AWS CloudFormation: Does a CloudWatch Alarm for RDS need an IAM role?
I want to receive a notification e-mail when the free storage space of my RDS instance falls below a threshold (e.g. 2GB).
For that reason I created an alarm from the AWS console that monitors the FreeStorageSpace metric.
Now I want to put this alarm snippet into my existing CloudFormation template so that the alarm is linked to my existing RDS instance. Do I need to create any kind of IAM role for RDS?
Type: AWS::CloudWatch::Alarm
Properties:
  AlarmName: RDS Low Storage Alarm
  AlarmDescription: This alarm is triggered when RDS storage is lower than or equal to 5GB
  ActionsEnabled: true
  OKActions: []
  AlarmActions:
    - arn:aws:sns:ap-northeast-1:1234567890:stg1-init-AlertTopic-1WPRQT95IHBJZ
  InsufficientDataActions: []
  MetricName: FreeStorageSpace
  Namespace: AWS/RDS
  Statistic: Average
  Dimensions:
    - Name: DBInstanceIdentifier
      Value: xxx1blsxxxxel
  Period: 60
  EvaluationPeriods: 1
  DatapointsToAlarm: 1
  Threshold: 5368709120
  ComparisonOperator: LessThanOrEqualToThreshold
  TreatMissingData: missing
I found several articles, such as this, that explain how to create the above alarm, but I did not find anything about the IAM side of it.
Update:
The SNS alert topic I created in the main cfn template has the following access policy by default. Is creating the above alarm alone sufficient in this case?
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:ap-northeast-1:333333333333:stg1-init-AlertTopic-1WPRQT95IHBJZ",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "333333333333"
        }
      }
    }
  ]
}
Do I need to create any kind of IAM role for the RDS?
Not for RDS. But the SNS topic must have a special policy for that. An example is (depending on your setup, maybe the default policy is also sufficient):
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:*"
        }
      }
    }
  ]
}
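As an added example (not the asker's template or the answerer's code), this is how the alarm, the topic and a topic policy scoped to CloudWatch alarms fit together in one CloudFormation template. The `DBInstanceIdentifier` and `AlertEmail` parameters and the resource names are assumptions; the policy uses the `cloudwatch.amazonaws.com` service principal plus the `aws:SourceArn` condition from the answer instead of `Principal: "*"`, and nothing is attached to the RDS instance itself.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DBInstanceIdentifier:   # assumed parameter: identifier of the existing RDS instance
    Type: String
  AlertEmail:             # assumed parameter: address that receives the notification
    Type: String
Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail
  # Only CloudWatch alarms of this account and region may publish to the topic.
  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref AlertTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudWatchAlarmsToPublish
            Effect: Allow
            Principal:
              Service: cloudwatch.amazonaws.com
            Action: sns:Publish
            Resource: !Ref AlertTopic
            Condition:
              ArnLike:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*'
  RDSLowStorageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Free storage on the RDS instance is at or below 5 GiB
      Namespace: AWS/RDS
      MetricName: FreeStorageSpace
      Dimensions:
        - Name: DBInstanceIdentifier
          Value: !Ref DBInstanceIdentifier
      Statistic: Average
      Period: 60
      EvaluationPeriods: 1
      Threshold: 5368709120   # bytes, i.e. 5 GiB, as in the question's snippet
      ComparisonOperator: LessThanOrEqualToThreshold
      TreatMissingData: missing
      AlarmActions:
        - !Ref AlertTopic   # !Ref on an SNS topic yields its ARN
```

The `!Ref AlertTopic` in `AlarmActions` replaces the hard-coded topic ARN from the question, so the alarm and the policy always point at the same topic.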