本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# AWS SAM 连接器参考
本节包含 AWS Serverless Application Model (AWS SAM) 连接器资源类型的参考信息。有关连接器的简介,请参阅[使用 AWS SAM 连接器管理资源权限](managing-permissions-connectors.md)。
## 连接器支持的源资源和目的地资源类型
`AWS::Serverless::Connector` 资源类型支持源资源资源和目的地资源之间一定数量的连接。在 AWS SAM 模板中配置连接器时,请使用下表来参考支持的连接以及需要为每种源和目标资源类型定义的属性。有关在模板中配置连接器的更多信息,请参阅[AWS::Serverless::Connector](sam-resource-connector.md)。
对于源资源和目标资源,如果在同一个模板中定义,则使用 `Id` 属性。或者,可以添加 `Qualifier` 以缩小您定义的资源范围。当资源不在同一个模板中时,请使用受支持属性的组合。
要申请新的连接,[请在*serverless-application-model AWS GitHub存储库*中提交新问题](https://github.com/aws/serverless-application-model/issues/new?assignees=&labels=area%2Fconnectors,stage%2Fneeds-triage&template=other.md&title=%28New%20Connector%20Profile%29)。
| Source type(源类型) | 目的地类型 | Permissions | 源属性 | 目的地属性 |
| --- | --- | --- | --- | --- |
| `AWS::ApiGateway::RestApi` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::ApiGateway::RestApi` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::ApiGatewayV2::Api` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::ApiGatewayV2::Api` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::DynamoDB::Table` | `Read` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::DynamoDB::Table` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::Events::EventBus` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::Lambda::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::Serverless::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::Serverless::SimpleTable` | `Read` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::DataSource` | `AWS::Serverless::SimpleTable` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::GraphQLApi` | `AWS::Lambda::Function` | `Write` | `Id` 或 `ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::AppSync::GraphQLApi` | `AWS::Serverless::Function` | `Write` | `Id` 或 `ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::DynamoDB::Table` | `AWS::Lambda::Function` | `Read` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `RoleName` 和 `Type` |
| `AWS::DynamoDB::Table` | `AWS::Serverless::Function` | `Read` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `RoleName` 和 `Type` |
| `AWS::Events::Rule` | `AWS::Events::EventBus` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Events::Rule` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Events::Rule` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Events::Rule` | `AWS::Serverless::StateMachine` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Events::Rule` | `AWS::SNS::Topic` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Events::Rule` | `AWS::SQS::Queue` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn`、`QueueUrl` 和 `Type` |
| `AWS::Events::Rule` | `AWS::StepFunctions::StateMachine` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::DynamoDB::Table` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::Events::EventBus` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::Lambda::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::Location::PlaceIndex` | `Read` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::S3::Bucket` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::Serverless::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::Serverless::SimpleTable` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::Serverless::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::SNS::Topic` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::SQS::Queue` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Lambda::Function` | `AWS::StepFunctions::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::S3::Bucket` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::S3::Bucket` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Api` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Api` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::DynamoDB::Table` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::Events::EventBus` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::Lambda::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::S3::Bucket` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::Serverless::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::Serverless::SimpleTable` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::Serverless::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::SNS::Topic` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::SQS::Queue` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::Function` | `AWS::StepFunctions::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::Serverless::HttpApi` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::HttpApi` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Qualifier`、`ResourceId` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::SimpleTable` | `AWS::Lambda::Function` | `Read` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `RoleName` 和 `Type` |
