Connector的AWS權限
建議變更
PDF
當BlueXP在AWS中啟動Connector執行個體時、它會將原則附加到執行個體、讓Connector有權限管理該AWS帳戶內的資源和程序。連接器使用權限來撥打API呼叫數個AWS服務、包括EC2、S3、CloudForecation、IAM、 金鑰管理服務(KMS)等。
IAM 原則
以下提供的IAM原則提供Connector所需的權限、可讓您根據AWS區域來管理公有雲環境中的資源和程序。
請注意下列事項:
-
如果您直接從BlueXP在標準AWS區域中建立連接器、則BlueXP會自動將原則套用至連接器。
-
如果您是從AWS Marketplace部署Connector、在Linux主機上手動安裝Connector、或是想要新增額外的AWS認證到BlueXP、則必須自行設定原則。
-
無論是哪種情況、您都必須確保原則是在後續版本中新增權限時的最新狀態。如果需要新的權限、這些權限會列在版本資訊中。
-
如有需要、您可以使用IAM來限制IAM原則
Condition元素。 "AWS文件:條件元素" -
若要檢視使用這些原則的逐步指示、請參閱下列頁面:
選取您所在的地區以檢視所需的原則:
標準區域
對於標準區域、權限分佈在兩個原則之間。由於AWS中受管理原則的字元大小上限、因此需要兩個原則。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:CreatePlacementGroup",
"ec2:DescribeReservedInstancesOfferings",
"ec2:AssignPrivateIpAddresses",
"ec2:CreateRoute",
"ec2:DescribeVpcs",
"ec2:ReplaceRoute",
"ec2:UnassignPrivateIpAddresses",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteRoute",
"ec2:DeletePlacementGroup",
"ec2:DescribePlacementGroups",
"ec2:DescribeVolumesModifications",
"ec2:ModifyVolume",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"cloudformation:DeleteStack",
"iam:PassRole",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:ListInstanceProfiles",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteInstanceProfile",
"iam:GetRolePolicy",
"iam:GetRole",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRole",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicy",
"s3:GetBucketAcl",
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:GetEncryptionConfiguration",
"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",
"fsx:Describe*",
"fsx:List*",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "cvoServicePolicy"
},
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateSecurityGroup",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"kms:List*",
"kms:Describe*",
"ec2:DescribeVpcEndpoints",
"kms:ListAliases",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryExecution",
"glue:GetDatabase",
"glue:GetTable",
"glue:CreateTable",
"glue:CreateDatabase",
"glue:GetPartitions",
"glue:BatchCreatePartition",
"glue:BatchDeletePartition"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "backupPolicy"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketAcl",
"s3:PutBucketPublicAccessBlock",
"s3:GetObject",
"s3:PutEncryptionConfiguration",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteBucket",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionAcl",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:PutObjectVersionTagging",
"s3:PutObjectRetention",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketVersioning",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketVersioning",
