IAM policy for a user to access RDS Enhanced Monitoring

Posted 2025-02-10 00:33:08


I am trying to create an IAM user that will have least privileges to be able to view Enhanced Monitoring for a particular RDS database. I have created a ROLE (Enhanced Monitoring) and attached a managed policy to it: 'AmazonRDSEnhancedMonitoringRole'. This role is passed to the RDS database using the PassRole permission. The policy that I am attaching to this IAM user is as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "rds:*",
                "cloudwatch:GetMetricData",
                "iam:ListRoles",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DeleteAnomalyDetector",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAnomalyDetectors",
                "cloudwatch:ListMetricStreams",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:ListDashboards",
                "ec2:*",
                "cloudwatch:PutAnomalyDetector",
                "cloudwatch:GetMetricWidgetImage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "cloudwatch:*"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:accountnumber:insight-rule/*",
                "arn:aws:iam::accountnumber:role/Enhanced-Monitoring",
                "arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
            ]
        }
    ]
}

As you can see, I have given almost every permission to this user, but still I am getting a 'Not Authorized' error on the IAM user's RDS dashboard for Enhanced Monitoring, although CloudWatch logs are displaying normally.


Comments (1)

回眸一遍 2025-02-17 00:33:08


I managed to solve the error by modifying the policy. Since Enhanced Monitoring utilizes CloudWatch Logs, I added a read-only CloudWatch Logs policy (CloudWatchLogsReadOnlyAccess). This policy is mentioned here in the AWS documentation. I also added a cloudwatch:GetMetricData permission as suggested on the RDS console. The overall policy is also more compact now:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::account_number:role/Enhanced-Monitoring"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "rds:*",
                "logs:Describe*",
                "logs:List*",
                "logs:StartQuery",
                "ec2:*",
                "iam:ListRoles",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "logs:Get*",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

The setup is working fine now.
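An added example, not code from either post: a small offline checker that evaluates IAM action globs such as logs:Get* against the answer's policy (embedded here as constructed input, with the post's own account_number placeholder) and lists the service-wide wildcards (rds:*, ec2:* on Resource "*") that a least-privilege review would still need to narrow.

```python
import fnmatch
import json

# The answer's working policy as posted above; "account_number" is the post's own placeholder.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::account_number:role/Enhanced-Monitoring"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["rds:*", "logs:Describe*", "logs:List*", "logs:StartQuery", "ec2:*",
                "iam:ListRoles", "logs:StopQuery", "logs:TestMetricFilter",
                "logs:FilterLogEvents", "logs:Get*", "cloudwatch:GetMetricData"],
     "Resource": "*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM matches actions case-insensitively, with * and ? as wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_action_allowed(policy, action, resource="*"):
    """Explicit Deny wins; anything no statement matches is an implicit deny.
    Simplification: Conditions are ignored and resources are matched as case-insensitive globs."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        res_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and res_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def wildcard_grants(policy):
    """(Sid, action) pairs that allow 'service:*' on Resource '*': the places to
    tighten when the goal really is least privilege."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        hits += [(stmt.get("Sid", ""), a) for a in _as_list(stmt.get("Action", []))
                 if a == "*" or a.endswith(":*")]
    return hits
```

Running the checker against the question's original policy shows no logs:* action matching, which is the implicit deny behind the 'Not Authorized' message; against the answer's policy it shows the two remaining service-wide grants.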
