附录:创建自定义 IAM 策略 - Amazon Kinesis Data Analytics
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

附录:创建自定义 IAM 策略

您通常使用托管 IAM 策略允许应用程序访问依赖资源。如果您需要更好地控制应用程序的权限,则可以使用自定义 IAM 策略。此部分包含自定义 IAM 策略的示例。

注意

在以下策略示例中,将占位符文本替换为您的应用程序的值。

Amazon Glue

以下示例策略授予权限以访问Amazon Glue数据库。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "GlueTable", "Effect": "Allow", "Action": [ "glue:GetConnection", "glue:GetTable", "glue:GetTables", "glue:GetDatabase", "glue:CreateTable", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:<region>:<accountId>:connection/*", "arn:aws:glue:<region>:<accountId>:table/<database-name>/*", "arn:aws:glue:<region>:<accountId>:database/<database-name>", "arn:aws:glue:<region>:<accountId>:database/hive", "arn:aws:glue:<region>:<accountId>:catalog" ] }, { "Sid": "GlueDatabase", "Effect": "Allow", "Action": "glue:GetDatabases", "Resource": "*" } ] }

CloudWatch 日志

以下策略授予访问的权限。CloudWatch日志:

{ "Sid": "ListCloudwatchLogGroups", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": [ "arn:aws:logs:<region>:<accountId>:log-group:*" ] }, { "Sid": "ListCloudwatchLogStreams", "Effect": "Allow", "Action": [ "logs:DescribeLogStreams" ], "Resource": [ "<logGroupArn>:log-stream:*" ] }, { "Sid": "PutCloudwatchLogs", "Effect": "Allow", "Action": [ "logs:PutLogEvents" ], "Resource": [ "<logStreamArn>" ] }
注意

如果您使用控制台创建应用程序,则控制台将添加必要的策略来访问CloudWatch日志到你的应用程序角色。

Kinesis Streams

您的应用程序可以将 Kinesis Stream 用于源或目标。您的应用程序需要读取权限才能从源流中读取,并需要写入目标流的写入权限。

以下策略授予从用作源的 Kinesis Stream 中读取的权限:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "KinesisShardDiscovery", "Effect": "Allow", "Action": "kinesis:ListShards", "Resource": "*" }, { "Sid": "KinesisShardConsumption", "Effect": "Allow", "Action": [ "kinesis:GetShardIterator", "kinesis:GetRecords", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:RegisterStreamConsumer", "kinesis:DeregisterStreamConsumer" ], "Resource": "arn:aws:kinesis:<region>:<accountId>:stream/<stream-name>" }, { "Sid": "KinesisEfoConsumer", "Effect": "Allow", "Action": [ "kinesis:DescribeStreamConsumer", "kinesis:SubscribeToShard" ], "Resource": "arn:aws:kinesis:<region>:<account>:stream/<stream-name>/consumer/*" } ] }

以下策略授予写入用作目标的 Kinesis Stream 的权限:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "KinesisStreamSink", "Effect": "Allow", "Action": [ "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:DescribeStreamSummary", "kinesis:DescribeStream" ], "Resource": "arn:aws:kinesis:<region>:<accountId>:stream/<stream-name>" } ] }

如果您的应用程序访问加密的 Kinesis 流,则必须授予其他权限才能访问该流和该流的加密密钥。

以下策略授予访问加密源流和该流的加密密钥的权限:

{ "Sid": "ReadEncryptedKinesisStreamSource", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "<inputStreamKeyArn>" ] } ,

以下策略授予访问加密目标流和该流的加密密钥的权限:

{ "Sid": "WriteEncryptedKinesisStreamSink", "Effect": "Allow", "Action": [ "kms:GenerateDataKey" ], "Resource": [ "<outputStreamKeyArn>" ] }

Amazon MSK 集群

要授予对 Amazon MSK 群集的访问权限,您可以授予对群集 VPC 的访问权限。有关访问 Amazon VPC 的策略示例,请参阅VPC 应用程序权限.