AWS Lambda
Developer Guide
AWS services or features described in the AWS documentation may vary by region or location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Policy templates

When you create an AWS Lambda function in the console using one of the blueprints, Lambda lets you create a role for the function from a list of Lambda policy templates. When you choose one of these templates, the required permissions of that policy are attached to the role that is created automatically for your Lambda function.

The permissions applied by each policy template in the Policy templates list are shown below. Policy templates are named after their corresponding blueprints. Lambda automatically populates the placeholder items (such as region and accountId) with the appropriate values. For more information about creating a Lambda function with a policy template, see Step 2.1: Create a Hello World Lambda Function.
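The following added example (not code from the AWS documentation) shows what the placeholder substitution described above produces for the Basic and VPCAccess templates listed on this page, and then lists the actions a template grants on the wildcard Resource "*" so that a reviewer can see which grants are not scoped to the function's own resources. The region, account ID and log group name are constructed sample values.

```python
import json
import re

# Placeholder tokens that appear inside the Resource ARNs of the templates on
# this page; the console fills them in, here the caller supplies the values.
PLACEHOLDERS = ("region", "accountId", "functionName", "streamName",
                "tableName", "topicName", "queueName")

# The "Basic" and "VPCAccess" templates from this page, embedded so the
# example runs offline.
BASIC_TEMPLATE = '''{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"logs:CreateLogGroup",
  "Resource":"arn:aws:logs:region:accountId:*"},
 {"Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],
  "Resource":["arn:aws:logs:region:accountId:log-group:[[logGroups]]:*"]}]}'''
VPC_TEMPLATE = '''{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["ec2:CreateNetworkInterface","ec2:DeleteNetworkInterface",
           "ec2:DescribeNetworkInterfaces"],"Resource":"*"}]}'''

def _fill(resource, values):
    """Substitute placeholder tokens inside a single Resource ARN string."""
    out = resource.replace("[[logGroups]]", values.get("logGroups", "*"))
    for name in PLACEHOLDERS:
        if name in values:
            # Word boundaries stop "region" from matching inside other tokens.
            out = re.sub(r"\b%s\b" % re.escape(name), values[name], out)
    return out

def render_policy(template, values):
    """Parse a template and fill the placeholders in its Resource fields."""
    policy = json.loads(template)
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        stmt["Resource"] = ([_fill(r, values) for r in res]
                            if isinstance(res, list) else _fill(res, values))
    return policy

def unscoped_actions(policy):
    """Return every Allow action granted on the wildcard Resource '*'."""
    # Such grants are not limited to the function's own log group, stream,
    # table, topic or queue, so they are the ones to justify in review.
    found = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        resources = res if isinstance(res, list) else [res]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and "*" in resources:
            found.extend(actions)
    return found
```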

The following templates are applied automatically depending on the type of Lambda function you create:

Basic: “Basic Lambda permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:accountId:log-group:[[logGroups]]:*"
      ]
    }
  ]
}
```

VPCAccess: “Lambda VPC access permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
```

Kinesis: “Lambda Kinesis stream poller permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:accountId:function:functionName*"
    },
    {
      "Effect": "Allow",
      "Action": "kinesis:ListStreams",
      "Resource": "arn:aws:kinesis:region:accountId:stream/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStream",
        "kinesis:GetRecords",
        "kinesis:GetShardIterator"
      ],
      "Resource": "arn:aws:kinesis:region:accountId:stream/streamName"
    }
  ]
}
```

DynamoDB: “Lambda DynamoDB stream poller permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:accountId:function:functionName*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:ListStreams"
      ],
      "Resource": "arn:aws:dynamodb:region:accountId:table/tableName/stream/*"
    }
  ]
}
```

Edge: “Basic Edge Lambda permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
```

RedrivePolicySNS: “Dead letter queue SNS permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:region:accountId:topicName"
    }
  ]
}
```

RedrivePolicySQS: “Dead letter queue SQS permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:region:accountId:queueName"
    }
  ]
}
```

The following templates are selected based on the blueprint you choose. You can also select templates from the dropdown menu to add extra permissions:

CloudFormation: “Read-only permissions on CloudFormation stacks”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks"
      ],
      "Resource": "*"
    }
  ]
}
```

AMI: “AMI read-only permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}
```

KMS: “KMS decryption permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```

S3: “S3 object read-only permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
```

Elasticsearch: “Elasticsearch permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:ESHttpPost"
      ],
      "Resource": "*"
    }
  ]
}
```

SES: “SES bounce permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendBounce"
      ],
      "Resource": "*"
    }
  ]
}
```

TestHarness: “Test harness permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:region:accountId:table/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:region:accountId:function:*"
    }
  ]
}
```

Microservice: “Simple microservice permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Resource": "arn:aws:dynamodb:region:accountId:table/*"
    }
  ]
}
```

VPN: “VPN connection monitoring permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeVpnConnections"
      ],
      "Resource": "*"
    }
  ]
}
```

SQS: “SQS poller permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:region:accountId:function:functionName*"
    }
  ]
}
```

IoTButton: “AWS IoT Button permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:ListSubscriptionsByTopic",
        "sns:CreateTopic",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:Publish"
      ],
      "Resource": "*"
    }
  ]
}
```

RekognitionNoDataAccess: “Amazon Rekognition no data permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rekognition:CompareFaces",
        "rekognition:DetectFaces",
        "rekognition:DetectLabels"
      ],
      "Resource": "*"
    }
  ]
}
```

RekognitionReadOnlyAccess: “Amazon Rekognition read-only permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rekognition:ListCollections",
        "rekognition:ListFaces",
        "rekognition:SearchFaces",
        "rekognition:SearchFacesByImage"
      ],
      "Resource": "*"
    }
  ]
}
```

RekognitionWriteOnlyAccess: “Amazon Rekognition write-only permissions”

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rekognition:CreateCollection",
        "rekognition:IndexFaces"
      ],
      "Resource": "*"
    }
  ]
}
```