AmazonDocDBFullAccess AmazonDocDBReadOnlyAccess AmazonDocDBConsoleFullAccess AmazonDocDBElasticReadOnlyAccess AmazonDocDBElasticFullAccess AmazonDoc 資料庫-ElasticServiceRolePolicy 受 AWS 管政策的 Amazon DocumentDB 更新

AWS Amazon DocumentDB 的受管政策

若要將許可新增至使用者、群組和角色，使用 AWS 受管政策比自行撰寫政策更容易。建立 IAM 客戶受管政策需要時間和專業知識，為您的團隊提供他們所需的許可。若要快速入門，您可以使用我們的 AWS 受管政策。這些政策涵蓋常見的使用案例，並且可在您的帳戶中使用 AWS 。如需有關 AWS 受管政策的詳細資訊，請參閱 AWS 身分和存取管理使用者指南中的受AWS 管政策。

AWS 服務會維護和更新 AWS 受管政策。您無法變更 AWS 受管政策中的許可。服務偶爾會將其他許可新增至 AWS 受管政策，以支援新功能。此類型的更新會影響已連接政策的所有身分識別 (使用者、群組和角色)。當新功能啟動或新操作可用時，服務最有可能更新 AWS 受管政策。服務不會從 AWS 受管政策中移除許可，因此政策更新不會破壞現有的許可。

此外， AWS 支援跨多個服務的任務函數的受管政策。例如， ViewOnlyAccess AWS 受管政策提供對許多 AWS 服務和資源的唯讀存取。當服務啟動新功能時，會為新操作和資源 AWS 新增唯讀許可。如需任務函數政策的清單和描述，請參閱 AWS Identity and Access Management 使用者指南中的AWS 任務函數的受管政策。

下列 AWS 受管政策可連接至您帳戶中的使用者，其專屬於 Amazon DocumentDB：

AmazonDocDBFullAccess – 授予根 AWS 帳戶所有 Amazon DocumentDB 資源的完整存取權。
AmazonDocDBReadOnlyAccess – 授予根 AWS 帳戶所有 Amazon DocumentDB 資源的唯讀存取權。
AmazonDocDBConsoleFullAccess – 授予使用管理 Amazon DocumentDB 和 Amazon DocumentDB 彈性叢集資源的完整存取權 AWS Management Console。
AmazonDocDBElasticReadOnlyAccess – 授予根 AWS 帳戶所有 Amazon DocumentDB 彈性叢集資源的唯讀存取權。
AmazonDocDBElasticFullAccess – 授予根 AWS 帳戶所有 Amazon DocumentDB 彈性叢集資源的完整存取權。

AmazonDocDBFullAccess

此政策會授予管理許可，允許主體完整存取所有 Amazon DocumentDB 動作。此政策中的許可分組如下：

Amazon DocumentDB 許可允許所有 Amazon DocumentDB 動作。
此政策中的某些 Amazon EC2 許可需要驗證 API 請求中的傳遞資源。這是為了確保 Amazon DocumentDB 能夠成功地將資源與叢集搭配使用。本政策中的其餘 Amazon EC2 許可允許 Amazon DocumentDB 建立所需的 AWS 資源，讓您能夠連線至叢集。
Amazon DocumentDB 許可會在 API 呼叫期間使用，以驗證請求中傳遞的資源。Amazon DocumentDB 需要這些金鑰，才能搭配 Amazon DocumentDB 叢集使用傳遞的金鑰。
Amazon DocumentDB 需要 CloudWatch Logs 才能確保日誌交付目的地可連線，且對代理程式日誌的使用有效。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:AddRoleToDBCluster",
                "rds:AddSourceIdentifierToSubscription",
                "rds:AddTagsToResource",
                "rds:ApplyPendingMaintenanceAction",
                "rds:CopyDBClusterParameterGroup",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBParameterGroup",
                "rds:CreateDBCluster",
                "rds:CreateDBClusterParameterGroup",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateEventSubscription",
                "rds:DeleteDBCluster",
                "rds:DeleteDBClusterParameterGroup",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DeleteEventSubscription",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeValidDBInstanceModifications",
                "rds:DownloadDBLogFilePortion",
                "rds:FailoverDBCluster",
                "rds:ListTagsForResource",
                "rds:ModifyDBCluster",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyEventSubscription",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RebootDBInstance",
                "rds:RemoveRoleFromDBCluster",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:RemoveTagsFromResource",
                "rds:ResetDBClusterParameterGroup",
                "rds:ResetDBParameterGroup",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:RestoreDBClusterToPointInTime"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWS ServiceName": "rds.amazonaws.com"
                }
            }
        }
    ]
}

