将 IAM 与 DynamoDB 备份和还原结合使用 - Amazon DynamoDB
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

将 IAM 与 DynamoDB 备份和还原结合使用

您可以使用 Amazon Identity and Access Management (IAM) 限制对某些资源执行 Amazon DynamoDB 备份和还原操作。CreateBackupRestoreTableFromBackup API 按表运行。

有关在 DynamoDB 中使用 IAM 策略的更多信息,请参阅 适用于 DynamoDB 的基于身份的策略

以下是 IAM 策略的示例,您可以使用这些策略配置 DynamoDB 中的特定备份和还原功能。

示例 1:允许 CreateBackup 和 RestoreTableFromBackup 操作

下面的 IAM 策略授予在所有表上允许 CreateBackupRestoreTableFromBackup DynamoDB 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:RestoreTableFromBackup", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": "*" } ] }
重要

源备份需要 DynamoDB RestoreTableFromBackup 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。

源表需要 DynamoDB RestoreTableToPointInTime 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。

示例 2:允许 CreateBackup 并拒绝 RestoreTableFromBackup

下面的 IAM 策略授予允许 CreateBackup 操作并拒绝 RestoreTableFromBackup 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["dynamodb:CreateBackup"], "Resource": "*" }, { "Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"], "Resource": "*" } ] }

示例 3:允许 ListBackups 并拒绝 CreateBackup 和 RestoreTableFromBackup

下面的 IAM 策略授予允许 ListBackups 操作并拒绝 CreateBackupRestoreTableFromBackup 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": "*" }, { "Effect": "Deny", "Action": [ "dynamodb:CreateBackup", "dynamodb:RestoreTableFromBackup" ], "Resource": "*" } ] }

示例 4:允许 ListBackups 并拒绝 DeleteBackup

下面的 IAM 策略授予允许 ListBackups 操作并拒绝 DeleteBackup 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": "*" }, { "Effect": "Deny", "Action": ["dynamodb:DeleteBackup"], "Resource": "*" } ] }

示例 5:对所有资源允许 RestoreTableFromBackup 和 DescribeBackup,并对特定备份拒绝 DeleteBackup

下面的 IAM 策略授予允许 RestoreTableFromBackupDescribeBackup 操作并对特定备份资源拒绝 DeleteBackup 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup", ], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d" }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "dynamodb:DeleteBackup" ], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d" } ] }
重要

源备份需要 DynamoDB RestoreTableFromBackup 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。

源表需要 DynamoDB RestoreTableToPointInTime 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。

示例 6:对特定表允许 CreateBackup

下面的 IAM 策略授予仅允许在 Movies 表上执行 CreateBackup 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["dynamodb:CreateBackup"], "Resource": [ "arn:aws:dynamodb:us-east-1:123456789012:table/Movies" ] } ] }

示例 7:允许 ListBackups

下面的 IAM 策略授予允许 ListBackups 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": "*" } ] } }
重要

不能授予对特定表的 ListBackups 操作权限。

示例 8:允许访问 Amazon Backup 功能

您将需要 StartAwsBackupJob 操作的 API 权限,才能使用高级功能实现成功备份,以及需要 dynamodb:RestoreTableFromAwsBackup 操作的 API 权限以成功还原该备份。

下面的 IAM 策略授予 Amazon Backup 使用高级功能触发备份和还原的权限。另请注意,如果表已经加密,则该策略需要访问 Amazon KMS 密钥

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeQueryScanBooksTable", "Effect": "Allow", "Action": [ "dynamodb:StartAwsBackupJob", "dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books" }, { "Sid": "AllowRestoreFromAwsBackup", "Effect": "Allow", "Action": ["dynamodb:RestoreTableFromAwsBackup"], "Resource": "*" }, ] }

示例 9:拒绝特定源表的 RestoreTableToPointInTime

下面的 IAM 策略拒绝针对特定源表的 RestoreTableToPointInTime 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "dynamodb:RestoreTableToPointInTime" ], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music" } ] }

示例 10:拒绝特定源表的所有备份的 RestoreTableFromBackup

下面的 IAM 策略拒绝针对特定源表的所有备份的 RestoreTableToPointInTime 操作的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*" } ] }