttributes",
        "rds:DescribeCertificates",
        "rds:DescribeDBClusterParameterGroups",
        "rds:DescribeDBClusterParameters",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEventCategories",
        "rds:DescribeEventSubscriptions",
        "rds:DescribeEvents",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribePendingMaintenanceActions",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "kms:ListKeys",
        "kms:ListRetirableGrants",
        "kms:ListAliases",
        "kms:ListKeyPolicies"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
        "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*"
      ]
    }
  ]
}
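A check a reviewer can run over a managed policy document before trusting its "read-only" label, added here as an example and not part of the AWS documentation: it reports Allow actions whose verb is not Describe, List, Get or Download, and statements granted on Resource "*" with no Condition. READ_ONLY_EXCERPT is a constructed excerpt of AmazonDocDBReadOnlyAccess as printed above; DRIFTED is a hypothetical copy with one mutating action added to show what a policy update would look like to this check.

```python
import json

# Verb prefixes that only read state; anything else is treated as mutating.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Download")

# Constructed excerpt of AmazonDocDBReadOnlyAccess (a few of its rds: actions plus
# the resource-scoped logs: statement), and a hypothetical drifted copy of it.
READ_ONLY_EXCERPT = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Action": ["rds:DescribeDBClusters", "rds:DownloadDBLogFilePortion",
              "rds:ListTagsForResource"], "Effect": "Allow", "Resource": "*"},
  {"Action": ["logs:DescribeLogStreams", "logs:GetLogEvents"], "Effect": "Allow",
   "Resource": ["arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
                "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*"]}]}''')
DRIFTED = json.loads(json.dumps(READ_ONLY_EXCERPT))          # deep copy
DRIFTED["Statement"][0]["Action"].append("rds:ModifyDBCluster")  # hypothetical change

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def mutating_actions(policy):
    """Allow actions whose verb is not read-only; empty for a genuine read-only policy."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            name = action.partition(":")[2]          # 'rds:Describe...' -> 'Describe...'
            if "*" in action or not name.startswith(READ_ONLY_VERBS):
                found.append(action)
    return found

def unscoped_statements(policy):
    """Sid (or index) of Allow statements on Resource '*' with no Condition to narrow them."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Resource", []))
                and "Condition" not in stmt):
            hits.append(stmt.get("Sid", i))
    return hits

if __name__ == "__main__":
    print("mutating in read-only excerpt:", mutating_actions(READ_ONLY_EXCERPT))  # []
    print("mutating in drifted copy:     ", mutating_actions(DRIFTED))  # ['rds:ModifyDBCluster']
    print("unscoped statements:          ", unscoped_statements(READ_ONLY_EXCERPT))  # [0]
```

To run it against the live document instead of the excerpt, feed it the output of `aws iam get-policy-version` for the policy's default version; Resource "*" on Describe-only statements is normal and is surfaced only so a reviewer can confirm it.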

AmazonDocDBConsoleFullAccess

Grants full access to manage Amazon DocumentDB resources using the AWS Management Console.

  • The Amazon DocumentDB permissions allow all Amazon DocumentDB and Amazon DocumentDB cluster actions.

  • Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to ensure that Amazon DocumentDB can successfully use those resources to provision and maintain a cluster. The remaining Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed so that you can connect to a cluster, such as a VPC endpoint.

  • The AWS KMS permissions are used during AWS KMS API calls to validate the resources passed in the request. Amazon DocumentDB needs them in order to use the passed key to encrypt and decrypt data at rest in an Amazon DocumentDB elastic cluster.

  • The CloudWatch Logs permissions are required for Amazon DocumentDB to ensure that the log delivery destinations are reachable and that they are valid for audit and profiler log use.

  • The Secrets Manager permissions are required to validate the given secret and use it to set up the admin user for an Amazon DocumentDB elastic cluster.

  • The Amazon RDS permissions are required for Amazon DocumentDB cluster management actions. For some management features, Amazon DocumentDB uses operational technology that is shared with Amazon RDS.

  • The SNS permissions allow the principal to use Amazon Simple Notification Service (Amazon SNS) subscriptions and topics and to publish Amazon SNS messages.

  • The IAM permissions are required to create the service-linked roles needed to publish metrics and logs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DocdbSids",
      "Effect": "Allow",
      "Action": [
        "docdb-elastic:CreateCluster",
        "docdb-elastic:UpdateCluster",
        "docdb-elastic:GetCluster",
        "docdb-elastic:DeleteCluster",
        "docdb-elastic:ListClusters",
        "docdb-elastic:CreateClusterSnapshot",
        "docdb-elastic:GetClusterSnapshot",
        "docdb-elastic:DeleteClusterSnapshot",
        "docdb-elastic:ListClusterSnapshots",
        "docdb-elastic:RestoreClusterFromSnapshot",
        "docdb-elastic:TagResource",
        "docdb-elastic:UntagResource",
        "docdb-elastic:ListTagsForResource",
        "docdb-elastic:CopyClusterSnapshot",
        "docdb-elastic:StartCluster",
        "docdb-elastic:StopCluster",
        "rds:AddRoleToDBCluster",
        "rds:AddSourceIdentifierToSubscription",
        "rds:AddTagsToResource",
        "rds:ApplyPendingMaintenanceAction",
        "rds:CopyDBClusterParameterGroup",
        "rds:CopyDBClusterSnapshot",
        "rds:CopyDBParameterGroup",
        "rds:CreateDBCluster",
        "rds:CreateDBClusterParameterGroup",
        "rds:CreateDBClusterSnapshot",
        "rds:CreateDBInstance",
        "rds:CreateDBParameterGroup",
        "rds:CreateDBSubnetGroup",
        "rds:CreateEventSubscription",
        "rds:CreateGlobalCluster",
        "rds:DeleteDBCluster",
        "rds:DeleteDBClusterParameterGroup",
        "rds:DeleteDBClusterSnapshot",
        "rds:DeleteDBInstance",
        "rds:DeleteDBParameterGroup",
        "rds:DeleteDBSubnetGroup",
        "rds:DeleteEventSubscription",
        "rds:DeleteGlobalCluster",
        "rds:DescribeAccountAttributes",
        "rds:DescribeCertificates",
        "rds:DescribeDBClusterParameterGroups",
        "rds:DescribeDBClusterParameters",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultClusterParameters",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEventCategories",
        "rds:DescribeEventSubscriptions",
        "rds:DescribeEvents",
        "rds:DescribeGlobalClusters",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribePendingMaintenanceActions",
        "rds:DescribeValidDBInstanceModifications",
        "rds:DownloadDBLogFilePortion",
        "rds:FailoverDBCluster",
        "rds:ListTagsForResource",
        "rds:ModifyDBCluster",
        "rds:ModifyDBClusterParameterGroup",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:ModifyDBInstance",
        "rds:ModifyDBParameterGroup",
        "rds:ModifyDBSubnetGroup",
        "rds:ModifyEventSubscription",
        "rds:ModifyGlobalCluster",
        "rds:PromoteReadReplicaDBCluster",
        "rds:RebootDBInstance",
        "rds:RemoveFromGlobalCluster",
        "rds:RemoveRoleFromDBCluster",
        "rds:RemoveSourceIdentifierFromSubscription",
        "rds:RemoveTagsFromResource",
        "rds:ResetDBClusterParameterGroup",
        "rds:ResetDBParameterGroup",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:RestoreDBClusterToPointInTime"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "DependencySids",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:AllocateAddress",
        "ec2:AssignIpv6Addresses",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AttachInternetGateway",
        "ec2:AttachNetworkInterface",
        "ec2:CreateCustomerGateway",
        "ec2:CreateDefaultSubnet",
        "ec2:CreateDefaultVpc",
        "ec2:CreateInternetGateway",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkInterface",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateVpc",
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeInstances",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyVpcEndpoint",
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:ListKeyPolicies",
        "kms:ListKeys",
        "kms:ListRetirableGrants",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sns:Publish"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "DocdbSLRSid",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "rds.amazonaws.com"
        }
      }
    },
    {
      "Sid": "DocdbElasticSLRSid",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
        }
      }
    }
  ]
}

AmazonDocDBElasticReadOnlyAccess

This policy grants read-only permissions that allow users to view information about elastic clusters in Amazon DocumentDB. Principals with this policy attached can't update or delete existing resources, nor can they create new Amazon DocumentDB resources. For example, principals with these permissions can view the list and configuration of the clusters associated with their account, but can't change the configuration or settings of any cluster. The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB elastic cluster permissions allow you to list Amazon DocumentDB elastic cluster resources, describe them, and get information about them.

  • The CloudWatch permissions are used to validate service metrics.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "docdb-elastic:ListClusters",
        "docdb-elastic:GetCluster",
        "docdb-elastic:ListClusterSnapshots",
        "docdb-elastic:GetClusterSnapshot",
        "docdb-elastic:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    }
  ]
}

AmazonDocDBElasticFullAccess

This policy grants administrative permissions that allow a principal full access to all Amazon DocumentDB actions for Amazon DocumentDB elastic clusters.

This policy uses AWS tags (https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in conditions to scope access to resources. If you are going to use a secret, it must be tagged with the tag key DocDBElasticFullAccess and a tag value. If you are going to use a customer managed key, it must be tagged with the tag key DocDBElasticFullAccess and a tag value.

The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB elastic cluster permissions allow all Amazon DocumentDB actions.

  • Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to ensure that Amazon DocumentDB can successfully use those resources to provision and maintain a cluster. The remaining Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed so that you can connect to a cluster, such as a VPC endpoint.

  • The AWS KMS permissions are required for Amazon DocumentDB to encrypt and decrypt data at rest in Amazon DocumentDB elastic clusters using the passed key.

    Note

    The customer managed key must have a tag with the key DocDBElasticFullAccess and a tag value.

  • The Secrets Manager permissions are required to validate the given secret and use it to set up the admin user for an Amazon DocumentDB elastic cluster.

    Note

    The secret used must have a tag with the key DocDBElasticFullAccess and a tag value.

  • The IAM permissions are required to create the service-linked roles needed to publish metrics and logs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DocdbElasticSid",
      "Effect": "Allow",
      "Action": [
        "docdb-elastic:CreateCluster",
        "docdb-elastic:UpdateCluster",
        "docdb-elastic:GetCluster",
        "docdb-elastic:DeleteCluster",
        "docdb-elastic:ListClusters",
        "docdb-elastic:CreateClusterSnapshot",
        "docdb-elastic:GetClusterSnapshot",
        "docdb-elastic:DeleteClusterSnapshot",
        "docdb-elastic:ListClusterSnapshots",
        "docdb-elastic:RestoreClusterFromSnapshot",
        "docdb-elastic:TagResource",
        "docdb-elastic:UntagResource",
        "docdb-elastic:ListTagsForResource",
        "docdb-elastic:CopyClusterSnapshot",
        "docdb-elastic:StartCluster",
        "docdb-elastic:StopCluster"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "EC2Sid",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeVpcEndpoints",
        "ec2:DeleteVpcEndpoints",
        "ec2:ModifyVpcEndpoint",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeAvailabilityZones",
        "secretsmanager:ListSecrets"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
        }
      }
    },
    {
      "Sid": "KMSSid",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": ["docdb-elastic.*.amazonaws.com"],
          "aws:ResourceTag/DocDBElasticFullAccess": "*"
        }
      }
    },
    {
      "Sid": "KMSGrantSid",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/DocDBElasticFullAccess": "*",
          "kms:ViaService": ["docdb-elastic.*.amazonaws.com"]
        },
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    },
    {
      "Sid": "SecretManagerSid",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:GetResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"
        },
        "StringEquals": {
          "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudwatchSid",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "SLRSid",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
        }
      }
    }
  ]
}
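An added example (not AWS code) that models how the tag-gated statements of AmazonDocDBElasticFullAccess decide a request: condition_matches implements the StringEquals, StringLike and Bool operators over a request-context dict, which is enough to show why an untagged key or secret, or a kms: call made directly rather than through the docdb-elastic service, is not allowed by these statements. The condition blocks are copied from KMSSid, KMSGrantSid and SecretManagerSid above; the request contexts are constructed, and the real evaluator also weighs every other policy in effect, which this skips.

```python
import fnmatch

# Condition blocks copied from the KMSSid, KMSGrantSid and SecretManagerSid
# statements of AmazonDocDBElasticFullAccess as printed on this page.
KMS_SID = {"StringLike": {"kms:ViaService": ["docdb-elastic.*.amazonaws.com"],
                          "aws:ResourceTag/DocDBElasticFullAccess": "*"}}
KMS_GRANT_SID = {"StringLike": {"aws:ResourceTag/DocDBElasticFullAccess": "*",
                                "kms:ViaService": ["docdb-elastic.*.amazonaws.com"]},
                 "Bool": {"kms:GrantIsForAWSResource": True}}
SECRET_SID = {"StringLike": {"secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"},
              "StringEquals": {"aws:CalledViaFirst": "docdb-elastic.amazonaws.com"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """True when every operator/key pair of an IAM Condition matches the request context.

    Modelled semantics: all operator blocks must match (AND); within one key any
    listed policy value may match (OR); a key absent from the context never matches,
    so an untagged resource is simply not allowed. StringLike is case-sensitive
    and treats '*' and '?' as wildcards.
    """
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            actual = str(context[key])
            if operator == "StringEquals":
                ok = actual in [str(w) for w in _as_list(wanted)]
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, str(w)) for w in _as_list(wanted))
            elif operator == "Bool":
                ok = actual.lower() == str(wanted).lower()
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

if __name__ == "__main__":
    # Constructed request contexts: a tagged key reached through the elastic cluster
    # service in us-east-1, and the same key called directly (no kms:ViaService).
    via_docdb = {"kms:ViaService": "docdb-elastic.us-east-1.amazonaws.com",
                 "aws:ResourceTag/DocDBElasticFullAccess": "prod"}
    direct = {"aws:ResourceTag/DocDBElasticFullAccess": "prod"}
    print("KMSSid via DocumentDB:", condition_matches(KMS_SID, via_docdb))  # True
    print("KMSSid direct call:   ", condition_matches(KMS_SID, direct))     # False
```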

AmazonDocDB-ElasticServiceRolePolicy

You can't attach AmazonDocDBElasticServiceRolePolicy to your AWS Identity and Access Management entities. This policy is attached to a service-linked role that allows Amazon DocumentDB to perform actions on your behalf. For more information, see Service-linked roles for elastic clusters.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": ["AWS/DocDB-Elastic"]
        }
      }
    }
  ]
}

Amazon DocumentDB updates to AWS managed policies

Change | Description | Date
AmazonDocDBElasticFullAccess, AmazonDocDBConsoleFullAccess – Change | Policies updated to add the start cluster, stop cluster, and copy cluster snapshot actions. | February 21, 2024
AmazonDocDBElasticReadOnlyAccess, AmazonDocDBElasticFullAccess – Change | Policies updated to add the cloudwatch:GetMetricData action. | June 21, 2023
AmazonDocDBElasticReadOnlyAccess – New policy | New managed policy for Amazon DocumentDB elastic clusters | August 6, 2023
AmazonDocDBElasticFullAccess – New policy | New managed policy for Amazon DocumentDB elastic clusters | May 6, 2023
AmazonDocDB-ElasticServiceRolePolicy – New policy | Amazon DocumentDB created a new service-linked role, AWSServiceRoleForDocDB-Elastic, for Amazon DocumentDB elastic clusters | November 30, 2022
AmazonDocDBConsoleFullAccess – Change | Policy updated to add Amazon DocumentDB global cluster and elastic cluster permissions | November 30, 2022
AmazonDocDBConsoleFullAccess, AmazonDocDBFullAccess, AmazonDocDBReadOnlyAccess – New policies | Service launch | January 19, 2017