授予績效詳情的精細存取權 - Amazon Relational Database Service

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

授予績效詳情的精細存取權

精細存取控制提供額外的方法來控制對績效詳情的存取。此存取控制可以允許或拒絕存取 GetResourceMetricsDescribeDimensionKeysGetDimensionKeyDetails Performance Insights 動作的個別維度。若要使用精細存取,請使用條件索引鍵在 IAM 政策中指定維度。存取的評估遵循 IAM 政策評估邏輯。如需詳細資訊,請參閱 IAM User Guide 中的 Policy evaluation logic。如果 IAM 政策陳述式未指定任何維度,則陳述式會控制對指定動作之所有維度的存取。如需可用維度的清單,請參閱 DimensionGroup

若要了解您的登入資料有權存取的維度,請使用 中的 AuthorizedActions 參數ListAvailableResourceDimensions並指定 動作。的允許值AuthorizedActions如下所示:

  • GetResourceMetrics

  • DescribeDimensionKeys

  • GetDimensionKeyDetails

例如,如果您GetResourceMetrics指定 AuthorizedActions 參數, 會ListAvailableResourceDimensions傳回GetResourceMetrics動作獲授權存取的維度清單。如果您在 AuthorizedActions 參數中指定多個動作,則 會ListAvailableResourceDimensions傳回有權存取這些動作的維度交集。

下列範例提供 GetResourceMetricsDescribeDimensionKeys動作指定維度的存取權。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "SingleAllow", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAllValues:StringEquals": { // only these dimensions are allowed. Dimensions not included in // a policy with "Allow" effect will be denied "pi:Dimensions": [ "db.sql_tokenized.id", "db.sql_tokenized.statement" ] } } } ] }

以下是所請求維度的回應:

// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, // { "Identifier": "db.sql_tokenized.db_id" }, // not included because not allows in the IAM Policy { "Identifier": "db.sql_tokenized.statement" } ] } ] } ] }

下列範例會指定維度的一個允許和兩個拒絕存取。

JSON
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowToDiscoverDimensions", "Effect": "Allow", "Action": [ "pi:ListAvailableResourceDimensions" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "O01AllowAllWithoutSpecifyingDimensions", "Effect": "Allow", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ] }, { "Sid": "O01DenyAppDimensionForAll", "Effect": "Deny", "Action": [ "pi:GetResourceMetrics", "pi:DescribeDimensionKeys" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAnyValue:StringEquals": { "pi:Dimensions": [ "db.application.name" ] } } }, { "Sid": "O01DenySQLForGetResourceMetrics", "Effect": "Deny", "Action": [ "pi:GetResourceMetrics" ], "Resource": [ "arn:aws:pi:us-east-1:123456789012:metrics/rds/db-ABC1DEFGHIJKL2MNOPQRSTUV3W" ], "Condition": { "ForAnyValue:StringEquals": { "pi:Dimensions": [ "db.sql_tokenized.statement" ] } } } ] }

以下是所請求維度的回應:

// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["GetResourceMetrics"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // removed from response because denied by the IAM Policy // { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] }
// ListAvailableResourceDimensions API // Request { "ServiceType": "RDS", "Identifier": "db-ABC1DEFGHIJKL2MNOPQRSTUV3W", "Metrics": [ "db.load" ], "AuthorizedActions": ["DescribeDimensionKeys"] } // Response { "MetricDimensions": [ { "Metric": "db.load", "Groups": [ { "Group": "db.application", "Dimensions": [ // removed from response because denied by the IAM Policy // { "Identifier": "db.application.name" } ] }, { "Group": "db.sql_tokenized", "Dimensions": [ { "Identifier": "db.sql_tokenized.id" }, { "Identifier": "db.sql_tokenized.db_id" }, // allowed for DescribeDimensionKeys because our IAM Policy // denies it only for GetResourceMetrics { "Identifier": "db.sql_tokenized.statement" } ] }, ... ] } ] }