This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

Amazon managed policies for Amazon Batch

You can use Amazon managed policies to provide simpler identity and access management for your team and your Amazon resources. Amazon managed policies cover a variety of common use cases, are available by default in your Amazon account, and are maintained and updated on your behalf. You can't change the permissions in an Amazon managed policy. If you need more flexibility, you can instead create IAM customer managed policies. These let you grant your team exactly the permissions they need for the resources provisioned for them.

For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies on your behalf. Periodically, Amazon services add permissions to Amazon managed policies. Amazon managed policies are most likely to be updated when a new feature is launched or a new operation becomes available. These updates automatically affect all identities (users, groups, and roles) that the policy is attached to. However, they don't remove permissions or break your existing permissions.

In addition, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: BatchServiceRolePolicy

The BatchServiceRolePolicy policy is attached to a service-linked role. It allows Amazon Batch to perform actions on your behalf. You can't attach this policy to your IAM entities. For more information, see Using service-linked roles for Amazon Batch.

This policy grants Amazon Batch access to related services, including Amazon EC2, Amazon EC2 Auto Scaling, Amazon ECS, and Amazon CloudWatch Logs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotFleetInstances",
        "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:RequestSpotFleet",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeAutoScalingInstances",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "ecs:DeregisterTaskDefinition",
        "ecs:TagResource",
        "ecs:ListAccountSettings",
        "logs:DescribeLogGroups",
        "iam:GetInstanceProfile",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*:log-stream:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "autoscaling.amazonaws.com",
            "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:CancelSpotFleetRequests",
        "ec2:ModifySpotFleetRequest",
        "ec2:DeleteLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration"
      ],
      "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:SuspendProcesses",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:cluster/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:task-definition/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*:*:capacity-reservation/*",
        "arn:aws:ec2:*:*:elastic-gpu/*",
        "arn:aws:elastic-inference:*:*:elastic-inference-accelerator/*",
        "arn:aws:resource-groups:*:*:group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances",
            "CreateLaunchTemplate",
            "RequestSpotFleet"
          ]
        }
      }
    }
  ]
}
```

Amazon managed policy: AWSBatchFullAccess

The AWSBatchFullAccess policy grants Amazon Batch actions full access to Amazon Batch resources. It also grants access to the describe and list operations of the Amazon EC2, Amazon ECS, CloudWatch, and IAM services. This is so that IAM identities, whether users or roles, can view the resources that Amazon Batch manages on their behalf. Finally, this policy also allows selected IAM roles to be passed to those services.

You can attach AWSBatchFullAccess to your IAM entities. Amazon Batch also attaches this policy to a service role that allows Amazon Batch to perform actions on your behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "batch:*",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeImages",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ecs:DescribeClusters",
        "ecs:Describe*",
        "ecs:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "iam:ListInstanceProfiles",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSBatchServiceRole",
        "arn:aws:iam::*:role/service-role/AWSBatchServiceRole",
        "arn:aws:iam::*:role/ecsInstanceRole",
        "arn:aws:iam::*:instance-profile/ecsInstanceRole",
        "arn:aws:iam::*:role/iaws-ec2-spot-fleet-role",
        "arn:aws:iam::*:role/aws-ec2-spot-fleet-role",
        "arn:aws:iam::*:role/AWSBatchJobRole*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/*Batch*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "batch.amazonaws.com"
        }
      }
    }
  ]
}
```
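The two policies above rely on three scoping mechanisms that are easy to misread: the Null condition on aws:RequestTag/AWSBatchServiceTag (the tag must be present on the request), the StringEquals condition on iam:PassedToService, and the explicit role ARN list on iam:PassRole in AWSBatchFullAccess. The following is an added example, not part of the Amazon documentation or of Amazon Batch: a deliberately simplified IAM evaluator (Allow statements only, these two condition operators, glob matching for actions and ARNs) run over statements copied from the policies on this page, so you can see which requests each statement actually permits.

```python
import fnmatch
import json

# Statements copied from the two policies on this page (BatchServiceRolePolicy and
# AWSBatchFullAccess); the other statements are omitted to keep the example short.
SERVICE_ROLE = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {"Null": {"aws:RequestTag/AWSBatchServiceTag": "false"}}},
 {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ["*"],
  "Condition": {"StringEquals": {"iam:PassedToService":
   ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]}}}]}""")
FULL_ACCESS = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [
  "arn:aws:iam::*:role/AWSBatchServiceRole", "arn:aws:iam::*:role/AWSBatchJobRole*"]}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(cond, ctx):
    """Evaluate the two operators these policies use; every key must match (AND)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Null":
                # "false" means the key must be present in the request, "true" that it is absent.
                want_absent = _as_list(expected)[0] == "true"
                if (actual is None) != want_absent:
                    return False
            elif op == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(op)
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Simplified IAM evaluation: default deny, Allow statements only (the page's
    policies contain no Deny statements), glob matching for Action and Resource."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if condition_matches(st.get("Condition", {}), ctx):
            return True
    return False
```

Real IAM evaluation also applies explicit Deny, resource and session policies, permission boundaries and case-insensitive action matching; this evaluator covers only what is needed to trace the statements shown here.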

Amazon Batch updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Batch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Batch Document history page.

BatchServiceRolePolicy policy updated (May 18, 2022)

Updated to add support for Amazon EC2 capacity reservation groups managed by Amazon Resource Groups. For more information, see Work with Capacity Reservation groups in the Amazon EC2 User Guide for Linux Instances.

BatchServiceRolePolicy and AWSBatchServiceRole policies updated (December 6, 2021)

Updated to add support for describing the status of Amazon EC2 instances managed by Amazon Batch, so that unhealthy instances can be replaced.

BatchServiceRolePolicy policy updated (March 26, 2021)

Updated to add support for placement group, capacity reservation, elastic GPU, and Elastic Inference resources in Amazon EC2.

BatchServiceRolePolicy policy added (March 10, 2021)

With the BatchServiceRolePolicy managed policy for the AWSServiceRoleForBatch service-linked role, you can use a service-linked role that is managed by Amazon Batch. With this policy, you don't need to maintain your own role for use in compute environments.

AWSBatchFullAccess: added permissions for adding the service-linked role (March 10, 2021)

Added IAM permissions that allow the AWSServiceRoleForBatch service-linked role to be added to an account.

Amazon Batch started tracking changes (March 10, 2021)

Amazon Batch started tracking changes for its Amazon managed policies.