AWS SAM 連接器參考 - AWS Serverless Application Model
支援的連接器資源類型連接器建立的 IAM 政策

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

AWS SAM 連接器參考

本節包含 AWS Serverless Application Model (AWS SAM) 連接器資源類型的參考資訊。如需連接器的簡介,請參閱 使用 AWS SAM 連接器管理資源許可

連接器支援的來源和目的地資源類型

AWS::Serverless::Connector 資源類型支援來源和目的地資源之間的選取連線數。在 AWS SAM 範本中設定連接器時,請使用下表來參考支援的連線,以及需要為每個來源和目的地資源類型定義的屬性。如需在範本中設定連接器的詳細資訊,請參閱AWS::Serverless::Connector

對於來源和目的地資源,當在相同範本中定義時,請使用 Id 屬性。或者,Qualifier可以新增 來縮小已定義資源的範圍。當資源不在相同的範本內時,請使用支援的屬性組合。

若要請求新的連線,請在 serverless-application-model AWS GitHub GitHub儲存庫提交新的問題

來源類型 目的地類型 許可 來源屬性 目的地屬性

AWS::ApiGateway::RestApi

AWS::Lambda::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::ApiGateway::RestApi

AWS::Serverless::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::ApiGatewayV2::Api

AWS::Lambda::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::ApiGatewayV2::Api

AWS::Serverless::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::AppSync::DataSource

AWS::DynamoDB::Table

Read

IdRoleNameType

IdArnType

AWS::AppSync::DataSource

AWS::DynamoDB::Table

Write

IdRoleNameType

IdArnType

AWS::AppSync::DataSource

AWS::Events::EventBus

Write

IdRoleNameType

IdArnType

AWS::AppSync::DataSource

AWS::Lambda::Function

Write

IdRoleNameType

IdArnType

AWS::AppSync::DataSource

AWS::Serverless::Function

Write

IdRoleNameType

IdArnType

AWS::AppSync::DataSource

AWS::Serverless::SimpleTable

Read

IdRoleNameType

IdArnType

AWS::AppSync::DataSource

AWS::Serverless::SimpleTable

Write

IdRoleNameType

IdArnType

AWS::AppSync::GraphQLApi

AWS::Lambda::Function

Write

IdResourceIdType

IdArnType

AWS::AppSync::GraphQLApi

AWS::Serverless::Function

Write

IdResourceIdType

IdArnType

AWS::DynamoDB::Table

AWS::Lambda::Function

Read

IdArnType

IdRoleNameType

AWS::DynamoDB::Table

AWS::Serverless::Function

Read

IdArnType

IdRoleNameType

AWS::Events::Rule

AWS::Events::EventBus

Write

IdRoleNameType

IdArnType

AWS::Events::Rule

AWS::Lambda::Function

Write

IdArnType

IdArnType

AWS::Events::Rule

AWS::Serverless::Function

Write

IdArnType

IdArnType

AWS::Events::Rule

AWS::Serverless::StateMachine

Write

IdRoleNameType

IdArnType

AWS::Events::Rule

AWS::SNS::Topic

Write

IdArnType

IdArnType

AWS::Events::Rule

AWS::SQS::Queue

Write

IdArnType

IdQueueUrlArnType

AWS::Events::Rule

AWS::StepFunctions::StateMachine

Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::DynamoDB::Table

Read, Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::Events::EventBus

Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::Lambda::Function

Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::Location::PlaceIndex

Read

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::S3::Bucket

Read, Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::Serverless::Function

Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::Serverless::SimpleTable

Read, Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::Serverless::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::Lambda::Function

AWS::SNS::Topic

Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::SQS::Queue

Read, Write

IdRoleNameType

IdArnType

AWS::Lambda::Function

AWS::StepFunctions::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::S3::Bucket

AWS::Lambda::Function

Write

IdArnType

IdArnType

AWS::S3::Bucket

AWS::Serverless::Function

Write

IdArnType

IdArnType

AWS::Serverless::Api

AWS::Lambda::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::Serverless::Api

AWS::Serverless::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::Serverless::Function

AWS::DynamoDB::Table

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::Events::EventBus

Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::Lambda::Function

Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::S3::Bucket

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::Serverless::Function

Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::Serverless::SimpleTable

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::Serverless::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::Serverless::Function

AWS::SNS::Topic

Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::SQS::Queue

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::Function

AWS::StepFunctions::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::Serverless::HttpApi

