AWS IAM User Permissions
To restore to Amazon EC2, it is recommended that the IAM user whose credentials you plan to use to connect to AWS has administrative permissions, that is, access to all AWS actions and resources.
If you do not want to grant full access to AWS, you can instead grant the IAM user the minimal set of permissions required for the restore. To do this, create the following policy in JSON format and attach it to the IAM user. Note that the policy still uses "Resource": "*", so every listed action is allowed on every resource in the account; the restriction is on the actions only.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeImages",
        "ec2:ImportImage",
        "ec2:DeregisterImage",
        "ec2:DescribeVolumes",
        "ec2:CreateVolume",
        "ec2:ModifyVolume",
        "ec2:ImportVolume",
        "ec2:DeleteVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:CreateSnapshot",
        "ec2:DescribeSnapshots",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeVolumesModifications",
        "ec2:CancelImportTask",
        "ec2:CancelConversionTask",
        "ec2:CreateTags",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeVpcAttribute",
        "iam:GetRole",
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:DeleteBucket",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:PutLifeCycleConfiguration",
        "s3:GetObject",
        "s3:RestoreObject",
        "s3:AbortMultiPartUpload",
        "s3:ListBucketMultiPartUploads",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "*"
    }
  ]
}
Alternatively, you can attach the created policy to the IAM group that the IAM user belongs to, or to an IAM role the user is allowed to assume.
For information on how to create a policy and attach it to an IAM user, see the Creating IAM policies and Adding and removing IAM identity permissions sections of the AWS IAM User Guide.
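The following script is an added example, not part of the original page and not the product's own tooling. It builds the policy document above from the page's action list, runs a few least-privilege checks that a practitioner would want before attaching any policy (correct Version, no wildcard actions, and a warning when IAM write actions such as iam:CreateRole and iam:PutRolePolicy are allowed on Resource "*"), and writes the JSON to a file for the AWS CLI. The lint rules, the output file name, and the grouping of actions by service are this example's assumptions, not anything the page or AWS prescribes.

```python
"""Build, lint and write the minimal IAM policy for restore to Amazon EC2.

Added example; the action list is the one on this page, everything else
(lint rules, file name, policy layout helpers) is this example's assumption.
"""
import json

POLICY_VERSION = "2012-10-17"

# Actions copied from the policy on this page, grouped by service for readability.
EC2_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:ModifyInstanceAttribute",
    "ec2:DescribeImages", "ec2:ImportImage", "ec2:DeregisterImage",
    "ec2:DescribeVolumes", "ec2:CreateVolume", "ec2:ModifyVolume",
    "ec2:ImportVolume", "ec2:DeleteVolume", "ec2:AttachVolume", "ec2:DetachVolume",
    "ec2:CreateSnapshot", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot",
    "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:CreateKeyPair",
    "ec2:DeleteKeyPair", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs",
    "ec2:DescribeConversionTasks", "ec2:DescribeImportImageTasks",
    "ec2:DescribeVolumesModifications", "ec2:CancelImportTask",
    "ec2:CancelConversionTask", "ec2:CreateTags", "ec2:DescribeAccountAttributes",
    "ec2:DescribeDhcpOptions", "ec2:DescribeVpcAttribute",
]
IAM_ACTIONS = ["iam:GetRole", "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy"]
S3_ACTIONS = [
    "s3:CreateBucket", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:DeleteBucket",
    "s3:PutObject", "s3:DeleteObject", "s3:GetBucketLocation",
    "s3:PutLifeCycleConfiguration", "s3:GetObject", "s3:RestoreObject",
    "s3:AbortMultiPartUpload", "s3:ListBucketMultiPartUploads",
    "s3:ListMultipartUploadParts",
]


def build_policy(actions=None, resource="*"):
    """Return the policy document as a dict (one Allow statement, as on the page)."""
    if actions is None:
        actions = EC2_ACTIONS + IAM_ACTIONS + S3_ACTIONS
    return {
        "Version": POLICY_VERSION,
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
    }


def lint_policy(policy):
    """Return a list of findings; an empty list means the policy passed.

    These checks are this example's own rules, not an AWS API:
      * Version must be 2012-10-17 (the current policy language version).
      * Every statement needs Effect, Action and Resource.
      * No "*" or "service:*" action: a wildcard turns a "minimal" policy into
        a full-access one without anyone noticing.
      * IAM write actions (anything under iam: other than iam:Get*) allowed on
        Resource "*" are reported so the operator can decide whether to scope them.
    """
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append("Version must be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                findings.append(f"statement {i}: missing {key}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        iam_writes = [a for a in actions if a.startswith("iam:") and not a.startswith("iam:Get")]
        if stmt.get("Effect") == "Allow" and "*" in resources and iam_writes:
            findings.append(
                f"statement {i}: IAM write actions {', '.join(iam_writes)} allowed on "
                "Resource '*'; consider scoping them to the role ARN the restore creates"
            )
    return findings


def policy_json(policy):
    """Serialise the policy the way the AWS CLI expects it in a --policy-document file."""
    return json.dumps(policy, indent=2)


def load_policy(text):
    """Parse a policy file's text back into a dict (e.g. to lint an existing file)."""
    return json.loads(text)


if __name__ == "__main__":
    doc = build_policy()
    for finding in lint_policy(doc):
        print("WARNING:", finding)
    with open("restore-to-ec2-policy.json", "w") as fh:  # file name is this example's choice
        fh.write(policy_json(doc))
```

With the file written, the policy can be created and attached with the standard AWS CLI commands, for example `aws iam create-policy --policy-name RestoreToEC2 --policy-document file://restore-to-ec2-policy.json` followed by `aws iam attach-user-policy --user-name <user> --policy-arn <arn from the previous command>` (or `attach-group-policy` / `attach-role-policy` for the alternative described above). The script's one warning on the page's policy is expected: the iam:CreateRole, iam:PutRolePolicy and iam:DeleteRolePolicy grants are needed by the restore, and the page does not name the role it creates, so tightening them to a specific role ARN is a judgement call that must match what the product actually does.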