本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 在 Amazon SAM 模板中设置和管理资源访问权限
为了使您的 Amazon 资源相互交互,必须在您的资源之间配置适当的访问权限和权限。为此,需要配置 Amazon Identity and Access Management (IAM) 用户、角色和策略,以安全的方式完成互动。
本节中的主题都与设置对模板中定义的资源的访问相关。本节从一般最佳实践开始。接下来的两个主题回顾了在无服务器应用程序中引用的资源之间设置访问权限和权限的两个选项: Amazon SAM 连接器和 Amazon SAM 策略模板。最后一个主题详细介绍了如何使用与管理用户相同的机制 Amazon CloudFormation 来管理用户访问权限。
要了解更多信息,请参阅*《Amazon CloudFormation 用户指南》*中的[使用 Amazon Identity and Access Management控制访问](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-iam-template.html)。
Amazon Serverless Application Model (Amazon SAM) 提供了两个选项,可简化对无服务器应用程序的访问和权限的管理。
1. Amazon SAM 连接器
1. Amazon SAM 策略模板
## Amazon SAM 连接器
连接器是在两个资源之间配置权限的一种方式。为此,您可以通过在 Amazon SAM 模板中描述它们应如何相互交互来实现。可以使用 `Connectors` 资源属性或 `AWS::Serverless::Connector` 资源类型进行定义。连接器支持在资源组合之间配置`Read`和`Write`访问数据和事件。 Amazon 要了解有关 Amazon SAM 连接器的更多信息,请参阅[使用 Amazon SAM 连接器管理资源权限](managing-permissions-connectors.md)。
## Amazon SAM 策略模板
Amazon SAM 策略模板是预定义的权限集,您可以将其添加到 Amazon SAM 模板中,以管理您的 Amazon Lambda 函数、 Amazon Step Functions 状态机及其与之交互的资源之间的访问权限和权限。要了解有关 Amazon SAM 策略模板的更多信息,请参阅[Amazon SAM策略模板](serverless-policy-templates.md)。
## Amazon CloudFormation 机制
Amazon CloudFormation 机制包括配置 IAM 用户、角色和策略,以管理您的 Amazon 资源之间的权限。要了解更多信息,请参阅[使用 Amazon CloudFormation 机制管理 Amazon SAM 权限](sam-permissions-cloudformation.md)。
## 最佳实践
在整个无服务器应用程序中,您可以使用多种方法来配置资源之间的权限。因此,您可以为每个场景选择最佳选项,并在整个应用程序中结合使用多个选项。选择最适合您的选项时,需要考虑以下几点:
+ Amazon SAM 连接器和策略模板都减少了促进 Amazon 资源之间安全交互所需的 IAM 专业知识。如果受支持,请使用连接器和策略模板。
+ Amazon SAM 连接器提供了一种简单直观的简短语法,用于在 Amazon SAM 模板中定义权限,并且只需要最少的 IAM 专业知识。当同时支持 Amazon SAM 连接器和策略模板时,请使用 Amazon SAM 连接器。
+ Amazon SAM 连接器可以在支持的 Amazon SAM 源资源和目标资源之间配置`Read`和`Write`访问数据和事件。有关受支持的资源的列表,请参阅 [Amazon SAM 连接器参考](reference-sam-connector.md)。如果支持,请使用 Amazon SAM 连接器。
+ 虽然 Amazon SAM 策略模板仅限于您的 Lambda 函数、Step Functions 状态机及其与之交互的 Amazon 资源之间的权限,但策略模板确实支持所有 CRUD 操作。如果支持并且有适用于您的场景的 Amazon SAM 策略模板,请使用 Amazon SAM 策略模板。有关可用策略模板的列表,请参阅 [Amazon SAM策略模板](serverless-policy-templates.md)。
+ 对于所有其他场景,或者需要精细度时,请使用 Amazon CloudFormation 机制。
# 使用 Amazon SAM 连接器管理资源权限
连接器是一种 Amazon Serverless Application Model (Amazon SAM) 抽象资源类型,标识为`AWS::Serverless::Connector`,它在您的无服务器应用程序资源之间提供简单且范围明确的权限。
## Amazon SAM 连接器的好处
通过在资源之间自动编写适当的访问策略,连接器使您能够编写无服务器应用程序并专注于应用程序架构,而无需在 Amazon 授权功能、策略语言和特定于服务的安全设置方面的专业知识。因此,对于可能不熟悉无服务器开发的开发人员或希望提高开发速度的经验丰富的开发人员来说,连接器十分有用。
## 使用 Amazon SAM 连接器
通过将 `Connectors` 资源属性嵌入到**源**资源中来使用它。然后,定义您的**目标**资源并描述数据或事件应如何在这些资源之间流动。 Amazon SAM 然后制定必要的访问策略,以促进所需的交互。
以下内容概述了此资源属性的编写方式:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
:
Type:
...
Connectors:
:
Properties:
Destination:
Permissions:
...
```
## 连接器的工作原理
**注意**
本节介绍连接器如何在幕后提供必要的资源。使用连接器时,这种情况会自动发生。
首先,嵌入的 `Connectors` 资源属性转换为 `AWS::Serverless::Connector` 资源类型。其逻辑 ID 会自动创建为**。
例如,这是嵌入式连接器:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Lambda::Function
Connectors:
MyConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Read
- Write
MyTable:
Type: AWS::DynamoDB::Table
```
这将生成以下 `AWS::Serverless::Connector` 资源:
```
Transform: AWS::Serverless-2016-10-31
Resources:
...
MyFunctionMyConn:
Type: AWS::Serverless::Connector
Properties:
Source:
Id: MyFunction
Destination:
Id: MyTable
Permissions:
- Read
- Write
```
**注意**
您也可以使用此语法在 Amazon SAM 模板中定义连接器。如果源资源定义于与连接器不同的模板上,则建议使用此方法。
接下来,将自动编写该连接必要的访问策略。有关连接器生成的资源的更多信息,请参阅 [Amazon CloudFormation 指定时生成的资源 AWS::Serverless::Connector](sam-specification-generated-resources-connector.md)。
## 连接器示例
以下示例说明如何使用连接器将数据从 Amazon Lambda 函数写入 Amazon DynamoDB 表。
![\[Lambda 函数使用 Amazon SAM 连接器将数据写入 DynamoDB 表。\]](http://docs.amazonaws.cn/serverless-application-model/latest/developerguide/images/managing-connectors-example.png)
```
Transform: AWS::Serverless-2016-10-31
Resources:
MyTable:
Type: AWS::Serverless::SimpleTable
MyFunction:
Type: AWS::Serverless::Function
Connectors:
MyConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Write
Properties:
Runtime: nodejs16.x
Handler: index.handler
InlineCode: |
const AWS = require("aws-sdk");
const docClient = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event, context) => {
await docClient.put({
TableName: process.env.TABLE_NAME,
Item: {
id: context.awsRequestId,
event: JSON.stringify(event)
}
}).promise();
}
Environment:
Variables:
TABLE_NAME: !Ref MyTable
```
`Connectors` 资源属性嵌入在 Lambda 函数源资源中。使用 `Id` 属性将 DynamoDB 表定义为目标资源。连接器将在这两个资源之间提供 `Write` 权限。
当您将 Amazon SAM 模板部署到时 Amazon CloudFormation, Amazon SAM 将自动编写此连接正常运行所需的必要访问策略。
## 源资源和目标资源之间支持的连接
连接器支持源和目标资源连接的精选组合之间的 `Read` 和 `Write` 数据和事件权限类型。例如,连接器支持 `AWS::ApiGateway::RestApi` 源资源和 `AWS::Lambda::Function` 目标资源之间的 `Write` 连接。
可以使用支持的属性的组合来定义源资源和目标资源。属性要求将取决于您正在建立的连接以及资源定义的位置。
**注意**
连接器可以在支持的无服务器和非无服务器资源类型之间配置权限。
有关支持的资源连接及其属性要求的列表,请参阅 [连接器支持的源资源和目的地资源类型](reference-sam-connector.md#supported-connector-resource-types)。
# 在中定义读取和写入权限 Amazon SAM
在`Read`和中 Amazon SAM,可以在单个连接器中配置`Write`权限:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Lambda::Function
Connectors:
MyTableConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Read
- Write
MyTable:
Type: AWS::DynamoDB::Table
```
有关使用连接器的更多信息,请参阅 [Amazon SAM 连接器参考](reference-sam-connector.md)。
# 使用中其他支持的属性来定义资源 Amazon SAM
对于源资源和目标资源,如果在同一个模板中定义,则使用 `Id` 属性。或者,可以添加 `Qualifier` 以缩小您定义的资源范围。当资源不在同一个模板中时,请使用受支持属性的组合。
+ 有关源资源和目标资源支持的属性组合列表,请参阅 [连接器支持的源资源和目的地资源类型](reference-sam-connector.md#supported-connector-resource-types)。
+ 有关可用于连接器的属性的说明,请参见 [AWS::Serverless::Connector](sam-resource-connector.md)。
在定义具有 `Id` 之外属性的源资源时,请使用 `SourceReference` 属性。
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
:
Type:
...