"s3:BypassGovernanceRetention",
"s3:PutBucketPolicy",
"s3:PutBucketOwnershipControls"
],
"Resource": [
"arn:aws:s3:::netapp-backup-*"
],
"Effect": "Allow",
"Sid": "backupS3Policy"
},
{
"Action": [
"s3:CreateBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::fabric-pool*"
],
"Effect": "Allow",
"Sid": "fabricPoolS3Policy"
},
{
"Action": [
"ec2:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "fabricPoolPolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/netapp-adc-manager": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Action": [
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow"
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"tag:getResources",
"tag:getTagKeys",
"tag:getTagValues",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "tagServicePolicy"
}
]
}GovCloud(美國)地區
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"ec2:ModifyVolumeAttribute",
"sts:DecodeAuthorizationMessage",
"ec2:DescribeImages",
"ec2:DescribeRouteTables",
"ec2:DescribeInstances",
"iam:PassRole",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:StopInstances",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:CreateBucket",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"kms:List*",
"kms:ReEncrypt*",
"kms:Describe*",
"kms:CreateGrant",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::fabric-pool*"
]
},
{
"Sid": "backupPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutBucketPublicAccessBlock"
],
"Resource": [
"arn:aws-us-gov:s3:::netapp-backup-*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-us-gov:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-us-gov:ec2:*:*:volume/*"
]
}
]
}秘密區域
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"kms:List*",
"kms:Describe*",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListinstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso-b:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso-b:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso-b:ec2:*:*:volume/*"
]
}
]
}最高機密區域
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:ModifyVolumeAttribute",
"ec2:DeleteVolume",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSnapshots",
"ec2:GetConsoleOutput",
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DeleteTags",
"ec2:DescribeTags",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ValidateTemplate",
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:DeleteRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketTagging",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"kms:List*",
"kms:Describe*",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DisassociateIamInstanceProfile",