AmazonDocDBReadOnlyAccess

此政策授予唯讀許可，允許使用者檢視 Amazon DocumentDB 中的資訊。附加此政策的主體無法進行任何更新或刪除結束的資源，也無法建立新的 Amazon DocumentDB 資源。例如，具有這些許可的主體可以檢視與其帳戶相關聯的叢集和組態清單，但無法變更任何叢集的組態或設定。此政策中的許可分組如下：

Amazon DocumentDB 許可可讓您列出 Amazon DocumentDB 資源、描述它們，以及取得有關它們的資訊。
Amazon EC2 許可用於描述與叢集相關聯的 Amazon VPC、子網路、安全群組和 ENIs。
Amazon DocumentDB 許可用於描述與叢集相關聯的金鑰。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DownloadDBLogFilePortion",
                "rds:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "kms:ListAliases",
                "kms:ListKeyPolicies"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
                "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*"
            ]
        }
    ]
}

AmazonDocDBConsoleFullAccess

授予完整存取權，以使用管理 Amazon DocumentDB 資源 AWS Management Console ，如下所示：

允許所有 Amazon DocumentDB Amazon DocumentDB 和 Amazon DocumentDB 叢集動作的 Amazon DocumentDB 許可。
此政策中的某些 Amazon EC2 許可需要驗證 API 請求中的傳遞資源。這是為了確保 Amazon DocumentDB 能夠成功地使用資源來佈建和維護叢集。本政策中的其餘 Amazon EC2 許可允許 Amazon DocumentDB 建立所需的 AWS 資源，以便您能夠連線到 VPCEndpoint 等叢集。
AWS KMS 許可會在 API 呼叫期間使用 AWS KMS ，以驗證請求中的傳遞資源。Amazon DocumentDB 需要使用它們，才能使用傳遞的金鑰，透過 Amazon DocumentDB 彈性叢集來加密和解密靜態資料。
Amazon DocumentDB 需要 CloudWatch Logs 才能確保日誌交付目的地可連線，且它們適用於稽核和分析日誌。
需要 Secrets Manager 許可才能驗證指定的秘密，並使用它為 Amazon DocumentDB 彈性叢集設定管理員使用者。
Amazon DocumentDB 叢集管理動作需要 Amazon RDS 許可。對於某些管理功能，Amazon DocumentDB 使用與 Amazon RDS 共用的操作技術。
SNS 許可允許主體 Amazon Simple Notification Service (Amazon SNS) 訂閱和主題，以及發佈 Amazon SNS 訊息。
建立指標和日誌發佈所需的服務連結角色需要 IAM 許可。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DocdbSids",
            "Effect": "Allow",
            "Action": [
                "docdb-elastic:CreateCluster",
                "docdb-elastic:UpdateCluster",
                "docdb-elastic:GetCluster",
                "docdb-elastic:DeleteCluster",
                "docdb-elastic:ListClusters",
                "docdb-elastic:CreateClusterSnapshot",
                "docdb-elastic:GetClusterSnapshot",
                "docdb-elastic:DeleteClusterSnapshot",
                "docdb-elastic:ListClusterSnapshots",
                "docdb-elastic:RestoreClusterFromSnapshot",
                "docdb-elastic:TagResource",
                "docdb-elastic:UntagResource",
                "docdb-elastic:ListTagsForResource",
                "docdb-elastic:CopyClusterSnapshot",
                "docdb-elastic:StartCluster",
                "docdb-elastic:StopCluster",
                "rds:AddRoleToDBCluster",
                "rds:AddSourceIdentifierToSubscription",
                "rds:AddTagsToResource",
                "rds:ApplyPendingMaintenanceAction",
                "rds:CopyDBClusterParameterGroup",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBParameterGroup",
                "rds:CreateDBCluster",
                "rds:CreateDBClusterParameterGroup",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateEventSubscription",
                "rds:CreateGlobalCluster",
                "rds:DeleteDBCluster",
                "rds:DeleteDBClusterParameterGroup",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DeleteEventSubscription",
                "rds:DeleteGlobalCluster",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeGlobalClusters",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeValidDBInstanceModifications",
                "rds:DownloadDBLogFilePortion",
                "rds:FailoverDBCluster",
                "rds:ListTagsForResource",
                "rds:ModifyDBCluster",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyEventSubscription",
                "rds:ModifyGlobalCluster",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RebootDBInstance",
                "rds:RemoveFromGlobalCluster",
                "rds:RemoveRoleFromDBCluster",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:RemoveTagsFromResource",
                "rds:ResetDBClusterParameterGroup",
                "rds:ResetDBParameterGroup",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:RestoreDBClusterToPointInTime"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DependencySids",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2:AllocateAddress",
                "ec2:AssignIpv6Addresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDefaultSubnet",
                "ec2:CreateDefaultVpc",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DocdbSLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DocdbElasticSLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
                }
            }
        }
    ]
}