Connectors:
:
Properties:
SourceReference:
Qualifier:
Destination:
Permissions:
```
以下示例使用 `Qualifier` 缩小 Amazon API Gateway 资源的范围:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyApi:
Type: AWS::Serverless::Api
Connectors:
ApiToLambdaConn:
Properties:
SourceReference:
Qualifier: Prod/GET/foobar
Destination:
Id: MyFunction
Permissions:
- Write
...
```
以下示例使用支持的 `Arn` 和 `Type` 组合定义来自另一个模板的目标资源:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
TableConn:
Properties:
Destination:
Type: AWS::DynamoDB::Table
Arn: !GetAtt MyTable.Arn
...
```
有关使用连接器的更多信息,请参阅 [Amazon SAM 连接器参考](reference-sam-connector.md)。
# 从单一来源创建多个连接器 Amazon SAM
在一个源资源中,您可以定义多个连接器,且每个都有不同的目标资源。
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
BucketConn:
Properties:
Destination:
Id: amzn-s3-demo-bucket
Permissions:
- Read
- Write
SQSConn:
Properties:
Destination:
Id: MyQueue
Permissions:
- Read
- Write
TableConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Read
- Write
TableConnWithTableArn:
Properties:
Destination:
Type: AWS::DynamoDB::Table
Arn: !GetAtt MyTable.Arn
Permissions:
- Read
- Write
...
```
有关使用连接器的更多信息,请参阅 [Amazon SAM 连接器参考](reference-sam-connector.md)。
# 在中创建多目的地连接器 Amazon SAM
在一个源资源中,您可以定义具有多个目标资源的单个连接器。以下是 Lambda 函数源资源的示例,其连接到 Amazon Simple Storage Service(Amazon S3)存储桶和 DynamoDB 表:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
WriteAccessConn:
Properties:
Destination:
- Id: OutputBucket
- Id: CredentialTable
Permissions:
- Write
...
OutputBucket:
Type: AWS::S3::Bucket
CredentialTable:
Type: AWS::DynamoDB::Table
```
有关使用连接器的更多信息,请参阅 [Amazon SAM 连接器参考](reference-sam-connector.md)。
# 使用连接器定义资源属性 Amazon SAM
可以为资源定义资源属性,以指定其他行为和关系。要了解有关资源属性的更多信息,请参阅*《Amazon CloudFormation 用户指南》*中的[资源属性参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-product-attribute-reference.html)。
您可以将资源属性添加到嵌入式连接器,方法是在与连接器属性相同的级别上对其进行定义。在部署时转换 Amazon SAM 模板时,属性将传递给生成的资源。
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
MyConn:
DeletionPolicy: Retain
DependsOn: AnotherFunction
Properties:
...
```
有关使用连接器的更多信息,请参阅 [Amazon SAM 连接器参考](reference-sam-connector.md)。
## 了解详情
有关使用 Amazon SAM 连接器的更多信息,请参阅以下主题:
+ [AWS::Serverless::Connector](sam-resource-connector.md)
+ [在中定义读取和写入权限 Amazon SAM](connector-usage-define.md)
+ [使用中其他支持的属性来定义资源 Amazon SAM](connector-usage-other-properties.md)
+ [从单一来源创建多个连接器 Amazon SAM](connector-usage-single-source.md)
+ [在中创建多目的地连接器 Amazon SAM](connector-usage-multi-destination.md)
+ [在中定义读取和写入权限 Amazon SAM](connector-usage-define.md)
+ [使用连接器定义资源属性 Amazon SAM](connector-usage-resource-attributes.md)
## 提供反馈
要提供有关连接器的反馈,[请在*serverless-application-model Amazon GitHub存储库*中提交新问题](https://github.com/aws/serverless-application-model/issues/new?assignees=&labels=area%2Fconnectors,stage%2Fneeds-triage&template=other.md&title=%28Feature%20Request%29)。
# Amazon SAM策略模板
Amazon Serverless Application Model (Amazon SAM) 允许您从策略模板列表中进行选择,将 Lambda 函数和 Amazon Step Functions 状态机的权限范围限定为应用程序使用的资源。
Amazon SAM 中使用策略模板 Amazon Serverless Application Repository 的应用程序不需要任何特殊的客户确认即可从中部署应用程序。 Amazon Serverless Application Repository
如果要请求添加新的策略模板,请执行以下操作:
1. 针对项目分支中的 policy\$1templates.json 源文件提交拉取请求。`develop` Amazon SAM GitHub 你可以在网站上的 p [olicy\$1templates.](https://github.com/aws/serverless-application-model/blob/develop/samtranslator/policy_templates_data/policy_templates.json) json 中找到源文件。 GitHub
1. 在 Amazon SAM GitHub 项目中提交一个问题,其中包含您的拉取请求的原因和请求链接。使用此链接提交新问题:[Amazon Serverless Application Model:问题](https://github.com/aws/serverless-application-model/issues/new)。
## 语法
对于您在模板文件中指定的每个策略 Amazon SAM 模板,必须始终指定一个包含策略模板占位符值的对象。如果策略模板不需要任何占位符值,则必须指定一个空对象。
### YAML
```
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- PolicyTemplateName1: # Policy template with placeholder value
Key1: Value1
- PolicyTemplateName2: {} # Policy template with no placeholder value
```
**注意**
若您已设置常规 IAM 策略或通过 Lambda 管理策略,则无需使用空对象即可设置策略模板。
## 示例
### 示例 1:具有占位符值的策略模板
以下示例显示 [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) 策略模板期待 `QueueName` 作为资源。 Amazon SAM 模板检索 “`MyQueue`” Amazon SQS 队列的名称,您可以在同一个应用程序中创建该队列,也可以将其作为应用程序的参数进行请求。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - SQSPollerPolicy:
9. QueueName:
10. !GetAtt MyQueue.QueueName
```
### 示例 2:不具有占位符值的策略模板
以下示例包含 [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) 策略模板,该模板没有占位符值。
**注意**
即使没有占位符值,也必须指定一个空对象,否则会导致错误。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - CloudWatchPutMetricPolicy: {}
```
### 示例 3:包含占位符值和常规 IAM 策略的策略模板
以下示例包含 Amazon A SQSFull cess 策略和[DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy)策略模板。Amazon A SQSFull ccess Amazon SAM 策略是一项 IAM 策略而不是策略,因此您不必指定空对象,因为该策略将直接传递给 Amazon CloudFormation。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - AmazonSQSFullAccess // IAM policy could be set without passing an empty object
9. - DynamoDBCrudPolicy: // SAM specific policy, has a defined structure
10. TableName:
11. !Ref SampleTable
```
## 策略模板表
下表列出了可用的策略模板。
****
| 策略模板 | 说明 |
| --- | --- |
| [AcmGetCertificatePolicy](serverless-policy-template-list.md#acm-get-certificate-policy) | 授予读取证书的权限 Amazon Certificate Manager。 |
| [AMIDescribePolicy](serverless-policy-template-list.md#ami-describe-policy) | 授予描述 Amazon 机器映像的权限 (AMIs)。 |
| [AthenaQueryPolicy](serverless-policy-template-list.md#athena-query-policy) | 授予执行 Athena 查询的权限。 |
| [AWSSecretsManagerGetSecretValuePolicy](serverless-policy-template-list.md#secrets-manager-get-secret-value-policy) | 授予获取指定 Amazon Secrets Manager 密钥的密钥值的权限。 |
| [AWSSecretsManagerRotationPolicy](serverless-policy-template-list.md#secrets-manager-rotation-policy) | 授予在 Amazon Secrets Manager中轮换密钥的权限。 |
| [CloudFormationDescribeStacksPolicy](serverless-policy-template-list.md#cloud-formation-describe-stacks-policy) | 授予描述 Amazon CloudFormation 堆栈的权限。 |
| [CloudWatchDashboardPolicy](serverless-policy-template-list.md#cloudwatch-dashboard-policy) | 授予在 CloudWatch 仪表板上放置要操作的指标的权限。 |
| [CloudWatchDescribeAlarmHistoryPolicy](serverless-policy-template-list.md#cloudwatch-describe-alarm-history-policy) | 授予描述 CloudWatch 警报历史记录的权限。 |
| [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) | 授予向发送指标的权限 CloudWatch。 |
| [CodeCommitCrudPolicy](serverless-policy-template-list.md#codecommit-crud-policy) | 为特定 CodeCommit存储库中的create/read/update/delete对象授予权限。 |
