Customer Managed Policy Examples - AWS Snowball

This guide is for the Snowball Edge. If you are looking for documentation for the Snowball, see the AWS Snowball User Guide.

Customer Managed Policy Examples

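This section contains example user policies that grant permissions for various AWS Snowball job management actions. These policies work when you use the AWS SDKs or the AWS CLI. When you use the console, you need to grant additional console-specific permissions, which are discussed in Permissions Required to Use the AWS Snowball Console.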

Note

All examples use the us-west-2 Region and fictitious account IDs.

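Example 1: Role Policy That Allows a User to Create a Job with the API

The following permissions policy is a necessary component of any policy that is used to grant job or cluster creation permission through the job management API. The user also needs some or all of the permissions specified in Permissions Required to Use the AWS Snowball Console, depending on the type of job created.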

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "importexport.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "AWSIE"
                }
            }
        }
    ]
}

Example 2: Role Policy for Creating Import Jobs

You can use the following role trust policy to create import jobs for Snowball Edge that use AWS Lambda powered by AWS Greengrass functions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "snowball:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeEndpoint",
                "iot:GetPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateCoreDefinition",
                "greengrass:CreateDeployment",
                "greengrass:CreateDeviceDefinition",
                "greengrass:CreateFunctionDefinition",
                "greengrass:CreateGroup",
                "greengrass:CreateGroupVersion",
                "greengrass:CreateLoggerDefinition",
                "greengrass:CreateSubscriptionDefinition",
                "greengrass:GetDeploymentStatus",
                "greengrass:UpdateGroupCertificateConfiguration",
                "greengrass:CreateGroupCertificateAuthority",
                "greengrass:GetGroupCertificateAuthority",
                "greengrass:ListGroupCertificateAuthorities",
                "greengrass:ListDeployments",
                "greengrass:GetGroup",
                "greengrass:GetGroupVersion",
                "greengrass:GetCoreDefinitionVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 3: Role Policy for Creating Export Jobs

You can use the following role trust policy to create export jobs for Snowball Edge that use AWS Lambda powered by AWS Greengrass functions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "snowball:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeEndpoint",
                "iot:GetPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateCoreDefinition",
                "greengrass:CreateDeployment",
                "greengrass:CreateDeviceDefinition",
                "greengrass:CreateFunctionDefinition",
                "greengrass:CreateGroup",
                "greengrass:CreateGroupVersion",
                "greengrass:CreateLoggerDefinition",
                "greengrass:CreateSubscriptionDefinition",
                "greengrass:GetDeploymentStatus",
                "greengrass:UpdateGroupCertificateConfiguration",
                "greengrass:CreateGroupCertificateAuthority",
                "greengrass:GetGroupCertificateAuthority",
                "greengrass:ListGroupCertificateAuthorities",
                "greengrass:ListDeployments",
                "greengrass:GetGroup",
                "greengrass:GetGroupVersion",
                "greengrass:GetCoreDefinitionVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
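Before attaching policies like Examples 1 through 3, it helps to review them for scope. The following added example (not part of the AWS documentation) classifies a policy document by whether its statements carry a Principal element and lists every wildcard in an Allow statement, so a reviewer can decide what to narrow. The function names are hypothetical, and the Example 3 document is excerpted to its first two statements.

```python
import json

# Excerpt of Example 3 from this page (IoT, Lambda and Greengrass statements omitted).
EXPORT_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow", "Action": ["snowball:*"], "Resource": ["*"]}
]}
""")

# Example 1 from this page.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "", "Effect": "Allow",
   "Principal": {"Service": "importexport.amazonaws.com"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "AWSIE"}}}
]}
""")

def as_list(value):
    """IAM accepts either a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_kind(policy):
    """Principal appears only in resource-based policies, such as a role's trust policy."""
    stmts = as_list(policy.get("Statement"))
    return "trust" if any("Principal" in s for s in stmts) else "permissions"

def wildcard_findings(policy):
    """Return (statement index, field, value) for each '*' in an Allow statement."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for value in as_list(stmt.get(field)):
                if "*" in value:
                    findings.append((i, field, value))
    return findings

if __name__ == "__main__":
    for name, pol in (("Example 1", TRUST_POLICY), ("Example 3", EXPORT_POLICY)):
        print(name, policy_kind(pol), wildcard_findings(pol))
```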