Application Auto Scaling identity-based policy examples - Application Auto Scaling
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If there is a discrepancy between this translation and the original English text, the English original prevails.

Application Auto Scaling identity-based policy examples

By default, a new user in your Amazon Web Services account has no permission to do anything. An IAM administrator must create and assign IAM policies that grant IAM identities (such as users or roles) permission to perform Application Auto Scaling API actions.

To learn how to create an IAM policy using the following example IAM JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Permissions required for Application Auto Scaling API actions

The following policies grant the permissions for common use cases when calling the Application Auto Scaling API. Refer to this section when writing identity-based policies. Each policy grants permissions to all or some of the Application Auto Scaling API actions. You also need to ensure that end users have permissions for the target service and for CloudWatch (see the next section for details).

The following identity-based policy grants permissions to all Application Auto Scaling API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:*"
            ],
            "Resource": "*"
        }
    ]
}

The following identity-based policy grants permissions to all Application Auto Scaling API actions required to configure scaling policies, but not scheduled actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DeleteScalingPolicy"
            ],
            "Resource": "*"
        }
    ]
}

The following identity-based policy grants permissions to all Application Auto Scaling API actions required to configure scheduled actions, but not scaling policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DeleteScheduledAction"
            ],
            "Resource": "*"
        }
    ]
}

Permissions required for API actions on target services and CloudWatch

To successfully configure and use Application Auto Scaling with a target service, end users must be granted permissions for Amazon CloudWatch and for each target service for which they will configure scaling. Use the following policies to grant the minimum permissions required to work with the target service and CloudWatch.

AppStream 2.0 fleets

The following identity-based policy grants permissions to all required AppStream 2.0 and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appstream:DescribeFleets",
                "appstream:UpdateFleet",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Aurora replicas

The following identity-based policy grants permissions to all required Aurora and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Amazon Comprehend document classification and entity recognizer endpoints

The following identity-based policy grants permissions to all required Amazon Comprehend and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "comprehend:UpdateEndpoint",
                "comprehend:DescribeEndpoint",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

DynamoDB tables and global secondary indexes

The following identity-based policy grants permissions to all required DynamoDB and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

ECS services

The following identity-based policy grants permissions to all required ECS and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeServices",
                "ecs:UpdateService",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

ElastiCache replication groups

The following identity-based policy grants permissions to all required ElastiCache and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:ModifyReplicationGroupShardConfiguration",
                "elasticache:IncreaseReplicaCount",
                "elasticache:DecreaseReplicaCount",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheParameters",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Amazon EMR clusters

The following identity-based policy grants permissions to all required Amazon EMR and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:ModifyInstanceGroups",
                "elasticmapreduce:ListInstanceGroups",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Amazon Keyspaces tables

The following identity-based policy grants permissions to all required Amazon Keyspaces and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cassandra:Select",
                "cassandra:Alter",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Lambda functions

The following identity-based policy grants permissions to all required Lambda and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:PutProvisionedConcurrencyConfig",
                "lambda:GetProvisionedConcurrencyConfig",
                "lambda:DeleteProvisionedConcurrencyConfig",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Amazon Managed Streaming for Apache Kafka (MSK) broker storage

The following identity-based policy grants permissions to all required Amazon MSK and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kafka:DescribeCluster",
                "kafka:DescribeClusterOperation",
                "kafka:UpdateBrokerStorage",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Neptune clusters

The following identity-based policy grants permissions to all required Neptune and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:CreateDBInstance",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterParameters",
                "rds:DeleteDBInstance",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

SageMaker endpoints

The following identity-based policy grants permissions to all required SageMaker and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DescribeInferenceComponent",
                "sagemaker:UpdateEndpointWeightsAndCapacities",
                "sagemaker:UpdateInferenceComponentRuntimeConfig",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Spot Fleets (Amazon EC2)

The following identity-based policy grants permissions to all required Spot Fleet and CloudWatch API actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Custom resources

The following identity-based policy grants permission to invoke API Gateway APIs. The policy also grants permission to all required CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "*"
        }
    ]
}

Permissions for working in the Amazon Web Services Management Console

There is no standalone Application Auto Scaling console. Most services that integrate with Application Auto Scaling have features dedicated to helping you configure scaling through their consoles.

In most cases, each service provides Amazon managed (predefined) IAM policies that define access to its console, and these include permissions to Application Auto Scaling API actions. For more information, see the documentation for the service whose console you want to use.

You can also create your own custom IAM policies to give users fine-grained permissions to view and work with specific Application Auto Scaling API actions in the Amazon Web Services Management Console. You can use the example policies in the preceding sections; however, they are designed for requests made with the Amazon CLI or an SDK. The console uses additional API actions for its features, so these policies might not work as expected. For example, to configure step scaling, users might need additional permissions to create and manage CloudWatch alarms.

Tip

To help you identify which API actions are required to perform tasks in the console, you can use a service such as Amazon CloudTrail. For more information, see the Amazon CloudTrail User Guide.

The following identity-based policy grants permission to configure scaling policies for Spot Fleets. In addition to the IAM permissions for Spot Fleets, console users who access fleet scaling settings from the Amazon EC2 console must also have the appropriate permissions for the services that support dynamic scaling.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:*",
                "ec2:DescribeSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DisableAlarmActions",
                "cloudwatch:EnableAlarmActions",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Get*",
                "sns:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"
                }
            }
        }
    ]
}

This policy allows console users to view and modify scaling policies in the Amazon EC2 console, and to create and manage CloudWatch alarms in the CloudWatch console.

You can adjust the API actions to limit user access. For example, replacing application-autoscaling:* with application-autoscaling:Describe* gives users read-only access to Application Auto Scaling.
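To check what the read-only narrowing above actually changes before deploying it, the following added Python example (not part of the Amazon documentation) implements a minimal evaluator for identity policies of the shape shown on this page: wildcard action and resource matching, the StringLike condition used by the iam:CreateServiceLinkedRole statement, and explicit-deny precedence. The policy data is a constructed excerpt of the Spot Fleet console policy; SLR_ARN, CONSOLE_POLICY, is_allowed and read_only_variant are names chosen here, not Amazon APIs.

```python
import copy
import re

# Constructed excerpt of the Spot Fleet console policy on this page (most SNS actions omitted).
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/"
           "AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest")
CONSOLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["application-autoscaling:*", "ec2:DescribeSpotFleetRequests", "ec2:ModifySpotFleetRequest",
                "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "sns:Get*"]},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN,
     "Condition": {"StringLike": {"iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _conditions_hold(condition, context):
    # Only the StringLike operator used on this page is modelled; anything else fails closed.
    for operator, pairs in (condition or {}).items():
        if operator != "StringLike":
            return False
        for key, patterns in pairs.items():
            if context.get(key) is None or not any(_match(p, context[key]) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy, action, resource="*", context=None):
    """One-policy evaluation: explicit Deny wins, else any matching Allow, else implicit deny.
    Action names compare case-insensitively; resource ARNs and condition values do not."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if (any(_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
                and any(_match(r, resource) for r in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt.get("Condition"), context)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def read_only_variant(policy):
    # The narrowing the page suggests: replace application-autoscaling:* with application-autoscaling:Describe*.
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        stmt["Action"] = ["application-autoscaling:Describe*" if a == "application-autoscaling:*" else a
                          for a in _as_list(stmt["Action"])]
    return narrowed
```

Note that the narrowed policy still grants ec2:ModifySpotFleetRequest and the CloudWatch alarm actions, so "read-only" here applies to Application Auto Scaling only; trim those statements too if the user should not change fleet capacity or alarms.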

You can also adjust the CloudWatch permissions as needed to limit user access to CloudWatch features. For more information, see Permissions required for the CloudWatch console in the Amazon CloudWatch User Guide.