用于完全访问的 IAM 托管策略(v2 托管默认策略) - Amazon EMR
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

用于完全访问的 IAM 托管策略(v2 托管默认策略)

v2 范围 EMR 默认托管策略向用户授予特定访问权限。它们需要预定义的 Amazon EMR 资源标签和 Amazon EMR 使用的资源的 iam:PassRole 条件键,例如用于启动集群的 SubnetSecurityGroup

要为 Amazon EMR 授予对必需操作的权限,可附加 AmazonEMRFullAccessPolicy_v2 托管策略。此更新的默认托管策略将替换 AmazonElasticMapReduceFullAccess 托管策略。

AmazonEMRFullAccessPolicy_v2 取决于对 Amazon EMR 预置或使用的资源的范围缩小访问权限。使用此策略时,您需要在预置集群时传递用户标签 for-use-with-amazon-emr-managed-policies = true。Amazon EMR 将自动传播标签。此外,您可能需要手动向特定类型的资源添加用户标签,例如不是由 Amazon EMR 创建的 EC2 安全组。请参阅 标记资源以使用托管策略

AmazonEMRFullAccessPolicy_v2 策略通过执行以下操作来保护资源:

  • 需要使用预定义的 Amazon EMR 托管式策略标签 for-use-with-amazon-emr-managed-policies 标记资源,以便创建集群和访问 Amazon EMR。

  • iam:PassRole 操作限制为特定的默认角色和对特定服务的 iam:PassedToService 访问权限。

  • 默认情况下,不再提供对 Amazon EC2、Amazon S3 和其他服务的访问权限。

本策略的内容如下所示。

注意

您还可以使用控制台链接 AmazonEMRFullAccessPolicy_v2 查看该策略。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "RunJobFlowExplicitlyWithEMRManagedTag", "Effect": "Allow", "Action": [ "elasticmapreduce:RunJobFlow" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "ElasticMapReduceActions", "Effect": "Allow", "Action": [ "elasticmapreduce:AddInstanceFleet", "elasticmapreduce:AddInstanceGroups", "elasticmapreduce:AddJobFlowSteps", "elasticmapreduce:AddTags", "elasticmapreduce:CancelSteps", "elasticmapreduce:CreateEditor", "elasticmapreduce:CreateSecurityConfiguration", "elasticmapreduce:DeleteEditor", "elasticmapreduce:DeleteSecurityConfiguration", "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeEditor", "elasticmapreduce:DescribeJobFlows", "elasticmapreduce:DescribeSecurityConfiguration", "elasticmapreduce:DescribeStep", "elasticmapreduce:GetBlockPublicAccessConfiguration", "elasticmapreduce:GetManagedScalingPolicy", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListEditors", "elasticmapreduce:ListInstanceFleets", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListInstances", "elasticmapreduce:ListSecurityConfigurations", "elasticmapreduce:ListSteps", "elasticmapreduce:ModifyCluster", "elasticmapreduce:ModifyInstanceFleet", "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:PutAutoScalingPolicy", "elasticmapreduce:PutBlockPublicAccessConfiguration", "elasticmapreduce:PutManagedScalingPolicy", "elasticmapreduce:RemoveAutoScalingPolicy", "elasticmapreduce:RemoveManagedScalingPolicy", "elasticmapreduce:RemoveTags", "elasticmapreduce:SetTerminationProtection", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:TerminateJobFlows", "elasticmapreduce:ViewEventsFromAllClustersInConsole" ], "Resource": "*" }, { "Sid": "ViewMetricsInEMRConsole", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricStatistics" ], "Resource": "*" }, { "Sid": "PassRoleForElasticMapReduce", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/EMR_DefaultRole", "Condition": { "StringLike": { "iam:PassedToService": "elasticmapreduce.amazonaws.com*" } } }, { "Sid": "PassRoleForEC2", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/EMR_EC2_DefaultRole", "Condition": { "StringLike": { "iam:PassedToService": "ec2.amazonaws.com*" } } }, { "Sid": "PassRoleForAutoScaling", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/EMR_AutoScaling_DefaultRole", "Condition": { "StringLike": { "iam:PassedToService": "application-autoscaling.amazonaws.com*" } } }, { "Sid": "ElasticMapReduceServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com*/AWSServiceRoleForEMRCleanup*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "elasticmapreduce.amazonaws.com", "elasticmapreduce.amazonaws.com.cn" ] } } }, { "Sid": "ConsoleUIActions", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeNatGateways", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints", "s3:ListAllMyBuckets", "iam:ListRoles" ], "Resource": "*" } ] }