AmazonDocDBFullAccess AmazonDocDBReadOnlyAccess AmazonDocDBConsoleFullAccess AmazonDocDBElasticReadOnlyAccess AmazonDocDBElasticFullAccess AmazonDocDB-ElasticServiceRolePolicy AWS 托管策略的 Amazon DocumentDB 更新

AWSAmazon DocumentDB 的托管策略

要向用户、组和角色添加权限，与自己编写策略相比，使用 AWS 托管式策略更简单。创建仅为团队提供所需权限的 IAM 客户管理型策略需要时间和专业知识。要快速入门，您可以使用我们的 AWS 托管式策略。这些策略涵盖常见使用案例，可在您的 AWS 账户中使用。有关 AWS 托管策略的更多信息，请参阅AWS Identity and Access Management 用户指南中的AWS 托管策略。

AWS 服务负责维护和更新 AWS 托管式策略。您无法更改 AWS 托管式策略中的权限。服务偶尔会向 AWS 托管式策略添加额外权限以支持新特征。此类更新会影响附加策略的所有身份（用户、组和角色）。当启动新特征或新操作可用时，服务最有可能会更新 AWS 托管式策略。服务不会从 AWS 托管式策略中删除权限，因此策略更新不会破坏您的现有权限。

此外，AWS 还支持跨多种服务的工作职能的托管式策略。例如，ViewOnlyAccess AWS 托管式策略提供对许多 AWS 服务和资源的只读访问。当服务启动新特征时，AWS 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明，请参阅 AWSIAM 用户指南中的用于工作职能的AWS托管策略。

以下 AWS 托管策略（可附加到您账户中的用户）专用于 Amazon DocumentDB：

AmazonDocDBFullAccess — 对于根 AWS 账户，授予对所有 Amazon DocumentDB 资源的完全访问权。
AmazonDocDBReadOnlyAccess — 对于根 AWS 账户，授予对所有 Amazon DocumentDB 资源的只读访问权。
AmazonDocDBConsoleFullAccess— 授予使用 AWS 管理控制台管理 Amazon DocumentDB 和 Amazon DocumentDB 弹性集群资源的完全访问权限。
AmazonDocDBElasticReadOnlyAccess — 对于根 AWS 账户，授予对所有 Amazon DocumentDB 弹性集群资源的只读访问权。
AmazonDocDBElasticFullAccess — 对于根 AWS 账户，授予对所有 Amazon DocumentDB 弹性集群资源的完全访问权。

AmazonDocDBFullAccess

此策略授予了允许主体完全访问 Amazon DocumentDB 所有 Amazon DocumentDB 操作的管理权限。此策略中的权限如下分组：

Amazon DocumentDB 权限允许所有Amazon DocumentDB 操作。
需要此策略中的一些 Amazon EC2 权限来验证 API 请求中的已传递资源。这旨在确保 Amazon DocumentDB 能够配合集群成功使用资源。此策略中的其余 Amazon EC2 权限允许 Amazon DocumentDB 创建 AWS 资源，需要这些资源使您可能连接到您的集群。
在 API 调用期间，Amazon DocumentDB 权限用于验证请求中的已传递资源。Amazon DocumentDB 需要这些资源才能配合 Amazon DocumentDB 集群一起使用传递的密钥。
Amazon DocumentDB 需要 CloudWatch Logs，才能确保日志传输目的地可到达及这些目的地对代理日志使用有效。

JSON


{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "rds:AddRoleToDBCluster",
                "rds:AddSourceIdentifierToSubscription",
                "rds:AddTagsToResource",
                "rds:ApplyPendingMaintenanceAction",
                "rds:CopyDBClusterParameterGroup",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBParameterGroup",
                "rds:CreateDBCluster",
                "rds:CreateDBClusterParameterGroup",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateEventSubscription",
                "rds:DeleteDBCluster",
                "rds:DeleteDBClusterParameterGroup",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DeleteEventSubscription",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeValidDBInstanceModifications",
                "rds:DownloadDBLogFilePortion",
                "rds:FailoverDBCluster",
                "rds:ListTagsForResource",
                "rds:ModifyDBCluster",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyEventSubscription",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RebootDBInstance",
                "rds:RemoveRoleFromDBCluster",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:RemoveTagsFromResource",
                "rds:ResetDBClusterParameterGroup",
                "rds:ResetDBParameterGroup",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:RestoreDBClusterToPointInTime"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        }
    ]
}

