有关使用 AWS CLI 或 AWS 开发工具包的示例策略 - Application Auto Scaling
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

如果我们为英文版本指南提供翻译,那么如果存在任何冲突,将以英文版本指南为准。在提供翻译时使用机器翻译。

有关使用 AWS CLI 或 AWS 开发工具包的示例策略

默认情况下,全新的 IAM 用户没有执行任何操作的权限。一个 IAM 管理员必须创建 IAM 授予用户和角色执行权限的策略 Application Auto Scaling 操作,例如配置扩展策略。然后,管理员必须将这些策略附加到需要这些权限的 IAM 用户或角色。

学习如何创建 IAM 使用这些示例JSON策略文件的策略,请参阅 在JSON选项卡上创建策略IAM 用户指南.

以下策略授予针对常见使用案例的权限。您可以根据您的 IAM 用户所需的访问权限将这些策略附加到这些用户。每个策略授予 的全部或部分 API 操作的访问权限。Application Auto Scaling.

下面显示允许用户对 执行所有 API 操作的权限策略的示例。Application Auto Scaling.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:*" ], "Resource": "*" } ] }

下面显示允许用户配置扩展策略的权限策略示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DeleteScalingPolicy" ], "Resource": "*" } ] }

下面显示允许用户配置计划扩展的权限策略示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:PutScheduledAction", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DeleteScheduledAction" ], "Resource": "*" } ] }

其他要求 IAM 权限

对于用户将配置扩展策略的每种类型的资源,用户必须具有额外的权限。您在 Action 一个 IAM 政策声明。

ECS 服务

  • ecs:DescribeServices

  • ecs:UpdateService

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

EC2 Spot 队列请求

  • ec2:DescribeSpotFleetRequests

  • ec2:ModifySpotFleetRequest

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon EMR 集群

  • elasticmapreduce:ModifyInstanceGroups

  • elasticmapreduce:ListInstanceGroups

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

AppStream 2.0 队列

  • appstream:DescribeFleets

  • appstream:UpdateFleet

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

DynamoDB 表和全局二级索引

  • dynamodb:DescribeTable

  • dynamodb:UpdateTable

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Aurora 数据库集群

  • rds:AddTagsToResource

  • rds:CreateDBInstance

  • rds:DeleteDBInstance

  • rds:DescribeDBClusters

  • rds:DescribeDBInstances

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

SageMaker 终端节点

  • sagemaker:DescribeEndpoint

  • sagemaker:DescribeEndpointConfig

  • sagemaker:UpdateEndpointWeightsAndCapacities

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

自定义资源

  • execute-api:Invoke

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon Comprehend 文档分类终端节点

  • comprehend:UpdateEndpoint

  • comprehend:DescribeEndpoint

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Lambda 函数。

  • lambda:PutProvisionedConcurrencyConfig

  • lambda:GetProvisionedConcurrencyConfig

  • lambda:DeleteProvisionedConcurrencyConfig

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon Keyspaces 表

  • cassandra:Select

  • cassandra:Alter

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

创建服务链接角色所需的权限

Application Auto Scaling 需要权限才能首次在您的 AWS 帐户呼叫 RegisterScalableTarget 给定服务。 Application Auto Scaling 如果角色不存在,请在您的帐户中创建服务特定的服务链接角色。此服务相关角色向 Application Auto Scaling 授予权限,以便它能代表您调用其他服务。

为使自动角色创建操作成功,用户必须具有 iam:CreateServiceLinkedRole 操作的权限。

"Action": "iam:CreateServiceLinkedRole"

下面显示了允许用户为 Spot 队列创建 Application Auto Scaling 服务相关角色的权限策略示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws-cn:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest", "Condition": { "StringLike": { "iam:AWSServiceName":"ec2.application-autoscaling.amazonaws.com" } } } ] }

有关更多信息,请参阅 服务链接角色 Application Auto Scaling.