

This page is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.

# Fine-grained access control using resource names and tags
<a name="CHAP_Security.FineGrainedAccess"></a>

You can manage access to your AWS DMS resources by using resource names based on Amazon Resource Names (ARNs) and by using resource tags. You do this by defining allowed actions, or by including condition statements, in IAM policies.

## Using resource names to control access
<a name="CHAP_Security.FineGrainedAccess.ResourceName"></a>

You can create an IAM user account and assign a policy based on the ARN of an AWS DMS resource.

The following policy denies access to the AWS DMS replication instance with the ARN *arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV*:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:{{111122223333}}:rep:DOH67ZTOXGLIXMIHKITV"
        }
    ]
}
```

For example, the following commands fail when the policy is in effect.

```
$ aws dms delete-replication-instance 
   --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"

A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV

$ aws dms modify-replication-instance 
   --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV"

A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:DOH67ZTOXGLIXMIHKITV
```

You can also specify IAM policies that limit access to AWS DMS endpoints and replication tasks.

The following policy limits access to an AWS DMS endpoint by using the endpoint's ARN.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:{{111122223333}}:endpoint:D6E37YBXTNHOA6XRQSZCUGX"
        }
    ]
}
```

For example, the following commands fail when the policy using the endpoint ARN is in effect.

```
$ aws dms delete-endpoint 
   --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"

A client error (AccessDeniedException) occurred when calling the DeleteEndpoint operation: 
User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteEndpoint 
on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX

$ aws dms modify-endpoint 
   --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX"     

A client error (AccessDeniedException) occurred when calling the ModifyEndpoint operation: 
User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:ModifyEndpoint 
on resource: arn:aws:dms:us-east-1:152683116:endpoint:D6E37YBXTNHOA6XRQSZCUGX
```

The following policy limits access to an AWS DMS task by using the task's ARN.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "arn:aws:dms:us-east-1:{{111122223333}}:task:UO3YR4N47DXH3ATT4YMWOIT"
        }
    ]
}
```

For example, the following command fails when the policy using the task ARN is in effect.

```
$ aws dms delete-replication-task 
   --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT"

A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask operation: 
User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: dms:DeleteReplicationTask 
on resource: arn:aws:dms:us-east-1:152683116:task:UO3YR4N47DXH3ATT4YMWOIT
```

## Using tags to control access
<a name="CHAP_Security.FineGrainedAccess.Tags"></a>

AWS DMS defines a set of common key/value pairs that are available for use in customer-defined policies without any additional tagging requirements. For more information about tagging AWS DMS resources, see [Tagging resources in AWS Database Migration Service](CHAP_Tagging.md).

The following lists the standard tags that can be used with AWS DMS:
+  aws:CurrentTime – Represents the request date and time, allowing access to be restricted based on temporal criteria.
+  aws:EpochTime – This tag is similar to the aws:CurrentTime tag above, except that the current time is represented as the number of seconds elapsed since the Unix epoch.
+  aws:MultiFactorAuthPresent – This is a Boolean tag that indicates whether the request was signed using multi-factor authentication.
+  aws:MultiFactorAuthAge – Gives access to the age, in seconds, of the multi-factor authentication token.
+  aws:principaltype – Gives access to the type of principal (user, account, federated user, and so on) for the current request.
+  aws:SourceIp – Represents the source IP address of the user issuing the request.
+  aws:UserAgent – Provides information about the client application requesting the resource.
+  aws:userid – Gives access to the ID of the user issuing the request.
+  aws:username – Gives access to the name of the user issuing the request.
+  dms:InstanceClass – Gives access to the compute size of the replication instance host.
+  dms:StorageSize – Gives access to the storage volume size, in GB.

You can also define your own tags. Customer-defined tags are simple key/value pairs that are persisted in the AWS tagging service. You can add these tags to AWS DMS resources, including replication instances, endpoints, and tasks. These tags are matched by using IAM "Condition" statements in policies and are referenced through a specific condition tag. The tag key is prefixed with "dms", the resource type, and the "tag" prefix. The tag format is shown following.

```
dms:{resource type}-tag/{tag key}={tag value}
```

For example, suppose you want to define a policy that allows API calls to succeed only for replication instances that carry the tag "stage=production". The following condition statement matches a resource with the given tag.

```
"Condition":
{
    "StringEquals":
        {
            "dms:rep-tag/stage": "production"
        }
}
```

You would add the following tag to a replication instance so that it matches this policy condition.

```
stage production
```

In addition to tags already assigned to AWS DMS resources, policies can also be written to limit the tag keys and values that can be applied to a given resource. In this case, the tag prefix is "req".

For example, the following policy statement limits the tags that a user can assign to a given resource to a specific list of allowed values.

```
"Condition":
{
    "StringEquals":
        {
            "dms:req-tag/stage": [ "production", "development", "testing" ]
        }
}
```
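To make the matching concrete, here is an added Python evaluator (not AWS's IAM engine and not code from this guide) that derives the `dms:{resource type}-tag/{key}` and `dms:req-tag/{key}` condition keys from a resource's ARN and tags and checks whether a Deny statement in the shape of this page's ARN-based and tag-based policies applies to a request. It models only Deny statements with `StringEquals` conditions, approximates IAM wildcards with `fnmatch`, and uses the placeholder account id 111122223333.

```python
import fnmatch

# Constructed policies in the shape this page uses; 111122223333 is a placeholder account id.
DENY_BY_ARN = {"Version": "2012-10-17", "Statement": [
    {"Action": ["dms:*"], "Effect": "Deny",
     "Resource": "arn:aws:dms:us-east-1:111122223333:rep:DOH67ZTOXGLIXMIHKITV"}]}
DENY_BY_TAG = {"Version": "2012-10-17", "Statement": [
    {"Action": ["dms:*"], "Effect": "Deny", "Resource": "*",
     "Condition": {"StringEquals": {"dms:rep-tag/Env": ["Desktop"]}}}]}


def resource_type(arn):
    """Return the DMS resource type segment of an ARN: rep, endpoint or task."""
    return arn.split(":")[5]


def request_context(arn, resource_tags, requested_tags=None):
    """Build the condition keys described above: dms:{type}-tag/{key} for tags
    already on the resource, dms:req-tag/{key} for tags the request tries to apply."""
    ctx = {f"dms:{resource_type(arn)}-tag/{k}": v for k, v in resource_tags.items()}
    for k, v in (requested_tags or {}).items():
        ctx[f"dms:req-tag/{k}"] = v
    return ctx


def condition_matches(condition, ctx):
    """StringEquals only: each key must be present and equal one of the listed values.
    A missing key makes StringEquals false, so untagged resources never match."""
    for op, pairs in condition.items():
        if op != "StringEquals":
            raise ValueError(f"operator {op} is not modelled here")
        for key, allowed in pairs.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            if ctx.get(key) not in values:
                return False
    return True


def is_denied(policy, action, arn, resource_tags, requested_tags=None):
    """True when some Deny statement matches Action, Resource and Condition together."""
    ctx = request_context(arn, resource_tags, requested_tags)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and fnmatch.fnmatchcase(arn, st["Resource"])
                and condition_matches(st.get("Condition", {}), ctx)):
            return True
    return False
```

Note that the tag-based Deny keyed on `dms:rep-tag/Env` does not touch an endpoint carrying the same tag, because an endpoint's tags surface under `dms:endpoint-tag/...` instead.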

The following policy examples limit access to AWS DMS resources based on resource tags.

The following policy limits access to replication instances where the tag value is "Desktop" and the tag key is "Env":

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dms:rep-tag/Env": [
                        "Desktop"
                    ]
                }
            }
        }
    ]
}
```

The following commands succeed or fail based on the IAM policy that restricts access where the tag value is "Desktop" and the tag key is "Env":

```
$ aws dms list-tags-for-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN 
   --endpoint-url http://localhost:8000                                   
{
    "TagList": [
        {
            "Value": "Desktop", 
            "Key": "Env"
        }
    ]
}

$ aws dms delete-replication-instance 
   --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN"
A client error (AccessDeniedException) occurred when calling the DeleteReplicationInstance 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:DeleteReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

$ aws dms modify-replication-instance 
   --replication-instance-arn "arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN" 

A client error (AccessDeniedException) occurred when calling the ModifyReplicationInstance 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:ModifyReplicationInstance on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

$ aws dms add-tags-to-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN 
   --tags Key=CostCenter,Value=1234 

A client error (AccessDeniedException) occurred when calling the AddTagsToResource 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN

$ aws dms remove-tags-from-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN 
   --tag-keys Env             

A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:rep:46DHOU7JOJYOJXWDOZNFEN
```

The following policy limits access to AWS DMS endpoints where the tag value is "Desktop" and the tag key is "Env".

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dms:endpoint-tag/Env": [
                        "Desktop"
                    ]
                }
            }
        }
    ]
}
```

The following commands succeed or fail based on the IAM policy that restricts access where the tag value is "Desktop" and the tag key is "Env":

```
$ aws dms list-tags-for-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
{
    "TagList": [
        {
            "Value": "Desktop", 
            "Key": "Env"
        }
    ]
}

$ aws dms delete-endpoint 
   --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"

A client error (AccessDeniedException) occurred when calling the DeleteEndpoint 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:DeleteEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

$ aws dms modify-endpoint 
   --endpoint-arn "arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I"    

A client error (AccessDeniedException) occurred when calling the ModifyEndpoint 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:ModifyEndpoint on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

$ aws dms add-tags-to-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I 
   --tags Key=CostCenter,Value=1234

A client error (AccessDeniedException) occurred when calling the AddTagsToResource 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I

$ aws dms remove-tags-from-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I 
   --tag-keys Env

A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:endpoint:J2YCZPNGOLFY52344IZWA6I
```

The following policy limits access to replication tasks where the tag value is "Desktop" and the tag key is "Env".

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dms:*"
            ],
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dms:task-tag/Env": [
                        "Desktop"
                    ]
                }
            }
        }
    ]
}
```

The following commands succeed or fail based on the IAM policy that restricts access where the tag value is "Desktop" and the tag key is "Env":

```
$ aws dms list-tags-for-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
{
    "TagList": [
        {
            "Value": "Desktop", 
            "Key": "Env"
        }
    ]
}

$ aws dms delete-replication-task 
   --replication-task-arn "arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3"

A client error (AccessDeniedException) occurred when calling the DeleteReplicationTask 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:DeleteReplicationTask on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3

$ aws dms add-tags-to-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 
   --tags Key=CostCenter,Value=1234

A client error (AccessDeniedException) occurred when calling the AddTagsToResource 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:AddTagsToResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3

$ aws dms remove-tags-from-resource 
   --resource-name arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3 
   --tag-keys Env

A client error (AccessDeniedException) occurred when calling the RemoveTagsFromResource 
operation: User: arn:aws:iam::152683116:user/dmstestusr is not authorized to perform: 
dms:RemoveTagsFromResource on resource: arn:aws:dms:us-east-1:152683116:task:RB7N24J2XBUPS3RFABZTG3
```