"ec2:DescribeInstanceAttribute",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"iam:ListinstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "fabricPoolPolicy",
"Effect": "Allow",
"Action": [
"s3:DeleteBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutBucketTagging",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-iso:s3:::fabric-pool*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/WorkingEnvironment": "*"
}
},
"Resource": [
"arn:aws-iso:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws-iso:ec2:*:*:volume/*"
]
}
]
}AWS權限的使用方式
下列各節說明如何將權限用於每項 BlueXP 服務。如果您的企業原則規定只有在需要時才提供權限、此資訊就很有幫助。
Amazon FSX for ONTAP Sf
Connector 會提出下列 API 要求,以管理 Amazon FSX for ONTAP 檔案系統:
-
EC2:資料說明
-
EC2:取消訂閱即時狀態
-
EC2:取消訂閱實例屬性
-
EC2:取消功能表
-
EC2:取消影像
-
EC2:建立標記
-
EC2:減量磁碟區
-
EC2:取消安全性群組
-
EC2:網路介面
-
EC2:無資料子網路
-
EC2:取消功能Vpcs
-
EC2:取消功能DhcpOptions
-
EC2:取消快照
-
EC2:評量會議
-
EC2:取消註冊
-
EC2:取消標示
-
EC2:解讀IamInstanceProfileAssociations
-
EC2:取消訂閱保留服務
-
EC2:取消資料VpcEndpoints
-
EC2:取消功能Vpcs
-
EC2:說明體積修改
-
EC2:取消目標位置群組
-
公里:清單*
-
公里:描述*
-
公里:建立授予
-
kms:清單別名
-
FSX:說明*
-
FSX:清單*
Amazon S3 儲存區探索
Connector提出下列API要求以探索Amazon S3儲存區:
S3:GetEncryptionConfiguration
備份與還原
Connector會提出下列API要求、以管理Amazon S3中的備份:
-
S3:GetBucketLocation
-
S3:ListAllMyb桶
-
S3:清單庫
-
S3:建立桶
-
S3:Get生命 週期組態
-
S3:Putt升降 器組態
-
S3:PuttBucketting
-
S3:listBucketVerions
-
S3:GetBucketAcl
-
S3:PuttBucketPublicAccessBlock
-
公里:清單*
-
公里:描述*
-
S3:GetObject
-
EC2:取消資料VpcEndpoints
-
kms:清單別名
-
S3:PuttEncryptionConfiguration
當您使用搜尋與還原方法還原磁碟區和檔案時、Connector會發出下列API要求:
-
S3:建立桶
-
S3:刪除物件
-
S3:刪除ObjectVersion
-
S3:GetBucketAcl
-
S3:清單庫
-
S3:listBucketVerions
-
S3:listBucketMultiPartUploads
-
S3:PuttObject
-
S3:PuttBucketAcl
-
S3:Putt升降 器組態
-
S3:PuttBucketPublicAccessBlock
-
S3:中止多重角色上傳
-
S3:列出多個零件上傳零件
-
Athena : StartQueryExecution
-
Athena:GetQueryResults
-
Athena:GetQueryExecution
-
Athena:停止查詢執行
-
黏著劑:建立資料庫
-
黏著劑:CreateTable
-
黏著劑:批字刪除分割區
當您使用DataLock和勒索軟體保護來進行Volume備份時、Connector會發出下列API要求:
-
S3:GetObjectVersion標記
-
S3:GetBucketObjectLockConfiguration
-
S3:GetObjectVerionAcl
-
S3:PuttObjectTagging
-
S3:刪除物件
-
S3:刪除ObjectTagging
-
S3:GetObjectRetention
-
S3:刪除ObjectVersion標記
-
S3:PuttObject
-
S3:GetObject
-
S3:PuttBucketObjectLockConfiguration
-
S3:Get生命 週期組態
-
S3:listBucketByTags
-
S3:GetBucketting
-
S3:刪除ObjectVersion
-
S3:listBucketVerions
-
S3:清單庫
-
S3:PuttBucketting
-
S3:GetObjectTagging
-
S3:PuttBucketVersion
-
S3:PuttObjectVersion標記
-
S3:GetBucketVersion
-
S3:GetBucketAcl
-
S3:BypassGovernanceRetention
-
S3:PuttObjectRetention
-
S3:GetBucketLocation
-
S3:GetObjectVersion
如果Cloud Volumes ONTAP 您使用不同的AWS帳戶來進行還原備份、而非用於來源磁碟區、Connector會發出下列API要求:
-
S3:PuttBucketPolicy
-