AmazonDocDBElasticReadOnlyAccess

此政策授予唯讀許可，允許使用者在 Amazon DocumentDB 中檢視彈性叢集資訊。附加此政策的主體無法進行任何更新或刪除結束的資源，也無法建立新的 Amazon DocumentDB 資源。例如，具有這些許可的主體可以檢視與其帳戶相關聯的叢集和組態清單，但無法變更任何叢集的組態或設定。此政策中的許可分組如下：

Amazon DocumentDB 彈性叢集許可可讓您列出 Amazon DocumentDB 彈性叢集資源、加以描述，並取得相關資訊。
CloudWatch 許可用於驗證服務指標。


{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "docdb-elastic:ListClusters",
            "docdb-elastic:GetCluster",
            "docdb-elastic:ListClusterSnapshots",
            "docdb-elastic:GetClusterSnapshot",
            "docdb-elastic:ListTagsForResource"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "cloudwatch:GetMetricData",
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics"
         ],
         "Resource": "*"
      }
   ]
}

AmazonDocDBElasticFullAccess

此政策授予管理許可，允許主體完整存取 Amazon DocumentDB 彈性叢集的所有 Amazon DocumentDB 動作。

此政策在條件下使用 AWS 標籤 (https://docs.aws.amazon.com/tag-editor/latest/userguide/taggingWord.html) 來限制對資源的存取。如果您使用的是秘密，則必須使用標籤索引鍵DocDBElasticFullAccess和標籤值來標記。如果您使用客戶受管金鑰，則必須使用標籤金鑰DocDBElasticFullAccess和標籤值來標記。

此政策中的許可分組如下：

Amazon DocumentDB 彈性叢集許可允許所有 Amazon DocumentDB 動作。
此政策中的某些 Amazon EC2 許可需要驗證 API 請求中的傳遞資源。這是為了確保 Amazon DocumentDB 能夠成功地使用資源來佈建和維護叢集。此政策中的其餘 Amazon EC2 許可允許 Amazon DocumentDB 建立所需的 AWS 資源，讓您能夠像 VPC 端點一樣連線到叢集。
AWS KMS Amazon DocumentDB 需要許可，才能使用傳遞的金鑰來加密和解密 Amazon DocumentDB 彈性叢集中的靜態資料。

