我可以根据资源或条件限制 CloudWatch 操作吗?
Can I restrict CloudWatch Actions based on Resource or Condition?
我正在尝试将 CloudWatch 操作限制为特定 VPC 或资源。我可以这样做吗?以下是政策
{
"Sid": "AllowCloudWatchActions",
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
我可以为此指定任何条件吗?
CloudWatch 没有任何资源级权限。引用 AWS 文档:
CloudWatch doesn't have any specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions.
来源:http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html
因此无法创建将数据限制为来自特定资源(VPC 等)的指标的策略
"Conditions" 通常不适用于所请求的数据或资源(即您的指标)。相反,"Condition" 适用于请求的来源,例如 VPC 或 IP 地址。
根据 AWS doco,条件键可用于限制对 CloudWatch 命名空间的访问。
https://docs.amazonaws.cn/en_us/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html
实际上,我向 AWS 提交了一张票以限制获取 CloudWatch 指标,并得到确认说它适用于 PutMetricData 但不适用于 GetMetricData。
我正在尝试将 CloudWatch 操作限制为特定 VPC 或资源。我可以这样做吗?以下是政策
{
"Sid": "AllowCloudWatchActions",
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics"
],
"Resource": "*"
}
我可以为此指定任何条件吗?
CloudWatch 没有任何资源级权限。引用 AWS 文档:
CloudWatch doesn't have any specific resources for you to control access to. Therefore, there are no CloudWatch ARNs for you to use in an IAM policy. You use * as the resource when writing a policy to control access to CloudWatch actions.
来源:http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html
因此无法创建将数据限制为来自特定资源(VPC 等)的指标的策略
"Conditions" 通常不适用于所请求的数据或资源(即您的指标)。相反,"Condition" 适用于请求的来源,例如 VPC 或 IP 地址。
根据 AWS doco,条件键可用于限制对 CloudWatch 命名空间的访问。 https://docs.amazonaws.cn/en_us/AmazonCloudWatch/latest/monitoring/iam-cw-condition-keys-namespace.html
实际上,我向 AWS 提交了一张票以限制获取 CloudWatch 指标,并得到确认说它适用于 PutMetricData 但不适用于 GetMetricData。