

This page is a machine translation of the English version. If there is any ambiguity or inconsistency in its content, the English version prevails.

# AWS managed policies for Amazon DocumentDB
<a name="docdb-managed-policies"></a>

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *AWS Identity and Access Management User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the `ViewOnlyAccess` AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *AWS Identity and Access Management User Guide*.

The following AWS managed policies are specific to Amazon DocumentDB and can be attached to users in your account:
+ [AmazonDocDBFullAccess](#AmazonDocDBFullAccess) – Grants full access to all Amazon DocumentDB resources for the root AWS account.
+ [AmazonDocDBReadOnlyAccess](#AmazonDocDBReadOnlyAccess) – Grants read-only access to all Amazon DocumentDB resources for the root AWS account.
+ [AmazonDocDBConsoleFullAccess](#AmazonDocDBConsoleFullAccess) – Grants full access to manage Amazon DocumentDB and Amazon DocumentDB elastic cluster resources using the AWS Management Console.
+ [AmazonDocDBElasticReadOnlyAccess](#AmazonDocDB-ElasticReadOnlyAccess) – Grants read-only access to all Amazon DocumentDB elastic cluster resources for the root AWS account.
+ [AmazonDocDBElasticFullAccess](#AmazonDocDB-ElasticFullAccess) – Grants full access to all Amazon DocumentDB elastic cluster resources for the root AWS account.

## AmazonDocDBFullAccess
<a name="AmazonDocDBFullAccess"></a>

This policy grants administrative permissions that allow a principal full access to all Amazon DocumentDB actions. The permissions in this policy are grouped as follows:
+ The Amazon DocumentDB permissions allow all Amazon DocumentDB actions.
+ Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to make sure that Amazon DocumentDB can successfully use the resources with a cluster. The remaining Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed so that you can connect to your clusters.
+ The AWS KMS permissions are used during API calls to validate the resources passed in the request. They are required so that Amazon DocumentDB can use the passed key with the Amazon DocumentDB cluster.
+ The CloudWatch Logs permissions are required by Amazon DocumentDB to make sure that the log delivery destinations are reachable and that they are valid for profiler logs.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:AddRoleToDBCluster",
                "rds:AddSourceIdentifierToSubscription",
                "rds:AddTagsToResource",
                "rds:ApplyPendingMaintenanceAction",
                "rds:CopyDBClusterParameterGroup",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBParameterGroup",
                "rds:CreateDBCluster",
                "rds:CreateDBClusterParameterGroup",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateEventSubscription",
                "rds:DeleteDBCluster",
                "rds:DeleteDBClusterParameterGroup",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DeleteEventSubscription",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeValidDBInstanceModifications",
                "rds:DownloadDBLogFilePortion",
                "rds:FailoverDBCluster",
                "rds:ListTagsForResource",
                "rds:ModifyDBCluster",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyEventSubscription",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RebootDBInstance",
                "rds:RemoveRoleFromDBCluster",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:RemoveTagsFromResource",
                "rds:ResetDBClusterParameterGroup",
                "rds:ResetDBParameterGroup",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:RestoreDBClusterToPointInTime"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        }
    ]
}
```

------
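A managed policy such as AmazonDocDBFullAccess allows dozens of actions on `"Resource": "*"`. Before attaching it, a practitioner usually wants to know which of those actions change state and which of them carry no resource restriction or condition. The script below is an added example, not AWS code and not part of this documentation: it parses a policy document, separates read-only actions from mutating ones, and lists the mutating actions granted on `*` without a condition. The read-only verb list is a heuristic assumption, and the embedded policy is a constructed excerpt of the document shown above.

```python
"""Classify the actions a managed policy grants into read-only and mutating.

Added example, not AWS code. The policy below is a constructed excerpt of the
AmazonDocDBFullAccess document shown on this page; the read-only verb list is
a heuristic assumption, not an AWS-published classification.
"""
import fnmatch
import json
import re

# Constructed excerpt of the page's AmazonDocDBFullAccess policy.
POLICY_EXCERPT = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["rds:CreateDBCluster", "rds:DeleteDBCluster",
                "rds:DescribeDBClusters", "rds:ModifyDBCluster",
                "rds:ListTagsForResource", "rds:DownloadDBLogFilePortion"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["cloudwatch:GetMetricStatistics", "kms:ListKeys",
                "logs:GetLogEvents", "sns:Publish"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
     "Condition": {"StringLike": {"iam:AWSServiceName": "rds.amazonaws.com"}}}
  ]
}
''')

# Heuristic (an assumption of this example): verbs that only read state.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Download")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _verb(action):
    """'rds:CreateDBCluster' -> 'Create'. A bare '*' has no verb."""
    name = action.split(":", 1)[-1]
    m = re.match(r"[A-Z][a-z]+", name)
    return m.group(0) if m else ""


def classify_actions(policy):
    """Return {'read_only': [...], 'mutating': [...]} across Allow statements."""
    out = {"read_only": set(), "mutating": set()}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            bucket = "read_only" if _verb(action) in READ_ONLY_VERBS else "mutating"
            out[bucket].add(action)
    return {k: sorted(v) for k, v in out.items()}


def unconditional_wildcard_writes(policy):
    """Mutating actions allowed on Resource '*' with no Condition block.

    These are the grants to review first when deciding whether a managed
    policy is broader than the principal actually needs.
    """
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" not in _as_list(st.get("Resource", [])):
            continue
        for action in _as_list(st.get("Action", [])):
            if _verb(action) not in READ_ONLY_VERBS:
                found.add(action)
    return sorted(found)


def actions_matching(policy, pattern):
    """Allowed actions matching a glob such as 'rds:Delete*'."""
    allowed = classify_actions(policy)
    everything = allowed["read_only"] + allowed["mutating"]
    return sorted(a for a in everything if fnmatch.fnmatchcase(a, pattern))


if __name__ == "__main__":
    print(json.dumps(classify_actions(POLICY_EXCERPT), indent=2))
    print("unconditional wildcard writes:", unconditional_wildcard_writes(POLICY_EXCERPT))
    print("delete actions:", actions_matching(POLICY_EXCERPT, "rds:Delete*"))
```

Running it against the full policy from this page (paste the JSON in place of the excerpt) shows that the `iam:CreateServiceLinkedRole` grant is the only mutating action scoped by both a resource ARN and a condition; everything else is unrestricted, which is expected for a full-access policy but worth confirming before you attach it to anything other than an administrator.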

## AmazonDocDBReadOnlyAccess
<a name="AmazonDocDBReadOnlyAccess"></a>

This policy grants read-only permissions that allow users to view information in Amazon DocumentDB. A principal with this policy attached can't make any updates, delete existing resources, or create new Amazon DocumentDB resources. For example, a principal with these permissions can view the list of clusters and configurations associated with their account, but can't change the configuration or settings of any cluster. The permissions in this policy are grouped as follows:
+ The Amazon DocumentDB permissions allow you to list Amazon DocumentDB resources, describe them, and get information about them.
+ The Amazon EC2 permissions are used to describe the Amazon VPC, subnets, security groups, and ENIs associated with a cluster.
+ The AWS KMS permissions are used to describe the keys associated with a cluster.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DownloadDBLogFilePortion",
                "rds:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "kms:ListAliases",
                "kms:ListKeyPolicies"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
                "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*"
            ]
        }
    ]
}
```

------

## AmazonDocDBConsoleFullAccess
<a name="AmazonDocDBConsoleFullAccess"></a>

Grants full access to manage Amazon DocumentDB resources using the AWS Management Console, as follows:
+ The Amazon DocumentDB permissions allow all Amazon DocumentDB and Amazon DocumentDB cluster actions.
+ Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to make sure that Amazon DocumentDB can successfully use the resources to provision and maintain a cluster. The remaining Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed so that you can connect to your clusters, such as a VPC endpoint.
+ The AWS KMS permissions are used during AWS KMS API calls to validate the resources passed in the request. They are required so that Amazon DocumentDB can use the passed key to encrypt and decrypt data at rest in Amazon DocumentDB elastic clusters.
+ The CloudWatch Logs permissions are required by Amazon DocumentDB to make sure that the log delivery destinations are reachable and that they are valid for audit and profiler logs.
+ The Secrets Manager permissions are required to validate the specified secret and use it to set up the admin user for Amazon DocumentDB elastic clusters.
+ The Amazon RDS permissions are required for Amazon DocumentDB cluster management actions. For some management features, Amazon DocumentDB uses operational technology shared with Amazon RDS.
+ The SNS permissions allow the principal to use Amazon Simple Notification Service (Amazon SNS) subscriptions and topics, and to publish Amazon SNS messages.
+ The IAM permissions are required to create the service-linked role needed for publishing metrics and logs.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DocdbSids",
            "Effect": "Allow",
            "Action": [
                "docdb-elastic:CreateCluster",
                "docdb-elastic:UpdateCluster",
                "docdb-elastic:GetCluster",
                "docdb-elastic:DeleteCluster",
                "docdb-elastic:ListClusters",
                "docdb-elastic:CreateClusterSnapshot",
                "docdb-elastic:GetClusterSnapshot",
                "docdb-elastic:DeleteClusterSnapshot",
                "docdb-elastic:ListClusterSnapshots",
                "docdb-elastic:RestoreClusterFromSnapshot",
                "docdb-elastic:TagResource",
                "docdb-elastic:UntagResource",
                "docdb-elastic:ListTagsForResource",
                "docdb-elastic:CopyClusterSnapshot",
                "docdb-elastic:StartCluster",
                "docdb-elastic:StopCluster",
                "docdb-elastic:GetPendingMaintenanceAction",
                "docdb-elastic:ListPendingMaintenanceActions",
                "docdb-elastic:ApplyPendingMaintenanceAction",
                "rds:AddRoleToDBCluster",
                "rds:AddSourceIdentifierToSubscription",
                "rds:AddTagsToResource",
                "rds:ApplyPendingMaintenanceAction",
                "rds:CopyDBClusterParameterGroup",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBParameterGroup",
                "rds:CreateDBCluster",
                "rds:CreateDBClusterParameterGroup",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateEventSubscription",
                "rds:CreateGlobalCluster",
                "rds:DeleteDBCluster",
                "rds:DeleteDBClusterParameterGroup",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DeleteEventSubscription",
                "rds:DeleteGlobalCluster",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeGlobalClusters",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeValidDBInstanceModifications",
                "rds:DownloadDBLogFilePortion",
                "rds:FailoverDBCluster",
                "rds:ListTagsForResource",
                "rds:ModifyDBCluster",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyEventSubscription",
                "rds:ModifyGlobalCluster",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RebootDBInstance",
                "rds:RemoveFromGlobalCluster",
                "rds:RemoveRoleFromDBCluster",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:RemoveTagsFromResource",
                "rds:ResetDBClusterParameterGroup",
                "rds:ResetDBParameterGroup",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:RestoreDBClusterToPointInTime"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DependencySids",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2:AllocateAddress",
                "ec2:AssignIpv6Addresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDefaultSubnet",
                "ec2:CreateDefaultVpc",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DocdbSLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DocdbElasticSLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## AmazonDocDBElasticReadOnlyAccess
<a name="AmazonDocDB-ElasticReadOnlyAccess"></a>

This policy grants read-only permissions that allow users to view elastic cluster information in Amazon DocumentDB. A principal with this policy attached can't make any updates, delete existing resources, or create new Amazon DocumentDB resources. For example, a principal with these permissions can view the list of clusters and configurations associated with their account, but can't change the configuration or settings of any cluster. The permissions in this policy are grouped as follows:
+ The Amazon DocumentDB elastic cluster permissions allow you to list Amazon DocumentDB elastic cluster resources, describe them, and get information about them.
+ The CloudWatch permissions are used to verify service metrics.

------
#### [ JSON ]


```
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "docdb-elastic:ListClusters",
            "docdb-elastic:GetCluster",
            "docdb-elastic:ListClusterSnapshots",
            "docdb-elastic:GetClusterSnapshot",
            "docdb-elastic:ListTagsForResource"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "cloudwatch:GetMetricData",
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics"
         ],
         "Resource": "*"
      }
   ]
}
```

------

## AmazonDocDBElasticFullAccess
<a name="AmazonDocDB-ElasticFullAccess"></a>

This policy grants administrative permissions that allow a principal full access to all Amazon DocumentDB actions for Amazon DocumentDB elastic clusters.

This policy uses [AWS tags](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in conditions to scope access to resources. If you use a secret, you must tag the secret with the tag key `DocDBElasticFullAccess` and a tag value. If you use a customer managed key, you must tag the key with the tag key `DocDBElasticFullAccess` and a tag value. The conditions in the policy match on the tag key with a `"*"` value pattern, so any tag value satisfies them; a resource without the tag key does not match.

The permissions in this policy are grouped as follows:
+ The Amazon DocumentDB elastic cluster permissions allow all Amazon DocumentDB actions.
+ Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to make sure that Amazon DocumentDB can successfully use the resources to provision and maintain a cluster. The remaining Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed so that you can connect to your clusters, such as a VPC endpoint.
+ The AWS KMS permissions are required so that Amazon DocumentDB can use the passed key to encrypt and decrypt data at rest in Amazon DocumentDB elastic clusters.
**Note**  
The customer managed key must have a tag with the key `DocDBElasticFullAccess` and a tag value.
+ The Secrets Manager permissions are required to validate the specified secret and use it to set up the admin user for Amazon DocumentDB elastic clusters.
**Note**  
The secret used must have a tag with the key `DocDBElasticFullAccess` and a tag value.
+ The IAM permissions are required to create the service-linked role needed for publishing metrics and logs.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DocdbElasticSid",
            "Effect": "Allow",
            "Action": [
                "docdb-elastic:CreateCluster",
                "docdb-elastic:UpdateCluster",
                "docdb-elastic:GetCluster",
                "docdb-elastic:DeleteCluster",
                "docdb-elastic:ListClusters",
                "docdb-elastic:CreateClusterSnapshot",
                "docdb-elastic:GetClusterSnapshot",
                "docdb-elastic:DeleteClusterSnapshot",
                "docdb-elastic:ListClusterSnapshots",
                "docdb-elastic:RestoreClusterFromSnapshot",
                "docdb-elastic:TagResource",
                "docdb-elastic:UntagResource",
                "docdb-elastic:ListTagsForResource",
                "docdb-elastic:CopyClusterSnapshot",
                "docdb-elastic:StartCluster",
                "docdb-elastic:StopCluster",
                "docdb-elastic:GetPendingMaintenanceAction",
                "docdb-elastic:ListPendingMaintenanceActions",
                "docdb-elastic:ApplyPendingMaintenanceAction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Sid",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints",
                "ec2:ModifyVpcEndpoint",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeAvailabilityZones",
                "secretsmanager:ListSecrets"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
                }
            }
        },
        {
            "Sid": "KMSSid",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "docdb-elastic.*.amazonaws.com"
                    ],
                    "aws:ResourceTag/DocDBElasticFullAccess": "*"
                }
            }
        },
        {
            "Sid": "KMSGrantSid",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/DocDBElasticFullAccess": "*",
                    "kms:ViaService": [
                        "docdb-elastic.*.amazonaws.com"
                    ]
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "SecretManagerSid",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:GetResourcePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"
                },
                "StringEquals": {
                    "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudwatchSid",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "SLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
                }
            }
        }
    ]
}
```

------
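The tag scoping described above is easy to get wrong in practice: a key or secret that is missing the `DocDBElasticFullAccess` tag, or a call that does not arrive through the `docdb-elastic` service, simply does not match these statements and the request falls through to an implicit deny. The script below is an added example, not AWS code: it implements a small subset of IAM condition evaluation (`StringEquals`, `StringLike` and `Bool` on single-valued context keys) over constructed excerpts of the `KMSSid`, `KMSGrantSid` and `SecretManagerSid` statements from the policy above, and checks constructed request contexts against them. The context key names are the ones the policy uses; the tag values and the Region are assumptions.

```python
"""Evaluate the tag-scoped statements of AmazonDocDBElasticFullAccess.

Added example, not AWS code. It implements a deliberately small subset of IAM
condition evaluation (StringEquals, StringLike, Bool; single-valued keys) so
you can see why an untagged KMS key or secret is not covered by this policy.
The statements are constructed excerpts of the policy shown on this page;
the request contexts are constructed.
"""
import fnmatch

# Constructed excerpt: the KMSSid, KMSGrantSid and SecretManagerSid statements.
STATEMENTS = [
    {"Sid": "KMSSid", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
     "Resource": "*",
     "Condition": {"StringLike": {
         "kms:ViaService": ["docdb-elastic.*.amazonaws.com"],
         "aws:ResourceTag/DocDBElasticFullAccess": "*"}}},
    {"Sid": "KMSGrantSid", "Effect": "Allow",
     "Action": ["kms:CreateGrant"], "Resource": "*",
     "Condition": {"StringLike": {
         "aws:ResourceTag/DocDBElasticFullAccess": "*",
         "kms:ViaService": ["docdb-elastic.*.amazonaws.com"]},
         "Bool": {"kms:GrantIsForAWSResource": True}}},
    {"Sid": "SecretManagerSid", "Effect": "Allow",
     "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
     "Resource": "*",
     "Condition": {"StringLike": {
         "secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"},
         "StringEquals": {"aws:CalledViaFirst": "docdb-elastic.amazonaws.com"}}},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _operator_matches(op, expected, actual):
    """Single-valued context keys only. A context key that is absent from the
    request never matches these operators, which is what makes an untagged
    resource fall outside the statement."""
    if actual is None:
        return False
    if op == "StringEquals":
        return any(str(actual) == str(e) for e in _as_list(expected))
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(str(actual), str(e)) for e in _as_list(expected))
    if op == "Bool":
        return any(str(actual).lower() == str(e).lower() for e in _as_list(expected))
    raise ValueError(f"operator not modelled in this example: {op}")


def condition_holds(condition, context):
    """Every operator block and every key within it must match (AND semantics)."""
    for op, keys in (condition or {}).items():
        for key, expected in keys.items():
            if not _operator_matches(op, expected, context.get(key)):
                return False
    return True


def allowing_sids(statements, action, context):
    """Sids of Allow statements whose Action and Condition both match the request."""
    sids = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if condition_holds(st.get("Condition"), context):
            sids.append(st.get("Sid"))
    return sids


def resource_tag_context(tags):
    """Turn a resource's tags into aws:ResourceTag/<key> context entries (helper
    constructed for this example)."""
    return {f"aws:ResourceTag/{k}": v for k, v in tags.items()}


# Constructed request contexts for a Decrypt call through the elastic-cluster service.
TAGGED_KEY = {"kms:ViaService": "docdb-elastic.us-east-1.amazonaws.com",
              **resource_tag_context({"DocDBElasticFullAccess": "true"})}
UNTAGGED_KEY = {"kms:ViaService": "docdb-elastic.us-east-1.amazonaws.com"}
DIRECT_CALL = resource_tag_context({"DocDBElasticFullAccess": "true"})  # not via the service

if __name__ == "__main__":
    for name, ctx in [("tagged key", TAGGED_KEY), ("untagged key", UNTAGGED_KEY),
                      ("direct call", DIRECT_CALL)]:
        print(f"{name}: kms:Decrypt allowed by {allowing_sids(STATEMENTS, 'kms:Decrypt', ctx)}")
```

The script models only the conditions inside these statements. A real authorization decision also depends on the KMS key policy, the secret's resource policy, service control policies and any explicit deny, none of which it represents; its value is in showing that a missing tag key or a call that is not made via `docdb-elastic` yields no matching statement at all, which is the failure mode the notes above warn about.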

## AmazonDocDB-ElasticServiceRolePolicy
<a name="docdb-elastic-service-role"></a>

You can't attach `AmazonDocDBElasticServiceRolePolicy` to your AWS Identity and Access Management entities. This policy is attached to a service-linked role that allows Amazon DocumentDB to perform actions on your behalf. For more information, see [Service-linked roles in elastic clusters](elastic-service-linked-roles.md).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "AWS/DocDB-Elastic"
                    ]
                }
            }
        }
    ]
}
```

------

## Amazon DocumentDB updates to AWS managed policies
<a name="managed-policy-updates"></a>


| Change | Description | Date | 
| --- | --- | --- | 
| [AmazonDocDBElasticFullAccess](#AmazonDocDB-ElasticFullAccess), [AmazonDocDBConsoleFullAccess](#AmazonDocDBConsoleFullAccess) – Change | Updated the policies to add pending maintenance actions. | 2/11/2025 | 
| [AmazonDocDBElasticFullAccess](#AmazonDocDB-ElasticFullAccess), [AmazonDocDBConsoleFullAccess](#AmazonDocDBConsoleFullAccess) – Change | Updated the policies to add start/stop cluster and copy cluster snapshot actions. | 2/21/2024 | 
| [AmazonDocDBElasticReadOnlyAccess](#AmazonDocDB-ElasticReadOnlyAccess), [AmazonDocDBElasticFullAccess](#AmazonDocDB-ElasticFullAccess) – Change | Updated the policies to add the `cloudwatch:GetMetricData` action. | 6/21/2023 | 
| [AmazonDocDBElasticReadOnlyAccess](#AmazonDocDB-ElasticReadOnlyAccess) – New policy | New managed policy for Amazon DocumentDB elastic clusters. | 6/8/2023 | 
| [AmazonDocDBElasticFullAccess](#AmazonDocDB-ElasticFullAccess) – New policy | New managed policy for Amazon DocumentDB elastic clusters. | 6/5/2023 | 
| [AmazonDocDB-ElasticServiceRolePolicy](#docdb-elastic-service-role) – New policy | Amazon DocumentDB creates the new AWSServiceRoleForDocDB-Elastic service-linked role for Amazon DocumentDB elastic clusters. | 11/30/2022 | 
| [AmazonDocDBConsoleFullAccess](#AmazonDocDBConsoleFullAccess) – Change | Updated the policy to add Amazon DocumentDB global and elastic cluster permissions. | 11/30/2022 | 
| [AmazonDocDBConsoleFullAccess](#AmazonDocDBConsoleFullAccess), [AmazonDocDBFullAccess](#AmazonDocDBFullAccess), [AmazonDocDBReadOnlyAccess](#AmazonDocDBReadOnlyAccess) – New policies | Service launch. | 1/19/2017 | 