本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 授予 Performance Insights 的精細存取 精細存取控制可提供額外的方式,讓您控制對您 Performance Insights 的存取。此存取控制可以允許或拒絕存取 `GetResourceMetrics`、`DescribeDimensionKeys` 和 `GetDimensionKeyDetails` Performance Insights 動作的個別維度。若要使用精細存取,請使用條件索引鍵在 IAM 政策中指定維度。存取的評估遵循 IAM 政策評估邏輯。如需詳細資訊,請參閱 * IAM User Guide* 中的 [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html)。如果 IAM 政策陳述式未指定任何維度,則陳述式會控制對指定動作之所有維度的存取。如需可用維度的清單,請參閱 [https://docs.aws.amazon.com/performance-insights/latest/APIReference/API_DimensionGroup.html](https://docs.aws.amazon.com/performance-insights/latest/APIReference/API_DimensionGroup.html)。 若要了解您的憑證獲授權可存取的維度,請使用 `ListAvailableResourceDimensions` 中的 `AuthorizedActions` 參數並指定動作。`AuthorizedActions` 的允許值如下所示: + `GetResourceMetrics` + `DescribeDimensionKeys` + `GetDimensionKeyDetails` 例如,如果您將 `GetResourceMetrics` 指定為 `AuthorizedActions` 參數,則 `ListAvailableResourceDimensions` 會傳回 `GetResourceMetrics` 動作獲授權可存取的維度清單。如果您在 `AuthorizedActions` 參數中指定多個動作,則 `ListAvailableResourceDimensions` 會傳回這些動作獲授權可存取的維度交集。 **Example** 下列範例提供 `GetResourceMetrics` 和 `DescribeDimensionKeys` 動作指定維度的存取權。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "SingleAllow", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAllValues:StringEquals": { "pi:Dimensions": [ "db.sql_tokenized.id", "db.sql_tokenized.statement" ] } } } ] } ``` 以下是所請求維度的回應: ``` // ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, // { "Identifier": "db.sql_tokenized.db_id" }, // not included because not allows in the IAM Policy { "Identifier": "db.sql_tokenized.statement" } ] } ] } ] } ``` 下列範例會指定維度的一個允許和兩個拒絕存取。 **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "O01AllowAllWithoutSpecifyingDimensions", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "O01DenyAppDimensionForAll", "Effect": "Deny", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAnyValue:StringEquals": { "pi:Dimensions": [ "db.application.name" ] } } }, { "Sid": "O01DenySQLForGetResourceMetrics", "Effect": "Deny", "Action": [ "pi:GetResourceMetrics" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAnyValue:StringEquals": { "pi:Dimensions": [ "db.sql_tokenized.statement" ] } } } ] } ``` 以下是所請求維度的回應: ``` // ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["GetResourceMetrics"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // removed from response because denied by the IAM Policy // { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] } ``` ``` // ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // allowed for DescribeDimensionKeys because our IAM Policy // denies it only for GetResourceMetrics { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] } ```