AWS managed policies for Amazon DocumentDB

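To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. Creating IAM customer managed policies that give your team only the permissions it needs takes time and expertise. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the AWS Identity and Access Management User Guide.

AWS services maintain and update AWS managed policies. You cannot change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This kind of update affects all identities (users, groups, and roles) that the policy is attached to. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates will not break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon DocumentDB: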

AmazonDocDBFullAccess

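This policy grants administrative permissions that allow a principal full access to all Amazon DocumentDB actions. The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB permissions allow all Amazon DocumentDB actions.

  • Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to make sure that Amazon DocumentDB can successfully use the resources with a cluster. The rest of the Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed for you to connect to your clusters.

  • The Amazon DocumentDB permissions are used during API calls to validate the resources passed in a request. Amazon DocumentDB requires them in order to use the passed key with the Amazon DocumentDB cluster.

  • The CloudWatch Logs permissions are required for Amazon DocumentDB to ensure that the log delivery destinations are reachable and that they are valid for broker log use.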

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:AddRoleToDBCluster", "rds:AddSourceIdentifierToSubscription", "rds:AddTagsToResource", "rds:ApplyPendingMaintenanceAction", "rds:CopyDBClusterParameterGroup", "rds:CopyDBClusterSnapshot", "rds:CopyDBParameterGroup", "rds:CreateDBCluster", "rds:CreateDBClusterParameterGroup", "rds:CreateDBClusterSnapshot", "rds:CreateDBInstance", "rds:CreateDBParameterGroup", "rds:CreateDBSubnetGroup", "rds:CreateEventSubscription", "rds:DeleteDBCluster", "rds:DeleteDBClusterParameterGroup", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBInstance", "rds:DeleteDBParameterGroup", "rds:DeleteDBSubnetGroup", "rds:DeleteEventSubscription", "rds:DescribeAccountAttributes", "rds:DescribeCertificates", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSubnetGroups", "rds:DescribeEngineDefaultClusterParameters", "rds:DescribeEngineDefaultParameters", "rds:DescribeEventCategories", "rds:DescribeEventSubscriptions", "rds:DescribeEvents", "rds:DescribeOptionGroups", "rds:DescribeOrderableDBInstanceOptions", "rds:DescribePendingMaintenanceActions", "rds:DescribeValidDBInstanceModifications", "rds:DownloadDBLogFilePortion", "rds:FailoverDBCluster", "rds:ListTagsForResource", "rds:ModifyDBCluster", "rds:ModifyDBClusterParameterGroup", "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup", "rds:ModifyDBSubnetGroup", "rds:ModifyEventSubscription", "rds:PromoteReadReplicaDBCluster", "rds:RebootDBInstance", "rds:RemoveRoleFromDBCluster", "rds:RemoveSourceIdentifierFromSubscription", "rds:RemoveTagsFromResource", "rds:ResetDBClusterParameterGroup", "rds:ResetDBParameterGroup", 
"rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBClusterToPointInTime" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListRetirableGrants", "logs:DescribeLogStreams", "logs:GetLogEvents", "sns:ListSubscriptions", "sns:ListTopics", "sns:Publish" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", "Condition": { "StringLike": { "iam:AWSServiceName": "rds.amazonaws.com" } } } ] }

AmazonDocDBReadOnlyAccess

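This policy grants read-only permissions that allow a user to view information in Amazon DocumentDB. Principals with this policy attached cannot update or delete existing resources, and cannot create new Amazon DocumentDB resources. For example, principals with these permissions can view the list of clusters and configurations associated with their account, but cannot change the configuration or settings of any cluster. The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB permissions allow you to list Amazon DocumentDB resources, describe them, and get information about them.

  • The Amazon EC2 permissions are used to describe the Amazon VPC, subnets, security groups, and ENIs that are associated with a cluster.

  • The Amazon DocumentDB permissions are used to describe the key that is associated with the cluster.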

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:DescribeAccountAttributes", "rds:DescribeCertificates", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBSubnetGroups", "rds:DescribeEventCategories", "rds:DescribeEventSubscriptions", "rds:DescribeEvents", "rds:DescribeOrderableDBInstanceOptions", "rds:DescribePendingMaintenanceActions", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "kms:ListKeys", "kms:ListRetirableGrants", "kms:ListAliases", "kms:ListKeyPolicies" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "logs:DescribeLogStreams", "logs:GetLogEvents" ], "Effect": "Allow", "Resource": [ "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*", "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*" ] } ] }

AmazonDocDBConsoleFullAccess

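Grants full access to manage Amazon DocumentDB resources using the Amazon Web Services Management Console, with the following:

  • The Amazon DocumentDB permissions allow all Amazon DocumentDB and Amazon DocumentDB cluster actions.

  • Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to make sure that Amazon DocumentDB can successfully use the resources to provision and maintain the cluster. The rest of the Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed for you to connect to your clusters, such as a VPC endpoint.

  • The AWS KMS permissions are used during API calls to AWS KMS to validate the resources passed in a request. Amazon DocumentDB requires them in order to use the passed key to encrypt and decrypt data at rest with the Amazon DocumentDB elastic cluster.

  • The CloudWatch Logs permissions are required for Amazon DocumentDB to ensure that the log delivery destinations are reachable and that they are valid for auditing and profiling log use.

  • The Secrets Manager permissions are required to validate the given secret and use it to set up the admin user for Amazon DocumentDB elastic clusters.

  • The Amazon RDS permissions are required for Amazon DocumentDB cluster management actions. For certain management features, Amazon DocumentDB uses operational technology that is shared with Amazon RDS.

  • The SNS permissions allow principals to use Amazon Simple Notification Service (Amazon SNS) subscriptions and topics, and to publish Amazon SNS messages.

  • The IAM permissions are needed to create the service-linked roles that are required for publishing metrics and logs.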

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DocdbSids", "Effect": "Allow", "Action": [ "docdb-elastic:CreateCluster", "docdb-elastic:UpdateCluster", "docdb-elastic:GetCluster", "docdb-elastic:DeleteCluster", "docdb-elastic:ListClusters", "docdb-elastic:CreateClusterSnapshot", "docdb-elastic:GetClusterSnapshot", "docdb-elastic:DeleteClusterSnapshot", "docdb-elastic:ListClusterSnapshots", "docdb-elastic:RestoreClusterFromSnapshot", "docdb-elastic:TagResource", "docdb-elastic:UntagResource", "docdb-elastic:ListTagsForResource", "docdb-elastic:CopyClusterSnapshot", "docdb-elastic:StartCluster", "docdb-elastic:StopCluster", "rds:AddRoleToDBCluster", "rds:AddSourceIdentifierToSubscription", "rds:AddTagsToResource", "rds:ApplyPendingMaintenanceAction", "rds:CopyDBClusterParameterGroup", "rds:CopyDBClusterSnapshot", "rds:CopyDBParameterGroup", "rds:CreateDBCluster", "rds:CreateDBClusterParameterGroup", "rds:CreateDBClusterSnapshot", "rds:CreateDBInstance", "rds:CreateDBParameterGroup", "rds:CreateDBSubnetGroup", "rds:CreateEventSubscription", "rds:CreateGlobalCluster", "rds:DeleteDBCluster", "rds:DeleteDBClusterParameterGroup", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBInstance", "rds:DeleteDBParameterGroup", "rds:DeleteDBSubnetGroup", "rds:DeleteEventSubscription", "rds:DeleteGlobalCluster", "rds:DescribeAccountAttributes", "rds:DescribeCertificates", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSubnetGroups", "rds:DescribeEngineDefaultClusterParameters", "rds:DescribeEngineDefaultParameters", "rds:DescribeEventCategories", "rds:DescribeEventSubscriptions", "rds:DescribeEvents", "rds:DescribeGlobalClusters", "rds:DescribeOptionGroups", 
"rds:DescribeOrderableDBInstanceOptions", "rds:DescribePendingMaintenanceActions", "rds:DescribeValidDBInstanceModifications", "rds:DownloadDBLogFilePortion", "rds:FailoverDBCluster", "rds:ListTagsForResource", "rds:ModifyDBCluster", "rds:ModifyDBClusterParameterGroup", "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup", "rds:ModifyDBSubnetGroup", "rds:ModifyEventSubscription", "rds:ModifyGlobalCluster", "rds:PromoteReadReplicaDBCluster", "rds:RebootDBInstance", "rds:RemoveFromGlobalCluster", "rds:RemoveRoleFromDBCluster", "rds:RemoveSourceIdentifierFromSubscription", "rds:RemoveTagsFromResource", "rds:ResetDBClusterParameterGroup", "rds:ResetDBParameterGroup", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBClusterToPointInTime" ], "Resource": [ "*" ] }, { "Sid": "DependencySids", "Effect": "Allow", "Action": [ "iam:GetRole", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2:AllocateAddress", "ec2:AssignIpv6Addresses", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AssociateRouteTable", "ec2:AssociateSubnetCidrBlock", "ec2:AssociateVpcCidrBlock", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:CreateCustomerGateway", "ec2:CreateDefaultSubnet", "ec2:CreateDefaultVpc", "ec2:CreateInternetGateway", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeCustomerGateways", "ec2:DescribeInstances", "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute", 
"ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:ModifyVpcEndpoint", "kms:DescribeKey", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListRetirableGrants", "logs:DescribeLogStreams", "logs:GetLogEvents", "sns:ListSubscriptions", "sns:ListTopics", "sns:Publish" ], "Resource": [ "*" ] }, { "Sid": "DocdbSLRSid", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", "Condition": { "StringLike": { "iam:AWSServiceName": "rds.amazonaws.com" } } }, { "Sid": "DocdbElasticSLRSid", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic", "Condition": { "StringLike": { "iam:AWSServiceName": "docdb-elastic.amazonaws.com" } } } ] }

AmazonDocDBElasticReadOnlyAccess

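This policy grants read-only permissions that allow a user to view elastic cluster information in Amazon DocumentDB. Principals with this policy attached cannot update or delete existing resources, and cannot create new Amazon DocumentDB resources. For example, principals with these permissions can view the list of clusters and configurations associated with their account, but cannot change the configuration or settings of any cluster. The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB elastic cluster permissions allow you to list Amazon DocumentDB elastic cluster resources, describe them, and get information about them.

  • The CloudWatch permissions are used to verify service metrics.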

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "docdb-elastic:ListClusters", "docdb-elastic:GetCluster", "docdb-elastic:ListClusterSnapshots", "docdb-elastic:GetClusterSnapshot", "docdb-elastic:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics" ], "Resource": "*" } ] }

AmazonDocDBElasticFullAccess

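This policy grants administrative permissions that allow a principal full access to all Amazon DocumentDB actions for Amazon DocumentDB elastic clusters.

This policy uses AWS tags (https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) within conditions to scope access to resources. If you are using a secret, it must be tagged with the tag key DocDBElasticFullAccess and a tag value. If you are using a customer managed key, it must be tagged with the tag key DocDBElasticFullAccess and a tag value.

The permissions in this policy are grouped as follows:

  • The Amazon DocumentDB elastic cluster permissions allow all Amazon DocumentDB actions.

  • Some of the Amazon EC2 permissions in this policy are required to validate the resources passed in an API request. This is to make sure that Amazon DocumentDB can successfully use the resources to provision and maintain the cluster. The rest of the Amazon EC2 permissions in this policy allow Amazon DocumentDB to create the AWS resources needed for you to connect to your clusters, such as a VPC endpoint.

  • The AWS KMS permissions are required for Amazon DocumentDB to use the passed key to encrypt and decrypt data at rest within the Amazon DocumentDB elastic cluster.

    Note

    The customer managed key must have a tag with the key DocDBElasticFullAccess and a tag value.

  • The Secrets Manager permissions are required to validate the given secret and use it to set up the admin user for Amazon DocumentDB elastic clusters.

    Note

    The secret used must have a tag with the key DocDBElasticFullAccess and a tag value.

  • The IAM permissions are needed to create the service-linked roles that are required for publishing metrics and logs.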
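How the tag and calling-service conditions play out for the KMSSid and SecretManagerSid statements of the policy JSON that follows, as an added example that is not part of the AWS documentation. It models only StringLike and StringEquals in simplified form; the function names, the Region and the tag value are assumptions made for the illustration.

```python
import fnmatch

# Condition blocks copied from the AmazonDocDBElasticFullAccess policy on this page.
KMS_SID = {"StringLike": {
    "kms:ViaService": ["docdb-elastic.*.amazonaws.com"],
    "aws:ResourceTag/DocDBElasticFullAccess": "*"}}
SECRET_SID = {
    "StringLike": {"secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"},
    "StringEquals": {"aws:CalledViaFirst": "docdb-elastic.amazonaws.com"}}

def _match(op, pattern, actual):
    if op == "StringLike":   # '*' and '?' wildcards, case-sensitive values
        return fnmatch.fnmatchcase(actual, pattern)
    if op == "StringEquals":
        return actual == pattern
    raise ValueError(f"operator not modelled: {op}")

def condition_allows(condition, context):
    """Simplified model (an assumption of this example, not the IAM engine):
    operators and keys are ANDed, values for one key are ORed, and a key
    that is absent from the request context fails its test."""
    ctx = {k.lower(): v for k, v in context.items()}  # key names are case-insensitive
    for op, tests in condition.items():
        for key, patterns in tests.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(_match(op, p, actual) for p in patterns):
                return False
    return True

# Constructed request contexts; the Region and tag value are made up.
VIA = {"kms:ViaService": "docdb-elastic.us-east-1.amazonaws.com"}
TAG = {"aws:ResourceTag/DocDBElasticFullAccess": "true"}
SECRET_TAG = {"secretsmanager:ResourceTag/DocDBElasticFullAccess": "true"}
CALLED_VIA = {"aws:CalledViaFirst": "docdb-elastic.amazonaws.com"}

def evaluate_samples():
    return {
        "tagged key, via service": condition_allows(KMS_SID, {**VIA, **TAG}),
        "untagged key, via service": condition_allows(KMS_SID, VIA),
        "tagged key, direct call": condition_allows(KMS_SID, TAG),
        "tagged secret, via service": condition_allows(SECRET_SID, {**SECRET_TAG, **CALLED_VIA}),
        "tagged secret, direct call": condition_allows(SECRET_SID, SECRET_TAG),
    }

if __name__ == "__main__":
    for case, allowed in evaluate_samples().items():
        print(f"{case}: {'condition met' if allowed else 'condition not met'}")
```

Only the cases where the resource carries the DocDBElasticFullAccess tag and the request arrives through the elastic cluster service satisfy the condition; an untagged key or a direct call by the principal does not.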

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DocdbElasticSid", "Effect": "Allow", "Action": [ "docdb-elastic:CreateCluster", "docdb-elastic:UpdateCluster", "docdb-elastic:GetCluster", "docdb-elastic:DeleteCluster", "docdb-elastic:ListClusters", "docdb-elastic:CreateClusterSnapshot", "docdb-elastic:GetClusterSnapshot", "docdb-elastic:DeleteClusterSnapshot", "docdb-elastic:ListClusterSnapshots", "docdb-elastic:RestoreClusterFromSnapshot", "docdb-elastic:TagResource", "docdb-elastic:UntagResource", "docdb-elastic:ListTagsForResource", "docdb-elastic:CopyClusterSnapshot", "docdb-elastic:StartCluster", "docdb-elastic:StopCluster" ], "Resource": [ "*" ] }, { "Sid": "EC2Sid", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:DeleteVpcEndpoints", "ec2:ModifyVpcEndpoint", "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeAvailabilityZones", "secretsmanager:ListSecrets" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "aws:CalledViaFirst": "docdb-elastic.amazonaws.com" } } }, { "Sid": "KMSSid", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringLike": { "kms:ViaService": [ "docdb-elastic.*.amazonaws.com" ], "aws:ResourceTag/DocDBElasticFullAccess": "*" } } }, { "Sid": "KMSGrantSid", "Effect": "Allow", "Action": [ "kms:CreateGrant" ], "Resource": "*", "Condition": { "StringLike": { "aws:ResourceTag/DocDBElasticFullAccess": "*", "kms:ViaService": [ "docdb-elastic.*.amazonaws.com" ] }, "Bool": { "kms:GrantIsForAWSResource": true } } }, { "Sid": "SecretManagerSid", "Effect": "Allow", "Action": [ "secretsmanager:ListSecretVersionIds", "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:GetResourcePolicy" ], "Resource": "*", "Condition": { "StringLike": { "secretsmanager:ResourceTag/DocDBElasticFullAccess": "*" }, "StringEquals": { "aws:CalledViaFirst": 
"docdb-elastic.amazonaws.com" } } }, { "Sid": "CloudwatchSid", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics" ], "Resource": [ "*" ] }, { "Sid": "SLRSid", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic", "Condition": { "StringLike": { "iam:AWSServiceName": "docdb-elastic.amazonaws.com" } } } ] }

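AmazonDocDB-ElasticServiceRolePolicy

You cannot attach AmazonDocDBElasticServiceRolePolicy to your AWS Identity and Access Management entities. This policy is attached to a service-linked role that allows Amazon DocumentDB to perform actions on your behalf. For more information, see Service-linked roles in elastic clusters.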

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": [ "AWS/DocDB-Elastic" ] } } } ] }

Amazon DocumentDB updates to AWS managed policies

Change | Description | Date
AmazonDocDBElasticFullAccess, AmazonDocDBConsoleFullAccess - Change | Policies updated to add the start/stop cluster and copy cluster snapshot actions. | February 21, 2024
AmazonDocDBElasticReadOnlyAccess, AmazonDocDBElasticFullAccess - Change | Policies updated to add the cloudwatch:GetMetricData action. | June 21, 2023
AmazonDocDBElasticReadOnlyAccess - New policy | New managed policy for Amazon DocumentDB elastic clusters | August 6, 2023
AmazonDocDBElasticFullAccess - New policy | New managed policy for Amazon DocumentDB elastic clusters | May 6, 2023
AmazonDocDB-ElasticServiceRolePolicy - New policy | Amazon DocumentDB created a new AWSServiceRoleForDocDB-Elastic service-linked role for Amazon DocumentDB elastic clusters | 11/30/2022
AmazonDocDBConsoleFullAccess - Change | Policy updated to add Amazon DocumentDB global and elastic cluster permissions | 11/30/2022
AmazonDocDBConsoleFullAccess, AmazonDocDBFullAccess, AmazonDocDBReadOnlyAccess - New policy | Service launch | 1/19/2017