Amazon managed policies for Amazon Batch
You can use Amazon managed policies to simplify identity and access management for your teams and for the Amazon resources you have provisioned. Amazon managed policies cover many common use cases, are available in your Amazon account by default, and are maintained and updated on your behalf. You can't change the permissions in an Amazon managed policy. If you need more flexibility, you can create IAM customer managed policies instead; that lets you grant your teams exactly the permissions they need for the resources provisioned for them.
For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.
Amazon services maintain and update Amazon managed policies on your behalf, and periodically add permissions to them. An Amazon managed policy is most likely to be updated when a new feature launches or a new operation becomes available. Such updates automatically affect every identity (user, group, or role) that the policy is attached to, but they never remove permissions or break the permissions you already have.
Amazon also supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and description of job function policies, see Amazon managed policies for job functions in the IAM User Guide.
Amazon managed policy: BatchServiceRolePolicy
The BatchServiceRolePolicy managed IAM policy is used by the AWSServiceRoleForBatch service-linked role. It allows Amazon Batch to perform actions on your behalf. You can't attach this policy to your IAM entities. For more information, see Using service-linked roles for Amazon Batch.
This policy allows Amazon Batch to complete the following actions on the specified resources:
- autoscaling – Allows Amazon Batch to create and manage Amazon EC2 Auto Scaling resources. Amazon Batch creates and manages Amazon EC2 Auto Scaling groups for most compute environments.
- ec2 – Allows Amazon Batch to control the lifecycle of Amazon EC2 instances and to create and manage launch templates and tags. Amazon Batch creates and manages EC2 Spot Fleet requests for some EC2 Spot compute environments.
- ecs – Allows Amazon Batch to create and manage Amazon ECS clusters, task definitions, and tasks for job execution.
- eks – Allows Amazon Batch to describe Amazon EKS cluster resources for validation.
- iam – Allows Amazon Batch to validate the roles provided by the owner and to pass them to Amazon EC2, Amazon EC2 Auto Scaling, and Amazon ECS.
- logs – Allows Amazon Batch to create and manage log groups and log streams for Amazon Batch jobs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBatchPolicyStatement1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions", "ec2:RequestSpotFleet",
        "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities",
        "eks:DescribeCluster",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks",
        "ecs:DeregisterTaskDefinition", "ecs:TagResource", "ecs:ListAccountSettings",
        "logs:DescribeLogGroups",
        "iam:GetInstanceProfile", "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBatchPolicyStatement2",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*"
    },
    {
      "Sid": "AWSBatchPolicyStatement3",
      "Effect": "Allow",
      "Action": ["logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*:log-stream:*"
    },
    {
      "Sid": "AWSBatchPolicyStatement4",
      "Effect": "Allow",
      "Action": ["autoscaling:CreateOrUpdateTags"],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement5",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement6",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement7",
      "Effect": "Allow",
      "Action": ["ec2:CreateLaunchTemplate"],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement8",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": { "Null": { "aws:ResourceTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement9",
      "Effect": "Allow",
      "Action": ["autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteLaunchConfiguration"],
      "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement10",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity", "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement11",
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCluster", "ecs:DeregisterContainerInstance", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:cluster/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement12",
      "Effect": "Allow",
      "Action": ["ecs:RunTask", "ecs:StartTask", "ecs:StopTask"],
      "Resource": "arn:aws:ecs:*:*:task-definition/*"
    },
    {
      "Sid": "AWSBatchPolicyStatement13",
      "Effect": "Allow",
      "Action": ["ecs:StopTask"],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Sid": "AWSBatchPolicyStatement14",
      "Effect": "Allow",
      "Action": ["ecs:CreateCluster", "ecs:RegisterTaskDefinition"],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement15",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*:*:capacity-reservation/*",
        "arn:aws:ec2:*:*:elastic-gpu/*",
        "arn:aws:elastic-inference:*:*:elastic-inference-accelerator/*",
        "arn:aws:resource-groups:*:*:group/*"
      ]
    },
    {
      "Sid": "AWSBatchPolicyStatement16",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Sid": "AWSBatchPolicyStatement17",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": { "ec2:CreateAction": ["RunInstances", "CreateLaunchTemplate", "RequestSpotFleet"] }
      }
    }
  ]
}
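The scoping that makes BatchServiceRolePolicy tighter than a plain action list lives in its conditions: the Null checks on aws:RequestTag and aws:ResourceTag for AWSBatchServiceTag, the iam:PassedToService list on iam:PassRole, and the AWSBatch* name prefixes in resource ARNs. As an added example (not code from the Amazon Batch documentation), the following Python evaluates requests against those grants; it models only the policy grammar used above (Allow statements, wildcard Action and Resource, Null and StringEquals), and the embedded policy is an excerpt of statements 5, 8 and 10 exactly as printed. Account IDs, regions and resource names in the comments are constructed.

```python
import re

# Added example (not Amazon Batch code): evaluator for the policy-grammar subset used on this page.

def _glob(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(rx, value, flags) is not None

def _listify(x):
    return x if isinstance(x, list) else [x]

def _conditions_hold(cond, ctx):
    for op, clauses in cond.items():
        for key, want in clauses.items():
            have = ctx.get(key)
            if op == "Null":
                # "false" means the key MUST be present, i.e. the request or resource carries the tag.
                if (have is None) != (_listify(want)[0] == "true"):
                    return False
            elif op == "StringEquals":
                if have is None or have not in _listify(want):
                    return False
            else:
                raise NotImplementedError(f"operator {op} is not modelled")
    return True

def is_allowed(policy, action, resource, ctx=None):
    """True if some Allow statement matches action and resource and its conditions hold."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(_glob(a, action, re.IGNORECASE) for a in _listify(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _listify(st["Resource"])):
            continue
        if _conditions_hold(st.get("Condition", {}), ctx):
            return True
    return False

# Excerpt of BatchServiceRolePolicy: statements 5, 8 and 10 as printed above (assumed sufficient here).
BATCH_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSBatchPolicyStatement5", "Effect": "Allow", "Action": "iam:PassRole", "Resource": ["*"],
     "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]}}},
    {"Sid": "AWSBatchPolicyStatement8", "Effect": "Allow",
     "Action": ["ec2:TerminateInstances", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate"],
     "Resource": "*", "Condition": {"Null": {"aws:ResourceTag/AWSBatchServiceTag": "false"}}},
    {"Sid": "AWSBatchPolicyStatement10", "Effect": "Allow",
     "Action": ["autoscaling:CreateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup"],
     "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"},
]}
```

Because only Allow statements are modelled, a False result means "no statement in this policy grants it", not a simulation of the full IAM evaluation chain (explicit denies, SCPs, resource policies).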
Amazon managed policy: AWSBatchServiceRole policy
The AWSBatchServiceRole managed IAM policy is typically used by a role named AWSBatchServiceRole and includes the permissions below. Following the standard security advice of granting least privilege, treat the AWSBatchServiceRole managed policy as a guide: if your use case does not need some of the permissions the managed policy grants, create a custom policy and add only the permissions you require. This Amazon Batch managed policy and role can be used for most compute environment types, but the service-linked role is preferred because it is less error-prone, broader in scope, and offers an improved managed experience.
The role permissions policy named AWSBatchServiceRole allows Amazon Batch to complete the following actions on the specified resources:
- autoscaling – Allows Amazon Batch to create and manage Amazon EC2 Auto Scaling resources. Amazon Batch creates and manages Amazon EC2 Auto Scaling groups for most compute environments.
- ec2 – Allows Amazon Batch to manage the lifecycle of Amazon EC2 instances and to create and manage launch templates and tags. Amazon Batch creates and manages EC2 Spot Fleet requests for some EC2 Spot compute environments.
- ecs – Allows Amazon Batch to create and manage Amazon ECS clusters, task definitions, and tasks for job execution.
- iam – Allows Amazon Batch to validate the roles provided by the owner and to pass them to Amazon EC2, Amazon EC2 Auto Scaling, and Amazon ECS.
- logs – Allows Amazon Batch to create and manage log groups and log streams for Amazon Batch jobs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBatchPolicyStatement1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate",
        "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest",
        "ec2:TerminateInstances", "ec2:RunInstances",
        "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities", "autoscaling:CreateLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags",
        "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters",
        "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions",
        "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster",
        "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask",
        "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent",
        "ecs:DeregisterContainerInstance",
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups",
        "iam:GetInstanceProfile", "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBatchPolicyStatement2",
      "Effect": "Allow",
      "Action": "ecs:TagResource",
      "Resource": ["arn:aws:ecs:*:*:task/*_Batch_*"]
    },
    {
      "Sid": "AWSBatchPolicyStatement3",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement4",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement5",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": ["*"],
      "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } }
    }
  ]
}
Amazon managed policy: AWSBatchFullAccess
The AWSBatchFullAccess policy grants Amazon Batch actions full access to all Amazon Batch resources. It also grants describe and list operations for the Amazon EC2, Amazon ECS, Amazon EKS, CloudWatch, and IAM services, so that an IAM identity (whether a user or a role) can view the Amazon Batch managed resources created on its behalf. Finally, the policy allows selected IAM roles to be passed to those services.
You can attach AWSBatchFullAccess to your IAM entities. Amazon Batch also attaches this policy to a service role that allows Amazon Batch to perform actions on your behalf.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "batch:*",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeVpcs",
        "ec2:DescribeImages", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions",
        "ecs:DescribeClusters", "ecs:Describe*", "ecs:List*",
        "eks:DescribeCluster", "eks:ListClusters",
        "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "logs:FilterLogEvents",
        "iam:ListInstanceProfiles", "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::*:role/AWSBatchServiceRole",
        "arn:aws:iam::*:role/service-role/AWSBatchServiceRole",
        "arn:aws:iam::*:role/ecsInstanceRole",
        "arn:aws:iam::*:instance-profile/ecsInstanceRole",
        "arn:aws:iam::*:role/iaws-ec2-spot-fleet-role",
        "arn:aws:iam::*:role/aws-ec2-spot-fleet-role",
        "arn:aws:iam::*:role/AWSBatchJobRole*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/*Batch*",
      "Condition": { "StringEquals": { "iam:AWSServiceName": "batch.amazonaws.com" } }
    }
  ]
}
Amazon Batch updates to Amazon managed policies
View details about updates to Amazon managed policies for Amazon Batch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Batch Document history page.
Change | Description | Date
---|---|---
 | Updated to add support for describing Spot Fleet request history and Amazon EC2 Auto Scaling activities. | December 5, 2023
AWSBatchServiceRole policy added | Updated to add statement IDs and to … | December 5, 2023
 | Updated to add support for describing Amazon EKS clusters. | October 20, 2022
AWSBatchFullAccess policy update | Updated to add support for listing and describing Amazon EKS clusters. | October 20, 2022
 | Updated to add support for Amazon EC2 Capacity Reservation groups managed by Amazon Resource Groups. For more information, see Work with Capacity Reservation groups in the Amazon EC2 User Guide. | May 18, 2022
 | Updated to add support for describing the status of Amazon Batch managed instances in Amazon EC2, so that unhealthy instances can be replaced. | December 6, 2021
 | Updated to add support for placement groups, Capacity Reservations, elastic GPUs, and Elastic Inference resources in Amazon EC2. | March 26, 2021
 | With the BatchServiceRolePolicy managed policy for the AWSServiceRoleForBatch service-linked role, you can use a service-linked role managed by Amazon Batch. With this policy, you no longer need to maintain your own role for use in compute environments. | March 10, 2021
AWSBatchFullAccess – Add permissions for the service-linked role | Added IAM permissions to allow the AWSServiceRoleForBatch service-linked role to be added to the account. | March 10, 2021
Amazon Batch started tracking changes | Amazon Batch started tracking changes for its Amazon managed policies. | March 10, 2021