Using IAM with DynamoDB backup and restore - Amazon DynamoDB

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

Using IAM with DynamoDB backup and restore

You can use AWS Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions on specific resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis, so their permissions can be scoped to individual table ARNs.

For more information about using IAM policies with DynamoDB, see Using identity-based policies (IAM policies) with Amazon DynamoDB.

The following are examples of IAM policies that you can use to configure specific backup and restore capabilities in DynamoDB.

Example 1: Allow CreateBackup and RestoreTableFromBackup

The following IAM policy allows the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        }
    ]
}

Important

DynamoDB write permissions are required to restore a table, which is why this policy grants the item-level actions alongside RestoreTableFromBackup.

Example 2: Allow CreateBackup and deny RestoreTableFromBackup

The following IAM policy allows the CreateBackup action and explicitly denies the RestoreTableFromBackup action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:RestoreTableFromBackup"],
            "Resource": "*"
        }
    ]
}

Example 3: Allow ListBackups and deny CreateBackup and RestoreTableFromBackup

The following IAM policy allows the ListBackups action and explicitly denies the CreateBackup and RestoreTableFromBackup actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "*"
        }
    ]
}

Example 4: Allow ListBackups and deny DeleteBackup

The following IAM policy allows the ListBackups action and explicitly denies the DeleteBackup action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:DeleteBackup"],
            "Resource": "*"
        }
    ]
}

Example 5: Allow RestoreTableFromBackup and DescribeBackup on all resources and deny DeleteBackup for a specific backup

The following IAM policy allows the RestoreTableFromBackup and DescribeBackup actions on all resources and explicitly denies the DeleteBackup action for one specific backup resource. Because an explicit Deny always overrides an Allow, the Deny statement wins for that backup ARN even though the Allow statement uses "*":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeBackup",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:DeleteBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
        }
    ]
}

Important

DynamoDB write permissions are required to restore a table, which is why this policy grants the item-level actions alongside RestoreTableFromBackup.

Example 6: Allow CreateBackup for a specific table

The following IAM policy allows the CreateBackup action on the Movies table only; CreateBackup on any other table is implicitly denied because no statement allows it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
            ]
        }
    ]
}

Example 7: Allow ListBackups

The following IAM policy allows the ListBackups action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        }
    ]
}

Important

You cannot grant the ListBackups action for a specific table. ListBackups is not a table-level action, so its Resource element must be "*"; a statement that names a table ARN will not match a ListBackups request.
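The seven examples above rely on three IAM evaluation rules: a matching explicit Deny overrides any Allow, a request that no statement allows is implicitly denied, and an action that takes no table-level resource (ListBackups) is evaluated against the resource "*". The following Python model is an added illustration, not AWS code and not part of this page; it reimplements just those rules plus IAM's "*" and "?" wildcards so the policies from Examples 2, 5, 6 and 7 can be exercised offline. Condition, NotAction/NotResource, resource-based policies and SCPs are deliberately out of scope, and the Music table ARN, the second backup ARN (OTHER_BACKUP) and the SCOPED_LISTBACKUPS policy are constructed for the demonstration; for a real account, use the IAM policy simulator.

```python
"""Offline model of the IAM evaluation rules the policies on this page rely on.
Added illustration, not AWS code: explicit Deny over Allow, implicit deny when
nothing matches, '*' resource for actions without resource-level permissions.
"""
import re

MUSIC_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Music"     # constructed
MOVIES_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"   # from Example 6
MUSIC_BACKUP = MUSIC_TABLE + "/backup/01489173575360-b308cd7d"          # from Example 5
OTHER_BACKUP = MUSIC_TABLE + "/backup/01489173580000-deadbeef"          # constructed

# The action set Examples 1 and 5 grant alongside a restore (write access is required).
RESTORE_ACTIONS = [
    "dynamodb:RestoreTableFromBackup", "dynamodb:PutItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:BatchWriteItem",
]

# Policies copied from the examples above.
EXAMPLE_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:CreateBackup"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"], "Resource": "*"},
]}
EXAMPLE_5 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:DescribeBackup"] + RESTORE_ACTIONS, "Resource": "*"},
    {"Effect": "Deny", "Action": ["dynamodb:DeleteBackup"], "Resource": MUSIC_BACKUP},
]}
EXAMPLE_6 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:CreateBackup"], "Resource": [MOVIES_TABLE]},
]}
EXAMPLE_7 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": "*"},
]}
# Constructed: the mistake the note under Example 7 warns about (table-scoped ListBackups).
SCOPED_LISTBACKUPS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": [MOVIES_TABLE]},
]}

# Actions on this page with no table-level resource. IAM evaluates such a request
# against the resource "*", so only a Resource element of "*" can match it.
NO_RESOURCE_ACTIONS = {"dynamodb:listbackups"}


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one (action, resource) request."""
    if action.lower() in NO_RESOURCE_ACTIONS:
        resource = "*"
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are compared case-sensitively.
        action_hit = any(_iam_match(p, action, ignore_case=True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny overrides every Allow, wherever it sits
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(policy, action, resource="*"):
    return evaluate(policy, action, resource) == "Allow"


def missing_restore_permissions(policy, table_arn):
    """Actions from RESTORE_ACTIONS that the policy does not allow on table_arn."""
    return [a for a in RESTORE_ACTIONS if not is_allowed(policy, a, table_arn)]


if __name__ == "__main__":
    for name, policy, action, res in [
        ("Example 2", EXAMPLE_2, "dynamodb:RestoreTableFromBackup", MOVIES_TABLE),
        ("Example 5", EXAMPLE_5, "dynamodb:DeleteBackup", MUSIC_BACKUP),
        ("Example 5", EXAMPLE_5, "dynamodb:DeleteBackup", OTHER_BACKUP),
        ("Example 6", EXAMPLE_6, "dynamodb:CreateBackup", MUSIC_TABLE),
        ("scoped", SCOPED_LISTBACKUPS, "dynamodb:ListBackups", MOVIES_TABLE),
    ]:
        print(f"{name:9} {action:34} {evaluate(policy, action, res)}")
```

Note the two different "no" outcomes: under Example 5, DeleteBackup on the Music backup is an explicit deny that no other Allow can override, while DeleteBackup on any other backup is only an implicit deny that a later Allow statement (or another attached policy) could lift. The missing_restore_permissions helper makes the Important notes checkable: a policy that grants RestoreTableFromBackup but none of the write actions comes back with a non-empty list.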