I want to create an AWS Lambda function that exposes a public API used only to read from an AWS RDS DB instance. When I go to create the Lambda function, it asks me for a permission role. Since I am concerned about this, I want to give the code a very strict permission that only allows reading from the DB instance.
I found this website, which lists some managed policies. In it I can find this:
"AmazonRDSReadOnlyAccess": {
    "Arn": "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
    "AttachmentCount": 0,
    "CreateDate": "2015-02-06T18:40:53+00:00",
    "DefaultVersionId": "v1",
    "Document": {
        "Statement": [
            {
                "Action": [
                    "rds:Describe*",
                    "rds:ListTagsForResource",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeVpcs"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cloudwatch:GetMetricStatistics"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "2012-10-17"
    },
    "IsAttachable": true,
    "IsDefaultVersion": true,
    "Path": "/",
    "PolicyId": "ANPAJKTTTYV2IIHKLZ346",
    "PolicyName": "AmazonRDSReadOnlyAccess",
    "UpdateDate": "2015-02-06T18:40:53+00:00",
    "VersionId": "v1"
},
When I go to create a new custom role, I can see the default policy document. I can see that it basically contains {"Statement", "Version" and "Resource"}:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        }
    ]
}
This fits the "Document" block of AmazonRDSReadOnlyAccess very well, so I think I need to copy and paste it in there to get RDS read-only permission. So I would need to put the following into the custom role's policy document:
{
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
Is this what I have to do? Am I right?
Does it allow the Lambda function to read only from a certain RDS DB instance? Is there a simpler way?
I ask because I saw the policy templates under "Create new role from template(s)", but I could not find anything related to this goal.
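The following is an added example, not code from the question above. It takes the AmazonRDSReadOnlyAccess document quoted in the question as constructed input and checks what it actually grants: every action in it is an `rds:Describe*`-style control-plane call that lists instances and their metadata; none of them is a data-plane action, so the policy neither allows nor restricts reads of the rows inside the database. Reading data happens over a database connection, authorised either by credentials the function fetches (for example from Secrets Manager) or by IAM database authentication, where the execution role needs `rds-db:connect` on one specific `dbuser` ARN. The example builds an execution-role policy along those lines and lints both documents for the "wildcard action on Resource '*'" pattern. The region, account id, DB resource id (`db-ABCDEFGHIJKL`), DB user name and secret ARN are hypothetical placeholders, and the matcher is a simplified allow-only model (no Deny, no Condition keys).

```python
"""Least-privilege check for a Lambda-to-RDS execution role.

Added example, not code from the original question. All ARNs, the region,
account id, DB resource id, DB user and secret ARN are hypothetical.
"""
import fnmatch
import json

# The managed policy document quoted in the question, embedded as constructed input.
AMAZON_RDS_READ_ONLY_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rds:Describe*", "rds:ListTagsForResource",
                    "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudwatch:GetMetricStatistics"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_pairs(policy):
    """All (action pattern, resource pattern) pairs from Allow statements."""
    pairs = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for res in _as_list(st.get("Resource", [])):
                pairs.append((action, res))
    return pairs


def allows(policy, action, resource):
    """True if some Allow statement matches the action on the resource.

    Simplified model: wildcard matching only, no Deny statements, no Conditions.
    """
    return any(fnmatch.fnmatchcase(action, a) and fnmatch.fnmatchcase(resource, r)
               for a, r in allowed_pairs(policy))


def lint(policy):
    """Return action patterns that pair a wildcard with Resource '*': the
    least-privilege smell a reviewer flags first."""
    findings = []
    for st in policy["Statement"]:
        resources = _as_list(st.get("Resource", []))
        for action in _as_list(st.get("Action", [])):
            if "*" in action and "*" in resources:
                findings.append(action)
    return findings


def lambda_rds_reader_policy(region, account, db_resource_id, db_user, secret_arn=None):
    """Execution-role policy for a Lambda that reads from one RDS instance.

    IAM does not govern SQL-level reads; the grants of the DB user do. IAM
    only has to let the function (1) write its logs, (2) attach to the VPC
    the instance lives in, and (3) obtain credentials: an IAM auth token for
    one DB user on one instance (rds-db:connect), or one Secrets Manager
    secret when password authentication is used.
    """
    statements = [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{region}:{account}:*"},  # scoped to this account/region
        {"Sid": "VpcEni", "Effect": "Allow",
         # Needed for a VPC-attached Lambda; EC2 Describe* actions take no resource ARN.
         "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface"],
         "Resource": "*"},
        {"Sid": "DbConnect", "Effect": "Allow",
         "Action": "rds-db:connect",  # IAM database authentication, one user on one instance
         "Resource": f"arn:aws:rds-db:{region}:{account}:dbuser:{db_resource_id}/{db_user}"},
    ]
    if secret_arn:  # hypothetical: password auth with the secret fetched at runtime
        statements.append({"Sid": "ReadDbSecret", "Effect": "Allow",
                           "Action": "secretsmanager:GetSecretValue",
                           "Resource": secret_arn})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    policy = lambda_rds_reader_policy("eu-west-1", "123456789012", "db-ABCDEFGHIJKL", "reader")
    print(json.dumps(policy, indent=2))
    target = "arn:aws:rds-db:eu-west-1:123456789012:dbuser:db-ABCDEFGHIJKL/reader"
    print("managed policy grants rds-db:connect:", allows(AMAZON_RDS_READ_ONLY_ACCESS, "rds-db:connect", target))
    print("managed policy lint findings:", lint(AMAZON_RDS_READ_ONLY_ACCESS))
```

The `Resource: "*"` on the ENI statement is kept deliberately and commented, so the lint passes the scoped policy while still flagging `rds:Describe*` on `*` in the managed document; the point is that the managed policy is about describing instances, not about the database contents, and that the data-plane grant (`rds-db:connect` or the secret) can be pinned to one instance and one user.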