AmazonDocDBReadOnlyAccess

此策略授予了允许用户查看 Amazon DocumentDB 中信息的只读权限。附加有这种策略的主体不能进行任何更新或删除现有资源，也不能创建新的 Amazon DocumentDB 资源。例如，拥有这些权限的主体可以查看与其账户关联的集群列表和配置，但不能更改任何集群的配置或设置。此策略中的权限如下分组：

Amazon DocumentDB 权限允许您列出 Amazon DocumentDB 资源，描述它们并获取有关它们的信息。
Amazon EC2 权限用于描述与某集群关联的 Amazon VPC、子网、安全组和 ENI。
Amazon DocumentDB 权限用于描述与该集群关联的密钥。

JSON


{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DownloadDBLogFilePortion",
                "rds:ListTagsForResource"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "kms:ListAliases",
                "kms:ListKeyPolicies"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
                "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*"
            ]
        }
    ]
}

AmazonDocDBConsoleFullAccess

授予针对以下情况使用 AWS 管理控制台管理 Amazon DocumentDB 资源的完全访问权：

允许所有 Amazon DocumentDB 和 Amazon DocumentDB 集群操作的 Amazon DocumentDB 权限。
需要此策略中的一些 Amazon EC2 权限来验证 API 请求中的已传递资源。这是为了确保 Amazon DocumentDB 能够成功使用资源来准备和维护集群。此策略中的其余 Amazon EC2 权限允许 Amazon DocumentDB 创建 AWS 资源，需要这些资源使您可能连接到您的集群如 VPCEndpoint。
AWS KMS在 API 调用到 AWS KMS 期间，权限用于验证请求中的已传递资源。Amazon DocumentDB 需要它们才能配合 Amazon DocumentDB 弹性集群使用已传递的密钥加密和解密静态数据。
Amazon DocumentDB 需要 CloudWatch Logs，才能确保日志传输目的地可到达及这些目的地对审计与剖析日志使用有效。
需要 Secrets Manager 权限来验证给定机密并使用它为 Amazon DocumentDB 弹性集群设置管理员用户。
Amazon DocumentDB 集群管理操作需要 Amazon RDS 权限。对于某些管理功能，Amazon DocumentDB 使用与 Amazon RDS 共享的操作技术。
SNS 允许主体访问 Amazon Simple Notiﬁcation Service (Amazon SNS) 订阅和主题及发布 Amazon DocumentDB 消息。
创建为发布指标和日志所需的服务关联角色需要 IAM 权限。

