Amazon DynamoDB
Developer Guide (API Version 2012-08-10)
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

Using IAM for DynamoDB Backup and Restore

You can use AWS Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions for some resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis.

For more information about using IAM policies in DynamoDB, see Using Identity-Based Policies (IAM Policies) for Amazon DynamoDB.

The following are examples of IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.

Example 1: Allow the CreateBackup and RestoreTableFromBackup Actions

The following IAM policy grants permission to perform the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        }
    ]
}

Important

DynamoDB write permissions are required for the restore functionality.

Example 2: Allow CreateBackup but Deny RestoreTableFromBackup

The following IAM policy grants permission to perform the CreateBackup action but denies the RestoreTableFromBackup action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:RestoreTableFromBackup"],
            "Resource": "*"
        }
    ]
}

Example 3: Allow ListBackups but Deny CreateBackup and RestoreTableFromBackup

The following IAM policy grants permission to perform the ListBackups action but denies the CreateBackup and RestoreTableFromBackup actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "*"
        }
    ]
}

Example 4: Allow ListBackups but Deny DeleteBackup

The following IAM policy grants permission to perform the ListBackups action, but denies the DeleteBackup action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:DeleteBackup"],
            "Resource": "*"
        }
    ]
}

Example 5: Allow RestoreTableFromBackup and DescribeBackup on All Resources but Deny DeleteBackup on a Specific Backup

The following IAM policy grants permission to perform the RestoreTableFromBackup and DescribeBackup actions, but denies the DeleteBackup action on a specific backup resource:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeBackup",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:DeleteBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/backup/01489173575360-b308cd7d"
        }
    ]
}

Important

DynamoDB write permissions are required for the restore functionality.

Example 6: Allow CreateBackup on a Specific Table

The following IAM policy grants permission to perform the CreateBackup action only on the Movies table:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
            ]
        }
    ]
}
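The following is an added example, not part of the AWS documentation: a small offline evaluator that applies the basic IAM decision rules (default deny, an explicit Deny overriding any Allow, "*" wildcards in Action and Resource) to the policies in Examples 5 and 6, so you can confirm that the specific-backup Deny and the table-scoped Allow behave as described and that a restore also needs the listed write actions. It assumes a simplified, case-sensitive wildcard match, that RestoreTableFromBackup is checked against the backup ARN and the write actions against the target table ARN, and models no conditions or principals; iam:SimulateCustomPolicy remains the authoritative check.

```python
import fnmatch
import json

# Example 5 and Example 6 from this page, parsed from their JSON.
EXAMPLE_5 = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup",
              "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
              "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
              "dynamodb:BatchWriteItem"]},
  {"Effect": "Deny", "Action": ["dynamodb:DeleteBackup"],
   "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MusicCollection/backup/01489173575360-b308cd7d"}]}''')
EXAMPLE_6 = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["dynamodb:CreateBackup"],
   "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Movies"]}]}''')

# Write actions the page lists alongside RestoreTableFromBackup as required for a restore.
RESTORE_WRITE_ACTIONS = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                         "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
                         "dynamodb:BatchWriteItem"]

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(pattern, value):
    # Simplified IAM matching: "*" and "?" wildcards, case-sensitive (assumption).
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(policy, action, resource):
    """Decide one request: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"   # an explicit Deny wins regardless of statement order
        decision = "Allow"
    return decision

def restore_allowed(policy, backup_arn, table_arn):
    """A restore needs RestoreTableFromBackup on the backup plus the write actions on the table (assumed split)."""
    if evaluate(policy, "dynamodb:RestoreTableFromBackup", backup_arn) != "Allow":
        return False
    return all(evaluate(policy, a, table_arn) == "Allow" for a in RESTORE_WRITE_ACTIONS)
```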

Example 7: Allow ListBackups

The following IAM policy grants permission to perform the ListBackups action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        }
    ]
}

Important

You cannot grant permission to perform the ListBackups action on a specific table.