Amazon managed policies for Amazon RDS
To add permissions to permission sets and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.
Amazon Web Services maintains and updates Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (permission sets and roles) to which the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions. The corollary for least privilege is that the grant of an attached managed policy can only grow over time: an identity that had exactly the access it needed when the policy was attached may later have more. Where that matters, use a customer managed policy with an explicit action list instead.
In addition, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to many Amazon Web Services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.
Amazon managed policy: AmazonRDSReadOnlyAccess
This policy allows read-only access to Amazon RDS through the Amazon Web Services Management Console.
Permissions details
This policy includes the following permissions:
- rds – Allows principals to describe Amazon RDS resources and list tags for Amazon RDS resources.
- cloudwatch – Allows principals to get Amazon CloudWatch metric statistics.
- ec2 – Allows principals to describe Availability Zones and networking resources.
- logs – Allows principals to describe CloudWatch Logs log streams of log groups and get CloudWatch Logs log events.
- devops-guru – Allows principals to describe resources that have Amazon DevOps Guru coverage, which is specified by CloudFormation stack name or resource tags.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:Describe*",
        "rds:ListTagsForResource",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "devops-guru:GetResourceCollection"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note that every statement uses Resource "*". The CloudWatch and CloudWatch Logs permissions are therefore not limited to RDS metrics or RDS log groups: a principal with this policy can read log events from any log group in the account, not only the ones RDS writes.
Amazon managed policy: AmazonRDSFullAccess
This policy provides full access to Amazon RDS through the Amazon Web Services Management Console.
Permissions details
This policy includes the following permissions:
- rds – Allows principals full access to Amazon RDS.
- application-autoscaling – Allows principals to describe and manage Application Auto Scaling scalable targets and policies.
- cloudwatch – Allows principals to get CloudWatch metric statistics and manage CloudWatch alarms.
- ec2 – Allows principals to describe Availability Zones and networking resources.
- logs – Allows principals to describe CloudWatch Logs log streams of log groups and get CloudWatch Logs log events.
- outposts – Allows principals to get Amazon Outposts instance types.
- pi – Allows principals to get Performance Insights metrics.
- sns – Allows principals to access Amazon Simple Notification Service (Amazon SNS) subscriptions and topics, and to publish Amazon SNS messages.
- devops-guru – Allows principals to describe resources that have Amazon DevOps Guru coverage, which is specified by CloudFormation stack name or resource tags.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:*",
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeCoipPools",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLocalGatewayRouteTablePermissions",
        "ec2:DescribeLocalGatewayRouteTables",
        "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
        "ec2:DescribeLocalGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs",
        "ec2:GetCoipPoolUsage",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "sns:Publish",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "outposts:GetOutpostInstanceTypes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "pi:*",
      "Effect": "Allow",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    },
    {
      "Action": [
        "devops-guru:GetResourceCollection"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "rds.amazonaws.com",
            "rds.application-autoscaling.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Read the first statement carefully before attaching this policy: rds:* on Resource "*" is every RDS API action, including deleting instances and clusters, modifying security settings and sharing snapshots, for every RDS resource in the account, and sns:Publish is likewise unscoped, so the principal can publish to any SNS topic. Only two grants are narrowed: pi:* is limited to RDS Performance Insights metric ARNs, and iam:CreateServiceLinkedRole is limited by its Condition to the RDS and RDS Application Auto Scaling service principals.
Amazon managed policy: AmazonRDSDataFullAccess
This policy provides full access to use the Data API and the query editor on Aurora Serverless clusters in a specific Amazon Web Services account. It also allows the Amazon Web Services account to get the value of secrets from Amazon Secrets Manager.
You can attach the AmazonRDSDataFullAccess policy to your IAM identities.
Permissions details
This policy includes the following permissions:
- dbqms – Allows principals to access, create, delete, describe and update queries. The Database Query Metadata Service (dbqms) is an internal-only service. It provides recent and saved queries for the query editor on the Amazon Web Services Management Console for multiple Amazon Web Services, including Amazon RDS.