JSON


{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "DocdbSids",
            "Effect": "Allow",
            "Action": [
                "docdb-elastic:CreateCluster",
                "docdb-elastic:UpdateCluster",
                "docdb-elastic:GetCluster",
                "docdb-elastic:DeleteCluster",
                "docdb-elastic:ListClusters",
                "docdb-elastic:CreateClusterSnapshot",
                "docdb-elastic:GetClusterSnapshot",
                "docdb-elastic:DeleteClusterSnapshot",
                "docdb-elastic:ListClusterSnapshots",
                "docdb-elastic:RestoreClusterFromSnapshot",
                "docdb-elastic:TagResource",
                "docdb-elastic:UntagResource",
                "docdb-elastic:ListTagsForResource",
                "docdb-elastic:CopyClusterSnapshot",
                "docdb-elastic:StartCluster",
                "docdb-elastic:StopCluster",
                "docdb-elastic:GetPendingMaintenanceAction",
                "docdb-elastic:ListPendingMaintenanceActions",
                "docdb-elastic:ApplyPendingMaintenanceAction",
                "rds:AddRoleToDBCluster",
                "rds:AddSourceIdentifierToSubscription",
                "rds:AddTagsToResource",
                "rds:ApplyPendingMaintenanceAction",
                "rds:CopyDBClusterParameterGroup",
                "rds:CopyDBClusterSnapshot",
                "rds:CopyDBParameterGroup",
                "rds:CreateDBCluster",
                "rds:CreateDBClusterParameterGroup",
                "rds:CreateDBClusterSnapshot",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateEventSubscription",
                "rds:CreateGlobalCluster",
                "rds:DeleteDBCluster",
                "rds:DeleteDBClusterParameterGroup",
                "rds:DeleteDBClusterSnapshot",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:DeleteEventSubscription",
                "rds:DeleteGlobalCluster",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEventCategories",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeEvents",
                "rds:DescribeGlobalClusters",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeValidDBInstanceModifications",
                "rds:DownloadDBLogFilePortion",
                "rds:FailoverDBCluster",
                "rds:ListTagsForResource",
                "rds:ModifyDBCluster",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyEventSubscription",
                "rds:ModifyGlobalCluster",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RebootDBInstance",
                "rds:RemoveFromGlobalCluster",
                "rds:RemoveRoleFromDBCluster",
                "rds:RemoveSourceIdentifierFromSubscription",
                "rds:RemoveTagsFromResource",
                "rds:ResetDBClusterParameterGroup",
                "rds:ResetDBParameterGroup",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:RestoreDBClusterToPointInTime"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DependencySids",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2:AllocateAddress",
                "ec2:AssignIpv6Addresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDefaultSubnet",
                "ec2:CreateDefaultVpc",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint",
                "kms:DescribeKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListRetirableGrants",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DocdbSLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DocdbElasticSLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
                }
            }
        }
    ]
}

AmazonDocDBElasticReadOnlyAccess

此策略授予了允许用户查看 Amazon DocumentDB 中弹性集群信息的只读权限。附加有这种策略的主体不能进行任何更新或删除现有资源，也不能创建新的 Amazon DocumentDB 资源。例如，拥有这些权限的主体可以查看与其账户关联的集群列表和配置，但不能更改任何集群的配置或设置。此策略中的权限如下分组：

Amazon DocumentDB 弹性集群权限允许您列出 Amazon DocumentDB 弹性集群资源，描述它们并获取有关它们的信息。
CloudWatch 权限用于验证服务指标。

AmazonDocDBElasticFullAccess

此策略授予了允许主体完全访问针对 Amazon DocumentDB 弹性集群的所有 Amazon DocumentDB 操作的管理权限。

此策略使用条件范围内的 AWS 标签 (https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) 限定对资源的访问。如果您将要使用机密，则必须将它用标签密钥 DocDBElasticFullAccess 和标签值标记。如果您将要使用客户托管的密钥，则必须将它用标签密钥 DocDBElasticFullAccess 和标签值标记。

此策略中的权限如下分组：

Amazon DocumentDB 弹性集群权限允许所有 Amazon DocumentDB 操作。
需要此策略中的一些 Amazon EC2 权限来验证 API 请求中的已传递资源。这是为了确保 Amazon DocumentDB 能够成功使用资源来准备和维护集群。此策略中的其余 Amazon EC2 权限允许 Amazon DocumentDB 创建 AWS 资源，需要这些资源使您可能连接到您的集群如 VPC 端点。
Amazon DocumentDB 需要 AWS KMS 权限才能使用传递的密钥来加密和解密 Amazon DocumentDB 弹性集群中的静态数据。

注意
客户托管的密钥必须有一个带密钥 DocDBElasticFullAccess 和标签值的标签。
需要 SecretsManager 权限来验证给定机密并使用它为 Amazon DocumentDB 弹性集群设置管理员用户。

