Skip to main content
Setup and administration
简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。

Connector 的 AWS 权限

贡献者

当BlueXP在AWS中启动Connector实例时、它会向此实例附加一个策略、此策略可为Connector提供管理该AWS帐户中资源和进程的权限。Connector使用这些权限对多个AWS服务进行API调用、包括EC2、S3、CloudFormation、IAM、 密钥管理服务(KMS)等。

IAM策略

下面提供的IAM策略为Connector提供了根据您的AWS区域管理公有 云环境中的资源和流程所需的权限。

请注意以下事项:

选择您所在的区域以查看所需的策略:

标准区域

对于标准区域、权限会分布在两个策略中。由于AWS中受管策略的字符大小上限、因此需要使用两个策略。

第一个策略为以下服务提供权限:

  • Amazon S3 存储分段发现

  • 备份和恢复

  • 分类

  • Cloud Volumes ONTAP

  • 适用于 ONTAP 的 FSX

  • 分层

第二个策略为以下服务提供权限:

  • 边缘缓存

  • Kubernetes

  • 修复

策略1
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeRouteTables",
                "ec2:DescribeImages",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:ModifyVolumeAttribute",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:GetConsoleOutput",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeTags",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:CreatePlacementGroup",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:AssignPrivateIpAddresses",
                "ec2:CreateRoute",
                "ec2:DescribeVpcs",
                "ec2:ReplaceRoute",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteRoute",
                "ec2:DeletePlacementGroup",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeVolumesModifications",
                "ec2:ModifyVolume",
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "cloudformation:DeleteStack",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteInstanceProfile",
                "iam:GetRolePolicy",
                "iam:GetRole",
                "sts:DecodeAuthorizationMessage",
                "sts:AssumeRole",
                "s3:GetBucketTagging",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketVersions",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicy",
                "s3:GetBucketAcl",
                "s3:PutObjectTagging",
                "s3:GetObjectTagging",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutObject",
                "s3:ListAllMyBuckets",
                "s3:GetObject",
                "s3:GetEncryptionConfiguration",
                "kms:List*",
                "kms:ReEncrypt*",
                "kms:Describe*",
                "kms:CreateGrant",
                "fsx:Describe*",
                "fsx:List*",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "cvoServicePolicy"
        },
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeImages",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "kms:List*",
                "kms:Describe*",
                "ec2:DescribeVpcEndpoints",
                "kms:ListAliases",
                "athena:StartQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryExecution",
                "glue:GetDatabase",
                "glue:GetTable",
                "glue:CreateTable",
                "glue:CreateDatabase",
                "glue:GetPartitions",
                "glue:BatchCreatePartition",
                "glue:BatchDeletePartition"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "backupPolicy"
        },
        {
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketAcl",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetObject",
                "s3:PutEncryptionConfiguration",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:DeleteBucket",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectRetention",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:PutObjectVersionTagging",
                "s3:PutObjectRetention",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersionTagging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketVersioning",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutBucketVersioning",
                "s3:BypassGovernanceRetention",
                "s3:PutBucketPolicy",
                "s3:PutBucketOwnershipControls"
            ],
            "Resource": [
                "arn:aws:s3:::netapp-backup-*"
            ],
            "Effect": "Allow",
            "Sid": "backupS3Policy"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:DeleteBucket"
            ],
            "Resource": [
                "arn:aws:s3:::fabric-pool*"
            ],
            "Effect": "Allow",
            "Sid": "fabricPoolS3Policy"
        },
        {
            "Action": [
                "ec2:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "fabricPoolPolicy"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/netapp-adc-manager": "*"
                }
            },
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/WorkingEnvironment": "*"
                }
            },
            "Action": [
                "ec2:StartInstances",
                "ec2:TerminateInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:StopInstances",
                "ec2:DeleteVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/WorkingEnvironment": "*"
                }
            },
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow"
        }
    ]
}
策略2
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeRegions",
                "eks:ListClusters",
                "eks:DescribeCluster",
                "iam:GetInstanceProfile"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "K8sServicePolicy"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudwatch:GetMetricStatistics",
                "cloudformation:ListStacks"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "GFCservicePolicy"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/GFCInstance": "*"
                }
            },
            "Action": [
                "ec2:StartInstances",
