Amazon 的托管策略 Amazon Batch - Amazon Batch
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon 的托管策略 Amazon Batch

您可以使用 Amazon 托管策略来简化团队和已配置 Amazon 资源的身份访问管理。 Amazon 托管政策涵盖各种常见用例,默认情况下可在您的 Amazon 账户中使用,并以您的名义进行维护和更新。您无法更改 Amazon 托管策略中的权限。如果您需要更大的灵活性,也可以选择创建 IAM 客户管理型策略。这样,您就可以为团队预配置的资源提供他们所需的确切权限。

有关 Amazon 托管策略的更多信息,请参阅 IAM 用户指南中的Amazon 托管策略

Amazon 服务代表您维护和更新 Amazon 托管政策。 Amazon 服务会定期向 Amazon 托管策略添加其他权限。 Amazon 当有新功能启动或操作可用时,托管策略很可能会更新。此类更新会自动影响附加策略的所有身份(用户、组和角色)。但是,它们不会移除权限或破坏您的现有权限。

此外,还 Amazon 支持跨多个服务的工作职能的托管策略。例如,ReadOnlyAccess Amazon 托管策略提供对所有 Amazon 服务和资源的只读访问权限。当服务启动一项新功能时, Amazon 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明,请参阅《IAM 用户指南》中的适用于工作职能的Amazon 托管式策略

Amazon 托管策略:BatchServiceRolePolicy

BatchServiceRolePolicy托管 IAM 策略由AWSServiceRoleForBatch服务相关角色使用。这 Amazon Batch 允许您代表您执行操作。您不能将此策略附加到您的 IAM 实体。有关更多信息,请参阅 将服务相关角色用于 Amazon Batch

此策略 Amazon Batch 允许对特定资源完成以下操作:

  • autoscaling— Amazon Batch 允许创建和管理 Amazon EC2 Auto Scaling 资源。 Amazon Batch 为大多数计算环境创建和管理 Amazon EC2 Auto Scaling 组。

  • ec2— Amazon Batch 允许控制 Amazon EC2 实例的生命周期以及创建和管理启动模板和标签。 Amazon Batch 为某些 EC2 竞价计算环境创建和管理 EC2 竞价型队列请求。

  • ecs- Amazon Batch 允许创建和管理 Amazon ECS 集群、任务定义和任务执行任务。

  • eks- Amazon Batch 允许描述用于验证的 Amazon EKS 集群资源。

  • iam-允许 Amazon Batch 验证所有者提供的角色并将其传递给 Amazon EC2、Amazon EC2 Auto Scaling 和 Amazon ECS。

  • logs— Amazon Batch 允许创建和管理 Amazon Batch 作业的日志组和日志流。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSBatchPolicyStatement1", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:RequestSpotFleet", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeScalingActivities", "eks:DescribeCluster", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:DeregisterTaskDefinition", "ecs:TagResource", "ecs:ListAccountSettings", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Sid": "AWSBatchPolicyStatement2", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*" }, { "Sid": "AWSBatchPolicyStatement3", "Effect": "Allow", "Action": [ "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*:log-stream:*" }, { "Sid": "AWSBatchPolicyStatement4", "Effect": "Allow", "Action": [ "autoscaling:CreateOrUpdateTags" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } } }, { "Sid": "AWSBatchPolicyStatement5", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Sid": "AWSBatchPolicyStatement6", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Sid": "AWSBatchPolicyStatement7", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplate" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } } }, { "Sid": "AWSBatchPolicyStatement8", "Effect": "Allow", "Action": [ "ec2:TerminateInstances", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/AWSBatchServiceTag": "false" } } }, { "Sid": "AWSBatchPolicyStatement9", "Effect": "Allow", "Action": [ "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteLaunchConfiguration" ], "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*" }, { "Sid": "AWSBatchPolicyStatement10", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteAutoScalingGroup", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*" }, { "Sid": "AWSBatchPolicyStatement11", "Effect": "Allow", "Action": [ "ecs:DeleteCluster", "ecs:DeregisterContainerInstance", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask" ], "Resource": "arn:aws:ecs:*:*:cluster/AWSBatch*" }, { "Sid": "AWSBatchPolicyStatement12", "Effect": "Allow", "Action": [ "ecs:RunTask", "ecs:StartTask", "ecs:StopTask" ], "Resource": "arn:aws:ecs:*:*:task-definition/*" }, { "Sid": "AWSBatchPolicyStatement13", "Effect": "Allow", "Action": [ "ecs:StopTask" ], "Resource": "arn:aws:ecs:*:*:task/*/*" }, { "Sid": "AWSBatchPolicyStatement14", "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:RegisterTaskDefinition" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } } }, { "Sid": "AWSBatchPolicyStatement15", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:ec2:*:*:placement-group/*", "arn:aws:ec2:*:*:capacity-reservation/*", "arn:aws:ec2:*:*:elastic-gpu/*", "arn:aws:elastic-inference:*:*:elastic-inference-accelerator/*", "arn:aws:resource-groups:*:*:group/*" ] }, { "Sid": "AWSBatchPolicyStatement16", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } } }, { "Sid": "AWSBatchPolicyStatement17", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction": [ "RunInstances", "CreateLaunchTemplate", "RequestSpotFleet" ] } } } ] }

Amazon 托管策略:AWSBatchServiceRole策略

名为的角色权限策略AWSBatchServiceRole Amazon Batch 允许对特定资源完成以下操作:

AWSBatchServiceRole托管 IAM 策略通常由名为的角色使用 AWSBatchServiceRole,该策略包含以下权限。遵循授予最低权限的标准安全建议,AWSBatchServiceRole 托管策略可用作指南。如果您的用例不需要托管策略中授予的任何权限,请创建自定义策略并仅添加所需的权限。此 Amazon Batch 托管策略和角色可用于大多数计算环境类型,但为了获得更好范围和更好的托管体验 less-error-prone,最好使用与服务相关的角色。

