The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China (PDF).
Using IAM with DynamoDB backup and restore
You can use Amazon Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions for specific resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis.
For more information about using IAM policies in DynamoDB, see Identity-based policies for DynamoDB.
The following are example IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.
Example 1: Allow the CreateBackup and RestoreTableFromBackup actions
The following IAM policy grants permission to perform the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    }
  ]
}
The DynamoDB RestoreTableFromBackup permission is required on the source backup, and DynamoDB read and write permissions on the target table are required for the restore to succeed.
The DynamoDB RestoreTableToPointInTime permission is required on the source table, and DynamoDB read and write permissions on the target table are required for the restore to succeed.
Example 2: Allow CreateBackup and deny RestoreTableFromBackup
The following IAM policy grants permission to perform the CreateBackup action and denies the RestoreTableFromBackup action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:RestoreTableFromBackup"],
      "Resource": "*"
    }
  ]
}
Example 3: Allow ListBackups and deny CreateBackup and RestoreTableFromBackup
The following IAM policy grants permission to perform the ListBackups action and denies the CreateBackup and RestoreTableFromBackup actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "*"
    }
  ]
}
Example 4: Allow ListBackups and deny DeleteBackup
The following IAM policy grants permission to perform the ListBackups action and denies the DeleteBackup action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:DeleteBackup"],
      "Resource": "*"
    }
  ]
}
Example 5: Allow RestoreTableFromBackup and DescribeBackup on all resources, and deny DeleteBackup on a specific backup
The following IAM policy grants permission to perform the RestoreTableFromBackup and DescribeBackup actions and denies the DeleteBackup action on a specific backup resource:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeBackup",
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:DeleteBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
    }
  ]
}
The DynamoDB RestoreTableFromBackup permission is required on the source backup, and DynamoDB read and write permissions on the target table are required for the restore to succeed.
The DynamoDB RestoreTableToPointInTime permission is required on the source table, and DynamoDB read and write permissions on the target table are required for the restore to succeed.
Example 6: Allow CreateBackup on a specific table
The following IAM policy grants permission to perform the CreateBackup action only on the Movies table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:CreateBackup"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
      ]
    }
  ]
}
Example 7: Allow ListBackups
The following IAM policy grants permission to perform the ListBackups action:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListBackups"],
      "Resource": "*"
    }
  ]
}
You cannot grant permission to perform the ListBackups action on a specific table.
Example 8: Allow access to Amazon Backup features
You need API permission for the StartAwsBackupJob action to take a backup with advanced features successfully, and API permission for the dynamodb:RestoreTableFromAwsBackup action to restore that backup successfully.
The following IAM policy grants Amazon Backup permission to trigger backups and restores with advanced features. Note also that if the table is already encrypted, the policy needs access to the Amazon KMS key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeQueryScanBooksTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:StartAwsBackupJob",
        "dynamodb:DescribeTable",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
    },
    {
      "Sid": "AllowRestoreFromAwsBackup",
      "Effect": "Allow",
      "Action": ["dynamodb:RestoreTableFromAwsBackup"],
      "Resource": "*"
    }
  ]
}
Example 9: Deny RestoreTableToPointInTime for a specific source table
The following IAM policy denies permission to perform the RestoreTableToPointInTime action against a specific source table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:RestoreTableToPointInTime"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music"
    }
  ]
}
Example 10: Deny RestoreTableFromBackup for all backups of a specific source table
The following IAM policy denies permission to perform the RestoreTableFromBackup action against all backups of a specific source table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "dynamodb:RestoreTableFromBackup"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"
    }
  ]
}
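The two rules these examples rely on are that an explicit Deny overrides any Allow, and that a restore needs RestoreTableFromBackup on the backup ARN plus read/write actions on the target table (the note under Example 1). The following is an added example, not code from the AWS documentation: a minimal offline policy evaluator that applies those rules to the Example 10 Deny layered over an Example 1 style Allow; the combined policy, the Movies backup ARN and the target table ARN are constructed for this illustration, and conditions, principals and NotAction are intentionally out of scope.

```python
"""Minimal offline evaluator for the DynamoDB backup/restore policies above.
Added example, not AWS code: implements only explicit Deny > Allow > implicit
Deny with '*' and '?' wildcards in Action and Resource (no Condition support)."""
import re

# Read/write actions the Example 1 note requires on the target table of a restore.
TARGET_TABLE_ACTIONS = [
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem",
]

def _matches(pattern, value):
    # IAM wildcard match: '*' is any run of characters, '?' a single character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource):
    """True only if a statement allows (action, resource) and no statement denies it."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (any(_matches(a, action) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins over any Allow
        allowed = True
    return allowed

def missing_for_restore(policy, backup_arn, target_table_arn):
    """Permissions a RestoreTableFromBackup from backup_arn into target_table_arn
    still lacks under this policy (an empty list means the restore can proceed)."""
    checks = [("dynamodb:RestoreTableFromBackup", backup_arn)]
    checks += [(a, target_table_arn) for a in TARGET_TABLE_ACTIONS]
    return [a for a, r in checks if not is_allowed(policy, a, r)]

# Constructed inputs: Example 10's Deny layered over an Example 1 style broad Allow.
MUSIC_BACKUP = "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
MOVIES_BACKUP = "arn:aws:dynamodb:us-east-1:123456789012:table/Movies/backup/01489173575360-b308cd7d"
RESTORED_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Restored"
DENY_MUSIC_RESTORES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["dynamodb:RestoreTableFromBackup"] + TARGET_TABLE_ACTIONS},
    {"Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"},
]}
```

Running missing_for_restore(DENY_MUSIC_RESTORES, MUSIC_BACKUP, RESTORED_TABLE) reports only RestoreTableFromBackup as blocked, while the same call with MOVIES_BACKUP returns an empty list.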