Example policy for private subnets accessing Amazon S3 - Amazon EMR

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Example policy for private subnets accessing Amazon S3

For a private subnet, you must at minimum give Amazon EMR access to the Amazon Linux repositories. This private subnet policy is part of the VPC endpoint policy for Amazon S3. On Amazon EMR 5.25.0 or later, to enable one-click access to the persistent Spark history server, you must also allow Amazon EMR to access the system bucket that collects Spark event logs. If you have enabled logging, grant PUT permission on the aws157-logs-* bucket. For more information, see One-click access to persistent Spark history server.

Deciding which policy restrictions meet your business needs is up to you. The following example policy grants access to the Amazon Linux repositories and to the Amazon EMR system bucket used to collect Spark event logs. It shows some example resource names for those buckets.

For more information about using IAM policies with Amazon VPC endpoints, see Endpoint policies for Amazon S3.

The following example policy contains example resources for the us-east-1 Region.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AmazonLinuxAMIRepositoryAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::packages.us-east-1.amazonaws.com/*",
                "arn:aws:s3:::repo.us-east-1.amazonaws.com/*",
                "arn:aws:s3:::repo.us-east-1.emr.amazonaws.com/*"
            ]
        },
        {
            "Sid": "EnableApplicationHistory",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Put*",
                "s3:Get*",
                "s3:Create*",
                "s3:Abort*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::prod.us-east-1.appinfo.src/*"
            ]
        }
    ]
}

The following example policy grants the permissions needed to access the Amazon Linux 2 repositories. The Amazon Linux 2 AMI is the default.

{
    "Statement": [
        {
            "Sid": "AmazonLinux2AMIRepositoryAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::amazonlinux.us-east-1.amazonaws.com/*",
                "arn:aws:s3:::amazonlinux-2-repos-us-east-1/*"
            ]
        }
    ]
}

Availability Zones

The following table lists the buckets by Region, giving the Amazon Resource Name (ARN) of the repository buckets and of the appinfo.src bucket. An ARN, or Amazon Resource Name, is a string that uniquely identifies an AWS resource.

| Region | Repository buckets | AppInfo bucket |
|---|---|---|
| US East (Ohio) | "arn:aws:s3:::packages.us-east-2.amazonaws.com/*", "arn:aws:s3:::repo.us-east-2.amazonaws.com/*", "arn:aws:s3:::repo.us-east-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-east-2.appinfo.src/*" |
| US East (N. Virginia) | "arn:aws:s3:::packages.us-east-1.amazonaws.com/*", "arn:aws:s3:::repo.us-east-1.amazonaws.com/*", "arn:aws:s3:::repo.us-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-east-1.appinfo.src/*" |
| US West (N. California) | "arn:aws:s3:::packages.us-west-1.amazonaws.com/*", "arn:aws:s3:::repo.us-west-1.amazonaws.com/*", "arn:aws:s3:::repo.us-west-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-west-1.appinfo.src/*" |
| US West (Oregon) | "arn:aws:s3:::packages.us-west-2.amazonaws.com/*", "arn:aws:s3:::repo.us-west-2.amazonaws.com/*", "arn:aws:s3:::repo.us-west-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-west-2.appinfo.src/*" |
| Africa (Cape Town) | "arn:aws:s3:::packages.af-south-1.amazonaws.com/*", "arn:aws:s3:::repo.af-south-1.amazonaws.com/*", "arn:aws:s3:::repo.af-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.af-south-1.appinfo.src/*" |
| Asia Pacific (Hong Kong) | "arn:aws:s3:::packages.ap-east-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-east-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-east-1.appinfo.src/*" |
| Asia Pacific (Hyderabad) | "arn:aws:s3:::packages.ap-south-2.amazonaws.com/*", "arn:aws:s3:::repo.ap-south-2.amazonaws.com/*", "arn:aws:s3:::repo.ap-south-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-south-2.appinfo.src/*" |
| Asia Pacific (Jakarta) | "arn:aws:s3:::packages.ap-southeast-3.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-3.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-3.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-3.appinfo.src/*" |
| Asia Pacific (Malaysia) | "arn:aws:s3:::packages.ap-southeast-5.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-5.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-5.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-5.appinfo.src/*" |
| Asia Pacific (Melbourne) | "arn:aws:s3:::packages.ap-southeast-4.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-4.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-4.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-4.appinfo.src/*" |
| Asia Pacific (Mumbai) | "arn:aws:s3:::packages.ap-south-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-south-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-south-1.appinfo.src/*" |
| Asia Pacific (Osaka) | "arn:aws:s3:::packages.ap-southeast-3.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-3.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-3.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-4.appinfo.src/*" |
| Asia Pacific (Seoul) | "arn:aws:s3:::packages.ap-northeast-2.amazonaws.com/*", "arn:aws:s3:::repo.ap-northeast-2.amazonaws.com/*", "arn:aws:s3:::repo.ap-northeast-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-northeast-2.appinfo.src/*" |
| Asia Pacific (Singapore) | "arn:aws:s3:::packages.ap-southeast-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-1.appinfo.src/*" |
| Asia Pacific (Sydney) | "arn:aws:s3:::packages.ap-southeast-2.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-2.amazonaws.com/*", "arn:aws:s3:::repo.ap-southeast-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-southeast-2.appinfo.src/*" |
| Asia Pacific (Tokyo) | "arn:aws:s3:::packages.ap-northeast-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-northeast-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-northeast-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-northeast-1.appinfo.src/*" |
| Canada (Central) | "arn:aws:s3:::packages.ca-central-1.amazonaws.com/*", "arn:aws:s3:::repo.ca-central-1.amazonaws.com/*", "arn:aws:s3:::repo.ca-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ca-central-1.appinfo.src/*" |
| Canada West (Calgary) | "arn:aws:s3:::packages.ap-northeast-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-northeast-1.amazonaws.com/*", "arn:aws:s3:::repo.ap-northeast-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.ap-northeast-1.appinfo.src/*" |
| Europe (Frankfurt) | "arn:aws:s3:::packages.eu-central-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-central-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-central-1.appinfo.src/*" |
| Europe (Ireland) | "arn:aws:s3:::packages.eu-west-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-west-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-west-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-west-1.appinfo.src/*" |
| Europe (London) | "arn:aws:s3:::packages.eu-west-2.amazonaws.com/*", "arn:aws:s3:::repo.eu-west-2.amazonaws.com/*", "arn:aws:s3:::repo.eu-west-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-west-2.appinfo.src/*" |
| Europe (Milan) | "arn:aws:s3:::packages.eu-south-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-south-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-south-1.appinfo.src/*" |
| Europe (Paris) | "arn:aws:s3:::packages.eu-west-3.amazonaws.com/*", "arn:aws:s3:::repo.eu-west-3.amazonaws.com/*", "arn:aws:s3:::repo.eu-west-3.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-west-3.appinfo.src/*" |
| Europe (Spain) | "arn:aws:s3:::packages.eu-south-2.amazonaws.com/*", "arn:aws:s3:::repo.eu-south-2.amazonaws.com/*", "arn:aws:s3:::repo.eu-south-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-south-2.appinfo.src/*" |
| Europe (Stockholm) | "arn:aws:s3:::packages.eu-north-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-north-1.amazonaws.com/*", "arn:aws:s3:::repo.eu-north-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-north-1.appinfo.src/*" |
| Europe (Zurich) | "arn:aws:s3:::packages.eu-central-2.amazonaws.com/*", "arn:aws:s3:::repo.eu-central-2.amazonaws.com/*", "arn:aws:s3:::repo.eu-central-2.emr.amazonaws.com/*" | "arn:aws:s3:::prod.eu-central-2.appinfo.src/*" |
| Israel (Tel Aviv) | "arn:aws:s3:::packages.il-central-1.amazonaws.com/*", "arn:aws:s3:::repo.il-central-1.amazonaws.com/*", "arn:aws:s3:::repo.il-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.il-central-1.appinfo.src/*" |
| Middle East (Bahrain) | "arn:aws:s3:::packages.me-south-1.amazonaws.com/*", "arn:aws:s3:::repo.me-south-1.amazonaws.com/*", "arn:aws:s3:::repo.me-south-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.me-south-1.appinfo.src/*" |
| Middle East (UAE) | "arn:aws:s3:::packages.me-central-1.amazonaws.com/*", "arn:aws:s3:::repo.me-central-1.amazonaws.com/*", "arn:aws:s3:::repo.me-central-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.me-central-1.appinfo.src/*" |
| South America (São Paulo) | "arn:aws:s3:::packages.sa-east-1.amazonaws.com/*", "arn:aws:s3:::repo.sa-east-1.amazonaws.com/*", "arn:aws:s3:::repo.sa-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.sa-east-1.appinfo.src/*" |
| AWS GovCloud (US-East) | "arn:aws:s3:::packages.us-gov-east-1.amazonaws.com/*", "arn:aws:s3:::repo.us-gov-east-1.amazonaws.com/*", "arn:aws:s3:::repo.us-gov-east-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-gov-east-1.appinfo.src/*" |
| AWS GovCloud (US-West) | "arn:aws:s3:::packages.us-gov-west-1.amazonaws.com/*", "arn:aws:s3:::repo.us-gov-west-1.amazonaws.com/*", "arn:aws:s3:::repo.us-gov-west-1.emr.amazonaws.com/*" | "arn:aws:s3:::prod.us-gov-west-1.appinfo.src/*" |
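The policies and the table above follow one naming pattern per Region, which makes them easy to generate and, more importantly, easy to check before they are attached to an endpoint. The script below is an added example, not AWS code or tooling from this page: it builds the endpoint policy for a given Region from the bucket patterns shown above and then scans a policy for the mistakes that most often slip into a copied document, namely an ARN from another Region, a resource that ends in "/" instead of "/*" (which matches no object at all), and write actions granted on a repository bucket. The function names, the REGION_RE pattern and the aws157-logs statement (the page only says "PUT permission") are assumptions.

```python
"""Build and sanity-check the Amazon S3 VPC endpoint policy for an EMR private subnet.

Example code added to this page; it is not AWS's own code or tooling. Bucket naming
patterns follow the example policies and the Region table on this page. The function
names, the REGION_RE pattern and the aws157-logs statement are assumptions.
"""
import json
import re

# Region token such as us-east-1, ap-southeast-3 or us-gov-west-1 (assumed pattern).
REGION_RE = re.compile(r"\b[a-z]{2}(?:-gov)?-[a-z]+-\d\b")

# Actions that write to or mutate a bucket; none of them belongs on a repository bucket.
WRITE_PREFIXES = ("s3:put", "s3:create", "s3:abort", "s3:delete")


def bucket_arn(bucket, key_pattern="*"):
    """S3 object ARN for every key under the bucket ('bucket/' alone matches nothing)."""
    return f"arn:aws:s3:::{bucket}/{key_pattern}"


def build_endpoint_policy(region, app_history=True, log_delivery=False):
    """Return the endpoint policy for one Region, using the bucket names from this page."""
    statements = [
        {
            "Sid": "AmazonLinuxAMIRepositoryAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                bucket_arn(f"packages.{region}.amazonaws.com"),
                bucket_arn(f"repo.{region}.amazonaws.com"),
                bucket_arn(f"repo.{region}.emr.amazonaws.com"),
            ],
        },
        {
            "Sid": "AmazonLinux2AMIRepositoryAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                bucket_arn(f"amazonlinux.{region}.amazonaws.com"),
                bucket_arn(f"amazonlinux-2-repos-{region}"),
            ],
        },
    ]
    if app_history:
        # Needed on EMR 5.25.0+ for one-click access to the persistent Spark history server.
        statements.append({
            "Sid": "EnableApplicationHistory",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:Put*", "s3:Get*", "s3:Create*", "s3:Abort*", "s3:List*"],
            "Resource": [bucket_arn(f"prod.{region}.appinfo.src")],
        })
    if log_delivery:
        # The page says to grant PUT on aws157-logs-* when logging is enabled;
        # expressing that as s3:PutObject on aws157-logs-*/* is an assumption.
        statements.append({
            "Sid": "EmrLogDelivery",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [bucket_arn("aws157-logs-*")],
        })
    return {"Version": "2008-10-17", "Statement": statements}


def find_policy_issues(policy, region):
    """Return human-readable findings for an endpoint policy intended for `region`."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        writes = [a for a in actions if a.lower().startswith(WRITE_PREFIXES) or a in ("*", "s3:*")]
        for arn in resources:
            if not arn.startswith("arn:aws:s3:::"):
                issues.append(f"{sid}: {arn} is not an S3 ARN")
                continue
            bucket = arn[len("arn:aws:s3:::"):].split("/", 1)[0]
            if arn.endswith("/"):
                issues.append(f"{sid}: {arn} ends in '/', so it matches no object; use '/*'")
            found = REGION_RE.search(bucket)
            if found and found.group(0) != region:
                issues.append(f"{sid}: {arn} belongs to {found.group(0)}, not {region}")
            if writes and not (bucket.endswith("appinfo.src") or bucket.startswith("aws157-logs")):
                issues.append(f"{sid}: write actions {writes} granted on repository bucket {bucket}")
    return issues


if __name__ == "__main__":
    print(json.dumps(build_endpoint_policy("us-east-1", log_delivery=True), indent=4))
    # Constructed mistake: a us-west-2 ARN pasted into a us-east-1 policy, plus a
    # repository ARN that lost its trailing '*'.
    mistaken = {"Version": "2008-10-17", "Statement": [{
        "Sid": "AmazonLinuxAMIRepositoryAccess", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": ["arn:aws:s3:::packages.us-west-2.amazonaws.com/*",
                     "arn:aws:s3:::repo.us-east-1.amazonaws.com/"],
    }]}
    for finding in find_policy_issues(mistaken, "us-east-1"):
        print("finding:", finding)
```

Run it to print the generated policy for a Region and the findings for the constructed bad policy. Keep in mind that a VPC endpoint policy only limits what may pass through the endpoint; it grants nothing by itself, so the IAM roles of the cluster and the bucket policies still decide whether a request succeeds, and the "Principal": "*" in these examples is scoped by the endpoint, not by the whole account.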