本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
授予績效詳情的精細存取權
精細存取控制提供額外的方法來控制對績效詳情的存取。此存取控制可以允許或拒絕存取 GetResourceMetrics
、 DescribeDimensionKeys
和 GetDimensionKeyDetails
Performance Insights 動作的個別維度。若要使用精細存取,請使用條件索引鍵在 IAM 政策中指定維度。存取的評估遵循 IAM 政策評估邏輯。如需詳細資訊,請參閱 IAM User Guide 中的 Policy evaluation logic。如果 IAM 政策陳述式未指定任何維度,則陳述式會控制對指定動作之所有維度的存取。如需可用維度的清單,請參閱 DimensionGroup。
若要了解您的登入資料有權存取的維度,請使用 中的 AuthorizedActions
參數ListAvailableResourceDimensions
並指定 動作。的允許值AuthorizedActions
如下所示:
-
GetResourceMetrics
-
DescribeDimensionKeys
-
GetDimensionKeyDetails
例如,如果您GetResourceMetrics
指定 AuthorizedActions
參數, 會ListAvailableResourceDimensions
傳回GetResourceMetrics
動作獲授權存取的維度清單。如果您在 AuthorizedActions
參數中指定多個動作,則 會ListAvailableResourceDimensions
傳回有權存取這些動作的維度交集。
下列範例提供 GetResourceMetrics
和 DescribeDimensionKeys
動作指定維度的存取權。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "SingleAllow", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAllValues:StringEquals": { // only these dimensions are allowed. Dimensions not included in // a policy with "Allow" effect will be denied "pi:Dimensions": [ "db.sql_tokenized.id", "db.sql_tokenized.statement" ] } } } ] }
以下是所請求維度的回應:
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, // { "Identifier": "db.sql_tokenized.db_id" }, // not included because not allows in the IAM Policy { "Identifier": "db.sql_tokenized.statement" } ] } ] } ] }
下列範例會指定維度的一個允許和兩個拒絕存取。
以下是所請求維度的回應:
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["GetResourceMetrics"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // removed from response because denied by the IAM Policy // { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] }
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // allowed for DescribeDimensionKeys because our IAM Policy // denies it only for GetResourceMetrics { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] }