AWS::Lambda::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::Serverless::HttpApi

AWS::Serverless::Function

Write

IdResourceIdQualifierType

IdArnType

AWS::Serverless::SimpleTable

AWS::Lambda::Function

Read

IdArnType

IdRoleNameType

AWS::Serverless::SimpleTable

AWS::Serverless::Function

Read

IdArnType

IdRoleNameType

AWS::Serverless::StateMachine

AWS::DynamoDB::Table

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::Events::EventBus

Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::Lambda::Function

Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::S3::Bucket

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::Serverless::Function

Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::Serverless::SimpleTable

Read, Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::Serverless::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::Serverless::StateMachine

AWS::SNS::Topic

Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::SQS::Queue

Write

IdRoleNameType

IdArnType

AWS::Serverless::StateMachine

AWS::StepFunctions::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::SNS::Topic

AWS::Lambda::Function

Write

IdArnType

IdArnType

AWS::SNS::Topic

AWS::Serverless::Function

Write

IdArnType

IdArnType

AWS::SNS::Topic

AWS::SQS::Queue

Write

IdArnType

IdQueueUrlArnType

AWS::SQS::Queue

AWS::Lambda::Function

Read, Write

IdArnType

IdRoleNameType

AWS::SQS::Queue

AWS::Serverless::Function

Read, Write

IdArnType

IdRoleNameType

AWS::StepFunctions::StateMachine

AWS::DynamoDB::Table

Read, Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::Events::EventBus

Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::Lambda::Function

Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::S3::Bucket

Read, Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::Serverless::Function

Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::Serverless::SimpleTable

Read, Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::Serverless::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

AWS::StepFunctions::StateMachine

AWS::SNS::Topic

Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::SQS::Queue

Write

IdRoleNameType

IdArnType

AWS::StepFunctions::StateMachine

AWS::StepFunctions::StateMachine

Read, Write

IdRoleNameType

IdNameArnType

連接器建立的 IAM 政策

本節記錄使用連接器 AWS SAM 時由 建立的 AWS Identity and Access Management (IAM) 政策。

AWS::DynamoDB::TableAWS::Lambda::Function

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords",
        "dynamodb:GetShardIterator",
        "dynamodb:ListStreams"
      ],
      "Resource": [
        "%{Source.Arn}/stream/*"
      ]
    }
  ]
}
AWS::Events::RuleAWS::SNS::Topic

政策類型

AWS::SNS::TopicPolicy 連接至 AWS::SNS::Topic

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Resource": "%{Destination.Arn}",
      "Action": "sns:Publish",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "%{Source.Arn}"
        }
      }
    }
  ]
}
AWS::Events::RuleAWS::Events::EventBus

政策類型

連接至AWS::Events::Rule角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::Events::RuleAWS::StepFunctions::StateMachine

政策類型

連接至AWS::Events::Rule角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::Events::RuleAWS::Lambda::Function

政策類型

AWS::Lambda::Permission 連接至 AWS::Lambda::Function

存取類別

Write

{
  "Action": "lambda:InvokeFunction",
  "Principal": "events.amazonaws.com",
  "SourceArn": "%{Source.Arn}"
}
AWS::Events::RuleAWS::SQS::Queue

政策類型

AWS::SQS::QueuePolicy 連接至 AWS::SQS::Queue

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Resource": "%{Destination.Arn}",
      "Action": "sqs:SendMessage",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "%{Source.Arn}"
        }
      }
    }
  ]
}
AWS::Lambda::FunctionAWS::Lambda::Function

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::S3::Bucket

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTorrent",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:RestoreObject"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::DynamoDB::Table

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PartiQLDelete",
        "dynamodb:PartiQLInsert",
        "dynamodb:PartiQLUpdate"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::SQS::Queue

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:SendMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:PurgeQueue"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::SNS::Topic

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::StepFunctions::StateMachine

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution",
        "states:StartSyncExecution"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:StopExecution"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    }
  ]
}

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:ListExecutions"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:DescribeStateMachineForExecution",
        "states:GetExecutionHistory"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::Events::EventBus

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::Lambda::FunctionAWS::Location::PlaceIndex

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "geo:DescribePlaceIndex",
        "geo:GetPlace",
        "geo:SearchPlaceIndexForPosition",
        "geo:SearchPlaceIndexForSuggestions",
        "geo:SearchPlaceIndexForText"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::ApiGatewayV2::ApiAWS::Lambda::Function

