AWS managed policies for AWS Batch

This is a machine-translated version of the English original. Where there is any ambiguity or inconsistency, the English version prevails.


You can use AWS managed policies to simplify identity and access management for your teams and the AWS resources they provision. AWS managed policies cover a range of common use cases, are available by default in your AWS account, and are maintained and updated on your behalf. You can't change the permissions in an AWS managed policy. If you need more flexibility, you can instead create IAM customer managed policies, which let you grant your team exactly the permissions that the resources they provision require, and nothing more.

For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies on your behalf. Services periodically add permissions to an AWS managed policy, most often when a new feature launches or a new operation becomes available. These updates automatically affect every identity (user, group, or role) that the policy is attached to. They don't remove permissions or break your existing permissions.

AWS also supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy grants read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: BatchServiceRolePolicy

The BatchServiceRolePolicy managed IAM policy is used by the AWSServiceRoleForBatch service-linked role. It allows AWS Batch to perform actions on your behalf. You can't attach this policy to your own IAM entities. For more information, see Using service-linked roles for AWS Batch.

This policy allows AWS Batch to complete the following actions on specific resources:

  • autoscaling: Allows AWS Batch to create and manage Amazon EC2 Auto Scaling resources. AWS Batch creates and manages Amazon EC2 Auto Scaling groups for most compute environments.

  • ec2: Allows AWS Batch to control the lifecycle of Amazon EC2 instances and to create and manage launch templates and tags. AWS Batch creates and manages EC2 Spot Fleet requests for some EC2 Spot compute environments.

  • ecs: Allows AWS Batch to create and manage Amazon ECS clusters, task definitions, and tasks that run jobs.

  • eks: Allows AWS Batch to describe Amazon EKS cluster resources for validation.

  • iam: Allows AWS Batch to validate the roles that the account owner provides and to pass them to Amazon EC2, Amazon EC2 Auto Scaling, and Amazon ECS.

  • logs: Allows AWS Batch to create and manage log groups and log streams for AWS Batch jobs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBatchPolicyStatement1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotFleetInstances",
        "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSpotFleetRequestHistory",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:RequestSpotFleet",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities",
        "eks:DescribeCluster",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "ecs:DeregisterTaskDefinition",
        "ecs:TagResource",
        "ecs:ListAccountSettings",
        "logs:DescribeLogGroups",
        "iam:GetInstanceProfile",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBatchPolicyStatement2",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*"
    },
    {
      "Sid": "AWSBatchPolicyStatement3",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*:log-stream:*"
    },
    {
      "Sid": "AWSBatchPolicyStatement4",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement5",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement6",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "autoscaling.amazonaws.com",
            "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement7",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement8",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:CancelSpotFleetRequests",
        "ec2:ModifySpotFleetRequest",
        "ec2:DeleteLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement9",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration"
      ],
      "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement10",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:SuspendProcesses",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement11",
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:cluster/AWSBatch*"
    },
    {
      "Sid": "AWSBatchPolicyStatement12",
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:task-definition/*"
    },
    {
      "Sid": "AWSBatchPolicyStatement13",
      "Effect": "Allow",
      "Action": [
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Sid": "AWSBatchPolicyStatement14",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement15",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*:*:capacity-reservation/*",
        "arn:aws:ec2:*:*:elastic-gpu/*",
        "arn:aws:elastic-inference:*:*:elastic-inference-accelerator/*",
        "arn:aws:resource-groups:*:*:group/*"
      ]
    },
    {
      "Sid": "AWSBatchPolicyStatement16",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement17",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances",
            "CreateLaunchTemplate",
            "RequestSpotFleet"
          ]
        }
      }
    }
  ]
}

AWS managed policy: AWSBatchServiceRolePolicy

The AWSBatchServiceRolePolicy managed IAM policy is typically used by a role named AWSBatchServiceRole and contains the permissions listed below. Following the standard security advice of granting least privilege, treat this managed policy as a guide: if your use case doesn't need some of the permissions it grants, create a custom policy and add only the permissions you require. This managed policy and role can be used for most compute environment types, but the service-linked role (AWSServiceRoleForBatch with BatchServiceRolePolicy) is less error-prone, more tightly scoped, and gives a better managed experience.

This policy allows AWS Batch to complete the following actions on specific resources:

  • autoscaling: Allows AWS Batch to create and manage Amazon EC2 Auto Scaling resources. AWS Batch creates and manages Amazon EC2 Auto Scaling groups for most compute environments.

  • ec2: Allows AWS Batch to manage the lifecycle of Amazon EC2 instances and to create and manage launch templates and tags. AWS Batch creates and manages EC2 Spot Fleet requests for some EC2 Spot compute environments.

  • ecs: Allows AWS Batch to create and manage Amazon ECS clusters, task definitions, and tasks that run jobs.

  • iam: Allows AWS Batch to validate the roles that the account owner provides and to pass them to Amazon EC2, Amazon EC2 Auto Scaling, and Amazon ECS.

  • logs: Allows AWS Batch to create and manage log groups and log streams for AWS Batch jobs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBatchPolicyStatement1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotFleetInstances",
        "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSpotFleetRequestHistory",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:CreateLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:RequestSpotFleet",
        "ec2:CancelSpotFleetRequests",
        "ec2:ModifySpotFleetRequest",
        "ec2:TerminateInstances",
        "ec2:RunInstances",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:SuspendProcesses",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListAccountSettings",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "ecs:CreateCluster",
        "ecs:DeleteCluster",
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition",
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask",
        "ecs:UpdateContainerAgent",
        "ecs:DeregisterContainerInstance",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "iam:GetInstanceProfile",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBatchPolicyStatement2",
      "Effect": "Allow",
      "Action": "ecs:TagResource",
      "Resource": [
        "arn:aws:ecs:*:*:task/*_Batch_*"
      ]
    },
    {
      "Sid": "AWSBatchPolicyStatement3",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement4",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "autoscaling.amazonaws.com",
            "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AWSBatchPolicyStatement5",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    }
  ]
}
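The least-privilege advice above (use the managed policy as a guide and carve out only what you need) is easier to follow with a script than by eye, because the interesting difference between the two policies is where the write permissions are fenced. The audit below is an added example written for this page; it is not code from AWS or the AWS Batch service. It flags Allow statements that grant mutating actions on Resource "*" with no Condition, lists the tag keys a statement requires via a `"Null": {key: "false"}` condition (which means "the key must be present", the mechanism BatchServiceRolePolicy uses to confine writes to Batch-tagged resources), and derives a trimmed custom policy. The two embedded policy documents are constructed excerpts of the managed policies shown on this page, reduced to a few representative statements so the script runs offline; the Describe/List/Get prefix test for "read-only" is a heuristic, not an IAM definition.

```python
"""Least-privilege audit of an AWS Batch service-role policy.

Added example, not AWS code. The policy documents below are constructed
excerpts of the managed policies shown on this page (a handful of
representative statements each) so that the script runs offline.
"""
import copy
import fnmatch
import json

# Constructed excerpt of AWSBatchServiceRolePolicy: one broad Allow on
# Resource "*" with no Condition, plus the iam:PassRole statement that is
# fenced by iam:PassedToService.
LEGACY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSBatchPolicyStatement1", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances",
                    "ec2:TerminateInstances", "ec2:RequestSpotFleet",
                    "ec2:CancelSpotFleetRequests", "ecs:ListClusters",
                    "ecs:CreateCluster", "iam:GetRole"],
         "Resource": "*"},
        {"Sid": "AWSBatchPolicyStatement3", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": ["*"],
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]}}},
    ],
}

# Constructed excerpt of BatchServiceRolePolicy (service-linked role). The same
# mutating actions appear, but each is fenced by a resource ARN pattern or by a
# Null condition on the AWSBatchServiceTag tag key.
SLR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSBatchPolicyStatement1", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ecs:ListClusters", "iam:GetRole"],
         "Resource": "*"},
        {"Sid": "AWSBatchPolicyStatement8", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:CancelSpotFleetRequests"],
         "Resource": "*",
         "Condition": {"Null": {"aws:ResourceTag/AWSBatchServiceTag": "false"}}},
        {"Sid": "AWSBatchPolicyStatement10", "Effect": "Allow",
         "Action": ["autoscaling:CreateAutoScalingGroup",
                    "autoscaling:DeleteAutoScalingGroup"],
         "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"},
        {"Sid": "AWSBatchPolicyStatement16", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Null": {"aws:RequestTag/AWSBatchServiceTag": "false"}}},
    ],
}

# Heuristic (assumption, not an IAM rule): actions with these verbs read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a scalar or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for service:Describe*/List*/Get* actions."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def required_tag_keys(stmt):
    """Context keys the statement requires to be present, i.e. 'Null': {key: 'false'}."""
    null_cond = stmt.get("Condition", {}).get("Null", {})
    return sorted(k for k, v in null_cond.items() if str(v).lower() == "false")


def find_unscoped_writes(policy):
    """(Sid, [actions]) for Allow statements granting mutating actions on
    Resource "*" with no Condition: the grants to trim or scope first."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        writes = [a for a in _as_list(stmt.get("Action", [])) if not is_read_only(a)]
        if writes:
            findings.append((stmt.get("Sid"), writes))
    return findings


def trim_policy(policy, drop_patterns):
    """Deep copy of policy with actions matching any glob in drop_patterns
    removed; statements left with no actions are dropped. Input is untouched."""
    trimmed = copy.deepcopy(policy)
    kept = []
    for stmt in trimmed["Statement"]:
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if not any(fnmatch.fnmatchcase(a, p) for p in drop_patterns)]
        if actions:
            stmt["Action"] = actions
            kept.append(stmt)
    trimmed["Statement"] = kept
    return trimmed


if __name__ == "__main__":
    for name, pol in (("AWSBatchServiceRolePolicy excerpt", LEGACY_ROLE_POLICY),
                      ("BatchServiceRolePolicy excerpt", SLR_POLICY)):
        print(name, "unscoped writes:", find_unscoped_writes(pol))
    # Custom policy for an account that runs only On-Demand compute environments:
    on_demand_only = trim_policy(LEGACY_ROLE_POLICY, ["ec2:*SpotFleet*"])
    print(json.dumps(on_demand_only, indent=2))
```

Run against the full policy documents from this page, `find_unscoped_writes` reports the AWSBatchServiceRolePolicy Statement1 and nothing for BatchServiceRolePolicy, which is the concrete content of "more tightly scoped" above. `trim_policy` only removes actions; it never loosens a Resource or Condition, so the trimmed document is always a subset of the managed one.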

AWS managed policy: AWSBatchFullAccess

The AWSBatchFullAccess policy grants full access to AWS Batch actions on AWS Batch resources. It also grants the Describe and List actions for the Amazon EC2, Amazon ECS, Amazon EKS, IAM, and CloudWatch services, so that an IAM identity (user or role) can view the AWS Batch managed resources created on its behalf. Finally, the policy allows selected IAM roles to be passed to those services.

You can attach AWSBatchFullAccess to your IAM entities. AWS Batch also attaches this policy to a service role that allows AWS Batch to perform actions on your behalf.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "batch:*",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeImages",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ecs:DescribeClusters",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "logs:Describe*",
        "logs:Get*",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "iam:ListInstanceProfiles",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSBatchServiceRole",
        "arn:aws:iam::*:role/service-role/AWSBatchServiceRole",
        "arn:aws:iam::*:role/ecsInstanceRole",
        "arn:aws:iam::*:instance-profile/ecsInstanceRole",
        "arn:aws:iam::*:role/iaws-ec2-spot-fleet-role",
        "arn:aws:iam::*:role/aws-ec2-spot-fleet-role",
        "arn:aws:iam::*:role/AWSBatchJobRole*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/*Batch*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "batch.amazonaws.com"
        }
      }
    }
  ]
}

Updates to AWS managed policies for AWS Batch

View details about updates to the AWS managed policies for AWS Batch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Batch Document history page.

| Change | Description | Date |
| --- | --- | --- |
| BatchServiceRolePolicy policy updated | Updated to add support for describing Spot Fleet request history and Amazon EC2 Auto Scaling activities. | December 5, 2023 |
| AWSBatchServiceRolePolicy policy updated | Updated to add statement IDs and to grant AWS Batch the ec2:DescribeSpotFleetRequestHistory and autoscaling:DescribeScalingActivities permissions. | December 5, 2023 |
| BatchServiceRolePolicy policy updated | Updated to add support for describing Amazon EKS clusters. | October 20, 2022 |
| AWSBatchFullAccess policy updated | Updated to add support for listing and describing Amazon EKS clusters. | October 20, 2022 |
| BatchServiceRolePolicy policy updated | Updated to add support for Amazon EC2 Capacity Reservation groups managed by AWS Resource Groups. For more information, see Work with Capacity Reservation groups in the Amazon EC2 User Guide. | May 18, 2022 |
| BatchServiceRolePolicy and AWSBatchServiceRolePolicy policies updated | Updated to add support for describing the status of AWS Batch managed instances in Amazon EC2, so that unhealthy instances can be replaced. | December 6, 2021 |
| BatchServiceRolePolicy policy updated | Updated to add support for placement groups, Capacity Reservations, Elastic GPUs, and Elastic Inference resources in Amazon EC2. | March 26, 2021 |
| BatchServiceRolePolicy policy added | With the BatchServiceRolePolicy managed policy for the AWSServiceRoleForBatch service-linked role, you can use a service-linked role managed by AWS Batch. With this policy, you don't need to maintain your own role for use in your compute environments. | March 10, 2021 |
| AWSBatchFullAccess: added permissions for creating the service-linked role | Added IAM permissions that allow the AWSServiceRoleForBatch service-linked role to be added to the account. | March 10, 2021 |
| AWS Batch started tracking changes | AWS Batch started tracking changes for its AWS managed policies. | March 10, 2021 |