Service-linked role permissions for resource management
Security Lake uses a service-linked role named AWSServiceRoleForSecurityLakeResourceManagement to perform ongoing monitoring and performance improvements that reduce latency and cost. This service-linked role trusts the resource-management.securitylake.amazonaws.com service to assume the role. Enabling AWSServiceRoleForSecurityLakeResourceManagement also grants it access to Lake Formation and automatically registers your Security Lake managed S3 buckets with Lake Formation in all Regions for improved security.
The role's permissions policy is an AWS managed policy named SecurityLakeResourceManagementServiceRolePolicy, which allows access to manage the resources that Security Lake creates, including managing metadata in the data lake. For more information about AWS managed policies for Amazon Security Lake, see AWS managed policies for Amazon Security Lake.
This service-linked role lets Security Lake monitor the health of the resources that Security Lake deploys into your account (S3 buckets, AWS Glue tables, Amazon SQS queues, the metastore manager (MSM) Lambda function, and EventBridge rules). Some examples of operations that Security Lake can perform using this service-linked role are:
- Apache Iceberg manifest file compaction, which improves query performance and lowers Lambda MSM processing time and cost.
- Monitoring the state of Amazon SQS to detect ingestion problems.
- Optimizing cross-Region data replication to exclude metadata files.
Note
If you don't install the AWSServiceRoleForSecurityLakeResourceManagement service-linked role, Security Lake continues to work, but we strongly recommend that you accept this service-linked role so that Security Lake can monitor and optimize the resources in your account.
Permissions details
The role is configured with the following permissions policy:
- events – Allows principals to manage the EventBridge rules required for log sources and log subscribers.
- lambda – Allows principals to manage the Lambda function that updates AWS Glue table partitions after AWS source delivery and cross-Region replication.
- glue – Allows principals to perform specific write actions on AWS Glue Data Catalog tables. This also allows AWS Glue crawlers to identify partitions in the data, and allows Security Lake to manage the Apache Iceberg metadata of Apache Iceberg tables.
- s3 – Allows principals to perform specific read and write actions on the Security Lake buckets that contain log data and Glue table metadata.
- logs – Allows principals read access to the output that the Lambda function logs to CloudWatch Logs.
- sqs – Allows principals to perform specific read and write actions on the Amazon SQS queues that receive event notifications when objects are added to or updated in the data lake.
- lakeformation – Allows principals to read Lake Formation settings in order to monitor for configuration errors.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadEventBridgeRules",
      "Effect": "Allow",
      "Action": ["events:ListRules"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "ManageSecurityLakeEventRules",
      "Effect": "Allow",
      "Action": ["events:PutRule"],
      "Resource": "arn:aws:events:*:*:rule/AmazonSecurityLake-*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "ManageSecurityLakeLambdaConfigurations",
      "Effect": "Allow",
      "Action": [
        "lambda:GetEventSourceMapping",
        "lambda:GetFunction",
        "lambda:PutFunctionConcurrency",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:GetFunctionConcurrency",
        "lambda:GetRuntimeManagementConfig",
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:PublishVersion",
        "lambda:DeleteFunctionConcurrency",
        "lambda:DeleteEventSourceMapping",
        "lambda:GetAlias",
        "lambda:GetPolicy",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*",
        "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "AllowListLambdaEventSourceMappings",
      "Effect": "Allow",
      "Action": ["lambda:ListEventSourceMappings"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "AllowUpdateLambdaEventSourceMapping",
      "Effect": "Allow",
      "Action": ["lambda:UpdateEventSourceMapping"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"},
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"
        }
      }
    },
    {
      "Sid": "AllowUpdateLambdaConfigs",
      "Effect": "Allow",
      "Action": ["lambda:UpdateFunctionConfiguration"],
      "Resource": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "ManageSecurityLakeGlueResources",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition",
        "glue:BatchCreatePartition",
        "glue:GetTable",
        "glue:GetTables",
        "glue:UpdateTable",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "AllowDataLakeConfigurationManagement",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObjectAttributes",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:GetEncryptionConfiguration",
        "s3:GetReplicationConfiguration"
      ],
      "Resource": ["arn:aws:s3:::aws-security-data-lake*"],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "AllowMetaDataCompactionAndManagement",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:DeleteObject", "s3:RestoreObject"],
      "Resource": [
        "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro",
        "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "ReadSecurityLakeLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:StartQuery",
        "logs:GetLogEvents",
        "logs:GetQueryResults",
        "logs:GetLogRecord"
      ],
      "Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLakeMetastoreManager-*-*"],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "ManageSecurityLakeSQSQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:StartMessageMoveTask",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:ChangeMessageVisibility",
        "sqs:ListMessageMoveTasks",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:GetQueueAttributes",
        "sqs:SetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:*:SecurityLake_*",
        "arn:aws:sqs:*:*:AmazonSecurityLakeManager-*"
      ],
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    },
    {
      "Sid": "AllowDataLakeManagement",
      "Effect": "Allow",
      "Action": ["lakeformation:GetDataLakeSettings", "lakeformation:ListPermissions"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
      }
    }
  ]
}
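Every statement in the managed policy above pins aws:ResourceAccount to the calling account, and the four statements whose Resource is "*" rely on that condition (plus, for AllowUpdateLambdaEventSourceMapping, a lambda:FunctionArn pattern) to stay scoped. When reviewing this or any AWS managed policy, that is the property to check mechanically. The following is an added example, not AWS code: a small offline audit that loads a policy document, lists Allow statements that lack the account-scoping condition, and shows which conditions narrow each wildcard-resource statement. POLICY_EXCERPT copies four statements from the policy above and adds one constructed statement ("ConstructedUnscopedExample") with no condition so the check has something to flag.

```python
"""Audit an IAM policy document for account scoping and wildcard resources.

Added example, not AWS code. POLICY_EXCERPT copies four statements from the
SecurityLakeResourceManagementServiceRolePolicy shown above and adds one
constructed statement ("ConstructedUnscopedExample") that has no
aws:ResourceAccount condition, so the check has something to flag.
"""
import json

POLICY_EXCERPT = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadEventBridgeRules", "Effect": "Allow",
     "Action": ["events:ListRules"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "AllowUpdateLambdaEventSourceMapping", "Effect": "Allow",
     "Action": ["lambda:UpdateEventSourceMapping"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"},
                   "StringLike": {"lambda:FunctionArn":
                                  "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"}}},
    {"Sid": "ManageSecurityLakeGlueResources", "Effect": "Allow",
     "Action": ["glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetTable",
                "glue:GetTables", "glue:UpdateTable", "glue:GetDatabase"],
     "Resource": ["arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
                  "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
                  "arn:aws:glue:*:*:catalog"],
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "AllowDataLakeManagement", "Effect": "Allow",
     "Action": ["lakeformation:GetDataLakeSettings", "lakeformation:ListPermissions"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    {"Sid": "ConstructedUnscopedExample", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "*"}
  ]
}'''

ACCOUNT_SCOPE_KEY = "aws:ResourceAccount"
ACCOUNT_SCOPE_VALUE = "${aws:PrincipalAccount}"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_account_scoped(statement):
    """True when StringEquals pins aws:ResourceAccount to the calling account."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return cond.get(ACCOUNT_SCOPE_KEY) == ACCOUNT_SCOPE_VALUE


def unscoped_statements(policy):
    """Sids of Allow statements that lack the account-scoping condition."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and not is_account_scoped(s)]


def wildcard_resource_statements(policy):
    """Map Sid -> sorted condition keys, for every statement whose Resource is '*'."""
    out = {}
    for s in policy["Statement"]:
        if "*" in _as_list(s.get("Resource", [])):
            out[s.get("Sid", "<no Sid>")] = sorted(
                key for block in s.get("Condition", {}).values() for key in block)
    return out


def actions_by_service(policy):
    """Map service prefix -> sorted list of actions the policy allows."""
    out = {}
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        for action in _as_list(s.get("Action", [])):
            out.setdefault(action.split(":", 1)[0], set()).add(action)
    return {service: sorted(actions) for service, actions in out.items()}


def audit(policy_text=POLICY_EXCERPT):
    """Run all three checks over a policy document given as JSON text."""
    policy = json.loads(policy_text)
    return {
        "unscoped": unscoped_statements(policy),
        "wildcard": wildcard_resource_statements(policy),
        "services": sorted(actions_by_service(policy)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Run against the full policy (for example the output of get-policy-version from the AWS CLI), the "unscoped" list should be empty, and each entry in "wildcard" should show at least aws:ResourceAccount; a statement that appears in "wildcard" with an empty condition list is the finding to raise.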
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Creating the Security Lake service-linked role
You can create the AWSServiceRoleForSecurityLakeResourceManagement service-linked role for Security Lake by using the Security Lake console or the AWS CLI.
To create the service-linked role, you must grant the following permissions to your IAM user or IAM role. The IAM role must be a Lake Formation administrator in every Region where Security Lake is enabled.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLakeFormationActionsViaSecurityLakeConsole",
      "Effect": "Allow",
      "Action": [
        "lakeformation:GrantPermissions",
        "lakeformation:ListPermissions",
        "lakeformation:ListResources",
        "lakeformation:RegisterResource",
        "lakeformation:RevokePermissions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowIamActionsViaSecurityLakeConsole",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:GetPolicyVersion",
        "iam:GetRole"
      ],
      "Resource": [
        "arn:*:iam::*:role/aws-service-role/resource-management.securitylake.amazonaws.com/AWSServiceRoleForSecurityLakeResourceManagement",
        "arn:*:iam::aws:policy/service-role/AWSGlueServiceRole",
        "arn:*:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager",
        "arn:*:iam::aws:policy/aws-service-role/SecurityLakeResourceManagementServiceRolePolicy"
      ],
      "Condition": {
        "StringLikeIfExists": {
          "iam:AWSServiceName": [
            "securitylake.amazonaws.com",
            "resource-management.securitylake.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowGlueActionsViaConsole",
      "Effect": "Allow",
      "Action": ["glue:GetTables"],
      "Resource": [
        "arn:*:glue:*:*:catalog",
        "arn:*:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:*:glue:*:*:table/amazon_security_lake_glue_db*/*"
      ]
    }
  ]
}
After you enable the AWSServiceRoleForSecurityLakeResourceManagement role, if you use an AWS KMS customer managed key (CMK) for encryption, you must allow the service-linked role to write encrypted objects to the AWS S3 buckets in the Region where the CMK exists. In the AWS KMS console, add the following statement to the key policy of the CMK in the AWS Region where the KMS key exists. For more information about how to change a KMS key policy, see Key policies in AWS KMS in the AWS Key Management Service Developer Guide.
{
  "Sid": "Allow SLR",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:[partition]:iam::[accountid]:role/aws-service-role/resource-management.securitylake.amazonaws.com/AWSServiceRoleForSecurityLakeResourceManagement"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::[regional-datalake-s3-bucket-name]"
    },
    "StringLike": {
      "kms:ViaService": "s3.[region].amazonaws.com"
    }
  }
}
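The statement above has to be filled in once per Region and merged into a key policy that already carries other statements, and the two conditions (the S3 encryption-context bucket ARN and kms:ViaService) are what keep the grant limited to S3 writes into that one data lake bucket. The following is an added example, not AWS code: it builds the statement from the four placeholders, checks that it is no broader than the template (only kms:Decrypt and kms:GenerateDataKey*, both conditions present, principal is the resource-management SLR), and merges it into an existing key policy by Sid so that re-running it replaces rather than duplicates the statement. The starting key policy, the account ID 111122223333, the Region and the bucket name are constructed for the example; unlike the template, it derives the bucket ARN's partition from the same partition value used for the principal, which is an assumption.

```python
"""Build and merge the KMS key-policy statement for the Security Lake SLR.

Added example, not AWS code. The statement mirrors the "Allow SLR" statement
shown above. EXISTING_KEY_POLICY, the account ID, Region and bucket name are
constructed for this example.
"""
import copy
import json

# Role path from the template above (assumed unchanged across partitions).
SLR_ROLE_PATH = ("role/aws-service-role/resource-management.securitylake.amazonaws.com/"
                 "AWSServiceRoleForSecurityLakeResourceManagement")

# Constructed starting point: a key policy whose only statement lets the
# account root administer the key.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

ALLOWED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey*"}


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def slr_statement(partition, account_id, region, bucket_name):
    """Fill the [partition], [accountid], [region] and bucket placeholders."""
    return {
        "Sid": "Allow SLR",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{partition}:iam::{account_id}:{SLR_ROLE_PATH}"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        "Condition": {
            # Only objects whose S3 encryption context names this bucket ...
            "StringEquals": {"kms:EncryptionContext:aws:s3:arn": f"arn:{partition}:s3:::{bucket_name}"},
            # ... and only when the request comes through S3 in this Region.
            "StringLike": {"kms:ViaService": f"s3.{region}.amazonaws.com"},
        },
    }


def check_slr_statement(statement):
    """Return findings; an empty list means the statement is as narrow as the template."""
    findings = []
    if set(_as_list(statement.get("Action", []))) - ALLOWED_ACTIONS:
        findings.append("grants KMS actions beyond Decrypt/GenerateDataKey*")
    cond = statement.get("Condition", {})
    if "kms:EncryptionContext:aws:s3:arn" not in cond.get("StringEquals", {}):
        findings.append("missing bucket-pinning EncryptionContext condition")
    if "kms:ViaService" not in cond.get("StringLike", {}):
        findings.append("missing kms:ViaService condition")
    if not statement.get("Principal", {}).get("AWS", "").endswith(SLR_ROLE_PATH):
        findings.append("principal is not the Security Lake resource-management SLR")
    return findings


def merge_statement(key_policy, statement):
    """Copy key_policy and add statement, replacing any statement with the same Sid."""
    merged = copy.deepcopy(key_policy)
    stmts = merged.setdefault("Statement", [])
    for i, existing in enumerate(stmts):
        if existing.get("Sid") == statement.get("Sid"):
            stmts[i] = statement
            break
    else:
        stmts.append(statement)
    return merged


def build_key_policy(partition, account_id, region, bucket_name, existing=EXISTING_KEY_POLICY):
    """Produce the full key policy, refusing to merge a statement that fails the checks."""
    stmt = slr_statement(partition, account_id, region, bucket_name)
    problems = check_slr_statement(stmt)
    if problems:
        raise ValueError("; ".join(problems))
    return merge_statement(existing, stmt)


if __name__ == "__main__":
    policy = build_key_policy("aws", "111122223333", "us-east-1",
                              "aws-security-data-lake-us-east-1-example")
    print(json.dumps(policy, indent=2))
```

The merged document is what you would paste into the KMS console (or pass to put-key-policy); because merging is keyed on the Sid, running the script again for the same key after a bucket rename updates the existing "Allow SLR" statement instead of leaving two grants behind.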
Editing the Security Lake service-linked role
Security Lake doesn't allow you to edit the AWSServiceRoleForSecurityLakeResourceManagement service-linked role. After a service-linked role is created, you can't change the name of the role because various entities might reference it. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting the Security Lake service-linked role
You can't delete the service-linked role from Security Lake. Instead, you can delete the service-linked role from the IAM console, the API, or the AWS CLI. For more information, see Deleting a service-linked role in the IAM User Guide.
Before you delete the service-linked role, you must first confirm that the role has no active sessions and remove any resources that AWSServiceRoleForSecurityLakeResourceManagement is using.
Note
If Security Lake is using the AWSServiceRoleForSecurityLakeResourceManagement role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and then try the operation again.
If you delete the AWSServiceRoleForSecurityLakeResourceManagement service-linked role and need to create it again, you can do so by enabling Security Lake for your account. When you enable Security Lake again, Security Lake automatically creates the service-linked role for you again.
AWS Regions that support the Security Lake service-linked role
Security Lake supports using the AWSServiceRoleForSecurityLakeResourceManagement service-linked role in all AWS Regions where Security Lake is available. For the current list of Regions where Security Lake is available, see Security Lake Regions and endpoints.