政策類型

AWS::Lambda::Permission 連接至 AWS::Lambda::Function

存取類別

Write

{
  "Action": "lambda:InvokeFunction",
  "Principal": "apigateway.amazonaws.com",
  "SourceArn": "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:%{Source.ResourceId}/%{Source.Qualifier}"
}
AWS::ApiGateway::RestApiAWS::Lambda::Function

政策類型

AWS::Lambda::Permission 連接至 AWS::Lambda::Function

存取類別

Write

{
  "Action": "lambda:InvokeFunction",
  "Principal": "apigateway.amazonaws.com",
  "SourceArn": "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:%{Source.ResourceId}/%{Source.Qualifier}"
}
AWS::SNS::TopicAWS::SQS::Queue

政策類型

AWS::SQS::QueuePolicy 連接至 AWS::SQS::Queue

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Resource": "%{Destination.Arn}",
      "Action": "sqs:SendMessage",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "%{Source.Arn}"
        }
      }
    }
  ]
}
AWS::SNS::TopicAWS::Lambda::Function

政策類型

AWS::Lambda::Permission 連接至 AWS::Lambda::Function

存取類別

Write

{
  "Action": "lambda:InvokeFunction",
  "Principal": "sns.amazonaws.com",
  "SourceArn": "%{Source.Arn}"
}
AWS::SQS::QueueAWS::Lambda::Function

政策類型

連接至AWS::Lambda::Function角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage"
      ],
      "Resource": [
        "%{Source.Arn}"
      ]
    }
  ]
}

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "%{Source.Arn}"
      ]
    }
  ]
}
AWS::S3::BucketAWS::Lambda::Function

政策類型

AWS::Lambda::Permission 連接至 AWS::Lambda::Function

存取類別

Write

{
  "Action": "lambda:InvokeFunction",
  "Principal": "s3.amazonaws.com",
  "SourceArn": "%{Source.Arn}",
  "SourceAccount": "${AWS::AccountId}"
}
AWS::StepFunctions::StateMachineAWS::Lambda::Function

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::StepFunctions::StateMachineAWS::SNS::Topic

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::StepFunctions::StateMachineAWS::SQS::Queue

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::StepFunctions::StateMachineAWS::S3::Bucket

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTorrent",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:RestoreObject"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/*"
      ]
    }
  ]
}
AWS::StepFunctions::StateMachineAWS::DynamoDB::Table

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PartiQLDelete",
        "dynamodb:PartiQLInsert",
        "dynamodb:PartiQLUpdate"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}
AWS::StepFunctions::StateMachineAWS::StepFunctions::StateMachine

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule"
      ],
      "Resource": [
        "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:StopExecution"
      ],
      "Resource": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:%{Destination.Name}:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutTargets",
        "events:PutRule"
      ],
      "Resource": [
        "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
      ]
    }
  ]
}
AWS::StepFunctions::StateMachineAWS::Events::EventBus

政策類型

連接至AWS::StepFunctions::StateMachine角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::AppSync::DataSourceAWS::DynamoDB::Table

政策類型

連接至AWS::AppSync::DataSource角色的客戶受管政策

存取類別

Read

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchGetItem",
        "dynamodb:ConditionCheckItem",
        "dynamodb:PartiQLSelect"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PartiQLDelete",
        "dynamodb:PartiQLInsert",
        "dynamodb:PartiQLUpdate"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}/index/*"
      ]
    }
  ]
}
AWS::AppSync::DataSourceAWS::Lambda::Function

政策類型

連接至AWS::AppSync::DataSource角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "%{Destination.Arn}",
        "%{Destination.Arn}:*"
      ]
    }
  ]
}
AWS::AppSync::DataSourceAWS::Events::EventBus

政策類型

連接至AWS::AppSync::DataSource角色的客戶受管政策

存取類別

Write

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "%{Destination.Arn}"
      ]
    }
  ]
}
AWS::AppSync::GraphQLApiAWS::Lambda::Function

政策類型

AWS::Lambda::Permission 連接至 AWS::Lambda::Function

存取類別

Write

{
  "Action": "lambda:InvokeFunction",
  "Principal": "appsync.amazonaws.com",
  "SourceArn": "arn:${AWS::Partition}:appsync:${AWS::Region}:${AWS::AccountId}:apis/%{Source.ResourceId}"
}