쿠키 기본 설정 선택

당사는 사이트와 서비스를 제공하는 데 필요한 필수 쿠키 및 유사한 도구를 사용합니다. 고객이 사이트를 어떻게 사용하는지 파악하고 개선할 수 있도록 성능 쿠키를 사용해 익명의 통계를 수집합니다. 필수 쿠키는 비활성화할 수 없지만 '사용자 지정' 또는 ‘거부’를 클릭하여 성능 쿠키를 거부할 수 있습니다.

사용자가 동의하는 경우 AWS와 승인된 제3자도 쿠키를 사용하여 유용한 사이트 기능을 제공하고, 사용자의 기본 설정을 기억하고, 관련 광고를 비롯한 관련 콘텐츠를 표시합니다. 필수가 아닌 모든 쿠키를 수락하거나 거부하려면 ‘수락’ 또는 ‘거부’를 클릭하세요. 더 자세한 내용을 선택하려면 ‘사용자 정의’를 클릭하세요.

Permissions required for Managed kdb - Amazon FinSpace
이 페이지는 귀하의 언어로 번역되지 않았습니다. 번역 요청

Permissions required for Managed kdb

You must have certain IAM permissions to use Managed kdb. In addition to the finspace:*permissions, you might need additional permissions to use the resources in your AWS account. FinSpace uses these permissions on your behalf to configure resources in your account where it needs to function. Add these permissions by using the IAM policies to IAM roles that you use to interact with Managed kdb.

The following table shows a list of permissions and what they are needed for.

Permissions (IAM actions) Use for Used by
"logs:CreateLogDelivery" Creating and deleting CloudWatch logs Users who create or delete the clusters
"logs:GetLogDelivery"
"logs:UpdateLogDelivery"
"logs:DeleteLogDelivery"
"logs:ListLogDeliveries"
"logs:PutResourcePolicy"
"logs:DescribeResourcePolicies"
"logs:DescribeLogGroup"
"logs:CreateLogGroup"
"ec2:CreateVpcEndpoint" Managing kdb clusters Users who create or delete the clusters
"ec2:DeleteVpcEndpoints"
"ec2:DescribeSubnets"
"ec2:AcceptTransitGatewayVpcAttachment" Creating a connection between your Managed kdb environment and your transit gateway Administrators who configure the transit gateway environment using the UpdateKxEnvironmentNetwork API
"ec2:DescribeSubnets"
"ram:CreateResourceShare" Creating a resource share on the transit gateway Users who update kdb environment
“ram:GetResourceShareInvitiations” Accepting resource share on private certificate authority for cluster TLS connection Users who create kdb environment
"ram:AcceptResourceShareInvitation"
"iam:CreateServiceLinkedRole" Creating the FinSpace service-linked role (SLR) when creating a kdb environment Users who create kdb environment
"ec2:DescribeTags" Creating and describing tags on FinSpace managed VPC endpoints Users who create and delete clusters
"ec2:CreateTags"
"finspace:*" Performing actions to manage FinSpace resources Users that manage resources in FinSpace
"kms:CreateGrant" Encrypting any customer data at rest Users who create kdb environment
"kms:RetireGrant"
"ec2:DescribeTransitGateways" Checking if the transit gateway exists Users who configure the transit gateway environment using the UpdateKxEnvironmentNetwork API
"s3:GetObject" Controlling access for ingesting code and data into the service. Users who create clusters, update code on clusters, or create changesets. See the sections below for additional details.
"s3:GetObjectTagging"
"s3:GetObjectVersion"
"s3:ListBucket"

Permissions FinSpace needs to resources in your account

You will need to grant permission to FinSpace to access certain resources in your account. To do this, follow steps in the following sections.

Granting permission to your AWS KMS key to encrypt data and code stored in Managed kdb

You must grant the FinSpace service access by using the AWS KMS key policy to create Managed kdb changesets and load code onto a cluster. The following is an example of such a policy.

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Sid": "FinSpace Permissions", "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Resource": "arn:aws:kms:us-east-1:555555555555:key/f935d84c-d365-4753-875Y-1c014ab4f61Z", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" } } } ] }

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Sid": "FinSpace Permissions", "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Resource": "arn:aws:kms:us-east-1:555555555555:key/f935d84c-d365-4753-875Y-1c014ab4f61Z", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" } } } ] }

Granting permission to your Amazon S3 code bucket to load code onto your Managed kdb cluster

To load code onto your cluster you must first grant the FinSpace service access to the Amazon S3 bucket that stores the code you want to load. The following is an example of the policy that you can use to grant access to code location.

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-code/*", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } }, { "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-code", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } } ] }

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-code/*", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } }, { "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-code", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } } ] }

After you grant the FinSpace service access to the S3 bucket , you must ensure that the IAM role that you use when you create a cluster or when you update the code on a cluster has permission to access the files on the Amazon S3 bucket. The following is an example of the policy that you can use to grant access to the role.

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-code/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-code" } ] }

When you set permissions on the role, you can control which Amazon S3 locations a user can access. You can also set Deny policies on this role to prevent access to resources. For example, you can use the Deny policy to prevent access to resources in another account.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-code/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-code" } ] }

When you set permissions on the role, you can control which Amazon S3 locations a user can access. You can also set Deny policies on this role to prevent access to resources. For example, you can use the Deny policy to prevent access to resources in another account.

Granting permission to your Amazon S3 data staging bucket to ingest data into Managed kdb

To ingest data from Amazon S3 into your database through a changeset, you must first grant FinSpace access to the S3 bucket that stores the data you want to import as Managed kdb changesets. The following is an example of such a policy.

In the following example, replace each user input placeholder with your own values.

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-data/*", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } }, { "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-data", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } } ] }

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-data/*", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } }, { "Effect": "Allow", "Principal": { "Service": "finspace.amazonaws.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-data", "Condition": { "StringEquals": { "aws:SourceAccount": "555555555555" }, "ArnLike": { "aws:SourceArn": "arn:aws:finspace:us-east-1:555555555555:kxEnvironment/<EnvironmentID>/*" } } } ] }

After you grant FinSpace access to the Amazon S3 bucket, you must ensure that the IAM role you use when you create a changeset has permission to access the files on the Amazon S3 bucket. The following is an example of such a policy.

In the following example, replace each user input placeholder with your own values.

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-data/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-data" } ] }

{ "Version": "2012-10-17", "Id": "FinSpaceServiceAccess", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::managed-kdb-data/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::managed-kdb-data" } ] }

When you set permissions on the role, you can control which Amazon S3 locations a user can access. You can also set Deny policies on this role to prevent access to resources. For example, you can use the Deny policy to prevent access to resources in another account.

프라이버시사이트 이용 약관쿠키 기본 설정
© 2025, Amazon Web Services, Inc. 또는 계열사. All rights reserved.