# 将 IAM 与 DynamoDB 备份和还原结合使用
您可以使用 Amazon Identity and Access Management (IAM) 限制对某些资源执行 Amazon DynamoDB 备份和还原操作。`CreateBackup` 和 `RestoreTableFromBackup` API 按表运行。
有关在 DynamoDB 中使用 IAM 策略的更多信息,请参阅 [适用于 DynamoDB 的基于身份的策略](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies)。
以下是 IAM 策略的示例,您可以使用这些策略配置 DynamoDB 中的特定备份和还原功能。
## 示例 1:允许 CreateBackup 和 RestoreTableFromBackup 操作
下面的 IAM 策略授予在所有表上允许 `CreateBackup` 和 `RestoreTableFromBackup` DynamoDB 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:CreateBackup",
"dynamodb:RestoreTableFromBackup",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem"
],
"Resource": "*"
}
]
}
```
------
**重要**
源备份需要 DynamoDB RestoreTableFromBackup 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。
源表需要 DynamoDB RestoreTableToPointInTime 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。
## 示例 2:允许 CreateBackup 并拒绝 RestoreTableFromBackup
下面的 IAM 策略授予允许 `CreateBackup` 操作并拒绝 `RestoreTableFromBackup` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:CreateBackup"],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": ["dynamodb:RestoreTableFromBackup"],
"Resource": "*"
}
]
}
```
------
## 示例 3:允许 ListBackups 并拒绝 CreateBackup 和 RestoreTableFromBackup
下面的 IAM 策略授予允许 `ListBackups` 操作并拒绝 `CreateBackup` 和 `RestoreTableFromBackup` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:ListBackups"],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"dynamodb:CreateBackup",
"dynamodb:RestoreTableFromBackup"
],
"Resource": "*"
}
]
}
```
------
## 示例 4:允许 ListBackups 并拒绝 DeleteBackup
下面的 IAM 策略授予允许 `ListBackups` 操作并拒绝 `DeleteBackup` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:ListBackups"],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": ["dynamodb:DeleteBackup"],
"Resource": "*"
}
]
}
```
------
## 示例 5:对所有资源允许 RestoreTableFromBackup 和 DescribeBackup,并对特定备份拒绝 DeleteBackup
下面的 IAM 策略授予允许 `RestoreTableFromBackup` 和 `DescribeBackup` 操作并对特定备份资源拒绝 `DeleteBackup` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeBackup",
"dynamodb:RestoreTableFromBackup"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"dynamodb:DeleteBackup"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
}
]
}
```
------
**重要**
源备份需要 DynamoDB RestoreTableFromBackup 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。
源表需要 DynamoDB RestoreTableToPointInTime 权限,而目标表的 DynamoDB 读取和写入权限对于恢复功能是必需的。
## 示例 6:对特定表允许 CreateBackup
下面的 IAM 策略授予仅允许在 `Movies` 表上执行 `CreateBackup` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:CreateBackup"],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
]
}
]
}
```
------
## 示例 7:允许 ListBackups
下面的 IAM 策略授予允许执行 `ListBackups` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:ListBackups"],
"Resource": "*"
}
]
}
```
------
**重要**
您不能授予对特定表执行 `ListBackups` 操作的权限。
## 示例 8:允许访问 Amazon Backup 功能
您将需要 `StartAwsBackupJob` 操作的 API 权限,才能使用高级功能实现成功备份,以及需要 `dynamodb:RestoreTableFromAwsBackup` 操作的 API 权限以成功还原该备份。
下面的 IAM 策略授予 Amazon Backup 使用高级功能触发备份和还原的权限。另请注意,如果表已经加密,则该策略需要访问 [Amazon KMS 密钥](encryption.usagenotes.html#dynamodb-kms-authz)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DescribeQueryScanBooksTable",
"Effect": "Allow",
"Action": [
"dynamodb:StartAwsBackupJob",
"dynamodb:DescribeTable",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:us-west-2:111122223333:table/Books"
},
{
"Sid": "AllowRestoreFromAwsBackup",
"Effect": "Allow",
"Action": [
"dynamodb:RestoreTableFromAwsBackup"
],
"Resource": "*"
}
]
}
```
------
## 示例 9:拒绝特定源表的 RestoreTableToPointInTime
下面的 IAM 策略拒绝针对特定源表的 `RestoreTableToPointInTime` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"dynamodb:RestoreTableToPointInTime"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music"
}
]
}
```
------
## 示例 10:拒绝特定源表的所有备份的 RestoreTableFromBackup
下面的 IAM 策略拒绝针对特定源表的所有备份的 `RestoreTableToPointInTime` 操作的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"dynamodb:RestoreTableFromBackup"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"
}
]
}
```
------