  • autoscaling— Amazon Batch 允许创建和管理 Amazon EC2 Auto Scaling 资源。 Amazon Batch 为大多数计算环境创建和管理 Amazon EC2 Auto Scaling 组。

  • ec2— Amazon Batch 允许管理 Amazon EC2 实例的生命周期以及创建和管理启动模板和标签。 Amazon Batch 为某些 EC2 竞价计算环境创建和管理 EC2 竞价型队列请求。

  • ecs- Amazon Batch 允许创建和管理 Amazon ECS 集群、任务定义和任务执行任务。

  • iam-允许 Amazon Batch 验证所有者提供的角色并将其传递给 Amazon EC2、Amazon EC2 Auto Scaling 和 Amazon ECS。

  • logs— Amazon Batch 允许创建和管理 Amazon Batch 作业的日志组和日志流。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSBatchPolicyStatement1", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:TerminateInstances", "ec2:RunInstances", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeScalingActivities", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent", "ecs:DeregisterContainerInstance", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Sid": "AWSBatchPolicyStatement2", "Effect": "Allow", "Action": "ecs:TagResource", "Resource": [ "arn:aws:ecs:*:*:task/*_Batch_*" ] }, { "Sid": "AWSBatchPolicyStatement3", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Sid": "AWSBatchPolicyStatement4", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Sid": "AWSBatchPolicyStatement5", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } } } ] }

Amazon 托管策略:AWSBatchFullAccess

AWSBatchFullAccess策略授予 Amazon Batch 操作对 Amazon Batch 资源的完全访问权限。它还授予亚马逊 EC2、Amazon ECS、Amazon EKS 和 IAM 服务的描述和列出操作访问权限。 CloudWatch这样,IAM 身份(无论是用户还是角色)都可以查看代表他们创建的 Amazon Batch 托管资源。最后,该策略还允许将选定的 IAM 角色传递给这些服务。

您可以附加AWSBatchFullAccess到您的 IAM 实体。 Amazon Batch 还将此策略附加 Amazon Batch 到允许代表您执行操作的服务角色。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "batch:*", "cloudwatch:GetMetricStatistics", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeImages", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ecs:DescribeClusters", "ecs:Describe*", "ecs:List*", "eks:DescribeCluster", "eks:ListClusters", "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "logs:FilterLogEvents", "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "iam:PassRole" ], "Resource":[ "arn:aws:iam::*:role/AWSBatchServiceRole", "arn:aws:iam::*:role/service-role/AWSBatchServiceRole", "arn:aws:iam::*:role/ecsInstanceRole", "arn:aws:iam::*:instance-profile/ecsInstanceRole", "arn:aws:iam::*:role/iaws-ec2-spot-fleet-role", "arn:aws:iam::*:role/aws-ec2-spot-fleet-role", "arn:aws:iam::*:role/AWSBatchJobRole*" ] }, { "Effect":"Allow", "Action":[ "iam:CreateServiceLinkedRole" ], "Resource":"arn:aws:iam::*:role/*Batch*", "Condition": { "StringEquals": { "iam:AWSServiceName": "batch.amazonaws.com" } } } ] }

Amazon BatchAmazon 托管策略的更新

查看 Amazon Batch 自该服务开始跟踪这些更改以来 Amazon 托管策略更新的详细信息。要获得有关此页面变更的自动提醒,请订阅 “ Amazon Batch 文档历史记录” 页面上的 RSS feed。

更改 描述 日期

BatchServiceRolePolicy政策已更新

已更新,增加了对描述 Spot 队列请求历史记录和 Amazon EC2 Auto Scaling 活动的支持。

2023 年 12 月 5 日

AWSBatchServiceRole策略已添加

更新为添加语句 ID、向ec2:DescribeSpotFleetRequestHistory和授予 Amazon Batch 权限autoscaling:DescribeScalingActivities

2023 年 12 月 5 日

BatchServiceRolePolicy政策已更新

更新,增加了对描述 Amazon EKS 集群的支持。

2022 年 10 月 20 日

AWSBatchFullAccess政策已更新

更新,增加了对列出和描述 Amazon EKS 集群的支持。

2022 年 10 月 20 日

BatchServiceRolePolicy政策已更新

更新,增加了对由 Amazon Resource Groups管理的 Amazon EC2 容量预留组的支持。有关更多信息,请参阅 《适用于 Linux 实例的 Amazon EC2 用户指南》 中的 使用容量预留

2022 年 5 月 18 日

BatchServiceRolePolicy并更新了AWSBatchServiceRole政策

更新后增加了对描述 Amazon EC2 中 Amazon Batch 托管实例状态的支持,以便替换运行状况不佳的实例。

2021 年 12 月 6 日

BatchServiceRolePolicy政策已更新

更新,以增加对 Amazon EC2 中的置放群组、容量预留、弹性 GPU 和 Elastic Inference 资源的支持。

2021 年 3 月 26 日

BatchServiceRolePolicy策略已添加

借助AWSServiceRoleForBatch服务相关角色的BatchServiceRolePolicy托管策略,您可以使用由管理的服务相关角色。 Amazon Batch有了此策略,您无需维护自己的角色即可在计算环境中使用。

2021 年 3 月 10 日

AWSBatchFullAccess-添加添加服务相关角色的权限

添加 IAM 权限以允许将AWSServiceRoleForBatch服务相关角色添加到账户。

2021 年 3 月 10 日

Amazon Batch 开始跟踪更改

Amazon Batch 开始跟踪其 Amazon 托管策略的更改。

2021 年 3 月 10 日