| [CodeCommitReadPolicy](serverless-policy-template-list.md#codecommit-read-policy) | 授予读取特定 CodeCommit 存储库中对象的权限。 |
| [CodePipelineLambdaExecutionPolicy](serverless-policy-template-list.md#code-pipeline-lambda-execution-policy) | 允许调用的 Lambda 函数报告任务状态。 CodePipeline |
| [CodePipelineReadOnlyPolicy](serverless-policy-template-list.md#code-pipeline-readonly-policy) | 授予读取权限以获取有关 CodePipeline 管道的详细信息。 |
| [ComprehendBasicAccessPolicy](serverless-policy-template-list.md#comprehend-basic-access-policy) | 授予检测实体、关键短语、语言和情绪的权限。 |
| [CostExplorerReadOnlyPolicy](serverless-policy-template-list.md#cost-explorer-readonly-policy) | 向只读的 Cost Explorer 授予账单历史记录 APIs 的只读权限。 |
| [DynamoDBBackupFullAccessPolicy](serverless-policy-template-list.md#ddb-back-full-policy) | 授予对表进行 DynamoDB 按需备份的读和写权限。 |
| [DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy) | 授予对 Amazon DynamoDB 表的创建、读取、更新和删除权限。 |
| [DynamoDBReadPolicy](serverless-policy-template-list.md#dynamo-db-read-policy) | 授予对 DynamoDB 表的只读权限。 |
| [DynamoDBReconfigurePolicy](serverless-policy-template-list.md#dynamo-db-reconfigure-policy) | 授予重新配置 DynamoDB 表的权限。 |
| [DynamoDBRestoreFromBackupPolicy](serverless-policy-template-list.md#ddb-restore-from-backup-policy) | 授予从备份还原 DynamoDB 表的权限。 |
| [DynamoDBStreamReadPolicy](serverless-policy-template-list.md#dynamo-db-stream-read-policy) | 授予描述和读取 DynamoDB 流和记录的权限。 |
| [DynamoDBWritePolicy](serverless-policy-template-list.md#dynamo-db-write-policy) | 授予对 DynamoDB 表的只写权限。 |
| [EC2CopyImagePolicy](serverless-policy-template-list.md#ec2-copy-image-policy) | 授予复制 Amazon EC2 映像的权限。 |
| [EC2DescribePolicy](serverless-policy-template-list.md#ec2-describe-policy) | 授予描述 Amazon Elastic Compute Cloud (Amazon EC2) 实例的权限。 |
| [EcsRunTaskPolicy](serverless-policy-template-list.md#ecs-run-task-policy) | 授予根据任务定义启动新任务的权限。 |
| [EFSWriteAccessPolicy](serverless-policy-template-list.md#efs-write-access-policy) | 授予挂载具有写入访问权限的 Amazon EFS 文件系统的权限。 |
| [EKSDescribePolicy](serverless-policy-template-list.md#eks-describe-policy) | 授予描述或列出 Amazon EKS 集群的权限。 |
| [ElasticMapReduceAddJobFlowStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-add-job-flows-policy) | 授予将新步骤添加到运行的集群中的权限。 |
| [ElasticMapReduceCancelStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-cancel-steps-policy) | 授予取消正在运行中的集群中的一个或多个待处理步骤的权限。 |
| [ElasticMapReduceModifyInstanceFleetPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-fleet-policy) | 授予列出集群内实例集的详细信息和修改这些实例集的容量的权限。 |
| [ElasticMapReduceModifyInstanceGroupsPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-groups-policy) | 授予列出集群内实例组的详细信息和修改这些实例组的设置的权限。 |
| [ElasticMapReduceSetTerminationProtectionPolicy](serverless-policy-template-list.md#elastic-map-reduce-set-termination-protection-policy) | 授予为集群设置终止保护的权限。 |
| [ElasticMapReduceTerminateJobFlowsPolicy](serverless-policy-template-list.md#elastic-map-reduce-terminate-job-flows-policy) | 授予关闭集群的权限。 |
| [ElasticsearchHttpPostPolicy](serverless-policy-template-list.md#elastic-search-http-post-policy) | 向 Amazon OpenSearch 服务授予 POST 权限。 |
| [EventBridgePutEventsPolicy](serverless-policy-template-list.md#eventbridge-put-events-policy) | 授予向发送事件的权限 EventBridge。 |
| [FilterLogEventsPolicy](serverless-policy-template-list.md#filter-log-events-policy) | 授予筛选指定 CloudWatch 日志组中的日志事件的权限。 |
| [FirehoseCrudPolicy](serverless-policy-template-list.md#firehose-crud-policy) | 授予创建、写入、更新和删除 Firehose 传输流的权限。 |
| [FirehoseWritePolicy](serverless-policy-template-list.md#firehose-write-policy) | 授予写入 Firehose 传输流的权限。 |
| [KinesisCrudPolicy](serverless-policy-template-list.md#kinesis-crud-policy) | 授予创建、发布和删除 Amazon Kinesis 流的权限。 |
| [KinesisStreamReadPolicy](serverless-policy-template-list.md#kinesis-stream-read-policy) | 授予列出和读取 Amazon Kinesis 流的权限。 |
| [KMSDecryptPolicy](serverless-policy-template-list.md#kms-decrypt-policy) | 授予使用 Amazon Key Management Service (Amazon KMS) 密钥解密的权限。 |
| [KMSEncryptPolicy](serverless-policy-template-list.md#kms-encrypt-policy) | 允许使用 Amazon Key Management Service (Amazon KMS) 密钥进行加密。 |
| [LambdaInvokePolicy](serverless-policy-template-list.md#lambda-invoke-policy) | 授予调用 Amazon Lambda 函数、别名或版本的权限。 |
| [MobileAnalyticsWriteOnlyAccessPolicy](serverless-policy-template-list.md#mobile-analytics-write-only-access-policy) | 授予对所有应用程序资源放置事件数据的只写权限。 |
| [OrganizationsListAccountsPolicy](serverless-policy-template-list.md#organizations-list-accounts-policy) | 授予列出子女账户名称的只读权限,以及 IDs. |
| [PinpointEndpointAccessPolicy](serverless-policy-template-list.md#pinpoint-endpoint-access-policy) | 授予为 Amazon Pinpoint 应用程序获取并更新端点的权限。 |
| [PollyFullAccessPolicy](serverless-policy-template-list.md#polly-full-access-policy) | 授予对 Amazon Polly 词典资源的完全访问权限。 |
| [RekognitionDetectOnlyPolicy](serverless-policy-template-list.md#rekognition-detect-only-policy) | 授予检测人脸、标签和文本的权限。 |
| [RekognitionFacesManagementPolicy](serverless-policy-template-list.md#rekognition-face-management-policy) | 授予在 Amazon Rekognition 集合中添加、删除和搜索人脸的权限。 |
| [RekognitionFacesPolicy](serverless-policy-template-list.md#rekognition-faces-policy) | 授予比较并检测面部和标签的权限。 |
| [RekognitionLabelsPolicy](serverless-policy-template-list.md#rekognition-labels-policy) | 授予检测对象和审核标签的权限。 |
| [RekognitionNoDataAccessPolicy](serverless-policy-template-list.md#rekognition-no-data-access-policy) | 授予比较并检测面部和标签的权限。 |
| [RekognitionReadPolicy](serverless-policy-template-list.md#rekognition-read-policy) | 授予列出和搜索人脸的权限。 |
| [RekognitionWriteOnlyAccessPolicy](serverless-policy-template-list.md#rekognition-write-only-access-policy) | 授予创建集合和为人脸编制索引的权限。 |
| [Route53ChangeResourceRecordSetsPolicy](serverless-policy-template-list.md#route53-change-resource-record-sets-policy) | 授予更改 Route 53 中的资源记录集的权限。 |
| [S3CrudPolicy](serverless-policy-template-list.md#s3-crud-policy) | 授予创建、读取、更新和删除权限,以便对 Amazon S3 存储桶中的对象执行操作。 |
| [S3FullAccessPolicy](serverless-policy-template-list.md#s3-full-access-policy) | 授予完全访问权限,以便对 Amazon S3 存储桶中的对象执行操作。 |
| [S3ReadPolicy](serverless-policy-template-list.md#s3-read-policy) | 授予读取 Amazon Simple Storage Service (Amazon S3) 存储桶中的对象的只读权限。 |
| [S3WritePolicy](serverless-policy-template-list.md#s3-write-policy) | 授予将对象写入到 Amazon S3 存储桶的写入权限。 |
| [SageMakerCreateEndpointConfigPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-config-policy) | 授予在 SageMaker AI 中创建终端节点配置的权限。 |
| [SageMakerCreateEndpointPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-policy) | 授予在 SageMaker AI 中创建终端节点的权限。 |
| [ServerlessRepoReadWriteAccessPolicy](serverless-policy-template-list.md#serverlessrepo-read-write-access-policy) | 授予在 Amazon Serverless Application Repository 服务中创建和列出应用程序的权限。 |
| [SESBulkTemplatedCrudPolicy](serverless-policy-template-list.md#ses-bulk-templated-crud-policy) | 授予发送电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。 |
| [SESBulkTemplatedCrudPolicy\$1v2](serverless-policy-template-list.md#ses-bulk-templated-crud-policy-v2) | 授予发送 Amazon SES 电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。 |
| [SESCrudPolicy](serverless-policy-template-list.md#ses-crud-policy) | 授予发送电子邮件和验证身份的权限。 |
| [SESEmailTemplateCrudPolicy](serverless-policy-template-list.md#ses-email-template-crud-policy) | 授予创建、获取、列出、更新和删除 Amazon SES 电子邮件模板的权限。 |
| [SESSendBouncePolicy](serverless-policy-template-list.md#ses-send-bounce-policy) | SendBounce 授予亚马逊简单电子邮件服务 (Amazon SES) Service 身份的权限。 |
| [SNSCrudPolicy](serverless-policy-template-list.md#sns-crud-policy) | 授予创建、发布和订阅 Amazon SNS 主题的权限。 |
| [SNSPublishMessagePolicy](serverless-policy-template-list.md#sqs-publish-message-policy) | 授予将消息发布到 Amazon Simple Notification Service (Amazon SNS)主题的权限。 |
| [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) | 授予轮询 Amazon Simple Queue Service (Amazon SQS) 队列的权限。 |
| [SQSSendMessagePolicy](serverless-policy-template-list.md#sqs-send-message-policy) | 授予向 Amazon SQS 队列发送消息的权限。 |
| [SSMParameterReadPolicy](serverless-policy-template-list.md#ssm-parameter-read-policy) | 授予访问来自 Amazon EC2 Systems Manager (SSM) Parameter Store 的参数的权限,以便在此账户中加载密钥。在参数名称不包含斜杠前缀时使用。 |
| [SSMParameterWithSlashPrefixReadPolicy](serverless-policy-template-list.md#ssm-parameter-slash-read-policy) | 授予访问来自 Amazon EC2 Systems Manager (SSM) Parameter Store 的参数的权限,以便在此账户中加载密钥。在参数名称包含斜杠前缀时使用。 |
| [StepFunctionsExecutionPolicy](serverless-policy-template-list.md#stepfunctions-execution-policy) | 授予开始执行 Step Functions 状态机的权限。 |
| [TextractDetectAnalyzePolicy](serverless-policy-template-list.md#textract-detect-analyze-policy) | 授予使用 Amazon Textract 检测和分析文档的权限。 |
| [TextractGetResultPolicy](serverless-policy-template-list.md#textract-get-result-policy) | 授予从 Amazon Textract 中获取检测到和分析过的文档的权限。 |
| [TextractPolicy](serverless-policy-template-list.md#textract-policy) | 授予对 Amazon Textract 的完全访问权限。 |
| [VPCAccessPolicy](serverless-policy-template-list.md#vpc-access-policy) | 授予访问权限以创建、删除、描述和分离弹性网络接口。 |
## 问题排查
### SAM CLI 错误:“必须为策略模板'< policy-template-name >'指定有效的参数值”
执行 `sam build` 时,您会看到以下错误:
```
"Must specify valid parameter values for policy template ''"
```
这意味着您在声明没有任何占位符值的策略模板时没有传递空对象。
要解决此问题,请如以下示例所示声明策略:[CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy)。
```
1. MyFunction:
2. Policies:
3. - CloudWatchPutMetricPolicy: {}
```
# Amazon SAM 策略模板列表
以下是可用的策略模板以及应用于每个模板的权限。 Amazon Serverless Application Model (Amazon SAM) 会自动使用相应信息填充占位符项目(例如 Amazon 区域和账户 ID)。
**Topics**
+ [
## AcmGetCertificatePolicy
](#acm-get-certificate-policy)
+ [
## AMIDescribePolicy
](#ami-describe-policy)
+ [
## AthenaQueryPolicy
](#athena-query-policy)
+ [
## AWSSecretsManagerGetSecretValuePolicy
](#secrets-manager-get-secret-value-policy)
+ [
## AWSSecretsManagerRotationPolicy
](#secrets-manager-rotation-policy)
+ [
## CloudFormationDescribeStacksPolicy
](#cloud-formation-describe-stacks-policy)
+ [
## CloudWatchDashboardPolicy
](#cloudwatch-dashboard-policy)
+ [
## CloudWatchDescribeAlarmHistoryPolicy
](#cloudwatch-describe-alarm-history-policy)
+ [
## CloudWatchPutMetricPolicy
](#cloudwatch-put-metric-policy)
+ [
## CodePipelineLambdaExecutionPolicy
](#code-pipeline-lambda-execution-policy)
+ [
## CodePipelineReadOnlyPolicy
](#code-pipeline-readonly-policy)
+ [
## CodeCommitCrudPolicy
](#codecommit-crud-policy)
+ [
## CodeCommitReadPolicy
](#codecommit-read-policy)
+ [
## ComprehendBasicAccessPolicy
](#comprehend-basic-access-policy)
+ [
## CostExplorerReadOnlyPolicy
](#cost-explorer-readonly-policy)
+ [
## DynamoDBBackupFullAccessPolicy
](#ddb-back-full-policy)
+ [
## DynamoDBCrudPolicy
](#dynamo-db-crud-policy)
+ [
## DynamoDBReadPolicy
](#dynamo-db-read-policy)
+ [
## DynamoDBReconfigurePolicy
](#dynamo-db-reconfigure-policy)
+ [
## DynamoDBRestoreFromBackupPolicy
](#ddb-restore-from-backup-policy)
+ [
## DynamoDBStreamReadPolicy
](#dynamo-db-stream-read-policy)
+ [
## DynamoDBWritePolicy
](#dynamo-db-write-policy)
+ [
## EC2CopyImagePolicy
](#ec2-copy-image-policy)
+ [
## EC2DescribePolicy
](#ec2-describe-policy)
+ [
## EcsRunTaskPolicy
](#ecs-run-task-policy)
+ [
## EFSWriteAccessPolicy
](#efs-write-access-policy)
+ [
## EKSDescribePolicy
](#eks-describe-policy)
+ [
## ElasticMapReduceAddJobFlowStepsPolicy
](#elastic-map-reduce-add-job-flows-policy)
+ [
## ElasticMapReduceCancelStepsPolicy
](#elastic-map-reduce-cancel-steps-policy)
+ [
## ElasticMapReduceModifyInstanceFleetPolicy
](#elastic-map-reduce-modify-instance-fleet-policy)
+ [
## ElasticMapReduceModifyInstanceGroupsPolicy
](#elastic-map-reduce-modify-instance-groups-policy)
+ [
## ElasticMapReduceSetTerminationProtectionPolicy
](#elastic-map-reduce-set-termination-protection-policy)
+ [
## ElasticMapReduceTerminateJobFlowsPolicy
](#elastic-map-reduce-terminate-job-flows-policy)
+ [
## ElasticsearchHttpPostPolicy
](#elastic-search-http-post-policy)
+ [
## EventBridgePutEventsPolicy
](#eventbridge-put-events-policy)
+ [
## FilterLogEventsPolicy
](#filter-log-events-policy)
+ [
## FirehoseCrudPolicy
](#firehose-crud-policy)
+ [
## FirehoseWritePolicy
](#firehose-write-policy)
+ [
## KinesisCrudPolicy
](#kinesis-crud-policy)
+ [
## KinesisStreamReadPolicy
](#kinesis-stream-read-policy)
+ [
## KMSDecryptPolicy
](#kms-decrypt-policy)
+ [
## KMSEncryptPolicy
](#kms-encrypt-policy)
+ [
## LambdaInvokePolicy
](#lambda-invoke-policy)
+ [
## MobileAnalyticsWriteOnlyAccessPolicy
](#mobile-analytics-write-only-access-policy)
+ [
## OrganizationsListAccountsPolicy
](#organizations-list-accounts-policy)
+ [
## PinpointEndpointAccessPolicy
](#pinpoint-endpoint-access-policy)
+ [
## PollyFullAccessPolicy
](#polly-full-access-policy)
+ [
## RekognitionDetectOnlyPolicy
](#rekognition-detect-only-policy)
+ [
## RekognitionFacesManagementPolicy
](#rekognition-face-management-policy)
