Application Discovery Service 的服務連結角色許可 - AWS 應用程式探索服務

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

Application Discovery Service 的服務連結角色許可

Application Discovery Service 使用名為 AWSServiceRoleForApplicationDiscoveryServiceContinuousExport 的服務連結角色 – 允許存取使用或管理的 AWS 服務和資源 AWS Application Discovery Service。

AWSServiceRoleForApplicationDiscoveryServiceContinuousExport 服務連結角色信任下列服務擔任該角色:

  • continuousexport.discovery.amazonaws.com

角色許可政策允許 Application Discovery Service 完成下列動作:

glue

CreateDatabase

UpdateDatabase

CreateTable

UpdateTable

firehose

CreateDeliveryStream

DeleteDeliveryStream

DescribeDeliveryStream

PutRecord

PutRecordBatch

UpdateDestination

s3

CreateBucket

ListBucket

GetObject

日誌

CreateLogGroup

CreateLogStream

PutRetentionPolicy

iam

PassRole

此為顯示以上動作可套用於哪些資源的完整政策:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "glue:CreateDatabase",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:UpdateTable",
                "firehose:CreateDeliveryStream",
                "firehose:DescribeDeliveryStream",
                "logs:CreateLogGroup"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "firehose:DeleteDeliveryStream",
                "firehose:PutRecord",
                "firehose:PutRecordBatch",
                "firehose:UpdateDestination"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:firehose:*:*:deliverystream/aws-application-discovery-service*"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketLogging",
                "s3:PutEncryptionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::aws-application-discovery-service*"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::aws-application-discovery-service*/*"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutRetentionPolicy"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:*:*:log-group:/aws/application-discovery-service/firehose*"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/AWSApplicationDiscoveryServiceFirehose",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "firehose.amazonaws.com"
                }
            }
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/service-role/AWSApplicationDiscoveryServiceFirehose",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "firehose.amazonaws.com"
                }
            }
        }
    ]
}

您必須設定許可,IAM 實體 (如使用者、群組或角色) 才可建立、編輯或刪除服務連結角色。如需詳細資訊,請參閱《IAM 使用者指南》中的服務連結角色許可