3

我想添加仅允许访问 IAM 用户到少数表的策略。

按照这个文件

我的政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:QueryObjects",
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTables",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", //commented real name
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" //commented real name
            ]
        }
    ]
}

结果我收到“未自动处理”消息

在此处输入图像描述

但是当我将资源更改为“*”时 - 一切正常。

那么为什么我不能只对单独的表启用完全读取访问权限呢?

4

1 回答 1

1

该解决方案感谢Deepesh S.(来自亚马逊),如下所列

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceBasedActions",
            "Action": [
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:QueryObjects",
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                 "arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", 
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" 
            ]
        },
        {
            "Sid": "NonResourceBasedActions",
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "datapipeline:ListPipelines",
                "dynamodb:ListTables",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}
于 2016-03-26T06:50:41.097 回答