+ [
## RekognitionFacesPolicy
](#rekognition-faces-policy)
+ [
## RekognitionLabelsPolicy
](#rekognition-labels-policy)
+ [
## RekognitionNoDataAccessPolicy
](#rekognition-no-data-access-policy)
+ [
## RekognitionReadPolicy
](#rekognition-read-policy)
+ [
## RekognitionWriteOnlyAccessPolicy
](#rekognition-write-only-access-policy)
+ [
## Route53ChangeResourceRecordSetsPolicy
](#route53-change-resource-record-sets-policy)
+ [
## S3CrudPolicy
](#s3-crud-policy)
+ [
## S3FullAccessPolicy
](#s3-full-access-policy)
+ [
## S3ReadPolicy
](#s3-read-policy)
+ [
## S3WritePolicy
](#s3-write-policy)
+ [
## SageMakerCreateEndpointConfigPolicy
](#sagemaker-create-endpoint-config-policy)
+ [
## SageMakerCreateEndpointPolicy
](#sagemaker-create-endpoint-policy)
+ [
## ServerlessRepoReadWriteAccessPolicy
](#serverlessrepo-read-write-access-policy)
+ [
## SESBulkTemplatedCrudPolicy
](#ses-bulk-templated-crud-policy)
+ [
## SESBulkTemplatedCrudPolicy\$1v2
](#ses-bulk-templated-crud-policy-v2)
+ [
## SESCrudPolicy
](#ses-crud-policy)
+ [
## SESEmailTemplateCrudPolicy
](#ses-email-template-crud-policy)
+ [
## SESSendBouncePolicy
](#ses-send-bounce-policy)
+ [
## SNSCrudPolicy
](#sns-crud-policy)
+ [
## SNSPublishMessagePolicy
](#sqs-publish-message-policy)
+ [
## SQSPollerPolicy
](#sqs-poller-policy)
+ [
## SQSSendMessagePolicy
](#sqs-send-message-policy)
+ [
## SSMParameterReadPolicy
](#ssm-parameter-read-policy)
+ [
## SSMParameterWithSlashPrefixReadPolicy
](#ssm-parameter-slash-read-policy)
+ [
## StepFunctionsExecutionPolicy
](#stepfunctions-execution-policy)
+ [
## TextractDetectAnalyzePolicy
](#textract-detect-analyze-policy)
+ [
## TextractGetResultPolicy
](#textract-get-result-policy)
+ [
## TextractPolicy
](#textract-policy)
+ [
## VPCAccessPolicy
](#vpc-access-policy)
## AcmGetCertificatePolicy
授予读取证书的权限 Amazon Certificate Manager。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:GetCertificate"
],
"Resource": {
"Fn::Sub": [
"${certificateArn}",
{
"certificateArn": {
"Ref": "CertificateArn"
}
}
]
}
}
]
```
## AMIDescribePolicy
授予描述 Amazon 机器映像的权限 (AMIs)。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages"
],
"Resource": "*"
}
]
```
## AthenaQueryPolicy
授予执行 Athena 查询的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"athena:ListWorkGroups",
"athena:GetExecutionEngine",
"athena:GetExecutionEngines",
"athena:GetNamespace",
"athena:GetCatalogs",
"athena:GetNamespaces",
"athena:GetTables",
"athena:GetTable"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:DeleteNamedQuery",
"athena:GetNamedQuery",
"athena:ListQueryExecutions",
"athena:StopQueryExecution",
"athena:GetQueryResultsStream",
"athena:ListNamedQueries",
"athena:CreateNamedQuery",
"athena:GetQueryExecution",
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution",
"athena:GetWorkGroup"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
{
"workgroupName": {
"Ref": "WorkGroupName"
}
}
]
}
}
]
```
## AWSSecretsManagerGetSecretValuePolicy
授予获取指定 Amazon Secrets Manager 密钥的密钥值的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": {
"Fn::Sub": [
"${secretArn}",
{
"secretArn": {
"Ref": "SecretArn"
}
}
]
}
}
]
```
## AWSSecretsManagerRotationPolicy
授予在 Amazon Secrets Manager中轮换密钥的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
},
"Condition": {
"StringEquals": {
"secretsmanager:resource/AllowRotationLambdaArn": {
"Fn::Sub": [
"arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
{
"functionName": {
"Ref": "FunctionName"
}
}
]
}
}
}
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword"
],
"Resource": "*"
}
]
```
## CloudFormationDescribeStacksPolicy
授予描述 Amazon CloudFormation 堆栈的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
}
}
]
```
## CloudWatchDashboardPolicy
授予在 CloudWatch 仪表板上放置要操作的指标的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:PutDashboard",
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
```
## CloudWatchDescribeAlarmHistoryPolicy
授予描述亚马逊 CloudWatch 警报历史记录的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarmHistory"
],
"Resource": "*"
}
]
```
## CloudWatchPutMetricPolicy
授予向发送指标的权限 CloudWatch。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
}
]
```
## CodePipelineLambdaExecutionPolicy
允许调用的 Lambda 函数报告任务状态。 Amazon CodePipeline
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:PutJobSuccessResult",
"codepipeline:PutJobFailureResult"
],
"Resource": "*"
}
]
```
## CodePipelineReadOnlyPolicy
授予读取权限以获取有关 CodePipeline 管道的详细信息。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:ListPipelineExecutions"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}",
{
"pipelinename": {
"Ref": "PipelineName"
}
}
]
}
}
]
```
## CodeCommitCrudPolicy
授予在特定 CodeCommit存储库中创建、读取、更新和删除对象的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GitPush",
"codecommit:CreateBranch",
"codecommit:DeleteBranch",
"codecommit:GetBranch",
"codecommit:ListBranches",
"codecommit:MergeBranchesByFastForward",
"codecommit:MergeBranchesBySquash",
"codecommit:MergeBranchesByThreeWay",
"codecommit:UpdateDefaultBranch",
"codecommit:BatchDescribeMergeConflicts",
"codecommit:CreateUnreferencedMergeCommit",
"codecommit:DescribeMergeConflicts",
"codecommit:GetMergeCommit",
"codecommit:GetMergeOptions",
"codecommit:BatchGetPullRequests",
"codecommit:CreatePullRequest",
"codecommit:DescribePullRequestEvents",
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommitsFromMergeBase",
"codecommit:GetMergeConflicts",
"codecommit:GetPullRequest",
"codecommit:ListPullRequests",
"codecommit:MergePullRequestByFastForward",
"codecommit:MergePullRequestBySquash",
"codecommit:MergePullRequestByThreeWay",
"codecommit:PostCommentForPullRequest",
"codecommit:UpdatePullRequestDescription",
"codecommit:UpdatePullRequestStatus",
"codecommit:UpdatePullRequestTitle",
"codecommit:DeleteFile",
"codecommit:GetBlob",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:PutFile",
"codecommit:DeleteCommentContent",
"codecommit:GetComment",
"codecommit:GetCommentsForComparedCommit",
"codecommit:PostCommentForComparedCommit",
"codecommit:PostCommentReply",
"codecommit:UpdateComment",
"codecommit:BatchGetCommits",
"codecommit:CreateCommit",
"codecommit:GetCommit",
"codecommit:GetCommitHistory",
"codecommit:GetDifferences",
"codecommit:GetObjectIdentifier",
"codecommit:GetReferences",
