Using IAM with backup and restore - Amazon DynamoDB

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

Using IAM with backup and restore

You can use AWS Identity and Access Management (IAM) to restrict Amazon DynamoDB backup and restore actions for specific resources. The CreateBackup and RestoreTableFromBackup APIs operate on a per-table basis.

For more information about using IAM policies in DynamoDB, see Identity-based policies for DynamoDB.

The following are examples of IAM policies that you can use to configure specific backup and restore functionality in DynamoDB.

Example 1: Allow the CreateBackup and RestoreTableFromBackup actions

The following IAM policy grants permissions for the CreateBackup and RestoreTableFromBackup DynamoDB actions on all tables. The item-level read and write actions are included because a restore writes the recovered data into the target table and needs those permissions there (see the note that follows):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        }
    ]
}
Important

DynamoDB RestoreTableFromBackup permissions are necessary on the source backup, and the restore functionality needs DynamoDB full read and write permissions on the target table.

DynamoDB RestoreTableToPointInTime permissions are necessary on the source table, and the restore functionality needs DynamoDB full read and write permissions on the target table.

Example 2: Allow CreateBackup and deny RestoreTableFromBackup

The following IAM policy grants permissions for the CreateBackup action and denies the RestoreTableFromBackup action. Because an explicit Deny overrides any Allow, the restore stays blocked even if another policy attached to the same principal allows it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:RestoreTableFromBackup"],
            "Resource": "*"
        }
    ]
}

Example 3: Allow ListBackups and deny CreateBackup and RestoreTableFromBackup

The following IAM policy grants permissions for the ListBackups action and denies the CreateBackup and RestoreTableFromBackup actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:CreateBackup",
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "*"
        }
    ]
}

Example 4: Allow ListBackups and deny DeleteBackup

The following IAM policy grants permissions for the ListBackups action and denies the DeleteBackup action, a useful pattern for principals that should be able to inventory backups but never destroy them:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["dynamodb:DeleteBackup"],
            "Resource": "*"
        }
    ]
}

Example 5: Allow DescribeBackup and RestoreTableFromBackup on a specific backup and deny DeleteBackup on that backup

The following IAM policy grants permissions for the DescribeBackup and RestoreTableFromBackup actions on one specific backup, grants the read and write permissions that a restore needs on the target table (here on all tables), and denies the DeleteBackup action on that same backup resource. Note the backup ARN format, table/<table-name>/backup/<backup-id>, which is what lets you scope restore and delete permissions to individual backups:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeBackup",
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:DeleteBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/01489173575360-b308cd7d"
        }
    ]
}
Important

DynamoDB RestoreTableFromBackup permissions are necessary on the source backup, and the restore functionality needs DynamoDB full read and write permissions on the target table.

DynamoDB RestoreTableToPointInTime permissions are necessary on the source table, and the restore functionality needs DynamoDB full read and write permissions on the target table.

Example 6: Allow CreateBackup for a specific table

The following IAM policy grants permissions for the CreateBackup action on the Movies table only. CreateBackup against any other table is implicitly denied:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:CreateBackup"],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Movies"
            ]
        }
    ]
}

Example 7: Allow ListBackups

The following IAM policy grants permissions for the ListBackups action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:ListBackups"],
            "Resource": "*"
        }
    ]
}

Important

You cannot grant permissions for the ListBackups action on a specific table; the Resource element for ListBackups must be "*".

Example 8: Allow access to AWS Backup features

To back up successfully with advanced features, you need API permissions for the dynamodb:StartAwsBackupJob action, and permissions for the dynamodb:RestoreTableFromAwsBackup action to restore that backup successfully.

The following IAM policy grants AWS Backup the permissions to trigger backups with advanced features and to restore them. Also note that if the table is encrypted, the policy will also need access to the AWS KMS key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeQueryScanBooksTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:StartAwsBackupJob",
                "dynamodb:DescribeTable",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:account-id:table/Books"
        },
        {
            "Sid": "AllowRestoreFromAwsBackup",
            "Effect": "Allow",
            "Action": ["dynamodb:RestoreTableFromAwsBackup"],
            "Resource": "*"
        }
    ]
}

Example 9: Deny RestoreTableToPointInTime for a specific source table

The following IAM policy denies permissions for the RestoreTableToPointInTime action on a specific source table:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:RestoreTableToPointInTime"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music"
        }
    ]
}

Example 10: Deny RestoreTableFromBackup for all backups of a specific source table

The following IAM policy denies permissions for the RestoreTableFromBackup action on all backups of a specific source table. The wildcard in table/Music/backup/* matches every backup ARN under the Music table, so no backup of that table can be restored by this principal regardless of what other policies allow:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "dynamodb:RestoreTableFromBackup"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Music/backup/*"
        }
    ]
}
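The following is an added, offline illustration of how the policies on this page combine when evaluated; it is example code written for this page, not AWS tooling or DynamoDB's own authorization logic. It is a deliberately simplified IAM evaluator that shows the explicit-deny rule behind Examples 2, 3, 4 and 10, the two-sided requirement stated in the Important notes (RestoreTableFromBackup on the source backup plus read/write on the target table, checked against Example 5), the table-scoped CreateBackup of Example 6, and the ListBackups restriction noted under Example 7. Assumptions: identity-based policies only, with no Condition, NotAction, NotResource, SCPs, permission boundaries or resource policies; the two extra backup IDs and the BAD_LISTBACKUPS policy are constructed for the demonstration.

```python
import fnmatch

# Constructed sample ARNs. The account ID, table names and the first backup ID
# are the placeholders the page's examples use; the other two backup IDs are made up.
TABLE_PREFIX = "arn:aws:dynamodb:us-east-1:123456789012:table/"
MUSIC, MOVIES = TABLE_PREFIX + "Music", TABLE_PREFIX + "Movies"
MUSIC_BACKUP = MUSIC + "/backup/01489173575360-b308cd7d"      # from Example 5
MUSIC_BACKUP_2 = MUSIC + "/backup/01489190000000-aaaa1111"    # constructed
MOVIES_BACKUP = MOVIES + "/backup/01489200000000-bbbb2222"    # constructed

# The read/write actions Example 1 grants so that a restore can write the target table.
TARGET_TABLE_ACTIONS = [
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem",
]

# The page's Example 1, 5, 6, 7 and 10 policies as Python dicts.
EXAMPLE_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["dynamodb:CreateBackup", "dynamodb:RestoreTableFromBackup"] + TARGET_TABLE_ACTIONS}]}
EXAMPLE_5 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:DescribeBackup", "dynamodb:RestoreTableFromBackup"],
     "Resource": MUSIC_BACKUP},
    {"Effect": "Allow", "Action": TARGET_TABLE_ACTIONS, "Resource": "*"},
    {"Effect": "Deny", "Action": ["dynamodb:DeleteBackup"], "Resource": MUSIC_BACKUP}]}
EXAMPLE_6 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:CreateBackup"], "Resource": [MOVIES]}]}
EXAMPLE_7 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": "*"}]}
EXAMPLE_10 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["dynamodb:RestoreTableFromBackup"],
     "Resource": MUSIC + "/backup/*"}]}
# Constructed mistake: ListBackups scoped to one table, which the page says cannot be granted.
BAD_LISTBACKUPS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:ListBackups"], "Resource": MOVIES}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters (slashes included), '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Simplified identity-policy evaluation (assumption): no Condition, NotAction,
    NotResource, SCPs, permission boundaries or resource policies. An explicit
    Deny in any attached policy wins over every Allow, which is why the page's
    Deny examples hold even when a broader Allow policy is attached as well.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; ARNs are compared as written.
            if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def can_restore(policies, backup_arn, target_table_arn):
    """Apply the page's Important note: a restore needs RestoreTableFromBackup on the
    source backup AND read/write on the target table; either one missing fails it."""
    if evaluate(policies, "dynamodb:RestoreTableFromBackup", backup_arn) != "Allow":
        return False
    return all(evaluate(policies, a, target_table_arn) == "Allow" for a in TARGET_TABLE_ACTIONS)


def lint(policy):
    """Flag statements that grant ListBackups on anything narrower than "*"."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if "dynamodb:ListBackups" not in _as_list(stmt["Action"]):
            continue
        for res in _as_list(stmt["Resource"]):
            if res != "*":
                findings.append(f'statement {i}: ListBackups cannot be scoped to {res}; use Resource "*"')
    return findings


if __name__ == "__main__":
    print(evaluate([EXAMPLE_6], "dynamodb:CreateBackup", MOVIES))                              # Allow
    print(evaluate([EXAMPLE_6], "dynamodb:CreateBackup", MUSIC))                               # ImplicitDeny
    print(evaluate([EXAMPLE_1, EXAMPLE_10], "dynamodb:RestoreTableFromBackup", MUSIC_BACKUP))  # Deny
    print(can_restore([EXAMPLE_5], MUSIC_BACKUP, TABLE_PREFIX + "MusicRestored"))              # True
    print(can_restore([EXAMPLE_5], MUSIC_BACKUP_2, TABLE_PREFIX + "MusicRestored"))            # False
    print(lint(BAD_LISTBACKUPS))
```

Use this only to reason about how the statements on this page interact. For a real policy, the authoritative check is the IAM policy simulator (the iam:SimulateCustomPolicy and iam:SimulatePrincipalPolicy APIs), which applies the full evaluation logic that this toy omits.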