Using IAM with DynamoDB backup and restore - Amazon DynamoDB

Using IAM with DynamoDB backup and restore

You can use Amazon Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions on specific resources. The CreateBackup and RestoreTableFromBackup APIs operate per table.

For more information about using IAM policies in DynamoDB, see Using identity-based policies (IAM policies) with Amazon DynamoDB.

The following are examples of IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.

Example 1: Allow the CreateBackup and RestoreTableFromBackup actions

The following IAM policy grants permissions to allow the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    }
  ]
}
Important

DynamoDB write permissions are required for restore functionality.

Example 2: Allow CreateBackup and deny RestoreTableFromBackup

The following IAM policy grants permissions to allow the CreateBackup action and denies the RestoreTableFromBackup action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:RestoreTableFromBackup"],
      "Resource": "*"
    }
  ]
}

Example 3: Allow ListBackups and deny CreateBackup and RestoreTableFromBackup

The following IAM policy grants permissions to allow the ListBackups action and denies the CreateBackup and RestoreTableFromBackup actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "*"
    }
  ]
}

Example 4: Allow ListBackups and deny DeleteBackup

The following IAM policy grants permissions to allow the ListBackups action and denies the DeleteBackup action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:DeleteBackup"],
      "Resource": "*"
    }
  ]
}

Example 5: Allow RestoreTableFromBackup and DescribeBackup on all resources and deny DeleteBackup on a specific backup

The following IAM policy grants permissions to allow the RestoreTableFromBackup and DescribeBackup actions and denies the DeleteBackup action on a specific backup resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:DeleteBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    }
  ]
}
Important

DynamoDB write permissions are required for restore functionality.

Example 6: Allow CreateBackup for a specific table

The following IAM policy grants permissions to allow the CreateBackup action on the Movies table only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
      ]
    }
  ]
}

Example 7: Allow ListBackups

The following IAM policy grants permissions to allow the ListBackups action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
    }
  ]
}
Important

The ListBackups action cannot be granted for a specific table.

Example 8: Allow access to Amazon Backup features

You need API permissions for the StartAwsBackupJob action to back up successfully with advanced features, and API permissions for the dynamodb:RestoreTableFromAwsBackup action to restore that backup successfully.

The following IAM policy grants Amazon Backup the permissions to trigger backups and restores with advanced features. Note also that if the table is encrypted, the policy will need access to the Amazon KMS key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeQueryScanBooksTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:StartAwsBackupJob",
        "dynamodb:DescribeTable",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
    },
    {
      "Sid": "AllowRestoreFromAwsBackup",
      "Effect": "Allow",
      "Action": ["dynamodb:RestoreTableFromAwsBackup"],
      "Resource": "*"
    }
  ]
}

Example 9: Deny RestoreTableToPointInTime for a specific source table

The following IAM policy denies permissions for the RestoreTableToPointInTime action on a specific source table:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:RestoreTableToPointInTime"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music"
    }
  ]
}

Example 10: Deny RestoreTableFromBackup for all backups of a specific source table

The following IAM policy denies permissions for the RestoreTableFromBackup action on all backups of a specific source table:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"
    }
  ]
}
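As an added example (not from this page or from AWS), the following Python models the evaluation rule these policies rely on (an explicit Deny wins over any Allow, and no matching statement is an implicit deny) and checks the "Important" note that a restore also needs write permissions on the target table. The combined policy, the evaluate and missing_restore_writes functions, and the ARN prefix are constructed for illustration; Condition blocks, SCPs and resource policies are not modelled.

```python
import fnmatch

# Write actions the page lists as required alongside RestoreTableFromBackup.
RESTORE_WRITE_ACTIONS = [
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:BatchWriteItem",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM "*" / "?" wildcards in Action and Resource, approximated with fnmatch.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation for one request: explicit Deny
    beats Allow; no matching statement means 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def missing_restore_writes(policy, target_table_arn):
    """Write actions on the restore target that the policy does not allow
    (the page's note: a restore fails without them)."""
    return [a for a in RESTORE_WRITE_ACTIONS
            if evaluate(policy, a, target_table_arn) != "Allow"]

# Constructed sample: Example 5's allow/deny on one backup plus Example 10's
# deny on every backup of the Music table. No write statement on purpose.
ACCOUNT = "arn:aws:dynamodb:us-east-1:123456789012:"
BACKUP_ARN = ACCOUNT + "table/Music/backup/01489173575360-b308cd7d"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": BACKUP_ARN,
     "Action": ["dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup"]},
    {"Effect": "Deny", "Action": ["dynamodb:DeleteBackup"], "Resource": BACKUP_ARN},
    {"Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"],
     "Resource": ACCOUNT + "table/Music/backup/*"},
]}
# Same policy with Example 1's write grant appended, as the page requires.
POLICY_WITH_WRITES = {"Version": "2012-10-17", "Statement": POLICY["Statement"] + [
    {"Effect": "Allow", "Action": RESTORE_WRITE_ACTIONS, "Resource": "*"}]}
```

Note that the Example 10 wildcard deny overrides the Example 5 allow for the same backup, so a restore from it is refused even though a statement explicitly allows it.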