"codecommit:GetTree",
"codecommit:GetRepository",
"codecommit:UpdateRepositoryDescription",
"codecommit:ListTagsForResource",
"codecommit:TagResource",
"codecommit:UntagResource",
"codecommit:GetRepositoryTriggers",
"codecommit:PutRepositoryTriggers",
"codecommit:TestRepositoryTriggers",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:UploadArchive",
"codecommit:GetUploadArchiveStatus",
"codecommit:CancelUploadArchive"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
{
"repositoryName": {
"Ref": "RepositoryName"
}
}
]
}
}
]
```
## CodeCommitReadPolicy
授予读取特定 CodeCommit 存储库中对象的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GetBranch",
"codecommit:ListBranches",
"codecommit:BatchDescribeMergeConflicts",
"codecommit:DescribeMergeConflicts",
"codecommit:GetMergeCommit",
"codecommit:GetMergeOptions",
"codecommit:BatchGetPullRequests",
"codecommit:DescribePullRequestEvents",
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommitsFromMergeBase",
"codecommit:GetMergeConflicts",
"codecommit:GetPullRequest",
"codecommit:ListPullRequests",
"codecommit:GetBlob",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:GetComment",
"codecommit:GetCommentsForComparedCommit",
"codecommit:BatchGetCommits",
"codecommit:GetCommit",
"codecommit:GetCommitHistory",
"codecommit:GetDifferences",
"codecommit:GetObjectIdentifier",
"codecommit:GetReferences",
"codecommit:GetTree",
"codecommit:GetRepository",
"codecommit:ListTagsForResource",
"codecommit:GetRepositoryTriggers",
"codecommit:TestRepositoryTriggers",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
{
"repositoryName": {
"Ref": "RepositoryName"
}
}
]
}
}
]
```
## ComprehendBasicAccessPolicy
授予检测实体、关键短语、语言和情绪的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"comprehend:BatchDetectKeyPhrases",
"comprehend:DetectDominantLanguage",
"comprehend:DetectEntities",
"comprehend:BatchDetectEntities",
"comprehend:DetectKeyPhrases",
"comprehend:DetectSentiment",
"comprehend:BatchDetectDominantLanguage",
"comprehend:BatchDetectSentiment"
],
"Resource": "*"
}
]
```
## CostExplorerReadOnlyPolicy
向只读 Amazon Cost Explorer (Cost Explorer)授予账单历史记录 APIs 的只读权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetTags"
],
"Resource": "*"
}
]
```
## DynamoDBBackupFullAccessPolicy
授予对表进行 DynamoDB 按需备份的读和写权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:CreateBackup",
"dynamodb:DescribeContinuousBackups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteBackup",
"dynamodb:DescribeBackup",
"dynamodb:ListBackups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBCrudPolicy
授予对 Amazon DynamoDB 表的创建、读取、更新和删除权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ConditionCheckItem"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## DynamoDBReadPolicy
授予对 DynamoDB 表的只读权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## DynamoDBReconfigurePolicy
授予重新配置 DynamoDB 表的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateTable"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBRestoreFromBackupPolicy
授予从备份还原 DynamoDB 表的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:RestoreTableFromBackup"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBStreamReadPolicy
授予描述和读取 DynamoDB 流和记录的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}",
{
"tableName": {
"Ref": "TableName"
},
"streamName": {
"Ref": "StreamName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:ListStreams"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBWritePolicy
授予对 DynamoDB 表的只写权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## EC2CopyImagePolicy
允许复制 Amazon EC2 图片。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CopyImage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
{
"imageId": {
"Ref": "ImageId"
}
}
]
}
}
]
```
## EC2DescribePolicy
允许描述亚马逊弹性计算云 (Amazon EC2) 实例。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeInstances"
],
"Resource": "*"
}
]
```
## EcsRunTaskPolicy
授予根据任务定义启动新任务的权限。
```
"Statement": [
{
"Action": [
"ecs:RunTask"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}",
{
"taskDefinition": {
"Ref": "TaskDefinition"
}
}
]
},
"Effect": "Allow"
}
]
```
## EFSWriteAccessPolicy
授予挂载具有写入访问权限的 Amazon EFS 文件系统的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientWrite"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}",
{
"FileSystem": {
"Ref": "FileSystem"
}
}
]
},
"Condition": {
"StringEquals": {
"elasticfilesystem:AccessPointArn": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}",
{
"AccessPoint": {
"Ref": "AccessPoint"
}
}
]
}
}
}
}
]
```
## EKSDescribePolicy
授予描述或列出 Amazon Elastic Kubernetes Service (Amazon EKS) 集群的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
```
## ElasticMapReduceAddJobFlowStepsPolicy
授予将新步骤添加到运行的集群中的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:AddJobFlowSteps",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceCancelStepsPolicy
授予取消正在运行中的集群中的一个或多个待处理步骤的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:CancelSteps",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceModifyInstanceFleetPolicy
授予列出集群内实例集的详细信息和修改这些实例集的容量的权限。
```
"Statement": [
{
"Action": [
"elasticmapreduce:ModifyInstanceFleet",
"elasticmapreduce:ListInstanceFleets"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceModifyInstanceGroupsPolicy
授予列出集群内实例组的详细信息和修改这些实例组的设置的权限。
```
"Statement": [
{
"Action": [
"elasticmapreduce:ModifyInstanceGroups",
"elasticmapreduce:ListInstanceGroups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceSetTerminationProtectionPolicy
授予为集群设置终止保护的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:SetTerminationProtection",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceTerminateJobFlowsPolicy
授予关闭集群的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:TerminateJobFlows",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticsearchHttpPostPolicy
向 Amazon OpenSearch 服务授予 POST 和 PUT 权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*",
{
"domainName": {
"Ref": "DomainName"
}
}
]
}
}
]
```
## EventBridgePutEventsPolicy
授予向 Amazon 发送事件的权限 EventBridge。
```
"Statement": [
{
"Effect": "Allow",
"Action": "events:PutEvents",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}",
{
"eventBusName": {
"Ref": "EventBusName"
}
}
]
}
}
]
```
## FilterLogEventsPolicy
授予筛选指定 CloudWatch 日志组中的日志事件的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:FilterLogEvents"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*",
