Connector 的 AWS 权限
建议更改
PDF
当BlueXP在AWS中启动Connector实例时、它会向此实例附加一个策略、此策略可为Connector提供管理该AWS帐户中资源和进程的权限。Connector使用这些权限对多个AWS服务进行API调用、包括EC2、S3、CloudFormation、IAM、 密钥管理服务(KMS)等。
IAM策略
下面提供的IAM策略为Connector提供了根据您的AWS区域管理公有 云环境中的资源和流程所需的权限。
请注意以下事项:
-
如果您直接从BlueXP在标准AWS区域中创建Connector、则BlueXP会自动将策略应用到Connector。
-
如果您从AWS Marketplace部署Connector、在Linux主机上手动安装Connector或要向BlueXP添加其他AWS凭据、则需要自行设置策略。
-
无论哪种情况、您都需要确保在后续版本中添加新权限时策略是最新的。如果需要新的权限、这些权限将在发行说明中列出。
-
如果需要、您可以使用IAM来限制IAM策略
ConditionElement。 "AWS文档:条件元素" -
要查看使用这些策略的分步说明、请参见以下页面:
选择您所在的区域以查看所需的策略:
标准区域
对于标准区域、权限会分布在两个策略中。由于AWS中受管策略的字符大小上限、因此需要使用两个策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:CreatePlacementGroup",
"ec2:DescribeReservedInstancesOfferings",
"ec2:AssignPrivateIpAddresses",
"ec2:CreateRoute",
"ec2:DescribeVpcs",
"ec2:ReplaceRoute",
"ec2:UnassignPrivateIpAddresses",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteRoute",
"ec2:DeletePlacementGroup",
"ec2:DescribePlacementGroups",
"ec2:DescribeVolumesModifications",
"ec2:ModifyVolume",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"cloudformation:DeleteStack",
"iam:PassRole",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:ListInstanceProfiles",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteInstanceProfile",
"iam:GetRolePolicy",
"iam:GetRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRole",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicy",
"s3:GetBucketAcl",
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:GetEncryptionConfiguration",
"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",
"fsx:Describe*",
"fsx:List*",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "cvoServicePolicy"
},
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSecurityGroup",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"kms:List*",
"kms:Describe*",
"ec2:DescribeVpcEndpoints",
"kms:ListAliases",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryExecution",
"glue:GetDatabase",
"glue:GetTable",
"glue:CreateTable",
"glue:CreateDatabase",
"glue:GetPartitions",
"glue:BatchCreatePartition",
"glue:BatchDeletePartition"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "backupPolicy"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketAcl",
"s3:PutBucketPublicAccessBlock",
"s3:GetObject",
"s3:PutEncryptionConfiguration",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteBucket",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:PutObjectVersionTagging",
"s3:PutObjectRetention",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketVersioning",
"s3:BypassGovernanceRetention",
"s3:PutBucketPolicy",
"s3:PutBucketOwnershipControls"
],
"Resource": [
"arn:aws:s3:::netapp-backup-*"
],
"Effect": "Allow",
"Sid": "backupS3Policy"
},
{
"Action": [
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::fabric-pool*"
],
"Effect": "Allow",
"Sid": "fabricPoolS3Policy"
},
{
"Action": [
"ec2:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "fabricPoolPolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/netapp-adc-manager": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"tag:getResources",
"tag:getTagKeys",
"tag:getTagValues",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "tagServicePolicy"
}
]
}GovCloud (美国)地区
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"ec2:ModifyVolumeAttribute",
"sts:DecodeAuthorizationMessage",
"ec2:DescribeImages",
"ec2:DescribeRouteTables",
"ec2:DescribeInstances",
