本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Timestream 查看 LiveAnalytics 基于身份的策略示例
默认情况下,IAM用户和角色无权为 LiveAnalytics 资源创建或修改 Timestream。他们也无法使用 AWS Management Console、CQLSH AWS CLI、或执行任务 AWS API。IAM管理员必须创建IAM策略,授予用户和角色对其所需的指定资源执行特定API操作的权限。然后,管理员必须将这些策略附加到需要这些权限的IAM用户或群组。
要了解如何使用这些示例JSON策略文档创建IAM基于身份的策略,请参阅《IAM用户指南》JSON中的 “在选项卡上创建策略”。
主题
策略最佳实践
基于身份的策略决定了某人是否可以创建、访问或删除您账户中的 LiveAnalytics 资源的 Timestream。这些操作可能会使 AWS 账户产生成本。创建或编辑基于身份的策略时,请遵循以下指南和建议:
-
开始使用 AWS 托管策略并转向最低权限权限 — 要开始向用户和工作负载授予权限,请使用为许多常见用例授予权限的AWS 托管策略。它们在你的版本中可用 AWS 账户。我们建议您通过定义针对您的用例的 AWS 客户托管策略来进一步减少权限。有关更多信息,请参阅《IAM用户指南》中的AWS 托AWS 管策略或工作职能托管策略。
-
应用最低权限权限-使用IAM策略设置权限时,仅授予执行任务所需的权限。为此,您可以定义在特定条件下可以对特定资源执行的操作,也称为最低权限许可。有关使用应用权限IAM的更多信息,请参阅《IAM用户指南》IAM中的策略和权限。
-
使用IAM策略中的条件进一步限制访问权限-您可以在策略中添加条件以限制对操作和资源的访问权限。例如,您可以编写一个策略条件来指定所有请求都必须使用发送SSL。如果服务操作是通过特定 AWS 服务的(例如)使用的,则也可以使用条件来授予对服务操作的访问权限 AWS CloudFormation。有关更多信息,请参阅《IAM用户指南》中的IAMJSON策略元素:条件。
-
使用 A IAM ccess Analyzer 验证您的IAM策略以确保权限的安全性和功能性 — A IAM ccess Analyzer 会验证新的和现有的策略,以便策略符合IAM策略语言 (JSON) 和IAM最佳实践。IAMAccess Analyzer 提供了 100 多项策略检查和可行的建议,可帮助您制定安全和实用的策略。有关更多信息,请参阅《IAM用户指南》中的使用 A IAM ccess Analyzer 验证策略。
-
需要多重身份验证 (MFA)-如果您的场景需要IAM用户或 root 用户 AWS 账户,请打开MFA以提高安全性。要要求MFA何时调用API操作,请在策略中添加MFA条件。有关更多信息,请参阅《IAM用户指南》MFA中的使用进行安全API访问。
有关中最佳做法的更多信息IAM,请参阅《IAM用户指南》IAM中的安全最佳实践。
使用控制台的 Timestrea LiveAnalytics m
Timestream LiveAnalytics 版不需要特定权限即可访问适用于控制台的 Amazon Timestream LiveAnalytics 。您至少需要具有只读权限才能列出和查看有关您 AWS 账户中 LiveAnalytics 资源的时间流的详细信息。如果您创建的基于身份的策略比所需的最低权限更严格,则控制台将无法按预期运行,适用于使用该策略的实体(IAM用户或角色)。
允许用户查看他们自己的权限
此示例说明如何创建允许IAM用户查看附加到其用户身份的内联和托管策略的策略。此策略包括在控制台上或使用或以编程方式完成此操作的 AWS CLI 权限。 AWS API
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }
Timestream 中的常见操作 LiveAnalytics
以下是允许在 Timestream 中进行常见操作的示例IAM策略 LiveAnalytics。
主题
允许所有操作
以下是允许在 Timestream 中进行所有操作的示例策略。 LiveAnalytics
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:*" ], "Resource": "*" } ] }
允许SELECT操作
以下示例策略允许对特定资源进行样SELECT式查询。
注意
<account_ID>用您的亚马逊账户编号替换。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:Select", "timestream:DescribeTable", "timestream:ListMeasures" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/DevOps" }, { "Effect": "Allow", "Action": [ "timestream:DescribeEndpoints", "timestream:SelectValues", "timestream:CancelQuery" ], "Resource": "*" } ] }
允许对多个资源进行SELECT操作
以下示例策略允许对多个资源进行样SELECT式查询。
注意
<account_ID>用您的亚马逊账户编号替换。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:Select", "timestream:DescribeTable", "timestream:ListMeasures" ], "Resource": [ "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/DevOps", "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/DevOps1", "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/DevOps2" ] }, { "Effect": "Allow", "Action": [ "timestream:DescribeEndpoints", "timestream:SelectValues", "timestream:CancelQuery" ], "Resource": "*" } ] }
允许元数据操作
以下示例策略允许用户执行元数据查询,但不允许用户执行在 Timestream 中读取或写入实际数据的操作。 LiveAnalytics
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:DescribeEndpoints", "timestream:DescribeTable", "timestream:ListMeasures", "timestream:SelectValues", "timestream:ListTables", "timestream:ListDatabases", "timestream:CancelQuery" ], "Resource": "*" } ] }
允许INSERT操作
以下示例策略允许用户对账户database/sampleDB/table/DevOps内执行INSERT操作<account_id>。
注意
<account_ID>用您的亚马逊账户编号替换。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "timestream:WriteRecords" ], "Resource": [ "arn:aws:timestream:us-east-1:<account_id>:database/sampleDB/table/DevOps" ], "Effect": "Allow" }, { "Action": [ "timestream:DescribeEndpoints" ], "Resource": "*", "Effect": "Allow" } ] }
