Alexa: Does the DynamoDB IAM permission for Alexa also automatically add a bunch of other AWS services?

I just created a new DynamoDB IAM policy for a Lambda. I only added DynamoFullAccessPermission.

However, in Lambda it looks like a lot of other services were added automatically?

Does the DynamoFullAccessPermission IAM policy automatically include these?

Yes, one could look this up oneself, but I'm just learning AWS myself, so I'm curious..

Apparently yes, this role includes a bunch of things from EC2, SNS, etc. Allow excerpt from the AmazonDynamoDBFullAccess IAM role:

{
    "Action": [
        "dynamodb:*",
        "dax:*",
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DeregisterScalableTarget",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricAlarm",
        "datapipeline:ActivatePipeline",
        "datapipeline:CreatePipeline",
        "datapipeline:DeletePipeline",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:PutPipelineDefinition",
        "datapipeline:QueryObjects",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "iam:GetRole",
        "iam:ListRoles",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:SetTopicAttributes",
        "lambda:CreateFunction",
        "lambda:ListFunctions",
        "lambda:ListEventSourceMappings",
        "lambda:CreateEventSourceMapping",
        "lambda:DeleteEventSourceMapping",
        "lambda:GetFunctionConfiguration",
        "lambda:DeleteFunction"
    ],
    "Effect": "Allow",
    "Resource": "*"
}

Looking further, everything beyond Dynamo itself (dynamodb, dax) looks legitimate to me: EC2 is view-only for network/security, SNS is for queueing from/to DynamoDB, etc..
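The practical takeaway from the answer is that a managed "FullAccess" policy grants far more than its name suggests, and that a Lambda which only reads and writes one table does not need any of it. The following Python is an added example, not code from the original post or from AWS: it parses a policy document, groups the allowed actions by service prefix so the surprise services stand out, flags the service-wide wildcard on `Resource: "*"`, and builds a table-scoped replacement. The `MANAGED_POLICY` document is a constructed subset of the Allow list quoted above, the table ARN and account ID are placeholders, and the action set in `table_scoped_policy` is an assumed set of needs, not anything the post specifies.

```python
import json
from collections import defaultdict

# Constructed sample: a subset of the Allow statement quoted in the answer,
# wrapped into a complete policy document so it parses as JSON.
MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "dynamodb:*",
            "dax:*",
            "application-autoscaling:PutScalingPolicy",
            "cloudwatch:PutMetricAlarm",
            "datapipeline:CreatePipeline",
            "ec2:DescribeVpcs",
            "iam:ListRoles",
            "sns:CreateTopic",
            "sns:Subscribe",
            "lambda:CreateFunction",
            "lambda:DeleteFunction",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def services_granted(policy):
    """Group every Allow action by service prefix, e.g. {'sns': {'CreateTopic', 'Subscribe'}}."""
    granted = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            granted[service].add(name)
    return dict(granted)


def outside_scope(policy, expected=("dynamodb", "dax")):
    """Services the policy allows beyond the ones the author meant to grant."""
    return sorted(s for s in services_granted(policy) if s not in expected)


def has_unscoped_wildcard(policy):
    """True if any Allow statement grants a whole service ('svc:*') on Resource '*'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and any(a.endswith(":*") for a in actions):
            return True
    return False


def table_scoped_policy(table_arn, actions=("dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query")):
    """Least-privilege alternative for a Lambda that touches one table (assumed action set)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            # The table plus its secondary indexes, which have their own ARNs.
            "Resource": [table_arn, f"{table_arn}/index/*"],
        }],
    }


if __name__ == "__main__":
    print("services outside dynamodb/dax:", outside_scope(MANAGED_POLICY))
    print("service-wide wildcard on '*':", has_unscoped_wildcard(MANAGED_POLICY))
    # Placeholder ARN: region, account ID and table name are made up.
    scoped = table_scoped_policy("arn:aws:dynamodb:us-east-1:123456789012:table/Orders")
    print(json.dumps(scoped, indent=2))
```

Running it prints the seven non-DynamoDB services the managed policy drags in and a replacement policy whose only resource is the one table; attach the scoped document as an inline policy on the Lambda's execution role instead of the managed one, and widen it only when CloudTrail or the function's own errors show a specific action is missing.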