"iam:PassRole",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:StopInstances",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:CreateBucket",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::fabric-pool*"
]
},
{
"Sid": "backupPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::netapp-backup-*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-us-gov:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-us-gov:ec2:*:*:volume/*"
]
}
]
}秘密区域
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"kms:List*",
"kms:Describe*",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListinstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso-b:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso-b:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso-b:ec2:*:*:volume/*"
]
}
]
}顶级机密区域
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"kms:List*",
"kms:Describe*",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListinstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso:ec2:*:*:volume/*"
]
}
]
}如何使用AWS权限
以下各节介绍了如何对每个BlueXP服务使用权限。如果您的公司策略规定仅在需要时提供权限、则此信息会很有用。
适用于 ONTAP 的 Amazon FSX
连接器发出以下API请求来管理Amazon FSx for ONTAP文件系统:
-
EC2:Describe实例
-
EC2:Describe实例状态
-
EC2:Describe实例属性
-
EC2:Describe RouteTables
-
EC2:Describe
-
EC2:CreateTags
-
EC2:Describe卷
-
EC2:Describe安全性组
-
EC2:Describe网络接口
-
EC2:Describe子网
-
EC2:Describe
-
EC2:Describe DhcpOptions
-
EC2:Describe Snapshot
-
EC2:Describe KeyPairs
-
EC2:Describe注册
-
EC2:Describe标记
-
EC2:Describe IamInstanceProfileAssociations
-
EC2:Describe保留实例服务
-
EC2:Describe VpcEndpoints
-
EC2:Describe
-
EC2:Describe卷修改
-
EC2:Describe PlacementGroup
-
公里:列表*
-
公里:描述*
-
公里:CreateGrant
-
Kms:ListAliases
-
FSX:描述*
-
FSX:List*
Amazon S3 存储分段发现
Connector会发出以下API请求来发现Amazon S3存储分段:
S3 : GetEncryptionConfiguration
备份和恢复
Connector会发出以下API请求来管理Amazon S3中的备份:
-
S3 : GetBucketLocation
-
S3 : ListAllMy桶
-
S3 : ListBucket
-
S3 : CreateBucket
-
S3 : GetLifeycleConfiguration
-
S3 : PutLifeycleConfiguration
-
S3 : PutBucketTagging
-
S3 : ListBucketVersions
-
S3 : GetBucketAcl
-
S3:PutBucketPublicAccessBlock
-
公里:列表*
-
公里:描述*
-
S3 : GetObject
-
EC2:Describe VpcEndpoints
-
Kms:ListAliases
-
S3 : PutEncryptionConfiguration
在使用搜索和还原方法还原卷和文件时、Connector会发出以下API请求:
-
S3 : CreateBucket
-
S3 : DeleteObject
-
S3 : DeleteObjectVersion
-
S3 : GetBucketAcl
-
S3 : ListBucket
-
S3 : ListBucketVersions
-
S3 : ListBucketMultipartUploads
-
S3 : PutObject
-
S3:PutBucketAcl
-
S3 : PutLifeycleConfiguration
-
S3:PutBucketPublicAccessBlock
-
S3 : AbortMultipartUpload
-
S3 : ListMultipartUploadPart
-
Athena:StartQueryExecution
-
Athena:GetQueryResults
-
Athena:GetQueryExecution
-
Athena:StopQueryExecution
-
胶水:CreateDatabase
-
胶水:CreateTable
-
粘附:BatechDelete分区
在对卷备份使用DataLock和勒索软件保护时、Connector会发出以下API请求:
-
S3 : GetObjectVersionTagging
-
S3 : GetBucketObjectLockConfiguration
-
S3:GetObjectVersionAcl
-
S3 : PutObjectTagging
-
S3 : DeleteObject
-
S3 : DeleteObjectTagging
-
S3 : GetObjectRetention
-
S3 : DeleteObjectVersionTagging
-
S3 : PutObject
-
S3 : GetObject
-
S3 : PutBucketObjectLockConfiguration
-
S3 : GetLifeycleConfiguration
-
S3:ListBucketByTags
-
S3 : GetBucketTagging
-
S3 : DeleteObjectVersion
-
S3 : ListBucketVersions
-
S3 : ListBucket
-
S3 : PutBucketTagging
-
S3 : GetObjectTagging
-
S3 : PutBucketVersioning
-
S3 : PutObjectVersionTagging
-
S3 : GetBucketVersioning
-
S3 : GetBucketAcl
-
S3:BypassGovernanceRetention
-
S3 : PutObjectRetention
-
S3 : GetBucketLocation
-
S3 : GetObjectVersion
如果您对Cloud Volumes ONTAP 备份使用的AWS帐户与源卷使用的AWS帐户不同、则Connector会发出以下API请求:
-
S3 : PutBucketPolicy
-
S3:PutBucketOwnershipControls.
