Fine-grained access control using resource names and tags

You can use resource names and resource tags, based on Amazon Resource Names (ARNs), to manage access to AWS DMS resources. You do this by defining the permitted actions, or by including condition statements, in IAM policies.

Using resource names to control access

You can create an IAM user account and assign it a policy that is based on the ARN of an AWS DMS resource.

The following policy denies access to the AWS DMS replication instance with the ARN arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ "dms:*" ],
                "Effect": "Deny",
                "Resource": "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"
            }
        ]
    }

For example, the following commands fail while the policy is in effect.

    $ aws dms delete-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"

    A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV

    $ aws dms modify-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"

    A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV
You can also specify IAM policies that limit access to AWS DMS endpoints and replication tasks.

The following policy limits access to an endpoint by using the endpoint's ARN.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ "dms:*" ],
                "Effect": "Deny",
                "Resource": "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"
            }
        ]
    }

For example, the following commands fail while the policy using the endpoint ARN is in effect.

    $ aws dms delete-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"

    A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX

    $ aws dms modify-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"

    A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX

The following policy limits access to a replication task by using the task's ARN.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ "dms:*" ],
                "Effect": "Deny",
                "Resource": "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT"
            }
        ]
    }

For example, the following command fails while the policy using the task ARN is in effect.

    $ aws dms delete-replication-task --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT"

    A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT
Using tags to control access

AWS DMS defines a set of common key-value pairs that can be used in customer-defined policies without any additional tagging requirements. For more information about tagging AWS DMS resources, see Tagging resources in AWS Database Migration Service.

The following standard tags (condition keys) can be used with AWS DMS:

- aws:CurrentTime – Represents the date and time of the request, allowing access to be restricted based on temporal criteria.
- aws:EpochTime – Similar to the aws:CurrentTime tag above, except that the current time is represented as the number of seconds elapsed since the Unix epoch.
- aws:MultiFactorAuthPresent – A Boolean tag that indicates whether the request was signed with multi-factor authentication.
- aws:MultiFactorAuthAge – Provides access to the age of the multi-factor authentication token, in seconds.
- aws:principaltype – Provides access to the type of principal (user, account, federated user, and so on) making the current request.
- aws:SourceIp – Represents the source IP address of the user issuing the request.
- aws:UserAgent – Provides information about the client application that is requesting the resource.
- aws:userid – Provides access to the ID of the user issuing the request.
- aws:username – Provides access to the name of the user issuing the request.
- dms:InstanceClass – Provides access to the compute size of the replication instance host.
- dms:StorageSize – Provides access to the size of the storage volume, in GB.

You can also define your own tags. Customer-defined tags are simple key-value pairs that are persisted in the AWS tagging service. You can add these tags to AWS DMS resources, including replication instances, endpoints, and tasks. The tags are matched by IAM "Condition" statements in policies and are referenced by a specific condition tag. The tag key is prefixed with "dms", the resource type, and "tag". The tag format is as follows.

    dms:{resource type}-tag/{tag key}={tag value}
For example, suppose you want to define a policy that only allows an API call to succeed on a replication instance that carries the tag "stage=production". The following condition statement (using the StringEquals operator) matches a resource that has the specified tag.

    "Condition":
    {
        "StringEquals":
        {
            "dms:rep-tag/stage": "production"
        }
    }

You would add the following tag to a replication instance so that it matches this policy condition.

    Key     Value
    stage   production

In addition to the tags already assigned to AWS DMS resources, policies can also be written to limit the tag keys and values that may be applied to a given resource. In this case, the tag prefix is "req".

For example, the following policy statement limits the tags that a user can assign to a given resource to a specific list of allowed values.

    "Condition":
    {
        "StringEquals":
        {
            "dms:req-tag/stage": [ "production", "development", "testing" ]
        }
    }
The following policy examples limit access to AWS DMS resources based on resource tags.

The following policy limits access to a replication instance where the tag key is "Env" and the tag value is "Desktop":

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ "dms:*" ],
                "Effect": "Deny",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "dms:rep-tag/Env": [ "Desktop" ]
                    }
                }
            }
        ]
    }

The following commands succeed or fail according to the IAM policy that restricts access when the tag key is "Env" and the tag value is "Desktop":

    $ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --endpoint-url http://localhost:8000
    {
        "TagList": [
            {
                "Value": "Desktop",
                "Key": "Env"
            }
        ]
    }

    $ aws dms delete-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN"

    A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

    $ aws dms modify-replication-instance --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN"

    A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

    $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --tags Key=CostCenter,Value=1234

    A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

    $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN --tag-keys Env

    A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

The following policy limits access to an AWS DMS endpoint where the tag key is "Env" and the tag value is "Desktop".

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ "dms:*" ],
                "Effect": "Deny",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "dms:endpoint-tag/Env": [ "Desktop" ]
                    }
                }
            }
        ]
    }

The following commands succeed or fail according to the IAM policy that restricts access when the tag key is "Env" and the tag value is "Desktop":

    $ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
    {
        "TagList": [
            {
                "Value": "Desktop",
                "Key": "Env"
            }
        ]
    }

    $ aws dms delete-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"

    A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

    $ aws dms modify-endpoint --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"

    A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

    $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I --tags Key=CostCenter,Value=1234

    A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

    $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I --tag-keys Env

    A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

The following policy limits access to a replication task where the tag key is "Env" and the tag value is "Desktop".

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ "dms:*" ],
                "Effect": "Deny",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "dms:task-tag/Env": [ "Desktop" ]
                    }
                }
            }
        ]
    }

The following commands succeed or fail according to the IAM policy that restricts access when the tag key is "Env" and the tag value is "Desktop":

    $ aws dms list-tags-for-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
    {
        "TagList": [
            {
                "Value": "Desktop",
                "Key": "Env"
            }
        ]
    }

    $ aws dms delete-replication-task --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3"

    A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3

    $ aws dms add-tags-to-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 --tags Key=CostCenter,Value=1234

    A client error (AccessDeniedException) occurred when calling the AddTagsToResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3

    $ aws dms remove-tags-from-resource --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 --tag-keys Env

    A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
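To see why the ARN-based and tag-based Deny policies above behave as the command transcripts show, the following added example (not AWS code, and far simpler than real IAM) models only the pieces this page relies on: exact or "*" Resource matching, StringEquals conditions, and the dms:{resource type}-tag/ and dms:req-tag/ context keys that IAM derives from a resource's type and tags. The policies and ARNs are copied from the page; the tag sets passed in are constructed, and the authoritative check for a real policy remains `aws iam simulate-custom-policy`.

```python
"""Simplified model of how the Deny policies on this page evaluate.
Added example, not AWS code: it implements only what the page uses (Effect Deny,
exact or "*" Resource match, StringEquals on dms:{rep|endpoint|task}-tag/{key}
and dms:req-tag/{key} keys). Use `aws iam simulate-custom-policy` for real answers."""
import fnmatch

# ARN resource-type segment -> condition-key prefix (the page's dms:{resource type}-tag/ format).
TAG_PREFIX = {"rep": "dms:rep-tag/", "endpoint": "dms:endpoint-tag/", "task": "dms:task-tag/"}

# Policies and ARNs copied from the page's own examples.
ARN_DENY = {"Version": "2012-10-17", "Statement": [{"Action": ["dms:*"], "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"}]}
TAG_DENY = {"Version": "2012-10-17", "Statement": [{"Action": ["dms:*"], "Effect": "Deny",
            "Resource": "*", "Condition": {"StringEquals": {"dms:rep-tag/Env": ["Desktop"]}}}]}
REP = "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN"
ENDPOINT = "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"

def context_keys(resource_arn, resource_tags, request_tags=None):
    """Derive the condition context from the resource's tags and any tags in the request."""
    rtype = resource_arn.split(":")[5]  # arn:aws:dms:<region>:<account>:<type>:<id>
    ctx = {TAG_PREFIX[rtype] + k: v for k, v in resource_tags.items()}
    for k, v in (request_tags or {}).items():  # tags being applied, e.g. by AddTagsToResource
        ctx["dms:req-tag/" + k] = v
    return ctx

def statement_matches(stmt, action, resource_arn, ctx):
    """True when action, resource and every StringEquals condition of the statement match."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):  # "dms:*" style wildcards
        return False
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
        return False
    for key, allowed in stmt.get("Condition", {}).get("StringEquals", {}).items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if ctx.get(key) not in allowed:  # a context key that is absent never matches
            return False
    return True

def is_denied(policy, action, resource_arn, resource_tags, request_tags=None):
    """Explicit-deny check: any matching Deny statement blocks the call."""
    ctx = context_keys(resource_arn, resource_tags, request_tags)
    return any(s["Effect"] == "Deny" and statement_matches(s, action, resource_arn, ctx)
               for s in policy["Statement"])

if __name__ == "__main__":
    # Constructed tag sets: the page's Env=Desktop instance, and the same ARN retagged Env=Prod.
    print(is_denied(TAG_DENY, "dms:DeleteReplicationInstance", REP, {"Env": "Desktop"}))  # True
    print(is_denied(TAG_DENY, "dms:DeleteReplicationInstance", REP, {"Env": "Prod"}))  # False
    print(is_denied(TAG_DENY, "dms:DeleteEndpoint", ENDPOINT, {"Env": "Desktop"}))  # False: key is dms:endpoint-tag/Env
```

The third call is the caveat worth remembering: a Deny conditioned on dms:rep-tag/Env says nothing about endpoints or tasks, even with Resource "*", because their tags surface under dms:endpoint-tag/ and dms:task-tag/ instead.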