                "ec2:TerminateInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "tag:getResources",
                "tag:getTagKeys",
                "tag:getTagValues",
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "tagServicePolicy"
        }
    ]
}
GovCloud (美国)地区
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListInstanceProfiles",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PutRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:DeleteRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "ec2:ModifyVolumeAttribute",
                "sts:DecodeAuthorizationMessage",
                "ec2:DescribeImages",
                "ec2:DescribeRouteTables",
                "ec2:DescribeInstances",
                "iam:PassRole",
                "ec2:DescribeInstanceStatus",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:DeleteVolume",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:StopInstances",
                "ec2:GetConsoleOutput",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketTagging",
                "s3:GetBucketLocation",
                "s3:CreateBucket",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "kms:List*",
                "kms:ReEncrypt*",
                "kms:Describe*",
                "kms:CreateGrant",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeInstanceAttribute",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "fabricPoolPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucket",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:PutBucketPublicAccessBlock"
            ],
            "Resource": [
                "arn:aws-us-gov:s3:::fabric-pool*"
            ]
        },
        {
            "Sid": "backupPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucket",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketTagging",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:PutBucketPublicAccessBlock"
            ],
            "Resource": [
                "arn:aws-us-gov:s3:::netapp-backup-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:TerminateInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/WorkingEnvironment": "*"
                }
            },
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:volume/*"
            ]
        }
    ]
}
秘密区域
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeRouteTables",
                "ec2:DescribeImages",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:ModifyVolumeAttribute",
                "ec2:DeleteVolume",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:GetConsoleOutput",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PutRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:DeleteRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketTagging",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "kms:List*",
                "kms:Describe*",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeInstanceAttribute",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "iam:ListinstanceProfiles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "fabricPoolPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucket",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws-iso-b:s3:::fabric-pool*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/WorkingEnvironment": "*"
                }
            },
            "Resource": [
                "arn:aws-iso-b:ec2:*:*:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws-iso-b:ec2:*:*:volume/*"
            ]
        }
    ]
}
顶级机密区域
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeRouteTables",
                "ec2:DescribeImages",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DescribeVolumes",
                "ec2:ModifyVolumeAttribute",
                "ec2:DeleteVolume",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:GetConsoleOutput",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ValidateTemplate",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:PutRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:DeleteRolePolicy",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketTagging",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "kms:List*",
                "kms:Describe*",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeInstanceAttribute",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "iam:ListinstanceProfiles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "fabricPoolPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucket",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketTagging",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws-iso:s3:::fabric-pool*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/WorkingEnvironment": "*"
                }
            },
            "Resource": [
                "arn:aws-iso:ec2:*:*:instance/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws-iso:ec2:*:*:volume/*"
            ]
        }
    ]
}

如何使用AWS权限

以下各节介绍了如何对每个BlueXP服务使用权限。如果您的公司策略规定仅在需要时提供权限、则此信息会很有用。

适用于 ONTAP 的 Amazon FSX

连接器发出以下API请求来管理Amazon FSx for ONTAP :

  • EC2:Describe实例

  • EC2:Describe实例状态

  • EC2:Describe实例属性

  • EC2:Describe RouteTables

  • EC2:Describe

  • EC2:CreateTags

  • EC2:Describe卷

  • EC2:Describe安全性组

  • EC2:Describe网络接口

  • EC2:Describe子网

  • EC2:Describe

  • EC2:Describe DhcpOptions

  • EC2:Describe Snapshot

  • EC2:Describe KeyPairs

  • EC2:Describe注册

  • EC2:Describe标记

  • EC2:Describe IamInstanceProfileAssociations

  • EC2:Describe保留实例服务

  • EC2:Describe VpcEndpoints

  • EC2:Describe

  • EC2:Describe卷修改

  • EC2:Describe PlacementGroup

  • 公里:列表*

  • 公里:描述*

  • 公里:CreateGrant

  • Kms:ListAliases

  • FSX:描述*

  • FSX:List*

Amazon S3 存储分段发现

Connector会发出以下API请求来发现Amazon S3存储分段:

S3 : GetEncryptionConfiguration

备份和恢复

Connector会发出以下API请求来管理Amazon S3中的备份:

  • S3 : GetBucketLocation

  • S3 : ListAllMy桶

  • S3 : ListBucket

  • S3 : CreateBucket

  • S3 : GetLifeycleConfiguration

  • S3 : PutLifeycleConfiguration

  • S3 : PutBucketTagging

  • S3 : ListBucketVersions

  • S3 : GetBucketAcl

  • S3:PutBucketPublicAccessBlock

  • 公里:列表*

  • 公里:描述*

  • S3 : GetObject

  • EC2:Describe VpcEndpoints

  • Kms:ListAliases

  • S3 : PutEncryptionConfiguration

在使用搜索和还原方法还原卷和文件时、Connector会发出以下API请求:

  • S3 : CreateBucket

  • S3 : DeleteObject

  • S3 : DeleteObjectVersion

  • S3 : GetBucketAcl

  • S3 : ListBucket

  • S3 : ListBucketVersions

  • S3 : ListBucketMultipartUploads

  • S3 : PutObject

  • S3:PutBucketAcl

  • S3 : PutLifeycleConfiguration

  • S3:PutBucketPublicAccessBlock

  • S3 : AbortMultipartUpload

  • S3 : ListMultipartUploadPart

  • Athena:StartQueryExecution

  • Athena:GetQueryResults

  • Athena:GetQueryExecution

  • Athena:StopQueryExecution

  • 胶水:CreateDatabase

  • 胶水:CreateTable

  • 粘附:BatechDelete分区

在对卷备份使用DataLock和勒索软件保护时、Connector会发出以下API请求:

  • S3 : GetObjectVersionTagging

  • S3 : GetBucketObjectLockConfiguration

  • S3:GetObjectVersionAcl

  • S3 : PutObjectTagging

  • S3 : DeleteObject

  • S3 : DeleteObjectTagging

  • S3 : GetObjectRetention

  • S3 : DeleteObjectVersionTagging

  • S3 : PutObject

  • S3 : GetObject

  • S3 : PutBucketObjectLockConfiguration

  • S3 : GetLifeycleConfiguration

  • S3:ListBucketByTags

  • S3 : GetBucketTagging

  • S3 : DeleteObjectVersion

  • S3 : ListBucketVersions

  • S3 : ListBucket

  • S3 : PutBucketTagging

  • S3 : GetObjectTagging

  • S3 : PutBucketVersioning

  • S3 : PutObjectVersionTagging

  • S3 : GetBucketVersioning

  • S3 : GetBucketAcl

  • S3:BypassGovernanceRetention

  • S3 : PutObjectRetention

  • S3 : GetBucketLocation

  • S3 : GetObjectVersion

如果您对Cloud Volumes ONTAP 备份使用的AWS帐户与源卷使用的AWS帐户不同、则Connector会发出以下API请求:

  • S3 : PutBucketPolicy

  • S3:PutBucketOwnershipControls.

分类

Connector发出以下API请求以部署BlueXP分类实例:

  • EC2:Describe实例

  • EC2:Describe实例状态

  • EC2:RunInstances

  • EC2:终端状态

  • EC2:CreateTags

  • EC2:CreateVolume

  • EC2:Attach卷

  • EC2:CreateSecurityGroup

  • EC2:DeleteSecurityGroup

  • EC2:Describe安全性组

  • EC2:CreateNetworkInterface

  • EC2:Describe网络接口

  • EC2:DeleteNetworkInterface

  • EC2:Describe子网

  • EC2:Describe

  • EC2:CreateSnapshot

  • EC2:Describe注册

  • CloudFormation:CreateStack

  • CloudFormation:DeleteStack

  • CloudFormation:Describe堆栈

  • CloudFormation:Describe StackEvents

  • IAM:AddRoleToInstanceProfile

  • EC2:AssociateIamInstanceProfile

  • EC2:Describe IamInstanceProfileAssociations

使用BlueXP分类时、Connector会发出以下API请求来扫描S3分段:

  • IAM:AddRoleToInstanceProfile

  • EC2:AssociateIamInstanceProfile

  • EC2:Describe IamInstanceProfileAssociations

  • S3 : GetBucketTagging

  • S3 : GetBucketLocation

  • S3 : ListAllMy桶

  • S3 : ListBucket

  • S3:GetBucketPolicyStatus

  • S3 : GetBucketPolicy

  • S3 : GetBucketAcl

  • S3 : GetObject

  • IAM:GetRole

  • S3 : DeleteObject

  • S3 : DeleteObjectVersion

  • S3 : PutObject

  • STS:AssumeRole

Cloud Volumes ONTAP

Connector会发出以下API请求、以便在AWS中部署和管理Cloud Volumes ONTAP。

目的 Action 用于部署? 用于日常操作? 用于删除?

创建和管理Cloud Volumes ONTAP 实例的IAM角色和实例配置文件

IAM:ListInstanceProfile

是的。

是的。

IAM:CreateRole

是的。

IAM:DeleteRole

是的。

是的。

IAM:PutRolePolicy

是的。

IAM:CreateInstanceProfile

是的。

IAM:DeleteRolePolicy

是的。

是的。

IAM:AddRoleToInstanceProfile

是的。

IAM:RemoveRoleFromInstanceProfile

是的。

是的。

IAM:DeleteInstanceProfile

是的。

是的。

IAM:PassRole

是的。

EC2:AssociateIamInstanceProfile

是的。

是的。

EC2:Describe IamInstanceProfileAssociations

是的。

是的。

EC2:DisassociateIamInstanceProfile

是的。

对授权状态消息进行解码

STS:DecodeAuthorizationMessage

是的。

是的。

描述可供帐户使用的指定映像(AMI)

EC2:Describe

是的。

是的。

描述VPC中的路由表(仅HA对需要)