- rds-data – Allows principals to run SQL statements on Aurora Serverless databases.
- secretsmanager – Allows principals to get the value of secrets from Amazon Secrets Manager. As the policy document shows, the grant is wider than reading: on secrets whose name starts with rds-db-credentials/ the principal can also write a new value, tag, delete and change the resource policy of the secret, and it can create and list secrets anywhere in the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecretsManagerDbCredentialsAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:PutSecretValue",
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:TagResource"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:rds-db-credentials/*"
    },
    {
      "Sid": "RDSDataServiceAccess",
      "Effect": "Allow",
      "Action": [
        "dbqms:CreateFavoriteQuery",
        "dbqms:DescribeFavoriteQueries",
        "dbqms:UpdateFavoriteQuery",
        "dbqms:DeleteFavoriteQueries",
        "dbqms:GetQueryString",
        "dbqms:CreateQueryHistory",
        "dbqms:DescribeQueryHistory",
        "dbqms:UpdateQueryHistory",
        "dbqms:DeleteQueryHistory",
        "rds-data:ExecuteSql",
        "rds-data:ExecuteStatement",
        "rds-data:BatchExecuteStatement",
        "rds-data:BeginTransaction",
        "rds-data:CommitTransaction",
        "rds-data:RollbackTransaction",
        "secretsmanager:CreateSecret",
        "secretsmanager:ListSecrets",
        "secretsmanager:GetRandomPassword",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}
Amazon managed policy: AmazonRDSEnhancedMonitoringRole
This policy provides access to Amazon CloudWatch Logs for Amazon RDS Enhanced Monitoring.
Permissions details
This policy includes the following permissions:
- logs – Allows principals to create CloudWatch Logs log groups and retention policies, and to create and describe CloudWatch Logs log streams for log groups. It also allows principals to put and get CloudWatch Logs log events.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:RDS*"
      ]
    },
    {
      "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:RDS*:log-stream:*"
      ]
    }
  ]
}

Unlike the console policies above, both statements here are resource-scoped: the role can only create, configure, write to and read log groups whose names begin with RDS, which is where Enhanced Monitoring publishes.
Amazon managed policy: AmazonRDSPerformanceInsightsReadOnly
This policy provides read-only access to Amazon RDS Performance Insights for Amazon RDS DB instances and Amazon Aurora DB clusters.
Permissions details
This policy includes the following permissions:
- rds – Allows principals to describe Amazon RDS DB instances and Amazon Aurora DB clusters.
- pi – Allows principals to call the Amazon RDS Performance Insights API and access Performance Insights metrics.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBClusters",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "pi:DescribeDimensionKeys",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    },
    {
      "Effect": "Allow",
      "Action": "pi:GetDimensionKeyDetails",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    },
    {
      "Effect": "Allow",
      "Action": "pi:GetResourceMetadata",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    },
    {
      "Effect": "Allow",
      "Action": "pi:GetResourceMetrics",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    },
    {
      "Effect": "Allow",
      "Action": "pi:ListAvailableResourceDimensions",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    },
    {
      "Effect": "Allow",
      "Action": "pi:ListAvailableResourceMetrics",
      "Resource": "arn:aws:pi:*:*:metrics/rds/*"
    }
  ]
}

Note that Performance Insights data includes SQL text captured from the database, so "read-only" here still exposes query contents; grant it to people who are allowed to see what the application sends to the database.
Amazon managed policy: AmazonRDSDirectoryServiceAccess
This policy allows Amazon RDS to call Amazon Directory Service.
Permissions details
This policy includes the following permissions:
- ds – Allows principals to describe Amazon Directory Service directories and control authorization to Amazon Directory Service directories.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ds:DescribeDirectories",
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:GetAuthorizedApplicationDetails"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Amazon managed policy: AmazonRDSServiceRolePolicy
You can't attach the AmazonRDSServiceRolePolicy policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon RDS to perform actions on your behalf. For more information, see Service-linked role permissions for Amazon Aurora.