AWS Service-linked role for DynamoDB tables and global secondary indexes autoscaling

According to the documentation here, DynamoDB auto scaling has a service-linked role - AWSServiceRoleForApplicationAutoScaling_DynamoDBTable. The role permissions policy allows Application Auto Scaling to complete the following actions on all resources:

Action: dynamodb:DescribeTable
Action: dynamodb:UpdateTable
Action: cloudwatch:DeleteAlarms
Action: cloudwatch:DescribeAlarms
Action: cloudwatch:PutMetricAlarm

Which translates to (from here),

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "dynamodb:DescribeTable",
              "dynamodb:UpdateTable",
              "cloudwatch:DeleteAlarms",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

For example, when the policy is used as follows,

  TableLiveProductsReadScalableTarget:
    Type: 'AWS::ApplicationAutoScaling::ScalableTarget'
    Properties:
      MaxCapacity: !Ref TableLiveProductsReadMaxCap
      MinCapacity: !Ref TableLiveProductsReadMinCap
      ResourceId: !Sub "table/${TableLiveProducts}"
      RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable
      ScalableDimension: 'dynamodb:table:ReadCapacityUnits'
      ServiceNamespace: dynamodb

From a security standpoint, is it safe to assume that, because the role can only be assumed by dynamodb.application-autoscaling.amazonaws.com, there is no problem with granting permission to update ALL tables, delete ALL alarms, etc.?

What is the rationale for requesting such wildcard permissions here (and in many AWS-built service-linked roles)?

They are the most generic for your account. So one role covers all of your tables. Since the principal is dynamodb.application-autoscaling.amazonaws.com, no other service or IAM user/role can use these permissions.

You can provide your own role and set it up more granularly. So to restrict the permissions to only one table you could do this:

  MyDynamoDBRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {'Service': ['dynamodb.application-autoscaling.amazonaws.com']}
            Action: ['sts:AssumeRole']
      Path: '/'
      Policies:
        - PolicyName: DynamoDBScaling
          PolicyDocument: !Sub |
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "dynamodb:DescribeTable",
                            "dynamodb:UpdateTable"
                        ],
                        "Resource": "${TableLiveProducts.Arn}"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "cloudwatch:PutMetricAlarm",
                            "cloudwatch:DescribeAlarms",
                            "cloudwatch:DeleteAlarms"
                        ],
                        "Resource": "*"
                    }
                ]
            }

  TableLiveProductsReadScalableTarget:
    Type: 'AWS::ApplicationAutoScaling::ScalableTarget'
    Properties:
      MaxCapacity: !Ref TableLiveProductsReadMaxCap
      MinCapacity: !Ref TableLiveProductsReadMinCap
      ResourceId: !Sub "table/${TableLiveProducts}"
      RoleARN: !GetAtt MyDynamoDBRole.Arn
      ScalableDimension: 'dynamodb:table:ReadCapacityUnits'
      ServiceNamespace: dynamodb
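As an added example (not part of the question or answer above), the following Python script encodes both policy documents discussed here, the service-linked role's wildcard policy and the answer's single-table policy, and checks which actions each grants on Resource "*" and whether a given action on a given table ARN is permitted. The table ARNs are constructed placeholders standing in for `${TableLiveProducts.Arn}`, and the evaluation is deliberately simplified: Allow statements only, no Deny, Condition, NotAction or NotResource handling.

```python
import fnmatch

# Constructed inputs reproducing the two policies discussed above; the
# "${TableLiveProducts.Arn}" substitution is replaced by a placeholder ARN.
TABLE_ARN = "arn:aws:dynamodb:eu-west-1:111122223333:table/LiveProducts"
OTHER_TABLE_ARN = "arn:aws:dynamodb:eu-west-1:111122223333:table/Orders"
DYNAMODB_ACTIONS = ["dynamodb:DescribeTable", "dynamodb:UpdateTable"]
ALARM_ACTIONS = ["cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarms",
                 "cloudwatch:DeleteAlarms"]

# Policy attached to AWSServiceRoleForApplicationAutoScaling_DynamoDBTable.
SERVICE_LINKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": DYNAMODB_ACTIONS + ALARM_ACTIONS, "Resource": "*"}]}

# The custom role's policy from the answer, scoped to a single table.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": DYNAMODB_ACTIONS, "Resource": TABLE_ARN},
    {"Effect": "Allow", "Action": ALARM_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_allows(policy):
    """Return the set of actions some Allow statement grants on Resource "*"."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            found.update(_as_list(stmt["Action"]))
    return found


def allows(policy, action, resource_arn):
    """Simplified evaluation: True if any Allow statement matches the action
    (case-insensitive) and the resource ARN using IAM's * and ? wildcards.
    Deny statements, Condition blocks and NotAction/NotResource are ignored."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    print("scoped policy grants on '*':", sorted(wildcard_allows(SCOPED_POLICY)))
    print("scoped role may update Orders?", allows(SCOPED_POLICY, "dynamodb:UpdateTable", OTHER_TABLE_ARN))
```

Running it shows that only the CloudWatch alarm actions remain on "*" in the scoped policy, while dynamodb:UpdateTable on any table other than LiveProducts is refused.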