{
"logGroupName": {
"Ref": "LogGroupName"
}
}
]
}
}
]
```
## FirehoseCrudPolicy
授予创建、写入、更新和删除 Firehose 传输流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"firehose:CreateDeliveryStream",
"firehose:DeleteDeliveryStream",
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
"firehose:UpdateDestination"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
{
"deliveryStreamName": {
"Ref": "DeliveryStreamName"
}
}
]
}
}
]
```
## FirehoseWritePolicy
授予写入 Firehose 传输流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
{
"deliveryStreamName": {
"Ref": "DeliveryStreamName"
}
}
]
}
}
]
```
## KinesisCrudPolicy
授予创建、发布和删除 Amazon Kinesis 流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:AddTagsToStream",
"kinesis:CreateStream",
"kinesis:DecreaseStreamRetentionPeriod",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetShardIterator",
"kinesis:IncreaseStreamRetentionPeriod",
"kinesis:ListTagsForStream",
"kinesis:MergeShards",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:SplitShard",
"kinesis:RemoveTagsFromStream"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
{
"streamName": {
"Ref": "StreamName"
}
}
]
}
}
]
```
## KinesisStreamReadPolicy
授予列出和读取 Amazon Kinesis 流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:DescribeLimits"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
}
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
{
"streamName": {
"Ref": "StreamName"
}
}
]
}
}
]
```
## KMSDecryptPolicy
授予使用 Amazon Key Management Service (Amazon KMS) 密钥解密的权限。请注意,`keyId`必须是 Amazon KMS 密钥 ID,而不是密钥别名。
```
"Statement": [
{
"Action": "kms:Decrypt",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
```
## KMSEncryptPolicy
允许使用密 Amazon KMS 钥进行加密。请注意,keyID 必须是 Amazon KMS 密钥 ID,而不是密钥别名。
```
"Statement": [
{
"Action": "kms:Encrypt",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
```
## LambdaInvokePolicy
授予调用 Amazon Lambda 函数、别名或版本的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
{
"functionName": {
"Ref": "FunctionName"
}
}
]
}
}
]
```
## MobileAnalyticsWriteOnlyAccessPolicy
授予对所有应用程序资源放置事件数据的只写权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents"
],
"Resource": "*"
}
]
```
## OrganizationsListAccountsPolicy
授予列出子女账户名称的只读权限,以及 IDs.
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": "*"
}
]
```
## PinpointEndpointAccessPolicy
授予为 Amazon Pinpoint 应用程序获取并更新端点的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobiletargeting:GetEndpoint",
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:UpdateEndpointsBatch"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
{
"pinpointApplicationId": {
"Ref": "PinpointApplicationId"
}
}
]
}
}
]
```
## PollyFullAccessPolicy
授予对 Amazon Polly 词典资源的完全访问权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"polly:GetLexicon",
"polly:DeleteLexicon"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
{
"lexiconName": {
"Ref": "LexiconName"
}
}
]
}
]
},
{
"Effect": "Allow",
"Action": [
"polly:DescribeVoices",
"polly:ListLexicons",
"polly:PutLexicon",
"polly:SynthesizeSpeech"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
}
]
}
]
```
## RekognitionDetectOnlyPolicy
授予检测人脸、标签和文本的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels",
"rekognition:DetectText"
],
"Resource": "*"
}
]
```
## RekognitionFacesManagementPolicy
授予在 Amazon Rekognition 集合中添加、删除和搜索人脸的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:IndexFaces",
"rekognition:DeleteFaces",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage",
"rekognition:ListFaces"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionFacesPolicy
授予比较并检测面部和标签的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CompareFaces",
"rekognition:DetectFaces"
],
"Resource": "*"
}
]
```
## RekognitionLabelsPolicy
授予检测对象和审核标签的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels"
],
"Resource": "*"
}
]
```
## RekognitionNoDataAccessPolicy
授予比较并检测面部和标签的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CompareFaces",
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionReadPolicy
授予列出和搜索人脸的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:ListCollections",
"rekognition:ListFaces",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionWriteOnlyAccessPolicy
授予创建集合和为人脸编制索引的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CreateCollection",
"rekognition:IndexFaces"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## Route53ChangeResourceRecordSetsPolicy
授予更改 Route 53 中的资源记录集的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}",
{
"HostedZoneId": {
"Ref": "HostedZoneId"
}
}
]
}
}
]
```
## S3CrudPolicy
授予创建、读取、更新和删除权限,以便对 Amazon S3 存储桶中的对象执行操作。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:DeleteObject"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3FullAccessPolicy
授予完全访问权限,以便对 Amazon S3 存储桶中的对象执行操作。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetObjectTagging",
"s3:GetObjectVersionTagging",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3ReadPolicy
授予读取 Amazon Simple Storage Service (Amazon S3) 存储桶中的对象的只读权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:GetLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3WritePolicy
授予将对象写入到 Amazon S3 存储桶的写入权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## SageMakerCreateEndpointConfigPolicy
授予在 SageMaker AI 中创建终端节点配置的权限。
```
"Statement": [
{
"Action": [
"sagemaker:CreateEndpointConfig"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}",
{
"endpointConfigName": {
"Ref": "EndpointConfigName"
}
}
]
},
"Effect": "Allow"
}
]
```
## SageMakerCreateEndpointPolicy
授予在 SageMaker AI 中创建终端节点的权限。
```
"Statement": [
{
"Action": [
"sagemaker:CreateEndpoint"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}",
{
"endpointName": {
"Ref": "EndpointName"
}
}
]
},
"Effect": "Allow"
}
]
```
## ServerlessRepoReadWriteAccessPolicy
授予在 Amazon Serverless Application Repository (Amazon SAM) 服务中创建和列出应用程序的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"serverlessrepo:CreateApplication",
"serverlessrepo:CreateApplicationVersion",
"serverlessrepo:GetApplication",
"serverlessrepo:ListApplications",
"serverlessrepo:ListApplicationVersions"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
}
]
}
]
```
## SESBulkTemplatedCrudPolicy
授予发送 Amazon SES 电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。
