Using IAM policies with CloudWatch RUM - Amazon CloudWatch
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM policies with CloudWatch RUM

To fully manage CloudWatch RUM, you must be signed in as an IAM user or role that has the AmazonCloudWatchRUMFullAccess IAM policy. Depending on what you create, additional policies or permissions may also be required:

  • To create an app monitor that creates a new Amazon Cognito identity pool for authorization, you must have the Admin IAM role or the AdministratorAccess IAM policy.

  • To create an app monitor that sends data to CloudWatch Logs, you must be signed in as an IAM role or user whose policy grants the following permission:

    {
      "Effect": "Allow",
      "Action": [
        "logs:PutResourcePolicy"
      ],
      "Resource": [
        "*"
      ]
    }
  • To enable JavaScript source maps for an app monitor, you upload the source map files to an Amazon S3 bucket. Your IAM role or policy needs specific Amazon S3 permissions to create the bucket, set its bucket policy, and manage the files in it. For security, scope these permissions to specific resources. The following example policy restricts access to buckets whose names contain rum and uses the aws:ResourceAccount condition key to limit the permissions to the principal's own account. Keep in mind that * in an IAM resource ARN matches any run of characters, including /, so arn:aws:s3:::*rum* also matches objects in unrelated buckets whose keys happen to contain rum; in a production policy, replace the pattern with the exact bucket name plus bucket-name/*.

    {
      "Sid": "AllowS3BucketCreationAndListing",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3BucketPolicyActions",
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  • To use your own Amazon KMS key for server-side encryption of the source map bucket, your IAM role or policy needs specific Amazon KMS permissions to create the key, update its key policy, use the key from Amazon S3, and set the bucket's encryption configuration. For security, scope these permissions to that purpose. The following example restricts access to keys in one specific Region and account (replace REGION and ACCOUNT_ID with your own values) and applies the same S3 restrictions as the previous example.

    {
      "Sid": "AllowKMSKeyCreation",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:CreateAlias"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSReadPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUpdatingKeyPolicy",
      "Effect": "Allow",
      "Action": [
        "kms:PutKeyPolicy",
        "kms:GetKeyPolicy",
        "kms:ListKeyPolicies"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*"
    },
    {
      "Sid": "AllowUseOfKMSKeyForS3",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*"
    },
    {
      "Sid": "AllowS3EncryptionConfiguration",
      "Effect": "Allow",
      "Action": [
        "s3:PutEncryptionConfiguration",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
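The statements in the three lists above are fragments rather than a complete policy. The following is an added example (editor's code, not from the AWS documentation) that assembles the CloudWatch Logs, S3 and KMS statements into one policy document and checks offline what each Resource pattern actually permits. The account ID 111122223333, the Region us-east-1, the bucket names, the key ID and the log group name are constructed placeholders, and the matcher is a deliberately minimal approximation of IAM evaluation (Allow statements, wildcard matching and StringEquals only), not the real engine.

```python
"""Offline scoping check for the CloudWatch RUM IAM statements on this page (added example).
Not the real IAM engine: explicit Deny, SCPs, permissions boundaries and resource
policies are not modelled; it only shows how narrowly the Allow statements are scoped."""
import json
import re

def _same_account():
    return {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}

def build_policy(region, account_id):
    """The page's statements with REGION/ACCOUNT_ID filled into the KMS key ARNs."""
    key_arn = f"arn:aws:kms:{region}:{account_id}:key/*"
    rum_buckets = "arn:aws:s3:::*rum*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["logs:PutResourcePolicy"], "Resource": ["*"]},
        {"Sid": "AllowS3BucketCreationAndListing", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*", "Condition": _same_account()},
        {"Sid": "AllowS3BucketActions", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": rum_buckets, "Condition": _same_account()},
        {"Sid": "AllowS3BucketPolicyActions", "Effect": "Allow",
         "Action": ["s3:PutBucketPolicy", "s3:GetBucketPolicy"],
         "Resource": rum_buckets, "Condition": _same_account()},
        {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": rum_buckets, "Condition": _same_account()},
        {"Sid": "AllowKMSKeyCreation", "Effect": "Allow",
         "Action": ["kms:CreateKey", "kms:CreateAlias"], "Resource": "*"},
        {"Sid": "KMSReadPermissions", "Effect": "Allow", "Action": ["kms:ListAliases"], "Resource": "*"},
        {"Sid": "AllowUpdatingKeyPolicy", "Effect": "Allow",
         "Action": ["kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:ListKeyPolicies"],
         "Resource": key_arn},
        {"Sid": "AllowUseOfKMSKeyForS3", "Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": key_arn},
        {"Sid": "AllowS3EncryptionConfiguration", "Effect": "Allow",
         "Action": ["s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration"],
         "Resource": rum_buckets, "Condition": _same_account()},
    ]}

def _wild(pattern, value, ignore_case=False):
    """IAM wildcard semantics: '*' matches any run of characters ('/' included), '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_holds(cond, context):
    """StringEquals only, with ${aws:PrincipalAccount} substituted from the request context."""
    principal = context.get("aws:PrincipalAccount", "")
    for key, expected in cond.get("StringEquals", {}).items():
        allowed = [e.replace("${aws:PrincipalAccount}", principal) for e in _as_list(expected)]
        if context.get(key) not in allowed:
            return False
    return True

def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches the action (case-insensitive), resource and conditions."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(_wild(a, action, ignore_case=True) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), context):
            return True
    return False

def tighten_bucket_scope(policy, bucket):
    """Swap the page's '*rum*' pattern for one exact bucket plus its objects (production form)."""
    tightened = json.loads(json.dumps(policy))  # deep copy
    for st in tightened["Statement"]:
        if st.get("Resource") == "arn:aws:s3:::*rum*":
            st["Resource"] = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return tightened

def scope_checks(region="us-east-1", account_id="111122223333"):
    """Constructed requests (placeholder account, buckets, key and log group) -> allowed?"""
    policy = build_policy(region, account_id)
    own = {"aws:PrincipalAccount": account_id, "aws:ResourceAccount": account_id}
    other = {"aws:PrincipalAccount": account_id, "aws:ResourceAccount": "999999999999"}
    key = "key/1234abcd-12ab-34cd-56ef-1234567890ab"
    return {
        "own_rum_bucket_put": is_allowed(policy, "s3:PutObject", "arn:aws:s3:::prod-rum-sourcemaps/app.js.map", own),
        "other_account_rum_bucket_put": is_allowed(policy, "s3:PutObject", "arn:aws:s3:::partner-rum-sourcemaps/app.js.map", other),
        "unrelated_bucket_put": is_allowed(policy, "s3:PutObject", "arn:aws:s3:::prod-backups/db.dump", own),
        # Over-broad case: any object key containing "rum", in any bucket of the account.
        "unrelated_bucket_key_containing_rum_put": is_allowed(policy, "s3:PutObject", "arn:aws:s3:::prod-backups/forum/index.html", own),
        "kms_decrypt_own_region": is_allowed(policy, "kms:Decrypt", f"arn:aws:kms:{region}:{account_id}:{key}", own),
        "kms_decrypt_other_region": is_allowed(policy, "kms:Decrypt", f"arn:aws:kms:eu-west-1:{account_id}:{key}", own),
        "logs_put_resource_policy": is_allowed(policy, "logs:PutResourcePolicy", f"arn:aws:logs:{region}:{account_id}:log-group:rum-app", own),
    }

if __name__ == "__main__":
    print(json.dumps(scope_checks(), indent=2))
```

The verdict worth dwelling on is unrelated_bucket_key_containing_rum_put: because * in a Resource ARN matches across /, arn:aws:s3:::*rum* also matches an object key such as forum/index.html in a bucket that has nothing to do with RUM. tighten_bucket_scope() produces the production form, an exact bucket name plus bucket/*, under which that request is refused while uploads to the real source-map bucket still succeed. Before attaching the policy for real, confirm the verdicts with the IAM policy simulator (aws iam simulate-principal-policy), which applies the full evaluation logic this script omits.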

Other users who need to view CloudWatch RUM data but do not need to create CloudWatch RUM resources can be granted the AmazonCloudWatchRUMReadOnlyAccess policy instead.