本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 針對 使用以身分為基礎的政策 (IAM 政策) AWS Snowball 邊緣
本主題提供以身分為基礎的政策範例,示範帳戶管理員如何將許可政策連接至 IAM 身分 (即使用者、群組和角色)。這些政策藉此授予許可,以對 中的 AWS Snowball 邊緣 資源執行操作 AWS 雲端。
**重要**
建議您先檢閱可供您管理 AWS Snowball 邊緣 資源存取之基本槪念與選項的說明介紹主題。如需詳細資訊,請參閱[中管理 資源存取許可的概觀 AWS 雲端](authentication-and-access-control.md#access-control-overview)。
本主題中的各節涵蓋下列內容:
+ [使用 AWS Snowball 邊緣 主控台所需的許可](#additional-console-required-permissions)
+ [AWS的 受管 (預先定義) 政策 AWS Snowball 邊緣](authentication-and-access-control.md#access-policy-examples-aws-managed)
+ [客戶受管政策範例](access-policy-examples-for-sdk-cli.md)
以下顯示許可政策範例。
------
#### [ JSON ]
****
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"snowball:*",
"importexport:*"
],
"Resource": "*"
}
]
}
```
------
此政策具有兩個陳述式:
+ 第一個陳述式會使用 的 Amazon S3 Resource Name (ARN`s3:ListBucket`)`s3:GetBucketLocation`,授予所有 Amazon S3 儲存貯體上三個 Amazon S3 動作 (`s3:GetObject`、 和 ) 的許可`arn:aws:s3:::*`。 **ARN 會指定萬用字元 (\*),讓使用者可以選擇任何或所有 Amazon S3 儲存貯體來匯出資料。
+ 第二個陳述式會授予所有 AWS Snowball 邊緣 動作的許可。因為這些動作不支援資源層級許可,所以政策會指定萬用字元 (\*),而且 `Resource` 值也會指定萬用字元。
此政策不指定 `Principal` 元素,因為您不會在以身分為基礎的政策中,指定取得許可的主體。當您將政策連接至使用者時,這名使用者是隱含委託人。當您將許可政策連接至 IAM 角色,該角色的信任政策中所識別的委託人即取得許可。
如需顯示所有 AWS Snowball 邊緣 任務管理 API 動作及其適用的資源的資料表,請參閱 [AWS Snowball 邊緣 API 許可:動作、資源和條件參考](access-policy-examples-for-sdk-cli.md#snowball-api-permissions-ref)。
## 使用 AWS Snowball 邊緣 主控台所需的許可
許可參考表列出 AWS Snowball 邊緣 任務管理 API 操作,並顯示每個操作所需的許可。如需任務管理 API 操作的詳細資訊,請參閱 [AWS Snowball 邊緣 API 許可:動作、資源和條件參考](access-policy-examples-for-sdk-cli.md#snowball-api-permissions-ref)。
若要使用 AWS Snow 系列管理主控台,您需要授予其他動作的許可,如下列許可政策所示:
------
#### [ JSON ]
****
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": "arn:aws:lambda:*::function:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:Encrypt",
"kms:RetireGrant",
"kms:ListKeys",
"kms:DescribeKey",
"kms:ListAliases"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/snowball*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "importexport.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:ModifyImageAttribute"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"greengrass:getServiceRoleForAccount"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"snowball:*"
],
"Resource": [
"*"
]
}
]
}
```
------
------
#### [ JSON ]
****
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": "arn:aws:lambda:::function:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "arn:aws:lambda:::*"
},
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:PutRolePolicy"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/snowball*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "importexport.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:ModifyImageAttribute"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"greengrass:getServiceRoleForAccount"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"snowball:*"
],
"Resource": [
"*"
]
}
]
}
```
------
AWS Snowball 邊緣 主控台需要這些額外的許可,原因如下:
+ `ec2:` – 這些允許使用者描述與 Amazon EC2-compatible執行個體,並修改其屬性以進行本機運算。如需詳細資訊,請參閱[在 Snowball Edge 上使用與 Amazon EC2-compatible運算執行個體](using-ec2.md)。
+ `kms:` – 這些允許使用者建立或選擇將加密資料的 KMS 金鑰。如需詳細資訊,請參閱[AWS Key Management Service 在 中 AWS Snowball 邊緣](data-protection.md#kms)。
+ `iam:` – 這些允許使用者建立或選擇 AWS Snowball 邊緣 將擔任的 IAM 角色 ARN,以存取與任務建立和處理相關聯的 AWS 資源。
+ `sns:` – 這些允許使用者為其建立的任務建立或選擇 Amazon SNS 通知。如需詳細資訊,請參閱[Snowball Edge 的通知](notifications.md)。