Canary 的必要角色和許可 - Amazon CloudWatch

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

Canary 的必要角色和許可

每個 Canary 必須與連接特定許可的 IAM 角色相關聯。當您使用 CloudWatch 主控台建立 Canary 時,您可以選擇讓 CloudWatch Synthetics 為 Canary 建立 IAM 角色。若您這樣做,則角色將具備所需要的許可。

如果您想要自己建立 IAM 角色,或者建立在使用 AWS CLI 或 API 建立 Canary 時可以使用的 IAM 角色,該角色必須包含本節中列出的許可。

Canary 的所有 IAM 角色必須包含以下信任政策陳述式。

JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

此外,Canary 的 IAM 角色需要以下陳述式之一。

不使用 AWS KMS 或需要 Amazon VPC 存取的基本 Canary

JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::path/to/your/s3/bucket/canary/results/folder" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/s3/bucket/that/contains/canary/results" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } } ] }

使用 AWS KMS 加密 Canary 成品,但不需要 Amazon VPC 存取的 Canary

JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::path/to/your/S3/bucket/canary/results/folder" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/KMS_key_id", "Condition": { "StringEquals": { "kms:ViaService": [ "s3.us-east-1.amazonaws.com" ] } } } ] }

不使用 AWS KMS 但需要 Amazon VPC 存取的 Canary

JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::path/to/your/S3/bucket/canary/results/folder" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" ], "Resource": [ "*" ] } ] }

Canary 使用 AWS KMS 加密 Canary 成品,也需要 Amazon VPC 存取

如果您更新非 VPC Canary 以開始使用 VPC,則需要更新 Canary 的角色以包含以下政策中列出的網路介面許可。

JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::path/to/your/S3/bucket/canary/results/folder" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::name/of/the/S3/bucket/that/contains/canary/results" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cwsyn-canary_name-*" ] }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "xray:PutTraceSegments" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "CloudWatchSynthetics" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/KMS_key_id", "Condition": { "StringEquals": { "kms:ViaService": [ "s3.us-east-1.amazonaws.com" ] } } } ] }