| `AWS::Serverless::SimpleTable` | `AWS::Serverless::Function` | `Read` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `RoleName` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::DynamoDB::Table` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::Events::EventBus` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::Lambda::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::S3::Bucket` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::Serverless::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::Serverless::SimpleTable` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::Serverless::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::SNS::Topic` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::SQS::Queue` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::Serverless::StateMachine` | `AWS::StepFunctions::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::SNS::Topic` | `AWS::Lambda::Function` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::SNS::Topic` | `AWS::Serverless::Function` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::SNS::Topic` | `AWS::SQS::Queue` | `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `Arn`、`QueueUrl` 和 `Type` |
| `AWS::SQS::Queue` | `AWS::Lambda::Function` | `Read`, `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `RoleName` 和 `Type` |
| `AWS::SQS::Queue` | `AWS::Serverless::Function` | `Read`, `Write` | `Id` 或 `Arn` 和 `Type` | `Id` 或 `RoleName` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::DynamoDB::Table` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::Events::EventBus` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::Lambda::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::S3::Bucket` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::Serverless::Function` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::Serverless::SimpleTable` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::Serverless::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::SNS::Topic` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::SQS::Queue` | `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn` 和 `Type` |
| `AWS::StepFunctions::StateMachine` | `AWS::StepFunctions::StateMachine` | `Read`, `Write` | `Id` 或 `RoleName` 和 `Type` | `Id` 或 `Arn`、`Name` 和 `Type` |
## 连接器创建的 IAM 策略
本节记录了使用连接器 AWS SAM 时创建的 AWS Identity and Access Management (IAM) 策略。
`AWS::DynamoDB::Table` 到 `AWS::Lambda::Function`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:ListStreams"
],
"Resource": [
"%{Source.Arn}/stream/*"
]
}
]
}
```
`AWS::Events::Rule` 到 `AWS::SNS::Topic`
**策略类型**
[https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topicpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topicpolicy.html) 附加在 `AWS::SNS::Topic` 上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Resource": "%{Destination.Arn}",
"Action": "sns:Publish",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "%{Source.Arn}"
}
}
}
]
}
```
`AWS::Events::Rule` 到 `AWS::Events::EventBus`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Events::Rule` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"events:PutEvents"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::Events::Rule` 到 `AWS::StepFunctions::StateMachine`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Events::Rule` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::Events::Rule` 到 `AWS::Lambda::Function`
**策略类型**
`[AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)` 附加在 `AWS::Lambda::Function` 上。
**访问类别**
`Write`
```
{
"Action": "lambda:InvokeFunction",
"Principal": "events.amazonaws.com",
"SourceArn": "%{Source.Arn}"
}
```
`AWS::Events::Rule` 到 `AWS::SQS::Queue`
**策略类型**
`[AWS::SQS::QueuePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queuepolicy.html)` 附加在 `AWS::SQS::Queue` 上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Resource": "%{Destination.Arn}",
"Action": "sqs:SendMessage",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "%{Source.Arn}"
}
}
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::Lambda::Function`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::S3::Bucket`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTorrent",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/*"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:RestoreObject"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/*"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::DynamoDB::Table`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem",
"dynamodb:PartiQLSelect"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/index/*"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem",
"dynamodb:PartiQLDelete",
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLUpdate"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/index/*"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::SQS::Queue`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:SendMessage",
"sqs:ChangeMessageVisibility",
"sqs:PurgeQueue"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::SNS::Topic`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::StepFunctions::StateMachine`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution",
"states:StartSyncExecution"
],
"Resource": [
"%{Destination.Arn}"
]
},
{
"Effect": "Allow",
"Action": [
"states:StopExecution"
],
"Resource": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
]
}
]
}
```
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:DescribeStateMachine",
"states:ListExecutions"
],
"Resource": [
"%{Destination.Arn}"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:DescribeStateMachineForExecution",
"states:GetExecutionHistory"
],
"Resource": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::Events::EventBus`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"events:PutEvents"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::Lambda::Function` 到 `AWS::Location::PlaceIndex`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"geo:DescribePlaceIndex",