注意
客戶受管金鑰必須具有具有金鑰DocDBElasticFullAccess和標籤值的標籤。
需要 SecretsManager 許可才能驗證指定的秘密，並使用它為 Amazon DocumentDB 彈性叢集設定管理員使用者。

注意
使用的秘密必須具有具有金鑰DocDBElasticFullAccess和標籤值的標籤。
建立指標和日誌發佈所需的服務連結角色需要 IAM 許可。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DocdbElasticSid",
            "Effect": "Allow",
            "Action": [
                "docdb-elastic:CreateCluster",
                "docdb-elastic:UpdateCluster",
                "docdb-elastic:GetCluster",
                "docdb-elastic:DeleteCluster",
                "docdb-elastic:ListClusters",
                "docdb-elastic:CreateClusterSnapshot",
                "docdb-elastic:GetClusterSnapshot",
                "docdb-elastic:DeleteClusterSnapshot",
                "docdb-elastic:ListClusterSnapshots",
                "docdb-elastic:RestoreClusterFromSnapshot",
                "docdb-elastic:TagResource",
                "docdb-elastic:UntagResource",
                "docdb-elastic:ListTagsForResource",
                "docdb-elastic:CopyClusterSnapshot",
                "docdb-elastic:StartCluster",
                "docdb-elastic:StopCluster"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Sid",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints",
                "ec2:ModifyVpcEndpoint",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeAvailabilityZones",
                "secretsmanager:ListSecrets"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
                }
            }
        },
        {
            "Sid": "KMSSid",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "docdb-elastic.*.amazonaws.com"
                    ],
                    "aws:ResourceTag/DocDBElasticFullAccess": "*"
                }
            }
        },
        {
            "Sid": "KMSGrantSid",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/DocDBElasticFullAccess": "*",
                    "kms:ViaService": [
                        "docdb-elastic.*.amazonaws.com"
                    ]
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "SecretManagerSid",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:GetResourcePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"
                },
                "StringEquals": {
                    "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudwatchSid",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "SLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
                }
            }
        }
    ]
}

AmazonDoc 資料庫-ElasticServiceRolePolicy

您無法AmazonDocDBElasticServiceRolePolicy連接至 AWS Identity and Access Management 實體。此政策會連接至服務連結角色，讓 Amazon DocumentDB 代表您執行動作。如需詳細資訊，請參閱彈性叢集中的服務連結角色。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "AWS/DocDB-Elastic"
                    ]
                }
            }
        }
    ]
}

受 AWS 管政策的 Amazon DocumentDB 更新

變更	描述	日期
AmazonDocDBElasticFullAccess、 AmazonDocDBConsoleFullAccess - 變更	已更新政策以新增開始/停止叢集和複製叢集快照動作。	2/21/2024
AmazonDocDBElasticReadOnlyAccess、 AmazonDocDBElasticFullAccess - 變更	已更新政策以新增`cloudwatch:GetMetricData`動作。	6/21/2023
AmazonDocDBElasticReadOnlyAccess – 新政策	Amazon DocumentDB 彈性叢集的新受管政策	6/8/2023
AmazonDocDBElasticFullAccess – 新政策	Amazon DocumentDB 彈性叢集的新受管政策	6/5/2023
AmazonDoc 資料庫-ElasticServiceRolePolicy – 新政策	Amazon DocumentDB 會為 Amazon DocumentDB 彈性叢集建立新的 AWS ServiceRoleForDoc 資料庫彈性服務連結角色	11/30/2022
AmazonDocDBConsoleFullAccess - 變更	已更新政策以新增 Amazon DocumentDB 全域和彈性叢集許可	11/30/2022
AmazonDocDBConsoleFullAccess、AmazonDocDBFullAccess、 AmazonDocDBReadOnlyAccess - 新政策	服務啟動	1/19/2017

您的瀏覽器已停用或無法使用 Javascript。

您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。

文件慣用形式

使用身分型政策 (IAM 政策）

Amazon DocumentDB API 許可參考

AWS Amazon DocumentDB 的 受管政策