本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用基于身份的策略(IAM 策略) AWS Snowball Edge
本主题提供了基于身份的策略的示例,这些示例演示了账户管理员如何向 IAM 身份(即,用户、组和角色)附加权限策略。因此,这些策略授予对中的 AWS Snowball Edge 资源执行操作的权限 AWS 云。
**重要**
我们建议您首先阅读以下介绍性主题,这些主题讲解了管理 AWS Snowball Edge 资源访问的基本概念和选项。有关更多信息,请参阅 [管理资源访问权限的概述,请参阅 AWS 云](authentication-and-access-control.md#access-control-overview)。
本主题的各个部分涵盖以下内容:
+ [使用 AWS Snowball Edge 控制台所需的权限](#additional-console-required-permissions)
+ [AWS-托管(预定义)策略 AWS Snowball Edge](authentication-and-access-control.md#access-policy-examples-aws-managed)
+ [客户托管策略示例](access-policy-examples-for-sdk-cli.md)
下面介绍权限策略示例。
------
#### [ JSON ]
****
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"snowball:*",
"importexport:*"
],
"Resource": "*"
}
]
}
```
------
该策略包含两条语句:
+ 第一个语句为使用 `arn:aws:s3:::*` 的 *Amazon 资源名称(ARN)*的所有 Amazon S3 存储桶授予执行三个 Amazon S3 操作(`s3:GetBucketLocation`、`s3:GetObject` 和 `s3:ListBucket`)的权限。ARN 使用了通配符(\$1),以便用户可以选择从任意或全部 Amazon S3 存储桶导出数据。
+ 第二条语句授予所有 AWS Snowball Edge 操作的权限。由于这些操作不支持资源级权限,该策略采用了通配符(\$1),且 `Resource` 值也采用了通配符。
该策略不指定 `Principal` 元素,因为在基于身份的策略中,您未指定获取权限的主体。附加了策略的用户是隐式主体。向 IAM 角色附加权限策略后,该角色的信任策略中标识的主体将获取权限。
有关显示所有 AWS Snowball Edge 任务管理 API 操作及其适用的资源的表格,请参阅[AWS Snowball Edge API 权限:操作、资源和条件参考](access-policy-examples-for-sdk-cli.md#snowball-api-permissions-ref)。
## 使用 AWS Snowball Edge 控制台所需的权限
权限参考表列出了 AWS Snowball Edge 任务管理 API 操作并显示了每个操作所需的权限。有关作业管理 API 操作的更多信息,请参阅 [AWS Snowball Edge API 权限:操作、资源和条件参考](access-policy-examples-for-sdk-cli.md#snowball-api-permissions-ref)。
要使用 AWS Snow 系列管理控制台,您需要授予其他操作的权限,如以下权限策略所示:
------
#### [ JSON ]
****
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": "arn:aws:lambda:*::function:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:Encrypt",
"kms:RetireGrant",
"kms:ListKeys",
"kms:DescribeKey",
"kms:ListAliases"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/snowball*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "importexport.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:ModifyImageAttribute"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"greengrass:getServiceRoleForAccount"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"snowball:*"
],
"Resource": [
"*"
]
}
]
}
```
------
------
#### [ JSON ]
****
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": "arn:aws:lambda:::function:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "arn:aws:lambda:::*"
},
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/snowball*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "importexport.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:ModifyImageAttribute"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"greengrass:getServiceRoleForAccount"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"snowball:*"
],
"Resource": [
"*"
]
}
]
}
```
------
出于以下原因, AWS Snowball Edge 控制台需要这些额外权限:
+ `ec2:`— 它们允许用户描述 EC2与 Amazon 兼容的实例,并出于本地计算目的修改其属性。有关更多信息,请参阅 [在 Snowball EC2 Edge 上使用与亚马逊兼容的计算实例](using-ec2.md)。
+ `kms:`:有了这些权限,用户可以创建或选择可加密数据的 KMS 密钥。有关更多信息,请参阅 [AWS Key Management Service in AWS Snowball Edge](data-protection.md#kms)。
+ `iam:`— 它们允许用户创建或选择一个 IAM 角色 ARN,该角色 AWS Snowball Edge 将假定访问与创建和处理工作相关的 AWS 资源。
+ `sns:`:有了这些权限,用户可以为其创建的作业创建或选择 Amazon SNS 通知。有关更多信息,请参阅 [Snowball Edge 的通知](notifications.md)。