**注意**
`ses:SendTemplatedEmail` 操作需要模板 ARN。请改用 `SESBulkTemplatedCrudPolicy_v2`。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:SendEmail",
"ses:SendRawEmail",
"ses:SendTemplatedEmail",
"ses:SendBulkTemplatedEmail",
"ses:VerifyEmailIdentity"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SESBulkTemplatedCrudPolicy\$1v2
授予发送 Amazon SES 电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。
```
"Statement": [
{
"Action": [
"ses:SendEmail",
"ses:SendRawEmail",
"ses:SendTemplatedEmail",
"ses:SendBulkTemplatedEmail"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:template/${templateName}",
{
"templateName": {
"Ref": "TemplateName"
}
}
]
}
]
},
{
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:VerifyEmailIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
```
## SESCrudPolicy
授予发送电子邮件和验证身份的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:SendEmail",
"ses:SendRawEmail",
"ses:VerifyEmailIdentity"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SESEmailTemplateCrudPolicy
授予创建、获取、列出、更新和删除 Amazon SES 电子邮件模板的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:CreateTemplate",
"ses:GetTemplate",
"ses:ListTemplates",
"ses:UpdateTemplate",
"ses:DeleteTemplate",
"ses:TestRenderTemplate"
],
"Resource": "*"
}
]
```
## SESSendBouncePolicy
SendBounce 授予亚马逊简单电子邮件服务 (Amazon SES) Service 身份的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendBounce"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SNSCrudPolicy
授予创建、发布和订阅 Amazon SNS 主题的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:ListSubscriptionsByTopic",
"sns:CreateTopic",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Publish"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
{
"topicName": {
"Ref": "TopicName"
}
}
]
}
}
]
```
## SNSPublishMessagePolicy
授予将消息发布到 Amazon Simple Notification Service (Amazon SNS)主题的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
{
"topicName": {
"Ref": "TopicName"
}
}
]
}
}
]
```
## SQSPollerPolicy
授予轮询 Amazon Simple Queue Service (Amazon SQS) 队列的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
{
"queueName": {
"Ref": "QueueName"
}
}
]
}
}
]
```
## SQSSendMessagePolicy
授予向 Amazon SQS 队列发送消息的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:SendMessage*"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
{
"queueName": {
"Ref": "QueueName"
}
}
]
}
}
]
```
## SSMParameterReadPolicy
授予访问来自 Amazon S EC2 ystems Manager (SSM) 参数存储库的参数的权限,以便在此账户中加载密钥。在参数名称不包含斜杠前缀时使用。
**注意**
如果没有使用默认密钥,则还需要 `KMSDecryptPolicy` 策略。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
}
]
```
## SSMParameterWithSlashPrefixReadPolicy
授予访问来自 Amazon S EC2 ystems Manager (SSM) 参数存储库的参数的权限,以便在此账户中加载密钥。在参数名称包含斜杠前缀时使用。
**注意**
如果没有使用默认密钥,则还需要 `KMSDecryptPolicy` 策略。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
}
]
```
## StepFunctionsExecutionPolicy
授予开始执行 Step Functions 状态机的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
{
"stateMachineName": {
"Ref": "StateMachineName"
}
}
]
}
}
]
```
## TextractDetectAnalyzePolicy
授予使用 Amazon Textract 检测和分析文档的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:DetectDocumentText",
"textract:StartDocumentTextDetection",
"textract:StartDocumentAnalysis",
"textract:AnalyzeDocument"
],
"Resource": "*"
}
]
```
## TextractGetResultPolicy
授予从 Amazon Textract 中获取检测到和分析过的文档的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:GetDocumentTextDetection",
"textract:GetDocumentAnalysis"
],
"Resource": "*"
}
]
```
## TextractPolicy
授予对 Amazon Textract 的完全访问权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:*"
],
"Resource": "*"
}
]
```
## VPCAccessPolicy
授予访问权限以创建、删除、描述和分离弹性网络接口。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface"
],
"Resource": "*"
}
]
```
# 使用 Amazon CloudFormation 机制管理 Amazon SAM 权限
要控制对 Amazon 资源的访问权限, Amazon Serverless Application Model (Amazon SAM) 可以使用与相同的机制 Amazon CloudFormation。有关更多信息,请参阅《*Amazon CloudFormation 用户指南*》中的[使用 Amazon Identity and Access Management进行访问控制](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-iam-template.html)。
有三个选项可用于向用户授予管理无服务器应用程序的权限。每个选项可为用户提供不同级别的访问控制。
+ 授予管理员权限。
+ 附加必要的 Amazon 托管策略。
+ 授予特定 Amazon Identity and Access Management (IAM) 权限。
根据您选择的选项,用户只能管理包含他们有权访问的 Amazon 资源的无服务器应用程序。
以下部分详细介绍了每个选项。
## 授予管理员权限
如果您向用户授予管理员权限,则他们可以管理包含任意 Amazon 资源组合的无服务器应用程序。这是最简单的选项,但也会向用户授予最广泛的权限,使得他们能够执行具有巨大影响的操作。
有关向用户授予管理员权限的详细信息,请参阅 *IAM 用户指南*中的[创建您的第一个 IAM 管理员用户和组](https://docs.amazonaws.cn/IAM/latest/UserGuide/getting-started_create-admin-group.html)。
## 附加必要的 Amazon 托管策略
您可以使用 [Amazon 托管策略](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)向用户授予部分权限,而不是授予完全管理员权限。如果使用此选项,请确保 Amazon 托管策略集涵盖用户管理的无服务器应用程序所需的所有操作和资源。
例如,以下 Amazon 托管策略足以[部署示例 Hello World 应用程序](serverless-getting-started-hello-world.md):
+ AWSCloudFormationFullAccess
+ IAMFull访问权限
+ AWSLambda\$1FullAccess
+ 亚马逊APIGateway管理员
+ 亚马逊 3 FullAccess
+ Amazon EC2 ContainerRegistryFullAccess
有关附加策略到 IAM 用户的信息,请参阅*《IAM 用户指南》*中的[更改 IAM 用户的权限](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users_change-permissions.html)。
## 授予特定的 IAM 权限
要实现最精细级别的访问控制,您可以使用[策略声明](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_statement.html)向用户授予特定的 IAM 权限。如果使用此选项,请确保策略声明包含用户管理的无服务器应用程序所需的所有操作和资源。
使用此选项的最佳做法是,拒绝用户创建角色(包括 Lambda 执行角色)的权限,这样他们就无法向自己授予升级权限。因此,作为管理员,您必须先创建 [Lambda 执行角色](https://docs.amazonaws.cn/lambda/latest/dg/lambda-intro-execution-role.html)(该角色将在用户要管理的无服务器应用程序中指定)。有关创建 Lambda 执行角色的信息,请参阅[在 IAM 控制台中创建执行角色](https://docs.amazonaws.cn/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-console)。
对于[示例 Hello World 应用程序](serverless-getting-started-hello-world.md),足以运行该应用程序。**AWSLambdaBasicExecutionRole**创建 Lambda 执行角色后,修改示例 Hello World 应用程序的 Amazon SAM 模板文件,将以下属性添加到资源中`AWS::Serverless::Function`:
```
Role: lambda-execution-role-arn
```
修改后的 Hello World 应用程序准备就绪后,以下策略声明会向用户授予部署、更新和删除应用程序所需的足够权限:
**注意**
本节中的示例策略声明向您授予部署、更新和删除[示例 Hello World 应用程序](serverless-getting-started-hello-world.md)所需的足够权限。如果您向应用程序添加其他资源类型,则需要更新政策声明以包含以下内容:
应用程序调用服务操作所需的权限。
服务主体(如果对于服务操作是必需的)。
例如,如果您添加 Step Functions 工作流程,则可能需要添加[此处](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsstepfunctions.html#awsstepfunctions-actions-as-permissions)所列操作的权限以及 `states.amazonaws.com` 服务主体。
有关 IAM policy 的更多信息,请参阅 *IAM 用户指南*中的[管理 IAM policy](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage.html)。