允许CRUD操作
以下示例策略允许用户在 Timestream 中为 LiveAnalytics执行CRUD操作。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:DescribeEndpoints", "timestream:CreateTable", "timestream:DescribeTable", "timestream:CreateDatabase", "timestream:DescribeDatabase", "timestream:ListTables", "timestream:ListDatabases", "timestream:DeleteTable", "timestream:DeleteDatabase", "timestream:UpdateTable", "timestream:UpdateDatabase" ], "Resource": "*" } ] }
取消查询并在不指定资源的情况下选择数据
以下示例策略允许用户取消查询并对不需要指定资源的数据执行Select查询:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:SelectValues", "timestream:CancelQuery" ], "Resource": "*" } ] }
创建、描述、删除和描述数据库
以下示例策略允许用户创建、描述、删除和描述数据库sampleDB:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:CreateDatabase", "timestream:DescribeDatabase", "timestream:DeleteDatabase", "timestream:UpdateDatabase" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB" } ] }
按标签限制列出的数据库 {"Owner": "${username}"}
以下示例策略允许用户列出所有使用键值对标记的数据库{"Owner": "${username}"}:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:ListDatabases" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/*", "Condition": { "StringEquals": { "aws:ResourceTag/Owner": "${aws:username}" } } } ] }
列出数据库中的所有表
以下示例策略用于列出数据库中的所有表sampleDB:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:ListTables" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/" } ] }
在表格上创建、描述、删除、更新和选择
以下示例策略允许用户创建表、描述表、删除表、更新表以及对数据库DevOps中的表执行Select查询sampleDB:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:CreateTable", "timestream:DescribeTable", "timestream:DeleteTable", "timestream:UpdateTable", "timestream:Select" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/DevOps" } ] }
按表限制查询
以下示例策略允许用户查询除DevOps数据库之外的所有表sampleDB:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:Select" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/*" }, { "Effect": "Deny", "Action": [ "timestream:Select" ], "Resource": "arn:aws:timestream:us-east-1:<account_ID>:database/sampleDB/table/DevOps" } ] }
基于标签的 LiveAnalytics 资源访问时间流
您可以使用基于身份的策略中的条件来控制基于标签的 LiveAnalytics 资源对 Timestream 的访问权限。本章节提供了一些示例。
以下示例说明如何创建一个策略,该策略授予用户查看表的权限(如果表的 Owner 包含该用户的用户名的值)。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReadOnlyAccessTaggedTables", "Effect": "Allow", "Action": "timestream:Select", "Resource": "arn:aws:timestream:us-east-2:111122223333:database/mydatabase/table/*", "Condition": { "StringEquals": { "aws:ResourceTag/Owner": "${aws:username}" } } } ] }
您可以将此政策附加到您账户中的IAM用户。如果名为的用户richard-roe尝试查看 LiveAnalytics 表的时间流,则必须对该表进行标记Owner=richard-roe或owner=richard-roe。否则,他将被拒绝访问。条件标签键 Owner 匹配 Owner 和 owner,因为条件键名称不区分大小写。有关更多信息,请参阅《IAM用户指南》中的 “IAMJSON策略元素:条件”。
如果请求中传递的标签具有键Owner和值,则以下策略向用户授予创建带有标签的表的权限username:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateTagTableUser", "Effect": "Allow", "Action": [ "timestream:Create", "timestream:TagResource" ], "Resource": "arn:aws:timestream:us-east-2:111122223333:database/mydatabase/table/*", "Condition": { "ForAnyValue:StringEquals": { "aws:RequestTag/Owner": "${aws:username}" } } } ] }
