本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用资源名称和标签进行精细访问控制
您可以使用资源名称和基于 Amazon 资源名称 (ARN) 的资源标签来管理对 AWS DMS 资源的访问。为此,请在 IAM 策略中定义允许的操作或包括条件语句。
使用资源名称控制访问
您可以创建一个 IAM 用户账户,并根据 AWS DMS 资源的 ARN 分配策略。
以下策略拒绝访问 ARN 为 arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV 的 AWS DMS 复制实例:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV" } ] }
例如,在该策略生效时,以下命令将失败:
$ aws dms delete-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV" A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV $ aws dms modify-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV" A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV
您还可以指定限制访问 AWS DMS 终端节点和复制任务的 IAM 策略。
以下策略使用终端节点的 ARN 限制对 AWS DMS 终端节点的访问。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX" } ] }
例如,在使用终端节点的 ARN 的策略生效时,以下命令将失败。
$ aws dms delete-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX" A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX $ aws dms modify-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX" A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX
以下策略使用任务的 ARN 限制对 AWS DMS 任务的访问。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT" } ] }
例如,在使用任务的 ARN 的策略生效时,以下命令将失败。
$ aws dms delete-replication-task --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT" A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT
使用标签控制访问
AWS DMS 定义了一组可用于客户定义的策略的常见键值对,而没有任何额外的标记要求。有关标记 AWS DMS 资源的更多信息,请参阅在 AWS Database Migration Service 中标记资源。
下面列出了可用于 AWS DMS 的标准标签:
-
aws:CurrentTime – 表示请求日期和时间,从而允许根据时间条件限制访问。
-
aws:EpochTime – 该标签类似于上面的 aws:CurrentTime 标签,所不同的是,当前时间表示为自 Unix 纪元时间以来经过的秒数。
-
aws:MultiFactorAuthPresent – 这是一个布尔值标签,它指示是否通过多重身份验证对请求进行签名。
-
aws:MultiFactorAuthAge – 提供对多重身份验证令牌期限 (秒) 的访问。
-
aws:principaltype – 提供对当前请求的主体类型(用户、账户、联合用户等)的访问。
-
aws:SourceIp – 表示发出请求的用户的源 IP 地址。
-
aws:UserAgent – 提供有关请求资源的客户端应用程序的信息。
-
aws:userid – 提供对发出请求的用户的 ID 的访问。
-
aws:username – 提供对发出请求的用户的名称的访问。
-
dms:InstanceClass – 提供对复制实例主机的计算大小的访问。
-
dms:StorageSize – 提供对存储卷大小 (GB) 的访问。
您还可以定义自己的标签。客户定义的标签是保留在 AWS 标记服务中的简单键值对。您可以将它们添加到 AWS DMS 资源,包括复制实例、终端节点和任务。这些标签是通过使用策略中的 IAM“条件”语句匹配的,并使用特定的条件标签引用这些标签。标签键前面带有“dms”、资源类型和“tag”前缀。下面显示了标签格式。
dms:{resource type}-tag/{tag key}={tag value}
例如,假设您要定义一个策略,以仅允许包含“stage=production”标签的复制实例成功完成 API 调用。以下条件语句会匹配具有给定标签的资源。
"Condition": { "streq": { "dms:rep-tag/stage":"production" } }
您将以下标签添加到与该策略条件匹配的复制实例中。
stage production
除了已分配给 AWS DMS 资源的标签以外,还可以编写策略以限制可应用于给定资源的标签键和值。在此情况下,标签前缀为“req”。
例如,以下策略语句将用户可为给定资源分配的标签限制为特定的允许值列表。
"Condition": { "streq": { "dms:rep-tag/stage": [ "production", "development", "testing" ] } }
以下策略示例根据资源标签限制对 AWS DMS 资源的访问。
以下策略限制对标签值为“Desktop”且标签键为“Env”的复制实例的访问:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "dms:rep-tag/Env": [ "Desktop" ] } } } ] }
根据在标签值为“Desktop”且标签键为“Env”时限制访问的 IAM 策略,以下命令成功或失败。
$ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --endpoint-url http://localhost:8000 { "TagList": [ { "Value": "Desktop", "Key": "Env" } ] } $ aws dms delete-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN" A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN $ aws dms modify-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN" A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --tags Key=CostCenter,Value=1234 A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --tag-keys Env A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
以下策略限制对标签值为“Desktop”且标签键为“Env”的 AWS DMS 终端节点的访问。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "dms:endpoint-tag/Env": [ "Desktop" ] } } } ] }
根据在标签值为“Desktop”且标签键为“Env”时限制访问的 IAM 策略,以下命令成功或失败。
$ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I { "TagList": [ { "Value": "Desktop", "Key": "Env" } ] } $ aws dms delete-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I" A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I $ aws dms modify-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I" A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I --tags Key=CostCenter,Value=1234 A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I --tag-keys Env A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
以下策略限制对标签值为“Desktop”且标签键为“Env”的复制任务的访问。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dms:*" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "dms:task-tag/Env": [ "Desktop" ] } } } ] }
根据在标签值为“Desktop”且标签键为“Env”时限制访问的 IAM 策略,以下命令成功或失败。
$ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 { "TagList": [ { "Value": "Desktop", "Key": "Env" } ] } $ aws dms delete-replication-task --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3" A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 --tags Key=CostCenter,Value=1234 A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 --tag-keys Env A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