S3:PuttBucketOwnershipControl
分類
Connector 會提出下列 API 要求、以部署 BlueXP 分類執行個體:
-
EC2:資料說明
-
EC2:取消訂閱即時狀態
-
EC2:RunInstances
-
EC2:終端安裝
-
EC2:建立標記
-
EC2:建立磁碟區
-
EC2:AttachVolume
-
EC2:建立安全性群組
-
EC2:刪除安全性群組
-
EC2:取消安全性群組
-
EC2:建立網路介面
-
EC2:網路介面
-
EC2:刪除網路介面
-
EC2:無資料子網路
-
EC2:取消功能Vpcs
-
EC2:建立Snapshot
-
EC2:取消註冊
-
雲端:建立堆疊
-
雲端:刪除堆疊
-
雲端:無標準堆疊
-
雲端:取消功能堆疊事件
-
IAM:AddRoleToInstanceProfile
-
EC2:Associate IamInstanceProfile
-
EC2:解讀IamInstanceProfileAssociations
當您使用 BlueXP 分類時、 Connector 會發出下列 API 要求來掃描 S3 貯體:
-
IAM:AddRoleToInstanceProfile
-
EC2:Associate IamInstanceProfile
-
EC2:解讀IamInstanceProfileAssociations
-
S3:GetBucketting
-
S3:GetBucketLocation
-
S3:ListAllMyb桶
-
S3:清單庫
-
S3:GetBucketPolicyStatus
-
S3:GetBucketPolicy
-
S3:GetBucketAcl
-
S3:GetObject
-
IAM:GetRole
-
S3:刪除物件
-
S3:刪除ObjectVersion
-
S3:PuttObject
-
STS: Assume勞力
Cloud Volumes ONTAP
Connector會提出下列API要求、要求在Cloud Volumes ONTAP AWS中部署及管理功能。
| 目的 | 行動 | 用於部署? | 用於日常營運? | 用於刪除? |
|---|---|---|---|---|
建立及管理IAM角色及Cloud Volumes ONTAP 執行個體設定檔以利執行個體 |
IAM:清單執行設定檔 |
是的 |
是的 |
否 |
IAM:建立角色 |
是的 |
否 |
否 |
|
IAM:刪除角色 |
否 |
是的 |
是的 |
|
IAM:Putt角色 原則 |
是的 |
否 |
否 |
|
IAM:CreatanceProfile |
是的 |
否 |
否 |
|
IAM:刪除角色原則 |
否 |
是的 |
是的 |
|
IAM:AddRoleToInstanceProfile |
是的 |
否 |
否 |
|
IAM:RemoveRoleFromInstanceProfile |
否 |
是的 |
是的 |
|
IAM:刪除InstanceProfile |
否 |
是的 |
是的 |
|
IAM:密碼 |
是的 |
否 |
否 |
|
EC2:Associate IamInstanceProfile |
是的 |
是的 |
否 |
|
EC2:解讀IamInstanceProfileAssociations |
是的 |
是的 |
否 |
|
EC2:中斷IamInstanceProfile |
否 |
是的 |
否 |
|
解碼授權狀態訊息 |
STS:解碼授權訊息 |
是的 |
是的 |
否 |
說明帳戶可使用的指定映像(Amis) |
EC2:取消影像 |
是的 |
是的 |
否 |
描述VPC中的路由表(僅HA配對需要) |
EC2:取消功能表 |
是的 |
否 |
否 |
停止、啟動及監控執行個體 |
EC2:啟動安裝 |
是的 |
是的 |
否 |
EC2:停止執行 |
是的 |
是的 |
否 |
|
EC2:資料說明 |
是的 |
是的 |
否 |
|
EC2:取消訂閱即時狀態 |
是的 |
是的 |
否 |
|
EC2:RunInstances |
是的 |
否 |
否 |
|
EC2:終端安裝 |
否 |
否 |
是的 |
|
EC2:修改實例屬性 |
否 |
是的 |
否 |
|
確認已針對支援的執行個體類型啟用增強式網路功能 |
EC2:取消訂閱實例屬性 |
否 |
是的 |
否 |
使用「WorkingEnvironment」和「WorkingEnvironmentId」標記來標記資源、這些標記用於維護和成本分配 |
EC2:建立標記 |
是的 |
是的 |
否 |
管理Cloud Volumes ONTAP EBS磁碟區、這些磁碟區可作為後端儲存設備使用 |
EC2:建立磁碟區 |
是的 |
是的 |
否 |
EC2:減量磁碟區 |
是的 |
是的 |
是的 |
|
EC2:修改Volume屬性 |
否 |
是的 |
是的 |
|
EC2:AttachVolume |
是的 |
是的 |
否 |
|
EC2:刪除Volume |
否 |
是的 |
是的 |
|
EC2:分離Volume |
否 |
是的 |
是的 |
|
建立及管理安全性群組Cloud Volumes ONTAP 以利執行 |
EC2:建立安全性群組 |
是的 |
否 |
否 |
EC2:刪除安全性群組 |
否 |
是的 |
是的 |
|
EC2:取消安全性群組 |
是的 |
是的 |
是的 |
|
EC2:RevokeSecurity GroupEgress |
是的 |
否 |
否 |
|
EC2:授權安全性群組出口 |
是的 |
否 |
否 |
|
EC2:授權安全性群組入口 |
是的 |
否 |
否 |
|
EC2:RevokeSecurity GroupIngress |
是的 |
是的 |
否 |
|
在Cloud Volumes ONTAP 目標子網路中建立及管理用於實現效能不中斷的網路介面 |
EC2:建立網路介面 |
是的 |
否 |
否 |
EC2:網路介面 |
是的 |
是的 |
否 |
|
EC2:刪除網路介面 |
否 |
是的 |
是的 |
|
