Using IAM with DynamoDB backup and restore - Amazon DynamoDB
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

Using IAM with DynamoDB backup and restore

You can use Amazon Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions for some resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis.

For more information about using IAM policies in DynamoDB, see Using identity-based policies (IAM policies) with Amazon DynamoDB.

The following are examples of IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.

Example 1: Allow the CreateBackup and RestoreTableFromBackup actions

The following IAM policy grants permissions to allow the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        }
    ]
}

Important

DynamoDB RestoreTableFromBackup permissions are needed on the source backup, and DynamoDB read and write permissions on the target table are needed for the restore functionality.

DynamoDB RestoreTableToPointInTime permissions are needed on the source table, and DynamoDB read and write permissions on the target table are needed for the restore functionality.

Example 2: Allow CreateBackup and deny RestoreTableFromBackup

The following IAM policy grants permissions to allow the CreateBackup action and deny the RestoreTableFromBackup action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:RestoreTableFromBackup"],
            "Resource": "*"
        }
    ]
}

Example 3: Allow ListBackups and deny CreateBackup and RestoreTableFromBackup

The following IAM policy grants permissions to allow the ListBackups action and deny the CreateBackup and RestoreTableFromBackup actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "*"
        }
    ]
}

Example 4: Allow ListBackups and deny DeleteBackup

The following IAM policy grants permissions to allow the ListBackups action and deny the DeleteBackup action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:DeleteBackup"],
            "Resource": "*"
        }
    ]
}

Example 5: Allow RestoreTableFromBackup and DescribeBackup for all resources and deny DeleteBackup for a specific backup

The following IAM policy grants permissions to allow the RestoreTableFromBackup and DescribeBackup actions and deny the DeleteBackup action for a specific backup resource (the trailing comma after the last action in the first statement, which made the original JSON invalid, has been removed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeBackup",
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:DeleteBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
        }
    ]
}

Important

DynamoDB RestoreTableFromBackup permissions are needed on the source backup, and DynamoDB read and write permissions on the target table are needed for the restore functionality.

DynamoDB RestoreTableToPointInTime permissions are needed on the source table, and DynamoDB read and write permissions on the target table are needed for the restore functionality.

Example 6: Allow CreateBackup for a specific table

The following IAM policy grants permissions to allow the CreateBackup action on the Movies table only:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
            ]
        }
    ]
}

Example 7: Allow ListBackups

The following IAM policy grants permissions to allow the ListBackups action (a stray extra closing brace at the end of the original JSON has been removed):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        }
    ]
}

Important

Permissions for the ListBackups action can't be granted for a specific table.

Example 8: Allow access to Amazon Backup features

You need API permissions for the StartAwsBackupJob action to back up successfully with advanced features, and API permissions for the dynamodb:RestoreTableFromAwsBackup action to restore that backup successfully.

The following IAM policy grants Amazon Backup permissions to trigger backups and restores with advanced features. Note also that if the table is encrypted, the policy needs access to the Amazon KMS key. (The trailing comma after the last statement, which made the original JSON invalid, has been removed; `account-id` is a placeholder for your account ID.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeQueryScanBooksTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:StartAwsBackupJob",
                "dynamodb:DescribeTable",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
        },
        {
            "Sid": "AllowRestoreFromAwsBackup",
            "Effect": "Allow",
            "Action": ["dynamodb:RestoreTableFromAwsBackup"],
            "Resource": "*"
        }
    ]
}

Example 9: Deny RestoreTableToPointInTime for a specific source table

The following IAM policy denies permissions for the RestoreTableToPointInTime action on a specific source table:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:RestoreTableToPointInTime"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music"
        }
    ]
}

Example 10: Deny RestoreTableFromBackup for all backups of a specific source table

The following IAM policy denies permissions for the RestoreTableFromBackup action on all backups of a specific source table (the `backup/*` wildcard in the resource ARN covers every backup of the Music table, existing and future):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"
        }
    ]
}
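To check how these policies combine before attaching them, the following added example (not from this page or any Amazon tooling) evaluates Example 1, Example 5 and Example 10 offline with the core IAM decision order: an explicit Deny anywhere wins, otherwise an Allow must match, otherwise the request is implicitly denied. It assumes the account ID and backup ARN shown on the page, a constructed Movies backup ARN, and models only Action/Resource wildcard matching (no Condition, NotAction, SCPs or permission boundaries).

```python
"""Offline evaluator for the DynamoDB backup/restore policies on this page.
Models only: explicit Deny > Allow > implicit deny, with IAM '*' / '?'
wildcards on Action and Resource. Conditions, NotAction/NotResource, SCPs,
permission boundaries and resource-based policies are out of scope."""
import fnmatch

ACCOUNT = "123456789012"  # example account ID used in the policies on this page
MUSIC_BACKUP = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Music/backup/01489173575360-b308cd7d"
MOVIES_BACKUP = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Movies/backup/01489173575360-deadbeef"  # constructed
MUSIC_ALL_BACKUPS = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Music/backup/*"

# Example 1 (trimmed to its two backup actions), Example 5 and Example 10 from the page.
EXAMPLE_1 = {"Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["dynamodb:CreateBackup", "dynamodb:RestoreTableFromBackup"]}]}
EXAMPLE_5 = {"Statement": [
    {"Effect": "Allow", "Resource": MUSIC_BACKUP,
     "Action": ["dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup"]},
    {"Effect": "Deny", "Resource": MUSIC_BACKUP, "Action": ["dynamodb:DeleteBackup"]},
]}
EXAMPLE_10 = {"Statement": [{"Effect": "Deny", "Resource": MUSIC_ALL_BACKUPS,
                             "Action": ["dynamodb:RestoreTableFromBackup"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, case_sensitive):
    # IAM's '*' (any run) and '?' (one char) behave like fnmatch; '[' is escaped
    # because fnmatch would otherwise read it as a character set.
    pattern = pattern.replace("[", "[[]")
    if not case_sensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource ARN."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, False) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource, True) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny in any attached policy is final
            decision = "Allow"
    return decision

if __name__ == "__main__":
    print(evaluate([EXAMPLE_5], "dynamodb:DeleteBackup", MUSIC_BACKUP))                         # Deny
    print(evaluate([EXAMPLE_1, EXAMPLE_10], "dynamodb:RestoreTableFromBackup", MUSIC_BACKUP))   # Deny
    print(evaluate([EXAMPLE_1, EXAMPLE_10], "dynamodb:RestoreTableFromBackup", MOVIES_BACKUP))  # Allow
```

The last two calls show the pattern the page relies on in Examples 2 through 4 and 10: a broad Allow on `*` is safely narrowed by attaching an explicit Deny, since the Deny is applied first.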