本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
Canary 的必要角色和許可
每個初期測試都必須與已附加特定權限的IAM角色相關聯。使用 CloudWatch 主控台建立初期測試時,您可以選擇「 CloudWatch Synthetics」來建立初期測試的IAM角色。若您這樣做,則角色將具備所需要的許可。
如果您想要自行建立IAM角色,或建立IAM可在使用 AWS CLI 或建立初期測試時使APIs用的角色,則該角色必須包含本節中列出的權限。
Canary 的所有IAM角色都必須包含以下信任政策聲明。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
此外,金絲雀的IAM角色需要以下語句之一。
不使用 AWS KMS 或不需要 Amazon VPC 訪問的基本金絲雀
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
path/to/your/s3/bucket/canary/results/folder
" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/s3/bucket/that/contains/canary/results
" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:canary_region_name
:canary_account_id
:log-group:/aws/lambda/cwsyn-canary_name
-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } } ] }
金絲雀用於 AWS KMS 加密金絲雀工件,但不需要 Amazon VPC 訪問
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
path/to/your/S3/bucket/canary/results/folder
" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results
" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:canary_region_name
:canary_account_id
:log-group:/aws/lambda/cwsyn-canary_name
-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:KMS_key_region_name
:KMS_key_account_id
:key/KMS_key_id
", "Condition": { "StringEquals": { "kms:ViaService": [ "s3.region_name_of_the_canary_results_S3_bucket
.amazonaws.com" ] } } } ] }
不使用 AWS KMS 但確實需要 Amazon VPC 訪問的金絲雀
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
path/to/your/S3/bucket/canary/results/folder
" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results
" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:canary_region_name
:canary_account_id
:log-group:/aws/lambda/cwsyn-canary_name
-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" ], "Resource": [ "*" ] } ] }
金絲雀用 AWS KMS 於加密金絲雀工件並且還需要 Amazon VPC 訪問
如果您更新非VPC初期測試以開始使用VPC,則需要更新初期測試的角色,以包含下列原則中列出的網路介面權限。
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
path/to/your/S3/bucket/canary/results/folder
" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results
" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:canary_region_name
:canary_account_id
:log-group:/aws/lambda/cwsyn-canary_name
-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:KMS_key_region_name
:KMS_key_account_id
:key/KMS_key_id
", "Condition": { "StringEquals": { "kms:ViaService": [ "s3.region_name_of_the_canary_results_S3_bucket
.amazonaws.com" ] } } } ] }