Granting an AWS Lambda function the permissions needed to create and delete alarms

Question (0 votes, 1 answer)

How do I give a Lambda function in a CloudFormation template the permissions it needs to manage (create/delete) alarms? I'm struggling to understand policies and how they work.


```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      # Trust policy: only says who may assume the role (the Lambda service),
      # it grants no API permissions by itself
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # Permissions policies: none of these four grant
      # cloudwatch:PutMetricAlarm or cloudwatch:DeleteAlarms
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        - 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
        - 'arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
  Lambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      PackageType: Zip
      Handler: index.handler
      # nodejs12.x is an end-of-life runtime; note that the bundled aws-sdk v2
      # used below is only available in runtimes up to nodejs16.x
      Runtime: nodejs12.x
      MemorySize: 512
      Timeout: 30
      Role: !GetAtt Role.Arn
      Code:
        ZipFile: |
          const AWS = require('aws-sdk');
          AWS.config.update({region: 'us-east-2'});

          const cw = new AWS.CloudWatch({apiVersion: '2010-08-01'});
          // ... handler body omitted in the post
```
Tags: amazon-web-services aws-lambda amazon-cloudwatch roles alarm

1 answer

Answer (2 votes)

You could assign the CloudWatchFullAccess policy (arn:aws:iam::aws:policy/CloudWatchFullAccess), but that may provide too much access.

If you are comfortable writing your own policy, you could grant:

  • cloudwatch:PutMetricAlarm
  • cloudwatch:DeleteAlarms

For details, see: Actions, resources, and condition keys for Amazon CloudWatch - Service Authorization Reference
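The answer names the two actions but not how to scope them. Both cloudwatch:PutMetricAlarm and cloudwatch:DeleteAlarms accept the alarm resource type (arn:aws:cloudwatch:REGION:ACCOUNT:alarm:NAME), so the custom policy can be restricted to the alarms this function owns instead of every alarm in the account. The block below is an added example, not code from the question, the answer or AWS: it builds that least-privilege policy document (the dict is what goes under the Role's Policies[].PolicyDocument in the template) and pairs it with a small, simplified model of IAM evaluation (explicit Deny wins, anything not allowed is implicitly denied, `*`/`?` wildcards) so you can see which requests the policy lets through. The region, account ID and `myapp-` alarm-name prefix are placeholders.

```python
"""Least-privilege CloudWatch alarm policy for a Lambda role, plus a tiny
evaluator showing how IAM decides requests against it.

Added example, not from the original post. The evaluator is a simplified
model of IAM identity-policy evaluation (no resource policies, SCPs or
condition keys). Region, account ID and alarm-name prefix are placeholders.
"""
import fnmatch
import json

REGION = "us-east-2"         # placeholder; in CloudFormation use !Sub '${AWS::Region}'
ACCOUNT_ID = "123456789012"  # placeholder; in CloudFormation use '${AWS::AccountId}'
ALARM_PREFIX = "myapp-"      # assumption: alarms this function manages share a prefix


def alarm_policy(region=REGION, account_id=ACCOUNT_ID, prefix=ALARM_PREFIX):
    """Policy document for the Role's Policies[].PolicyDocument.

    Only the two actions the answer names, scoped to alarm ARNs under the
    prefix, so the function cannot create or delete other teams' alarms or
    alarms in another region/account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageOwnAlarms",
                "Effect": "Allow",
                "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"],
                "Resource": f"arn:aws:cloudwatch:{region}:{account_id}:alarm:{prefix}*",
            }
        ],
    }


def alarm_arn(name, region=REGION, account_id=ACCOUNT_ID):
    """ARN CloudWatch assigns to an alarm of the given name."""
    return f"arn:aws:cloudwatch:{region}:{account_id}:alarm:{name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # fnmatch also treats '[...]' as a character class, which IAM does not,
    # so escape it first.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation of one request against one identity policy.

    Action names are compared case-insensitively (as IAM does); resource
    ARNs are compared case-sensitively.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed  # no matching Allow -> implicit deny


if __name__ == "__main__":
    policy = alarm_policy()
    print(json.dumps(policy, indent=2))
    own = alarm_arn("myapp-high-cpu")
    print(is_allowed(policy, "cloudwatch:PutMetricAlarm", own))                      # True
    print(is_allowed(policy, "cloudwatch:DeleteAlarms", alarm_arn("other-team")))    # False: wrong prefix
    print(is_allowed(policy, "cloudwatch:DescribeAlarms", own))                      # False: never granted
    print(is_allowed(policy, "cloudwatch:PutMetricAlarm",
                     alarm_arn("myapp-x", region="us-east-1")))                      # False: wrong region
```

Two practical caveats when you move this into the template. First, the question's function hard-codes `us-east-2` in the SDK client, so a policy built with `${AWS::Region}` only matches if the stack is deployed in that region; a mismatch shows up as an AccessDenied on PutMetricAlarm even though the action is granted. Second, the evaluator above shows that scoping to the two listed actions means the function cannot call DescribeAlarms; if the handler needs to check whether an alarm exists before creating or deleting it, that action has to be granted separately.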
