

This page is a machine translation of the English version. If the content is ambiguous or inconsistent in any way, the English version prevails.

# Amazon DocumentDB API permissions: actions, resources, and conditions reference
<a name="UsingWithRDS.IAM.ResourcePermissions"></a>

When you are setting up [Using identity-based policies (IAM policies) for Amazon DocumentDB](UsingWithRDS.IAM.AccessControl.IdentityBased.md) and writing a permissions policy that you can attach to an IAM identity (an identity-based policy), use the following sections as a reference.

The following lists each Amazon DocumentDB API operation, the corresponding action for which you can grant permission to perform the operation, the AWS resource for which you can grant the permission, and the condition keys that you can include for fine-grained access control. You specify the action in the policy's `Action` field, the resource value in the policy's `Resource` field, and conditions in the policy's `Condition` field. For information about conditions, see [Specifying conditions in a policy](UsingWithRDS.IAM.AccessControl.Overview.md#SpecifyingIAMPolicyConditions-RDS).

You can use AWS global condition keys in your Amazon DocumentDB policies to express conditions. For a complete list of AWS global keys, see [Available keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

You can test IAM policies with the IAM Policy Simulator. It automatically provides a list of the resources and parameters required for each AWS action, including Amazon DocumentDB actions, and determines the permissions that each action you specify requires. For information about the IAM Policy Simulator, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html) in the *IAM User Guide*.

**Note**  
To specify an action, use the `rds:` prefix followed by the API operation name (for example, `rds:CreateDBInstance`).

The following lists the Amazon DocumentDB API operations (which use the `rds:` action namespace) and their associated actions, resources, and condition keys.

**Topics**
+ [Amazon DocumentDB actions that support resource-level permissions](#UsingWithRDS.IAM.ResourceLevelPermissions)
+ [Amazon DocumentDB actions that do not support resource-level permissions](#UsingWithRDS.IAM.UnsupportedResourceLevelPermissions)

## Amazon DocumentDB actions that support resource-level permissions
<a name="UsingWithRDS.IAM.ResourceLevelPermissions"></a>

Resource-level permissions let you specify the resources on which users are allowed to perform actions. Amazon DocumentDB supports resource-level permissions partially: for some Amazon DocumentDB actions, you can control when users are allowed to use the action based on conditions that must be met, or on the specific resources that users are allowed to use. For example, you can grant users permission to modify only specific instances.

The following lists the Amazon DocumentDB API operations and their associated actions, resources, and condition keys.

**Note**  
For some management features, Amazon DocumentDB uses operational technology that is shared with Amazon RDS. For additional Amazon DocumentDB actions and permissions, see [Actions, resources, and condition keys for Amazon RDS](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html) in the *Service Authorization Reference*.

<a name="actions-related-to-objects-table"></a>

- **[AddTagsToResource](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_AddTagsToResource.html) `rds:AddTagsToResource`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[ApplyPendingMaintenanceAction](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ApplyPendingMaintenanceAction.html) `rds:ApplyPendingMaintenanceAction`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}`
  - **Condition keys:** `rds:db-tag`

- **[CopyDBClusterSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CopyDBClusterSnapshot.html) `rds:CopyDBClusterSnapshot`**
  - **Resources:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}`
  - **Condition keys:** `rds:cluster-snapshot-tag`

- **[CreateDBCluster](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBCluster.html) `rds:CreateDBCluster`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[CreateDBClusterParameterGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBClusterParameterGroup.html) `rds:CreateDBClusterParameterGroup`**
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}`
  - **Condition keys:** `rds:cluster-pg-tag`

- **[CreateDBClusterSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBClusterSnapshot.html) `rds:CreateDBClusterSnapshot`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resources:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[CreateDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBInstance.html) `rds:CreateDBInstance`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:DatabaseClass`<br />`rds:db-tag`
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`

- **[CreateDBSubnetGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_CreateDBSubnetGroup.html) `rds:CreateDBSubnetGroup`**
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}`
  - **Condition keys:** `rds:subgrp-tag`

- **[DeleteDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DeleteDBInstance.html) `rds:DeleteDBInstance`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}`
  - **Condition keys:** `rds:db-tag`

- **[DeleteDBSubnetGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DeleteDBSubnetGroup.html) `rds:DeleteDBSubnetGroup`**
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}`
  - **Condition keys:** `rds:subgrp-tag`

- **[DescribeDBClusterParameterGroups](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterParameterGroups.html) `rds:DescribeDBClusterParameterGroups`**
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}`
  - **Condition keys:** `rds:cluster-pg-tag`

- **[DescribeDBClusterParameters](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterParameters.html) `rds:DescribeDBClusterParameters`**
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}`
  - **Condition keys:** `rds:cluster-pg-tag`

- **[DescribeDBClusters](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusters.html) `rds:DescribeDBClusters`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}`
  - **Condition keys:** `rds:cluster-tag`

- **[DescribeDBClusterSnapshotAttributes](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBClusterSnapshotAttributes.html) `rds:DescribeDBClusterSnapshotAttributes`**
  - **Resources:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}`
  - **Condition keys:** `rds:cluster-snapshot-tag`

- **[DescribeDBSubnetGroups](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribeDBSubnetGroups.html) `rds:DescribeDBSubnetGroups`**
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}`
  - **Condition keys:** `rds:subgrp-tag`

- **[DescribePendingMaintenanceActions](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_DescribePendingMaintenanceActions.html) `rds:DescribePendingMaintenanceActions`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}`
  - **Condition keys:** `rds:DatabaseClass`<br />`rds:db-tag`

- **[FailoverDBCluster](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_FailoverDBCluster.html) `rds:FailoverDBCluster`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}`
  - **Condition keys:** `rds:cluster-tag`

- **[ListTagsForResource](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ListTagsForResource.html) `rds:ListTagsForResource`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[ModifyDBCluster](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBCluster.html) `rds:ModifyDBCluster`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}` / **Condition keys:** `rds:cluster-pg-tag`

- **[ModifyDBClusterParameterGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterParameterGroup.html) `rds:ModifyDBClusterParameterGroup`**
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}`
  - **Condition keys:** `rds:cluster-pg-tag`

- **[ModifyDBClusterSnapshotAttribute](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBClusterSnapshotAttribute.html) `rds:ModifyDBClusterSnapshotAttribute`**
  - **Resources:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}`
  - **Condition keys:** `rds:cluster-snapshot-tag`

- **[ModifyDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ModifyDBInstance.html) `rds:ModifyDBInstance`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}`
  - **Condition keys:** `rds:DatabaseClass`<br />`rds:db-tag`

- **[RebootDBInstance](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RebootDBInstance.html) `rds:RebootDBInstance`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}`
  - **Condition keys:** `rds:db-tag`

- **[RemoveTagsFromResource](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RemoveTagsFromResource.html) `rds:RemoveTagsFromResource`**
  - **Resources:** Instance<br />`arn:aws:rds:{{region}}:{{account-id}}:db:{{db-instance-name}}` / **Condition keys:** `rds:db-tag`
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`

- **[ResetDBClusterParameterGroup](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_ResetDBClusterParameterGroup.html) `rds:ResetDBClusterParameterGroup`**
  - **Resources:** Cluster parameter group<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-pg:{{cluster-parameter-group-name}}`
  - **Condition keys:** `rds:cluster-pg-tag`

- **[RestoreDBClusterFromSnapshot](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RestoreDBClusterFromSnapshot.html) `rds:RestoreDBClusterFromSnapshot`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resources:** Cluster snapshot<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster-snapshot:{{cluster-snapshot-name}}` / **Condition keys:** `rds:cluster-snapshot-tag`

- **[RestoreDBClusterToPointInTime](https://docs.aws.amazon.com/documentdb/latest/developerguide/API_RestoreDBClusterToPointInTime.html) `rds:RestoreDBClusterToPointInTime`**
  - **Resources:** Cluster<br />`arn:aws:rds:{{region}}:{{account-id}}:cluster:{{db-cluster-name}}` / **Condition keys:** `rds:cluster-tag`
  - **Resources:** Subnet group<br />`arn:aws:rds:{{region}}:{{account-id}}:subgrp:{{subnet-group-name}}` / **Condition keys:** `rds:subgrp-tag`
## Amazon DocumentDB actions that do not support resource-level permissions
<a name="UsingWithRDS.IAM.UnsupportedResourceLevelPermissions"></a>

You can use any Amazon DocumentDB action in an IAM policy to grant or deny users permission to use that action. However, not all Amazon DocumentDB actions support resource-level permissions, which let you specify the resources on which an action can be performed. The following Amazon DocumentDB API actions currently do not support resource-level permissions. To use these actions in an IAM policy, you must therefore use the `*` wildcard for the `Resource` element of the statement, granting users permission to use the action on all resources. A statement that names a specific ARN for one of these actions does not match any request, so it grants nothing.
+ `rds:DescribeDBClusterSnapshots`
+ `rds:DescribeDBInstances`
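The two patterns on this page, a tag-conditioned grant on a specific resource type (the resource-level permissions section above) and a `"*"`-only grant for the Describe actions listed here, combined in one policy, together with a small local evaluator for checking it offline. This is an added example, not AWS or Amazon DocumentDB code. The account ID, region, tag key `env` and instance names are made up for illustration, and the evaluator models only the subset of IAM that these patterns need: `Allow` statements, glob matching on `Action` and `Resource`, and `StringEquals` on `rds:<type>-tag/<key>` condition keys. It has no `Deny` handling, no policy variables and no other condition operators; for real policies, use the IAM Policy Simulator.

```python
"""Added example (not AWS or Amazon DocumentDB code): a least-privilege DocumentDB
policy and a simplified local evaluator for the two patterns described on this page.

Assumptions, all made up for illustration: account 123456789012, region us-east-1,
a tag key "env", and instance names such as "orders-dev-1".
"""
import fnmatch
from typing import Any

REGION = "us-east-1"        # placeholder region
ACCOUNT = "123456789012"    # placeholder account ID

# Actions that this page lists as not supporting resource-level permissions.
WILDCARD_ONLY_ACTIONS = {"rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances"}


def docdb_arn(resource_type: str, name: str, region: str = REGION, account: str = ACCOUNT) -> str:
    """ARN in the form used in the reference, e.g. arn:aws:rds:REGION:ACCOUNT:db:NAME."""
    return f"arn:aws:rds:{region}:{account}:{resource_type}:{name}"


def build_policy() -> dict[str, Any]:
    """Modify/reboot only instances tagged env=dev; list instances and snapshots via '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ModifyDevInstancesOnly",
                "Effect": "Allow",
                "Action": ["rds:ModifyDBInstance", "rds:RebootDBInstance"],
                "Resource": docdb_arn("db", "*"),
                # rds:db-tag/<key> is the tag-based condition key for the 'db' resource type
                "Condition": {"StringEquals": {"rds:db-tag/env": "dev"}},
            },
            {
                "Sid": "DescribeNeedsWildcardResource",
                "Effect": "Allow",
                "Action": sorted(WILDCARD_ONLY_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def _as_list(value: Any) -> list[str]:
    return value if isinstance(value, list) else [value]


def lint_wildcard_only(policy: dict[str, Any]) -> list[str]:
    """Flag statements that grant a wildcard-only action on anything other than Resource "*".
    Such a statement never matches a request, so the grant is silently ineffective."""
    findings = []
    for stmt in policy["Statement"]:
        if "*" in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if action in WILDCARD_ONLY_ACTIONS:
                findings.append(f'{stmt.get("Sid", "<no Sid>")}: {action} requires Resource "*"')
    return findings


def _conditions_hold(condition: dict[str, dict[str, str]], resource_tags: dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled in this example")
        for key, expected in pairs.items():
            # "rds:db-tag/env" -> compare the resource's "env" tag with the expected value
            tag_key = key.split("/", 1)[1]
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policy: dict[str, Any], action: str, resource_arn: str,
               resource_tags: dict[str, str]) -> bool:
    """Simplified IAM evaluation: True if any Allow statement matches the request."""
    # A request for an action without resource-level permissions carries no resource ARN,
    # so only a Resource pattern of "*" can match it.
    request_resource = "" if action in WILDCARD_ONLY_ACTIONS else resource_arn
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request_resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _conditions_hold(stmt.get("Condition", {}), resource_tags):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy()
    dev = docdb_arn("db", "orders-dev-1")
    print("lint:", lint_wildcard_only(policy) or "clean")
    print("modify env=dev instance:", is_allowed(policy, "rds:ModifyDBInstance", dev, {"env": "dev"}))
    print("modify env=prod instance:", is_allowed(policy, "rds:ModifyDBInstance", dev, {"env": "prod"}))
    print("describe instances:", is_allowed(policy, "rds:DescribeDBInstances", dev, {}))
```

The `Resource` glob `arn:aws:rds:…:db:*` plus the `rds:db-tag/env` condition is what narrows `rds:ModifyDBInstance` to the instances you intend; the same statement with `rds:DescribeDBInstances` added would look reasonable but grant nothing, which is the mistake `lint_wildcard_only` catches.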