分类
Connector发出以下API请求以部署BlueXP分类实例:
-
EC2:Describe实例
-
EC2:Describe实例状态
-
EC2:RunInstances
-
EC2:终端状态
-
EC2:CreateTags
-
EC2:CreateVolume
-
EC2:Attach卷
-
EC2:CreateSecurityGroup
-
EC2:DeleteSecurityGroup
-
EC2:Describe安全性组
-
EC2:CreateNetworkInterface
-
EC2:Describe网络接口
-
EC2:DeleteNetworkInterface
-
EC2:Describe子网
-
EC2:Describe
-
EC2:CreateSnapshot
-
EC2:Describe注册
-
CloudFormation:CreateStack
-
CloudFormation:DeleteStack
-
CloudFormation:Describe堆栈
-
CloudFormation:Describe StackEvents
-
IAM:AddRoleToInstanceProfile
-
EC2:AssociateIamInstanceProfile
-
EC2:Describe IamInstanceProfileAssociations
使用BlueXP分类时、Connector会发出以下API请求来扫描S3分段:
-
IAM:AddRoleToInstanceProfile
-
EC2:AssociateIamInstanceProfile
-
EC2:Describe IamInstanceProfileAssociations
-
S3 : GetBucketTagging
-
S3 : GetBucketLocation
-
S3 : ListAllMy桶
-
S3 : ListBucket
-
S3:GetBucketPolicyStatus
-
S3 : GetBucketPolicy
-
S3 : GetBucketAcl
-
S3 : GetObject
-
IAM:GetRole
-
S3 : DeleteObject
-
S3 : DeleteObjectVersion
-
S3 : PutObject
-
STS:AssumeRole
Cloud Volumes ONTAP
Connector会发出以下API请求、以便在AWS中部署和管理Cloud Volumes ONTAP。
| 目的 | Action | 用于部署? | 用于日常操作? | 用于删除? |
|---|---|---|---|---|
创建和管理Cloud Volumes ONTAP 实例的IAM角色和实例配置文件 |
IAM:ListInstanceProfile |
是的。 |
是的。 |
否 |
IAM:CreateRole |
是的。 |
否 |
否 |
|
IAM:DeleteRole |
否 |
是的。 |
是的。 |
|
IAM:PutRolePolicy |
是的。 |
否 |
否 |
|
IAM:CreateInstanceProfile |
是的。 |
否 |
否 |
|
IAM:DeleteRolePolicy |
否 |
是的。 |
是的。 |
|
IAM:AddRoleToInstanceProfile |
是的。 |
否 |
否 |
|
IAM:RemoveRoleFromInstanceProfile |
否 |
是的。 |
是的。 |
|
IAM:DeleteInstanceProfile |
否 |
是的。 |
是的。 |
|
IAM:PassRole |
是的。 |
否 |
否 |
|
EC2:AssociateIamInstanceProfile |
是的。 |
是的。 |
否 |
|
EC2:Describe IamInstanceProfileAssociations |
是的。 |
是的。 |
否 |
|
EC2:DisassociateIamInstanceProfile |
否 |
是的。 |
否 |
|
对授权状态消息进行解码 |
STS:DecodeAuthorizationMessage |
是的。 |
是的。 |
否 |
描述可供帐户使用的指定映像(AMI) |
EC2:Describe |
是的。 |
是的。 |
否 |
描述VPC中的路由表(仅HA对需要) |
EC2:Describe RouteTables |
是的。 |
否 |
否 |
停止、启动和监控实例 |
EC2:StartInstances |
是的。 |
是的。 |
否 |