以下策略允许DescribeDatabaseAPI在任何将env标签设置为dev或的数据库上使用test:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDescribeEndpoints", "Effect": "Allow", "Action": [ "timestream:DescribeEndpoints" ], "Resource": "*" }, { "Sid": "AllowDevTestAccess", "Effect": "Allow", "Action": [ "timestream:DescribeDatabase" ], "Resource": "*", "Condition": { "StringEquals": { "timestream:tag/env": [ "dev", "test" ] } } } ] } { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowTagAccessForDevResources", "Effect": "Allow", "Action": [ "timestream:TagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/env": [ "test", "dev" ] } } } ] }
此策略使用Condition密钥来允许将密钥env且值为testqa、或dev的标签添加到资源中。
计划查询
列出、删除、更新、执行 ScheduledQuery
以下示例策略允许用户列出、删除、更新和执行计划查询。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "timestream:DeleteScheduledQuery", "timestream:ExecuteScheduledQuery", "timestream:UpdateScheduledQuery", "timestream:ListScheduledQueries", "timestream:DescribeEndpoints" ], "Resource": "*" } ] }
CreateScheduledQuery 使用客户管理的KMS密钥
以下示例策略允许用户创建使用客户托管KMS密钥加密的计划查询;<keyid for
ScheduledQuery>.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/ScheduledQueryExecutionRole" ], "Effect": "Allow" }, { "Action": [ "timestream:CreateScheduledQuery", "timestream:DescribeEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/<keyid for ScheduledQuery>", "Effect": "Allow" } ] }
DescribeScheduledQuery 使用客户管理的KMS密钥
以下示例策略允许用户描述使用客户托管KMS密钥创建的计划查询;<keyid for
ScheduledQuery>.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "timestream:DescribeScheduledQuery", "timestream:DescribeEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/<keyid for ScheduledQuery>", "Effect": "Allow" } ] }
执行角色权限(使用客户托管KMS密钥进行计划查询,SSE-KMS 用于错误报告)
将以下示例策略附加到ScheduledQueryExecutionRoleArn参数中指定的IAM角色,该角色使用客户托管KMS密钥进行计划查询SSE-KMS加密和错误报告加密。CreateScheduledQuery API
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "kms:GenerateDataKey", ], "Resource": "arn:aws:kms:us-west-2:123456789012:key/<keyid for ScheduledQuery>", "Effect": "Allow" }, { "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:us-west-2:123456789012:key/<keyid for database-1>", "arn:aws:kms:us-west-2:123456789012:key/<keyid for database-n>", "arn:aws:kms:us-west-2:123456789012:key/<keyid for ScheduledQuery>" ], "Effect": "Allow" }, { "Action": [ "sns:Publish" ], "Resource": [ "arn:aws:sns:us-west-2:123456789012:scheduled-query-notification-topic-*" ], "Effect": "Allow" }, { "Action": [ "timestream:Select", "timestream:SelectValues", "timestream:WriteRecords" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:PutObject", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::scheduled-query-error-bucket", "arn:aws:s3:::scheduled-query-error-bucket/*" ], "Effect": "Allow" } ] }
执行角色信任关系
以下是在的ScheduledQueryExecutionRoleArn参数中指定的IAM角色的信任关系CreateScheduledQueryAPI。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "timestream.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }
允许访问在账户中创建的所有计划查询
将以下示例策略附加到ScheduledQueryExecutionRoleArn参数中指定的IAM角色 CreateScheduledQueryAPI,以允许访问在账户中创建的所有计划查询 Account_ID.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "timestream.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "Account_ID" }, "ArnLike": { "aws:SourceArn": "arn:aws:timestream:us-west-2:Account_ID:scheduled-query/*" } } } ] }
允许访问所有具有特定名称的计划查询
将以下示例策略附加到ScheduledQueryExecutionRoleArn参数中指定的IAM角色 CreateScheduledQueryAPI,以允许访问名称以开头的所有定时查询 Scheduled_Query_Name,在账户内 Account_ID.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "timestream.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "Account_ID" }, "ArnLike": { "aws:SourceArn": "arn:aws:timestream:us-west-2:Account_ID:scheduled-query/Scheduled_Query_Name*" } } } ] }