注意
用过的机密必须有一个带密钥 DocDBElasticFullAccess 和标签值的标签。
创建为发布指标和日志所需的服务关联角色需要 IAM 权限。

JSON


{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "DocdbElasticSid",
            "Effect": "Allow",
            "Action": [
                "docdb-elastic:CreateCluster",
                "docdb-elastic:UpdateCluster",
                "docdb-elastic:GetCluster",
                "docdb-elastic:DeleteCluster",
                "docdb-elastic:ListClusters",
                "docdb-elastic:CreateClusterSnapshot",
                "docdb-elastic:GetClusterSnapshot",
                "docdb-elastic:DeleteClusterSnapshot",
                "docdb-elastic:ListClusterSnapshots",
                "docdb-elastic:RestoreClusterFromSnapshot",
                "docdb-elastic:TagResource",
                "docdb-elastic:UntagResource",
                "docdb-elastic:ListTagsForResource",
                "docdb-elastic:CopyClusterSnapshot",
                "docdb-elastic:StartCluster",
                "docdb-elastic:StopCluster",
                "docdb-elastic:GetPendingMaintenanceAction",
                "docdb-elastic:ListPendingMaintenanceActions",
                "docdb-elastic:ApplyPendingMaintenanceAction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "EC2Sid",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteVpcEndpoints",
                "ec2:ModifyVpcEndpoint",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeAvailabilityZones",
                "secretsmanager:ListSecrets"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
                }
            }
        },
        {
            "Sid": "KMSSid",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "docdb-elastic.*.amazonaws.com"
                    ],
                    "aws:ResourceTag/DocDBElasticFullAccess": "*"
                }
            }
        },
        {
            "Sid": "KMSGrantSid",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/DocDBElasticFullAccess": "*",
                    "kms:ViaService": [
                        "docdb-elastic.*.amazonaws.com"
                    ]
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "SecretManagerSid",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:GetResourcePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "secretsmanager:ResourceTag/DocDBElasticFullAccess": "*"
                },
                "StringEquals": {
                    "aws:CalledViaFirst": "docdb-elastic.amazonaws.com"
                }
            }
        },
        {
            "Sid": "CloudwatchSid",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "SLRSid",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/docdb-elastic.amazonaws.com/AWSServiceRoleForDocDB-Elastic",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "docdb-elastic.amazonaws.com"
                }
            }
        }
    ]
}

AmazonDocDB-ElasticServiceRolePolicy

您不能将 AmazonDocDBElasticServiceRolePolicy 附加到自己的 AWS Identity and Access Management 实体。这种策略附加到允许Amazon DocumentDB 代表您执行操作的服务关联角色。有关更多信息，请参阅弹性集群中的服务关联角色。

AWS 托管策略的 Amazon DocumentDB 更新

更改	描述	日期
AmazonDocDBElasticFullAccess, AmazonDocDBConsoleFullAccess - 更改	更新了策略，添加了待处理的维护操作。	2025 年 2 月 11 日
AmazonDocDBElasticFullAccess, AmazonDocDBConsoleFullAccess - 更改	更新了策略，添加了启动/停止集群以及复制集群快照操作。	2/21/2024
AmazonDocDBElasticReadOnlyAccess, AmazonDocDBElasticFullAccess - 更改	策略已更新以增加 `cloudwatch:GetMetricData` 操作。	6/21/2023
AmazonDocDBElasticReadOnlyAccess – 新策略	Amazon DocumentDB 弹性集群的新托管策略。	2023 年 6 月 8 日
AmazonDocDBElasticFullAccess – 新策略	Amazon DocumentDB 弹性集群的新托管策略。	2023 年 6 月 5 日
AmazonDocDB-ElasticServiceRolePolicy：新策略	Amazon DocumentDB 为 Amazon DocumentDB 弹性集群创建了一个新的 AWS ServiceRoleForDocDB-Elastic 服务关联角色。	11/30/2022
AmazonDocDBConsoleFullAccess - 更改	策略已更新，以增加 Amazon DocumentDB 全局权限和弹性集群权限。	11/30/2022
AmazonDocDBConsoleFullAccess、AmazonDocDBFullAccess、AmazonDocDBReadOnlyAccess - 新策略	服务启动。	1/19/2017

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

文档惯例

使用基于身份的策略（IAM 策略）

Amazon DocumentDB API 权限参考

AWSAmazon DocumentDB 的托管策略

AmazonDocDBFullAccess

AmazonDocDBReadOnlyAccess

AmazonDocDBConsoleFullAccess

AmazonDocDBElasticReadOnlyAccess

AmazonDocDBElasticFullAccess

注意

注意

AmazonDocDB-ElasticServiceRolePolicy

AWS 托管策略的 Amazon DocumentDB 更新