EC2:StopInstances |
是的。 |
是的。 |
否 |
|
EC2:Describe实例 |
是的。 |
是的。 |
否 |
|
EC2:Describe实例状态 |
是的。 |
是的。 |
否 |
|
EC2:RunInstances |
是的。 |
否 |
否 |
|
EC2:终端状态 |
否 |
否 |
是的。 |
|
EC2:ModifyInstance属性 |
否 |
是的。 |
否 |
|
验证是否已为支持的实例类型启用增强型网络连接 |
EC2:Describe实例属性 |
否 |
是的。 |
否 |
使用"WorkingEnvironment"和"WorkingEnvironmentId"标记标记资源、用于维护和成本分配 |
EC2:CreateTags |
是的。 |
是的。 |
否 |
管理Cloud Volumes ONTAP 用作后端存储的EBS卷 |
EC2:CreateVolume |
是的。 |
是的。 |
否 |
EC2:Describe卷 |
是的。 |
是的。 |
是的。 |
|
EC2:ModifyVolumeAttribute |
否 |
是的。 |
是的。 |
|
EC2:Attach卷 |
是的。 |
是的。 |
否 |
|
EC2:DeleteVolume |
否 |
是的。 |
是的。 |
|
EC2:分离卷 |
否 |
是的。 |
是的。 |
|
创建和管理Cloud Volumes ONTAP 的安全组 |
EC2:CreateSecurityGroup |
是的。 |
否 |
否 |
EC2:DeleteSecurityGroup |
否 |
是的。 |
是的。 |
|
EC2:Describe安全性组 |
是的。 |
是的。 |
是的。 |
|
EC2:RevokeSecurityGroupEgress |
是的。 |
否 |
否 |
|
EC2:AuthorizeSecurityGroupEgress |
是的。 |
否 |
否 |
|
EC2:AuthorizeSecurityGroupIngress |
是的。 |
否 |
否 |
|
EC2:RevokeSecurityGroupIngress |
是的。 |
是的。 |
否 |
|
在目标子网中为Cloud Volumes ONTAP 创建和管理网络接口 |
EC2:CreateNetworkInterface |
是的。 |
否 |
否 |
EC2:Describe网络接口 |
是的。 |
是的。 |
否 |
|
EC2:DeleteNetworkInterface |
否 |
是的。 |
是的。 |
|
EC2:ModifyNetworkInterfaceAttribute |
否 |
是的。 |
否 |
|
获取目标子网和安全组的列表 |
EC2:Describe子网 |
是的。 |
是的。 |
否 |
EC2:Describe |
是的。 |
是的。 |
否 |
|
获取DNS服务器和Cloud Volumes ONTAP 实例的默认域名 |
EC2:Describe DhcpOptions |
是的。 |
否 |
否 |
为Cloud Volumes ONTAP 的EBS卷创建快照 |
EC2:CreateSnapshot |
是的。 |
是的。 |
否 |
EC2:DeleteSnapshot |
否 |
是的。 |
是的。 |
|
EC2:Describe Snapshot |
否 |
是的。 |
否 |
|
捕获附加到AutoSupport 消息的Cloud Volumes ONTAP 控制台 |
EC2:GetConsoleOutput |
是的。 |
是的。 |
否 |
获取可用密钥对的列表 |
EC2:Describe KeyPairs |
是的。 |
否 |
否 |
获取可用AWS区域的列表 |
EC2:Describe注册 |
是的。 |
是的。 |
否 |
管理与Cloud Volumes ONTAP 实例关联的资源的标记 |
EC2:DeleteTags |
否 |
是的。 |
是的。 |
EC2:Describe标记 |
否 |
是的。 |
否 |
|
为AWS CloudFormation模板创建和管理堆栈 |
CloudFormation:CreateStack |
是的。 |
否 |
否 |
CloudFormation:DeleteStack |
是的。 |
否 |
否 |
|
CloudFormation:Describe堆栈 |
是的。 |
是的。 |
否 |
|
CloudFormation:Describe StackEvents |
是的。 |
否 |
否 |
|
CloudFormation:验证模板 |