EC2:修改網路互連屬性 |
否 |
是的 |
否 |
|
取得目的地子網路和安全性群組清單 |
EC2:無資料子網路 |
是的 |
是的 |
否 |
EC2:取消功能Vpcs |
是的 |
是的 |
否 |
|
取得DNS伺服器和Cloud Volumes ONTAP 預設的網域名稱以供執行個體使用 |
EC2:取消功能DhcpOptions |
是的 |
否 |
否 |
拍攝EBS Volume的快照Cloud Volumes ONTAP 以供其使用 |
EC2:建立Snapshot |
是的 |
是的 |
否 |
EC2:刪除Snapshot |
否 |
是的 |
是的 |
|
EC2:取消快照 |
否 |
是的 |
否 |
|
擷取Cloud Volumes ONTAP 附加於AutoSupport 資訊畫面的功能 |
EC2:GetConsole輸出 |
是的 |
是的 |
否 |
取得可用金鑰組的清單 |
EC2:評量會議 |
是的 |
否 |
否 |
取得可用AWS區域的清單 |
EC2:取消註冊 |
是的 |
是的 |
否 |
管理Cloud Volumes ONTAP 與實例相關的資源標記 |
EC2:刪除標記 |
否 |
是的 |
是的 |
EC2:取消標示 |
否 |
是的 |
否 |
|
建立及管理AWS CloudForation範本的堆疊 |
雲端:建立堆疊 |
是的 |
否 |
否 |
雲端:刪除堆疊 |
是的 |
否 |
否 |
|
雲端:無標準堆疊 |
是的 |
是的 |
否 |
|
雲端:取消功能堆疊事件 |
是的 |
否 |
否 |
|
cloudformation:驗證範本 |
是的 |
否 |
否 |
|
建立並管理Cloud Volumes ONTAP S3儲存區、讓整個系統做為資料分層的容量層 |
S3:建立桶 |
是的 |
是的 |
否 |
S3:刪除資源桶 |
否 |
是的 |
是的 |
|
S3:Get生命 週期組態 |
否 |
是的 |
否 |
|
S3:Putt升降 器組態 |
否 |
是的 |
否 |
|
S3:PuttBucketting |
否 |
是的 |
否 |
|
S3:listBucketVerions |
否 |
是的 |
否 |
|
S3:GetBucketPolicyStatus |
否 |
是的 |
否 |
|
S3:GetBucketPublicAccessBlock |
否 |
是的 |
否 |
|
S3:GetBucketAcl |
否 |
是的 |
否 |
|
S3:GetBucketPolicy |
否 |
是的 |
否 |
|
S3:PuttBucketPublicAccessBlock |
否 |
是的 |
否 |
|
S3:GetBucketting |
否 |
是的 |
否 |
|
S3:GetBucketLocation |
否 |
是的 |
否 |
|
S3:ListAllMyb桶 |
否 |
否 |
否 |
|
S3:清單庫 |
否 |
是的 |
否 |
|
使用Cloud Volumes ONTAP AWS金鑰管理服務(KMS)啟用資料加密功能 |
公里:清單* |
是的 |
是的 |
否 |
公里:ReEncrypt * |
是的 |
否 |
否 |
|
公里:描述* |
是的 |
是的 |
否 |
|
公里:建立授予 |
是的 |
是的 |
否 |
|
KMS : GenerateDataKeyWithoutPlaintext |
是的 |
是的 |
否 |
|
在單一AWS可用性區域中、為兩個HA節點建立並管理AWS分散放置群組、以及協調器 |
EC2:建立位置群組 |
是的 |
否 |
否 |
EC2:刪除位置群組 |
否 |
是的 |
是的 |
|
建立報告 |
FSX:說明* |
否 |
是的 |
否 |
FSX:清單* |
否 |
是的 |
否 |
|
建立及管理可支援Amazon EBS彈性Volume功能的集合體 |
EC2:說明體積修改 |
否 |
是的 |
否 |
EC2:修改Volume |
否 |
是的 |
否 |
|
檢查可用性區域是否為 AWS 本機區域、並驗證所有部署參數是否相容 |
EC2 :去除可用性區域 |
是的 |
否 |
是的 |
變更記錄
新增和移除權限時、我們會在下方各節中加以註記。
2024 年 9 月 9 日
由於 BlueXP 不再支援 BlueXP 邊緣快取、以及 Kubernetes 叢集的探索與管理、因此已從標準地區的原則 #2 移除權限。
檢視從原則移除的權限
{
"Action": [
"ec2:DescribeRegions",
"eks:ListClusters",
"eks:DescribeCluster",
"iam:GetInstanceProfile"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "K8sServicePolicy"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudwatch:GetMetricStatistics",
"cloudformation:ListStacks"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "GFCservicePolicy"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/GFCInstance": "*"
}
},
"Action": [
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Effect": "Allow"
},2024 年 5 月 9 日
Cloud Volumes ONTAP 現在需要下列權限:
EC2 :去除可用性區域
2023 年 6 月 6 日
Cloud Volumes ONTAP 現在需要下列權限:
KMS : GenerateDataKeyWithoutPlaintext
2023 年 2 月 14 日
BlueXP 分層現在需要下列權限:
EC2:取消資料VpcEndpoints