AWS IAM User Permissions

To restore to Amazon EC2, it is recommended that the IAM user whose credentials you plan to use to connect to AWS has administrative permissions, that is, access to all AWS actions and resources.

If you do not want to grant full access to AWS, you can grant the IAM user the minimum set of permissions required for the restore. To do so, create the following policy in JSON format and attach it to the IAM user:

    {
     "Version": "2012-10-17",
     "Statement": [{
      "Action": [
       "ec2:DescribeInstances",
       "ec2:RunInstances",
       "ec2:TerminateInstances",
       "ec2:StartInstances",
       "ec2:StopInstances",
       "ec2:ModifyInstanceAttribute",
       "ec2:DescribeImages",
       "ec2:ImportImage",
       "ec2:DeregisterImage",
       "ec2:DescribeVolumes",
       "ec2:CreateVolume",
       "ec2:ModifyVolume",
       "ec2:ImportVolume",
       "ec2:DeleteVolume",
       "ec2:AttachVolume",
       "ec2:DetachVolume",
       "ec2:CreateSnapshot",
       "ec2:DescribeSnapshots",
       "ec2:DeleteSnapshot",
       "ec2:DescribeSubnets",
       "ec2:DescribeNetworkInterfaces",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeKeyPairs",
       "ec2:CreateKeyPair",
       "ec2:DeleteKeyPair",
       "ec2:DescribeAvailabilityZones",
       "ec2:DescribeVpcs",
       "ec2:DescribeConversionTasks",
       "ec2:DescribeImportImageTasks",
       "ec2:DescribeVolumesModifications",
       "ec2:CancelImportTask",
       "ec2:CancelConversionTask",
       "ec2:CreateTags",
       "ec2:DescribeAccountAttributes",
       "ec2:DescribeDhcpOptions",
       "ec2:DescribeVpcAttribute",
       "iam:GetRole",
       "iam:CreateRole",
       "iam:PutRolePolicy",
       "iam:DeleteRolePolicy",
       "s3:CreateBucket",
       "s3:ListBucket",
       "s3:ListAllMyBuckets",
       "s3:DeleteBucket",
       "s3:PutObject",
       "s3:DeleteObject",
       "s3:GetBucketLocation",
       "s3:PutLifeCycleConfiguration",
       "s3:GetObject",
       "s3:RestoreObject",
       "s3:AbortMultiPartUpload",
       "s3:ListBucketMultiPartUploads",
       "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": "*"
     }]
    }

Alternatively, you can attach the created policy to an IAM group or role that the IAM user is assigned to.
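Note that the policy above is scoped at the action level only: its single statement allows every listed action on Resource "*". The following script is an added example, not part of the original page or the product's own tooling; it loads the policy (re-typed from the page with its quote damage removed) and reports what it grants per service, which actions can change or delete something, and whether any Allow statement is resource-wide.

```python
import json
from collections import Counter

# The restore policy from the page, re-typed with the quote damage removed.
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
 "Action": [
  "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances", "ec2:StartInstances",
  "ec2:StopInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeImages", "ec2:ImportImage",
  "ec2:DeregisterImage", "ec2:DescribeVolumes", "ec2:CreateVolume", "ec2:ModifyVolume",
  "ec2:ImportVolume", "ec2:DeleteVolume", "ec2:AttachVolume", "ec2:DetachVolume",
  "ec2:CreateSnapshot", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot", "ec2:DescribeSubnets",
  "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs",
  "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs",
  "ec2:DescribeConversionTasks", "ec2:DescribeImportImageTasks", "ec2:DescribeVolumesModifications",
  "ec2:CancelImportTask", "ec2:CancelConversionTask", "ec2:CreateTags",
  "ec2:DescribeAccountAttributes", "ec2:DescribeDhcpOptions", "ec2:DescribeVpcAttribute",
  "iam:GetRole", "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
  "s3:CreateBucket", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:DeleteBucket", "s3:PutObject",
  "s3:DeleteObject", "s3:GetBucketLocation", "s3:PutLifeCycleConfiguration", "s3:GetObject",
  "s3:RestoreObject", "s3:AbortMultiPartUpload", "s3:ListBucketMultiPartUploads",
  "s3:ListMultipartUploadParts"]}]}"""

# Action verbs that only read state; everything else can create, change or delete something.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def as_list(value):
    """IAM allows Action and Resource to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy_json):
    """Return (actions per service, sorted mutating actions, any Allow on Resource '*')."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("expected the 2012-10-17 policy language version")
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    actions = [a for s in allows for a in as_list(s["Action"])]
    per_service = Counter(a.partition(":")[0] for a in actions)
    mutating = sorted(a for a in actions
                      if not a.partition(":")[2].startswith(READ_ONLY_PREFIXES))
    wildcard = any("*" in as_list(s.get("Resource", [])) for s in allows)
    return dict(per_service), mutating, wildcard

if __name__ == "__main__":
    services, mutating, wildcard = audit(POLICY_JSON)
    print(services, f"{len(mutating)} mutating actions, resource-wide Allow: {wildcard}")
```

Run it against any policy document you are about to attach; a non-empty mutating list on a resource-wide Allow is the part worth a second look before the credentials go into the backup product.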

For information on how to create a policy and attach it to an IAM user, see the "Creating IAM policies" and "Adding and removing IAM identity permissions" sections of the AWS IAM User Guide.