"geo:GetPlace",
"geo:SearchPlaceIndexForPosition",
"geo:SearchPlaceIndexForSuggestions",
"geo:SearchPlaceIndexForText"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::ApiGatewayV2::Api` 到 `AWS::Lambda::Function`
**策略类型**
`[AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)` 附加在 `AWS::Lambda::Function` 上。
**访问类别**
`Write`
```
{
"Action": "lambda:InvokeFunction",
"Principal": "apigateway.amazonaws.com",
"SourceArn": "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:%{Source.ResourceId}/%{Source.Qualifier}"
}
```
`AWS::ApiGateway::RestApi` 到 `AWS::Lambda::Function`
**策略类型**
`[AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)` 附加在 `AWS::Lambda::Function` 上。
**访问类别**
`Write`
```
{
"Action": "lambda:InvokeFunction",
"Principal": "apigateway.amazonaws.com",
"SourceArn": "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:%{Source.ResourceId}/%{Source.Qualifier}"
}
```
`AWS::SNS::Topic` 到 `AWS::SQS::Queue`
**策略类型**
`[AWS::SQS::QueuePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queuepolicy.html)` 附加在 `AWS::SQS::Queue` 上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Resource": "%{Destination.Arn}",
"Action": "sqs:SendMessage",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "%{Source.Arn}"
}
}
}
]
}
```
`AWS::SNS::Topic` 到 `AWS::Lambda::Function`
**策略类型**
`[AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)` 附加在 `AWS::Lambda::Function` 上。
**访问类别**
`Write`
```
{
"Action": "lambda:InvokeFunction",
"Principal": "sns.amazonaws.com",
"SourceArn": "%{Source.Arn}"
}
```
`AWS::SQS::Queue` 到 `AWS::Lambda::Function`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::Lambda::Function` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage"
],
"Resource": [
"%{Source.Arn}"
]
}
]
}
```
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"%{Source.Arn}"
]
}
]
}
```
`AWS::S3::Bucket` 到 `AWS::Lambda::Function`
**策略类型**
`[AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)` 附加在 `AWS::Lambda::Function` 上。
**访问类别**
`Write`
```
{
"Action": "lambda:InvokeFunction",
"Principal": "s3.amazonaws.com",
"SourceArn": "%{Source.Arn}",
"SourceAccount": "${AWS::AccountId}"
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::Lambda::Function`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::SNS::Topic`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::SQS::Queue`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:SendMessage"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::S3::Bucket`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTorrent",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/*"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:RestoreObject"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/*"
]
}
]
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::DynamoDB::Table`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem",
"dynamodb:PartiQLSelect"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/index/*"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem",
"dynamodb:PartiQLDelete",
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLUpdate"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/index/*"
]
}
]
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::StepFunctions::StateMachine`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:DescribeExecution"
],
"Resource": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
]
},
{
"Effect": "Allow",
"Action": [
"events:DescribeRule"
],
"Resource": [
"arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": [
"%{Destination.Arn}"
]
},
{
"Effect": "Allow",
"Action": [
"states:StopExecution"
],
"Resource": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule"
],
"Resource": [
"arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
]
}
]
}
```
`AWS::StepFunctions::StateMachine` 到 `AWS::Events::EventBus`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::StepFunctions::StateMachine` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"events:PutEvents"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::AppSync::DataSource` 到 `AWS::DynamoDB::Table`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::AppSync::DataSource` 角色上。
**访问类别**
`Read`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchGetItem",
"dynamodb:ConditionCheckItem",
"dynamodb:PartiQLSelect"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/index/*"
]
}
]
}
```
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem",
"dynamodb:PartiQLDelete",
"dynamodb:PartiQLInsert",
"dynamodb:PartiQLUpdate"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}/index/*"
]
}
]
}
```
`AWS::AppSync::DataSource` 到 `AWS::Lambda::Function`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::AppSync::DataSource` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
"%{Destination.Arn}",
"%{Destination.Arn}:*"
]
}
]
}
```
`AWS::AppSync::DataSource` 到 `AWS::Events::EventBus`
**策略类型**
[客户管理型策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)附加在 `AWS::AppSync::DataSource` 角色上。
**访问类别**
`Write`
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"events:PutEvents"
],
"Resource": [
"%{Destination.Arn}"
]
}
]
}
```
`AWS::AppSync::GraphQLApi` 到 `AWS::Lambda::Function`
**策略类型**
`[AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)` 附加在 `AWS::Lambda::Function` 上。
**访问类别**
`Write`
```
{
"Action": "lambda:InvokeFunction",
"Principal": "appsync.amazonaws.com",
"SourceArn": "arn:${AWS::Partition}:appsync:${AWS::Region}:${AWS::AccountId}:apis/%{Source.ResourceId}"
}
```