是的。 |
否 |
否 |
|
创建和管理Cloud Volumes ONTAP 系统用作数据分层容量层的S3存储分段 |
S3 : CreateBucket |
是的。 |
是的。 |
否 |
S3 : DeleteBucket |
否 |
是的。 |
是的。 |
|
S3 : GetLifeycleConfiguration |
否 |
是的。 |
否 |
|
S3 : PutLifeycleConfiguration |
否 |
是的。 |
否 |
|
S3 : PutBucketTagging |
否 |
是的。 |
否 |
|
S3 : ListBucketVersions |
否 |
是的。 |
否 |
|
S3:GetBucketPolicyStatus |
否 |
是的。 |
否 |
|
S3:GetBucketPublicAccessBlock |
否 |
是的。 |
否 |
|
S3 : GetBucketAcl |
否 |
是的。 |
否 |
|
S3 : GetBucketPolicy |
否 |
是的。 |
否 |
|
S3:PutBucketPublicAccessBlock |
否 |
是的。 |
否 |
|
S3 : GetBucketTagging |
否 |
是的。 |
否 |
|
S3 : GetBucketLocation |
否 |
是的。 |
否 |
|
S3 : ListAllMy桶 |
否 |
否 |
否 |
|
S3 : ListBucket |
否 |
是的。 |
否 |
|
使用AWS密钥管理服务(KMS)对Cloud Volumes ONTAP 启用数据加密 |
公里:列表* |
是的。 |
是的。 |
否 |
kms:重新加密* |
是的。 |
否 |
否 |
|
公里:描述* |
是的。 |
是的。 |
否 |
|
公里:CreateGrant |
是的。 |
是的。 |
否 |
|
Kms:GenerateDataKeyWithoutPlaintext |
是的。 |
是的。 |
否 |
|
在一个AWS可用性区域中为两个HA节点和调解器创建和管理一个AWS分布式放置组 |
EC2:CreatePlacementGroup |
是的。 |
否 |
否 |
EC2:DeletePlacementGroup |
否 |
是的。 |
是的。 |
|
创建报告 |
FSX:描述* |
否 |
是的。 |
否 |
FSX:List* |
否 |
是的。 |
否 |
|
创建和管理支持Amazon EBS弹性卷功能的聚合 |
EC2:Describe卷修改 |
否 |
是的。 |
否 |
EC2:ModifyVolume |
否 |
是的。 |
否 |
|
检查可用性区域是否为AWS本地区域、并验证所有部署参数是否兼容 |
EC2:特性可用性区域 |
是的。 |
否 |
是的。 |
更改日志
添加和删除权限后、我们将在以下各节中记录这些权限。
2024年9月9日
已从标准区域的策略2中删除权限、因为BlueXP 不再支持BlueXP 边缘缓存以及Kubnetes集群的发现和管理。
查看已从策略中删除的权限
{
"Action": [
"ec2:DescribeRegions",
"eks:ListClusters",
"eks:DescribeCluster",
"iam:GetInstanceProfile"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "K8sServicePolicy"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudwatch:GetMetricStatistics",
"cloudformation:ListStacks"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "GFCservicePolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/GFCInstance": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},2024年5月9日
现在、Cloud Volumes ONTAP需要以下权限:
EC2:特性可用性区域
2023年6月6日
现在、Cloud Volumes ONTAP需要以下权限:
Kms:GenerateDataKeyWithoutPlaintext
2023年2月14日
现在、BlueXP层需要以下权限:
EC2:Describe VpcEndpoints