AWS permissions for the NetApp Console agent
When NetApp Console launches a Console agent in AWS, it attaches a policy to the agent that gives it permission to manage resources and processes within that AWS account. The agent uses these permissions to make API calls to several AWS services, including EC2, S3, CloudFormation, IAM, the Key Management Service (KMS), and others.
IAM policies
The IAM policies provided below give the Console agent the permissions it needs to manage resources and processes within your public cloud environment, depending on your AWS region.
Note the following:
- If you create the Console agent directly from the Console in a standard AWS region, the Console automatically applies the policy to the agent.
- If you deploy the agent from the AWS Marketplace, install it manually on a Linux host, or want to add additional AWS credentials to the Console, you need to set up the policy yourself.
- In either case, you need to make sure the policy is up to date, because new permissions are added in subsequent releases. If new permissions are required, they are listed in the release notes.
- If needed, you can restrict the IAM policy by using the IAM `Condition` element. See "AWS documentation: Condition element".
- To view step-by-step instructions for using these policies, see the following pages:
Select your region to view the required policies:
Standard regions
For standard regions, the permissions are spread across two policies. Two policies are required because of the maximum character size limit for managed policies in AWS.
Policy #1
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:CreatePlacementGroup",
"ec2:DescribeReservedInstancesOfferings",
"ec2:AssignPrivateIpAddresses",
"ec2:CreateRoute",
"ec2:DescribeVpcs",
"ec2:ReplaceRoute",
"ec2:UnassignPrivateIpAddresses",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteRoute",
"ec2:DeletePlacementGroup",
"ec2:DescribePlacementGroups",
"ec2:DescribeVolumesModifications",
"ec2:ModifyVolume",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStacks",
"cloudformation:ValidateTemplate",
"cloudformation:DeleteStack",
"iam:PassRole",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:ListInstanceProfiles",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteInstanceProfile",
"iam:GetRolePolicy",
"iam:GetRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRole",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicy",
"s3:GetBucketAcl",
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:GetEncryptionConfiguration",
"kms:ReEncrypt*",
"kms:CreateGrant",
"fsx:Describe*",
"fsx:List*",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "cvoServicePolicy"
},
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSecurityGroup",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"ec2:DescribeVpcEndpoints",
"kms:ListAliases",
"glue:GetDatabase",
"glue:GetTable",
"glue:GetPartitions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "backupPolicy"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketAcl",
"s3:PutBucketPublicAccessBlock",
"s3:GetObject",
"s3:PutEncryptionConfiguration",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteBucket",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:PutObjectVersionTagging",
"s3:PutObjectRetention",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketVersioning",
"s3:BypassGovernanceRetention",
"s3:PutBucketPolicy",
"s3:PutBucketOwnershipControls"
],
"Resource": [
"arn:aws:s3:::netapp-backup-*"
],
"Effect": "Allow",
"Sid": "backupS3Policy"
},
{
"Action": [
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::fabric-pool*"
],
"Effect": "Allow",
"Sid": "fabricPoolS3Policy"
},
{
"Action": [
"ec2:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "fabricPoolPolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/netapp-adc-manager": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
}
]
}
Policy #2
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"tag:getResources",
"tag:getTagKeys",
"tag:getTagValues",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "tagServicePolicy"
}
]
}
GovCloud (US) regions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"ec2:ModifyVolumeAttribute",
"sts:DecodeAuthorizationMessage",
"ec2:DescribeImages",
"ec2:DescribeRouteTables",
"ec2:DescribeInstances",
"iam:PassRole",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:StopInstances",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStacks",
"cloudformation:ValidateTemplate",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:CreateBucket",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"kms:ReEncrypt*",
"kms:CreateGrant",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::fabric-pool*"
]
},
{
"Sid": "backupPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::netapp-backup-*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-us-gov:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-us-gov:ec2:*:*:volume/*"
]
}
]
}
Secret regions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStacks",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListInstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso-b:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso-b:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso-b:ec2:*:*:volume/*"
]
}
]
}
Top Secret regions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStacks",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListInstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso:ec2:*:*:volume/*"
]
}
]
}
How the AWS permissions are used
The following sections describe how the permissions are used by each NetApp Console management or data service. This information can be helpful if your corporate policies dictate that permissions are only provided as needed.
Amazon FSx for ONTAP
The Console agent makes the following API requests to manage Amazon FSx for ONTAP file systems:
- ec2:DescribeInstances
- ec2:DescribeInstanceStatus
- ec2:DescribeInstanceAttribute
- ec2:DescribeRouteTables
- ec2:DescribeImages
- ec2:CreateTags
- ec2:DescribeVolumes
- ec2:DescribeSecurityGroups
- ec2:DescribeNetworkInterfaces
- ec2:DescribeSubnets
- ec2:DescribeVpcs
- ec2:DescribeDhcpOptions
- ec2:DescribeSnapshots
- ec2:DescribeKeyPairs
- ec2:DescribeRegions
- ec2:DescribeTags
- ec2:DescribeIamInstanceProfileAssociations
- ec2:DescribeReservedInstancesOfferings
- ec2:DescribeVpcEndpoints
- ec2:DescribeVpcs
- ec2:DescribeVolumesModifications
- ec2:DescribePlacementGroups
- kms:CreateGrant
- kms:ListAliases
- fsx:Describe*
- fsx:List*
Amazon S3 bucket discovery
The Console agent makes the following API request to discover Amazon S3 buckets:
s3:GetEncryptionConfiguration
NetApp Backup and Recovery
The agent makes the following API requests to manage backups in Amazon S3:
- s3:GetBucketLocation
- s3:ListAllMyBuckets
- s3:ListBucket
- s3:CreateBucket
- s3:GetLifecycleConfiguration
- s3:PutLifecycleConfiguration
- s3:PutBucketTagging
- s3:ListBucketVersions
- s3:GetBucketAcl
- s3:PutBucketPublicAccessBlock
- s3:GetObject
- ec2:DescribeVpcEndpoints
- kms:ListAliases
- s3:PutEncryptionConfiguration
The agent makes the following API requests when you use the Search & Restore method to restore volumes and files:
- s3:CreateBucket
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:GetBucketAcl
- s3:ListBucket
- s3:ListBucketVersions
- s3:ListBucketMultipartUploads
- s3:PutObject
- s3:PutBucketAcl
- s3:PutLifecycleConfiguration
- s3:PutBucketPublicAccessBlock
- s3:AbortMultipartUpload
- s3:ListMultipartUploadParts
The agent makes the following API requests when you use DataLock and NetApp Ransomware Resilience for volume backups:
- s3:GetObjectVersionTagging
- s3:GetBucketObjectLockConfiguration
- s3:GetObjectVersionAcl
- s3:PutObjectTagging
- s3:DeleteObject
- s3:DeleteObjectTagging
- s3:GetObjectRetention
- s3:DeleteObjectVersionTagging
- s3:PutObject
- s3:GetObject
- s3:PutBucketObjectLockConfiguration
- s3:GetLifecycleConfiguration
- s3:ListBucketByTags
- s3:GetBucketTagging
- s3:DeleteObjectVersion
- s3:ListBucketVersions
- s3:ListBucket
- s3:PutBucketTagging
- s3:GetObjectTagging
- s3:PutBucketVersioning
- s3:PutObjectVersionTagging
- s3:GetBucketVersioning
- s3:GetBucketAcl
- s3:BypassGovernanceRetention
- s3:PutObjectRetention
- s3:GetBucketLocation
- s3:GetObjectVersion
The agent makes the following API requests if you use a different AWS account for your Cloud Volumes ONTAP backups than you use for the source volumes:
- s3:PutBucketPolicy
- s3:PutBucketOwnershipControls
Legacy permissions for Backup and Recovery
The following permissions are required only if you enabled the legacy indexing feature before the release of indexing version v2:
- kms:List*
- kms:Describe*
- athena:StartQueryExecution
- athena:GetQueryResults
- athena:GetQueryExecution
- athena:StopQueryExecution
- glue:CreateDatabase
- glue:CreateTable
- glue:BatchDeletePartition
NetApp Data Classification
The agent makes the following API requests to deploy NetApp Data Classification:
- ec2:DescribeInstances
- ec2:DescribeInstanceStatus
- ec2:RunInstances
- ec2:TerminateInstances
- ec2:CreateTags
- ec2:CreateVolume
- ec2:AttachVolume
- ec2:CreateSecurityGroup
- ec2:DeleteSecurityGroup
- ec2:DescribeSecurityGroups
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:DescribeSubnets
- ec2:DescribeVpcs
- ec2:CreateSnapshot
- ec2:DescribeRegions
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:ListStacks
- iam:AddRoleToInstanceProfile
- ec2:AssociateIamInstanceProfile
- ec2:DescribeIamInstanceProfileAssociations
The agent makes the following API requests to scan S3 buckets when you use NetApp Data Classification:
- iam:AddRoleToInstanceProfile
- ec2:AssociateIamInstanceProfile
- ec2:DescribeIamInstanceProfileAssociations
- s3:GetBucketTagging
- s3:GetBucketLocation
- s3:ListAllMyBuckets
- s3:ListBucket
- s3:GetBucketPolicyStatus
- s3:GetBucketPolicy
- s3:GetBucketAcl
- s3:GetObject
- iam:GetRole
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:PutObject
- sts:AssumeRole
Cloud Volumes ONTAP
The agent makes the following API requests to deploy and manage Cloud Volumes ONTAP in AWS.
| Purpose | Action | Used for deployment? | Used for daily operations? | Used for deletion? |
|---|---|---|---|---|
| Create and manage IAM roles and instance profiles for Cloud Volumes ONTAP instances | iam:ListInstanceProfiles | Yes | Yes | No |
| | iam:CreateRole | Yes | No | No |
| | iam:DeleteRole | No | Yes | Yes |
| | iam:PutRolePolicy | Yes | No | No |
| | iam:CreateInstanceProfile | Yes | No | No |
| | iam:DeleteRolePolicy | No | Yes | Yes |
| | iam:AddRoleToInstanceProfile | Yes | No | No |
| | iam:RemoveRoleFromInstanceProfile | No | Yes | Yes |
| | iam:DeleteInstanceProfile | No | Yes | Yes |
| | iam:PassRole | Yes | No | No |
| | ec2:AssociateIamInstanceProfile | Yes | Yes | No |
| | ec2:DescribeIamInstanceProfileAssociations | Yes | Yes | No |
| | ec2:DisassociateIamInstanceProfile | No | Yes | No |
| Decode authorization status messages | sts:DecodeAuthorizationMessage | Yes | Yes | No |
| Describe the specified images (AMIs) available to the account | ec2:DescribeImages | Yes | Yes | No |
| Describe the route tables in a VPC (required for HA pairs only) | ec2:DescribeRouteTables | Yes | No | No |
| Stop, start, and monitor instances | ec2:StartInstances | Yes | Yes | No |
| | ec2:StopInstances | Yes | Yes | No |
| | ec2:DescribeInstances | Yes | Yes | No |
| | ec2:DescribeInstanceStatus | Yes | Yes | No |
| | ec2:RunInstances | Yes | No | No |
| | ec2:TerminateInstances | No | No | Yes |
| | ec2:ModifyInstanceAttribute | No | Yes | No |
| Verify that enhanced networking is enabled for supported instance types | ec2:DescribeInstanceAttribute | No | Yes | No |
| Tag resources with the "WorkingEnvironment" and "WorkingEnvironmentId" tags, which are used for maintenance and cost allocation | ec2:CreateTags | Yes | Yes | No |
| Manage the EBS volumes that Cloud Volumes ONTAP uses as back-end storage | ec2:CreateVolume | Yes | Yes | No |
| | ec2:DescribeVolumes | Yes | Yes | Yes |
| | ec2:ModifyVolumeAttribute | No | Yes | Yes |
| | ec2:AttachVolume | Yes | Yes | No |
| | ec2:DeleteVolume | No | Yes | Yes |
| | ec2:DetachVolume | No | Yes | Yes |
| Create and manage security groups for Cloud Volumes ONTAP | ec2:CreateSecurityGroup | Yes | No | No |
| | ec2:DeleteSecurityGroup | No | Yes | Yes |
| | ec2:DescribeSecurityGroups | Yes | Yes | Yes |
| | ec2:RevokeSecurityGroupEgress | Yes | No | No |
| | ec2:AuthorizeSecurityGroupEgress | Yes | No | No |
| | ec2:AuthorizeSecurityGroupIngress | Yes | No | No |
| | ec2:RevokeSecurityGroupIngress | Yes | Yes | No |
| Create and manage network interfaces for Cloud Volumes ONTAP in the target subnet | ec2:CreateNetworkInterface | Yes | No | No |
| | ec2:DescribeNetworkInterfaces | Yes | Yes | No |
| | ec2:DeleteNetworkInterface | No | Yes | Yes |
| | ec2:ModifyNetworkInterfaceAttribute | No | Yes | No |
| Get the list of target subnets and security groups | ec2:DescribeSubnets | Yes | Yes | No |
| | ec2:DescribeVpcs | Yes | Yes | No |
| Get the DNS servers and default domain name for Cloud Volumes ONTAP instances | ec2:DescribeDhcpOptions | Yes | No | No |
| Take snapshots of EBS volumes for Cloud Volumes ONTAP | ec2:CreateSnapshot | Yes | Yes | No |
| | ec2:DeleteSnapshot | No | Yes | Yes |
| | ec2:DescribeSnapshots | No | Yes | No |
| Capture the Cloud Volumes ONTAP console output, which is attached to AutoSupport messages | ec2:GetConsoleOutput | Yes | Yes | No |
| Get the list of available key pairs | ec2:DescribeKeyPairs | Yes | No | No |
| Get the list of available AWS regions | ec2:DescribeRegions | Yes | Yes | No |
| Manage tags for resources associated with Cloud Volumes ONTAP instances | ec2:DeleteTags | No | Yes | Yes |
| | ec2:DescribeTags | No | Yes | No |
| Create and manage stacks for AWS CloudFormation templates | cloudformation:CreateStack | Yes | No | No |
| | cloudformation:DeleteStack | Yes | No | No |
| | cloudformation:DescribeStacks | Yes | Yes | No |
| | cloudformation:DescribeStackEvents | Yes | No | No |
| | cloudformation:ValidateTemplate | Yes | No | No |
| Create and manage the S3 buckets that a Cloud Volumes ONTAP system uses as a capacity tier for data tiering | s3:CreateBucket | Yes | Yes | No |
| | s3:DeleteBucket | No | Yes | Yes |
| | s3:GetLifecycleConfiguration | No | Yes | No |
| | s3:PutLifecycleConfiguration | No | Yes | No |
| | s3:PutBucketTagging | No | Yes | No |
| | s3:ListBucketVersions | No | Yes | No |
| | s3:GetBucketPolicyStatus | No | Yes | No |
| | s3:GetBucketPublicAccessBlock | No | Yes | No |
| | s3:GetBucketAcl | No | Yes | No |
| | s3:GetBucketPolicy | No | Yes | No |
| | s3:PutBucketPublicAccessBlock | No | Yes | No |
| | s3:GetBucketTagging | No | Yes | No |
| | s3:GetBucketLocation | No | Yes | No |
| | s3:ListAllMyBuckets | No | No | No |
| | s3:ListBucket | No | Yes | No |
| Enable data encryption of Cloud Volumes ONTAP using the AWS Key Management Service (KMS) | kms:ReEncrypt* | Yes | No | No |
| | kms:CreateGrant | Yes | Yes | No |
| | kms:GenerateDataKeyWithoutPlaintext | Yes | Yes | No |
| Create and manage an AWS spread placement group for two HA nodes and the mediator in a single AWS Availability Zone | ec2:CreatePlacementGroup | Yes | No | No |
| | ec2:DeletePlacementGroup | No | Yes | Yes |
| Create reports | fsx:Describe* | No | Yes | No |
| | fsx:List* | No | Yes | No |
| Create and manage aggregates that support the Amazon EBS Elastic Volumes feature | ec2:DescribeVolumesModifications | No | Yes | No |
| | ec2:ModifyVolume | No | Yes | No |
| Check whether the Availability Zone is an AWS Local Zone and verify that all deployment parameters are compatible | ec2:DescribeAvailabilityZones | Yes | No | Yes |
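The note above about keeping the policy current, and the per-service lists in this section, both come down to one question: does the policy attached to the agent's credentials actually grant every action the service will call, and how broadly? As an added example (not NetApp's code), the Python check below takes a policy document in the shape shown on this page and reports, for a list of required actions, which are granted unconditionally, which only through a Resource- or Condition-scoped statement (as with the `netapp-backup-*` and WorkingEnvironment-tagged statements), and which are missing altogether. The policy excerpt and the required-action list are constructed for the example and are not the full policies from this page.

```python
import fnmatch
from typing import Dict, List, Set

# Constructed excerpt in the same shape as the standard-region policy above:
# a Resource "*" statement, an ARN-scoped S3 statement and a tag-conditioned one.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "cvoServicePolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "kms:ReEncrypt*", "fsx:Describe*"]},
        {"Sid": "backupS3Policy", "Effect": "Allow",
         "Resource": ["arn:aws:s3:::netapp-backup-*"],
         "Action": ["s3:PutObjectRetention", "s3:BypassGovernanceRetention"]},
        {"Effect": "Allow",
         "Condition": {"StringLike": {"ec2:ResourceTag/WorkingEnvironment": "*"}},
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"]},
    ],
}

# Constructed list of actions to verify: a few taken from the per-service
# lists above, plus one (ec2:DescribeAvailabilityZones) the excerpt omits.
REQUIRED = ["ec2:DescribeInstances", "kms:ReEncryptFrom", "fsx:DescribeFileSystems",
            "s3:PutObjectRetention", "ec2:TerminateInstances",
            "ec2:DescribeAvailabilityZones"]


def _as_list(value) -> List[str]:
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive; '*' matches any characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_coverage(policy: dict, required: List[str]) -> Dict[str, object]:
    """Classify each required action as unscoped, scoped, or missing.

    unscoped: granted by an Allow statement with Resource "*" and no Condition
    scoped:   granted only by a statement narrowed by a Resource ARN or Condition
    missing:  granted by no Allow statement, so the agent's call would be denied
    """
    unscoped: Set[str] = set()
    scoped: Dict[str, str] = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        narrowed = "Condition" in stmt or _as_list(stmt.get("Resource", [])) != ["*"]
        patterns = _as_list(stmt["Action"])
        for action in required:
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if narrowed:
                scoped.setdefault(action, stmt.get("Sid", "<no Sid>"))
            else:
                unscoped.add(action)
    # A broad grant wins over a narrowed one for the same action.
    scoped = {a: sid for a, sid in scoped.items() if a not in unscoped}
    missing = sorted(a for a in required if a not in unscoped and a not in scoped)
    return {"unscoped": sorted(unscoped), "scoped": scoped, "missing": missing}
```

Run `check_coverage(POLICY, REQUIRED)` to see the three groups; to audit a real agent policy, load the JSON from the page (or from IAM) into `policy` and one of the per-service lists above into `required`.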
Change log
As permissions are added and removed, we note them in the sections below.
24 February 2026
Data Classification now requires the following permission:
cloudformation:ListStacks
11 November 2025
NetApp Backup and Recovery no longer requires the following permissions unless you use legacy indexing. These permissions have been removed from the policies on this page:
- kms:List*
- kms:Describe*
- athena:StartQueryExecution
- athena:GetQueryResults
- athena:GetQueryExecution
- athena:StopQueryExecution
- glue:CreateDatabase
- glue:CreateTable
- glue:BatchDeletePartition
9 September 2024
Because NetApp Console no longer supports NetApp Edge Caching or the discovery and management of Kubernetes clusters, the following permissions have been removed from policy #2 for standard regions.
The permissions removed from the policy:
{
"Action": [
"ec2:DescribeRegions",
"eks:ListClusters",
"eks:DescribeCluster",
"iam:GetInstanceProfile"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "K8sServicePolicy"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudwatch:GetMetricStatistics",
"cloudformation:ListStacks"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "GFCservicePolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/GFCInstance": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
}
9 May 2024
Cloud Volumes ONTAP now requires the following permission:
ec2:DescribeAvailabilityZones
6 June 2023
Cloud Volumes ONTAP now requires the following permission:
kms:GenerateDataKeyWithoutPlaintext
14 February 2023
NetApp Cloud Tiering now requires the following permission:
ec2:DescribeVpcEndpoints
Note: As of 26 April 2026, NetApp Cloud Tiering is no longer available for purchase or license renewal. Existing customers can continue to use NetApp Cloud Tiering and receive support until their subscription or license contract expires. After the subscription expires, customers will no longer have access to NetApp Cloud Tiering features or support. NetApp recommends that customers work with their NetApp representative to convert their existing tiering licenses to ONTAP FabricPool licenses, which provide data tiering functionality in ONTAP. For more information about setting up data tiering with FabricPool in ONTAP, see "Install a FabricPool license on an ONTAP cluster".