EC2:Describe RouteTables

是的。

停止、启动和监控实例

EC2:StartInstances

是的。

是的。

EC2:StopInstances

是的。

是的。

EC2:Describe实例

是的。

是的。

EC2:Describe实例状态

是的。

是的。

EC2:RunInstances

是的。

EC2:终端状态

是的。

EC2:ModifyInstance属性

是的。

验证是否已为支持的实例类型启用增强型网络连接

EC2:Describe实例属性

是的。

使用"WorkingEnvironment"和"WorkingEnvironmentId"标记标记资源、用于维护和成本分配

EC2:CreateTags

是的。

是的。

管理Cloud Volumes ONTAP 用作后端存储的EBS卷

EC2:CreateVolume

是的。

是的。

EC2:Describe卷

是的。

是的。

是的。

EC2:ModifyVolumeAttribute

是的。

是的。

EC2:Attach卷

是的。

是的。

EC2:DeleteVolume

是的。

是的。

EC2:分离卷

是的。

是的。

创建和管理Cloud Volumes ONTAP 的安全组

EC2:CreateSecurityGroup

是的。

EC2:DeleteSecurityGroup

是的。

是的。

EC2:Describe安全性组

是的。

是的。

是的。

EC2:RevokeSecurityGroupEgress

是的。

EC2:AuthorizeSecurityGroupEgress

是的。

EC2:AuthorizeSecurityGroupIngress

是的。

EC2:RevokeSecurityGroupIngress

是的。

是的。

在目标子网中为Cloud Volumes ONTAP 创建和管理网络接口

EC2:CreateNetworkInterface

是的。

EC2:Describe网络接口

是的。

是的。

EC2:DeleteNetworkInterface

是的。

是的。

EC2:ModifyNetworkInterfaceAttribute

是的。

获取目标子网和安全组的列表

EC2:Describe子网

是的。

是的。

EC2:Describe

是的。

是的。

获取DNS服务器和Cloud Volumes ONTAP 实例的默认域名

EC2:Describe DhcpOptions

是的。

为Cloud Volumes ONTAP 的EBS卷创建快照

EC2:CreateSnapshot

是的。

是的。

EC2:DeleteSnapshot

是的。

是的。

EC2:Describe Snapshot

是的。

捕获附加到AutoSupport 消息的Cloud Volumes ONTAP 控制台

EC2:GetConsoleOutput

是的。

是的。

获取可用密钥对的列表

EC2:Describe KeyPairs

是的。

获取可用AWS区域的列表

EC2:Describe注册

是的。

是的。

管理与Cloud Volumes ONTAP 实例关联的资源的标记

EC2:DeleteTags

是的。

是的。

EC2:Describe标记

是的。

为AWS CloudFormation模板创建和管理堆栈

CloudFormation:CreateStack

是的。

CloudFormation:DeleteStack

是的。

CloudFormation:Describe堆栈

是的。

是的。

CloudFormation:Describe StackEvents

是的。

CloudFormation:验证模板

是的。

创建和管理Cloud Volumes ONTAP 系统用作数据分层容量层的S3存储分段

S3 : CreateBucket

是的。

是的。

S3 : DeleteBucket

是的。

是的。

S3 : GetLifeycleConfiguration

是的。

S3 : PutLifeycleConfiguration

是的。

S3 : PutBucketTagging

是的。

S3 : ListBucketVersions

是的。

S3:GetBucketPolicyStatus

是的。

S3:GetBucketPublicAccessBlock

是的。

S3 : GetBucketAcl

是的。

S3 : GetBucketPolicy

是的。

S3:PutBucketPublicAccessBlock

是的。

S3 : GetBucketTagging

是的。

S3 : GetBucketLocation

是的。

S3 : ListAllMy桶

S3 : ListBucket

是的。

使用AWS密钥管理服务(KMS)对Cloud Volumes ONTAP 启用数据加密

公里:列表*

是的。

是的。

kms:重新加密*

是的。

公里:描述*

是的。

是的。

公里:CreateGrant

是的。

是的。

Kms:GenerateDataKeyWithoutPlaintext

是的。

是的。

在一个AWS可用性区域中为两个HA节点和调解器创建和管理一个AWS分布式放置组

EC2:CreatePlacementGroup

是的。

EC2:DeletePlacementGroup

是的。

是的。

创建报告

FSX:描述*

是的。

FSX:List*

是的。

创建和管理支持Amazon EBS弹性卷功能的聚合

EC2:Describe卷修改

是的。

EC2:ModifyVolume

是的。

边缘缓存

Connector会发出以下API请求、以便在部署期间部署BlueXP边缘缓存实例:

  • CloudFormation:Describe堆栈

  • CloudWatch:GetMetricStatistics

  • CloudFormation:ListStack

Kubernetes

Connector会发出以下API请求来发现和管理Amazon EKS集群:

  • EC2:Describe注册

  • EKS:ListClusters

  • EKS:Describe集群

  • IAM:GetInstanceProfile

修复

使用BlueXP修复时、Connector会发出以下API请求来管理AWS资源上的标记:

  • EC2:CreateTags

  • EC2:DeleteTags

  • EC2:Describe标记

  • 标记:getResources

  • 标记:getTag密钥

  • 标记:getTagValues

  • 标记:标记资源

  • 标记:未标记资源

更改日志

添加和删除权限后、我们将在以下各节中记录这些权限。

2024年3月8日

连接器策略现在包括以下权限:

EC2:特性可用性区域

即将发布的版本需要此权限。发行说明发布后、我们将更新发行说明以提供更多详细信息。

2023年6月6日

现在、Cloud Volumes ONTAP需要以下权限:

Kms:GenerateDataKeyWithoutPlaintext

2023年2月14日

现在、BlueXP层需要以下权限:

EC2:Describe VpcEndpoints