Application Auto Scaling identity-based policy examples - Application Auto Scaling
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

Application Auto Scaling identity-based policy examples

By default, a brand-new IAM user has no permissions to do anything. An IAM administrator must create IAM policies that grant users and roles permission to perform Application Auto Scaling API actions, such as configuring scaling policies. The administrator must then attach those policies to the IAM users or roles that require them.

To learn how to create an IAM policy using the following example JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Permissions required for Application Auto Scaling API actions

The following policies grant permissions for common use cases when calling the Application Auto Scaling API. Refer to this section when you set up access control and write permissions policies that you can attach to an IAM user or role. Each policy grants access to all or some of the Application Auto Scaling API actions. You also need to make sure that the IAM user or role has a permissions policy for the target service and for CloudWatch (for more information, see the next section).

The following permissions policy grants access to all Application Auto Scaling API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:*"
      ],
      "Resource": "*"
    }
  ]
}

The following permissions policy grants access to all Application Auto Scaling API actions required to configure scaling policies, but not scheduled actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DeleteScalingPolicy"
      ],
      "Resource": "*"
    }
  ]
}

The following permissions policy grants access to all Application Auto Scaling API actions required to configure scheduled actions, but not scaling policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DeleteScheduledAction"
      ],
      "Resource": "*"
    }
  ]
}

Permissions required for API actions on target resources and CloudWatch

To successfully configure and use Application Auto Scaling with a target service, the IAM user must be granted the permissions required for Amazon CloudWatch and for each target service for which you configure scaling. Use the following policies to grant users the minimum permissions required to work with the target service and CloudWatch.

AppStream 2.0 fleets

The following permissions policy grants access to all the required AppStream 2.0 and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appstream:DescribeFleets",
        "appstream:UpdateFleet",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Aurora replicas

The following permissions policy grants access to all the required Aurora and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Amazon Comprehend document classification and entity recognizer endpoints

The following permissions policy grants access to all the required Amazon Comprehend and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "comprehend:UpdateEndpoint",
        "comprehend:DescribeEndpoint",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

DynamoDB tables and global secondary indexes

The following permissions policy grants access to all the required DynamoDB and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:UpdateTable",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

ECS services

The following permissions policy grants access to all the required ECS and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices",
        "ecs:UpdateService",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

ElastiCache replication groups

The following permissions policy grants access to all the required ElastiCache and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:ModifyReplicationGroupShardConfiguration",
        "elasticache:IncreaseReplicaCount",
        "elasticache:DecreaseReplicaCount",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheParameters",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Amazon EMR clusters

The following permissions policy grants access to all the required Amazon EMR and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:ModifyInstanceGroups",
        "elasticmapreduce:ListInstanceGroups",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Amazon Keyspaces tables

The following permissions policy grants access to all the required Amazon Keyspaces and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cassandra:Select",
        "cassandra:Alter",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Lambda functions

The following permissions policy grants access to all the required Lambda and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:PutProvisionedConcurrencyConfig",
        "lambda:GetProvisionedConcurrencyConfig",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Amazon Managed Streaming for Apache Kafka (MSK) broker storage

The following permissions policy grants access to all the required Amazon MSK and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kafka:DescribeCluster",
        "kafka:DescribeClusterOperation",
        "kafka:UpdateBrokerStorage",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Neptune clusters

The following permissions policy grants access to all the required Neptune and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:CreateDBInstance",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterParameters",
        "rds:DeleteDBInstance",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

SageMaker endpoints

The following permissions policy grants access to all the required SageMaker and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:UpdateEndpointWeightsAndCapacities",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Spot Fleets (Amazon EC2)

The following permissions policy grants access to all the required Spot Fleet and CloudWatch API actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSpotFleetRequests",
        "ec2:ModifySpotFleetRequest",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Custom resources

The following permissions policy grants users the permissions required to perform API Gateway API actions. It also grants access to all the required CloudWatch actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "*"
    }
  ]
}

Permissions for working in the Amazon Web Services Management Console

There is no standalone Application Auto Scaling console. Most services that integrate with Application Auto Scaling have features dedicated to helping you configure scaling through their console.

In most cases, each service provides Amazon managed (predefined) IAM policies that define access to its console, including permissions for Application Auto Scaling API actions. For more information, see the documentation for the service whose console you want to use.

You can also create your own custom IAM policies to give users fine-grained permissions to view and work with specific Application Auto Scaling API actions in the Amazon Web Services Management Console. You can use the policies from the previous sections; however, those policies are designed for requests made with the Amazon CLI or an SDK. The console uses other API actions to implement its features, so those policies might not work as expected. For example, to configure step scaling, users might need additional permissions to create and manage CloudWatch alarms.

Tip

To help you work out which API actions are required to perform tasks in the console, you can use a service such as Amazon CloudTrail. For more information, see the Amazon CloudTrail User Guide.

The following shows an example permissions policy that allows users to configure scaling policies for a Spot Fleet. In addition to the IAM permissions for Spot Fleets, IAM users who access fleet scaling settings from the console must have the appropriate permissions for the services that support dynamic scaling.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:*",
        "ec2:DescribeSpotFleetRequests",
        "ec2:ModifySpotFleetRequest",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DisableAlarmActions",
        "cloudwatch:EnableAlarmActions",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"
        }
      }
    }
  ]
}

This policy allows users to view and modify scaling policies in the Amazon EC2 console, and to create and manage CloudWatch alarms in the CloudWatch console.

You can adjust the API actions to limit user access. For example, replacing application-autoscaling:* with application-autoscaling:Describe* means the user has read-only access.

You can also adjust the CloudWatch permissions as needed to limit user access to CloudWatch features. For more information, see Permissions required to use the CloudWatch console in the Amazon CloudWatch User Guide.
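As an added example (not part of the AWS documentation and not an AWS-provided tool), the following Python script applies the least-privilege checks this page implies to the policy documents above, both the Application Auto Scaling policies in the first section and the Spot Fleet console policy just shown: it expands application-autoscaling wildcard actions against the actions named on this page, narrows application-autoscaling:* to application-autoscaling:Describe* as the preceding paragraph suggests, and verifies that any grant of iam:CreateServiceLinkedRole carries the iam:AWSServiceName condition the console policy uses. The action list and the trimmed console policy are constructed from this page only; the fnmatch-based wildcard matching and every function name are assumptions made for the demo, not IAM's full evaluation semantics (IAM matching is case-insensitive and the service exposes more actions than this page lists).

```python
"""Least-privilege checks over the policy documents shown on this page.

Added example, not AWS documentation or AWS-provided code. The action list
covers only the application-autoscaling actions named on this page; real IAM
wildcard matching is case-insensitive and covers the service's full action set.
"""
import copy
import fnmatch
import json

# Application Auto Scaling actions named on this page (constructed, not exhaustive).
APP_AUTOSCALING_ACTIONS = [
    "application-autoscaling:RegisterScalableTarget",
    "application-autoscaling:DescribeScalableTargets",
    "application-autoscaling:DeregisterScalableTarget",
    "application-autoscaling:PutScalingPolicy",
    "application-autoscaling:DescribeScalingPolicies",
    "application-autoscaling:DescribeScalingActivities",
    "application-autoscaling:DeleteScalingPolicy",
    "application-autoscaling:PutScheduledAction",
    "application-autoscaling:DescribeScheduledActions",
    "application-autoscaling:DeleteScheduledAction",
]

# The page's "all Application Auto Scaling API actions" policy, verbatim.
FULL_ACCESS_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    ' "Action": ["application-autoscaling:*"], "Resource": "*"}]}'
)

# The page's Spot Fleet console policy, trimmed to the statements that matter here.
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["application-autoscaling:*", "ec2:DescribeSpotFleetRequests",
                    "ec2:ModifySpotFleetRequest", "cloudwatch:PutMetricAlarm"]},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/"
                     "AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
         "Condition": {"StringLike": {"iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"}}},
    ],
}


def _actions(statement):
    """IAM accepts Action as one string or a list; normalise to a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def expand_actions(policy, known_actions=APP_AUTOSCALING_ACTIONS):
    """Expand Allow-statement Action patterns against the known action list.

    Patterns that match nothing known (other services, unknown actions) are kept
    verbatim so a reviewer still sees them.
    """
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _actions(stmt):
            matches = fnmatch.filter(known_actions, pattern)  # glob-style, like IAM's '*'
            allowed.update(matches or [pattern])
    return allowed


def is_read_only(policy, known_actions=APP_AUTOSCALING_ACTIONS):
    """True when every expanded application-autoscaling action is a Describe call."""
    return all(
        action.split(":", 1)[1].startswith("Describe")
        for action in expand_actions(policy, known_actions)
        if action.startswith("application-autoscaling:")
    )


def restrict_to_read_only(policy):
    """Return a copy with application-autoscaling:* narrowed to Describe*, as the page suggests."""
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        stmt["Action"] = [
            "application-autoscaling:Describe*" if a == "application-autoscaling:*" else a
            for a in _actions(stmt)
        ]
    return narrowed


def service_linked_role_is_conditioned(policy):
    """Every Allow of iam:CreateServiceLinkedRole must pin iam:AWSServiceName in its
    Condition, as the console policy above does; without it the statement would let
    the principal create service-linked roles for any service."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "iam:CreateServiceLinkedRole" not in _actions(stmt):
            continue
        condition = stmt.get("Condition", {})
        if not any("iam:AWSServiceName" in keys for keys in condition.values()):
            return False
    return True


if __name__ == "__main__":
    print("full policy read-only:", is_read_only(FULL_ACCESS_POLICY))
    print("narrowed policy read-only:", is_read_only(restrict_to_read_only(FULL_ACCESS_POLICY)))
    print("console SLR grant conditioned:", service_linked_role_is_conditioned(CONSOLE_POLICY))
```

Run it directly to see the three checks; to review one of your own policies, load it with json.load and pass it to the same functions, extending APP_AUTOSCALING_ACTIONS with any further actions you want the wildcard expansion to cover.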