Managed and custom policies
Policies and permissions
Whether you grant access by creating an IAM user or through a cross-account IAM role, you need to give Site24x7 permissions. These permissions decide which specific AWS resources can be accessed.
Site24x7 needs read-only permission on your AWS services and resources. You can assign the default read-only policy, assign our custom policy, or create your own policy.
Default read-only access policy (recommended)
To make sure there are no performance blind spots and to use the full monitoring capability of Site24x7, we strongly recommend assigning the default ReadOnly policy document to the IAM user/role you create. This policy gives full read-only access to all popular AWS services.
- Currently, the read-only permissions needed to monitor Kinesis Video Streams usage are not present in the managed policy "ReadOnlyAccess". To monitor them, apply the managed policy "AmazonKinesisVideoStreamsReadOnlyAccess" together with the "ReadOnlyAccess" policy, or build a new policy from scratch in the visual editor.
- The read-only permissions needed to monitor Route 53 Resolver are not present in the managed policy "ReadOnlyAccess". To monitor it, build a new policy from scratch in the visual editor or create a role with the necessary permissions.
These predefined policies are maintained and updated by the AWS team itself, so when we add monitoring support for a new AWS service you do not need to update the permissions in your policy document.
Site24x7's custom policy (JSON)
Create your own custom IAM policy (visual editor)
If your organization does not allow you to assign the default ReadOnly policy, or you want more precise control over the permissions you grant, you can create your own policy with the point-and-click visual editor in the IAM console. The supported AWS services and the individual actions each service needs are listed below.
| AWS service | Read-level actions | Partial write-level actions |
|---|---|---|
| CloudWatch | cloudwatch:GetMetricData, … | |
| DynamoDB | dynamodb:DescribeTable, … | |
| EC2 | ec2:DescribeAddresses, … | ec2:RebootInstances, … |
| Elastic Beanstalk (EBS) | elasticbeanstalk:DescribeEnvironmentResources, … | elasticbeanstalk:RestartAppServer |
| ELB | elasticloadbalancing:DescribeLoadBalancers, … | |
| Gateway Load Balancer | elasticloadbalancing:DescribeLoadBalancers, … | |
| RDS | rds:ListTagsForResource, … | rds:StartDBInstance, … |
| S3 | s3:GetObjectAcl, … | |
| SNS | sns:ListSubscriptions, … | sns:Publish |
| Lambda | lambda:ListFunctions, … | lambda:InvokeFunction |
| Lambda logs | logs:Describe*, logs:Get* | |
| ElastiCache | elasticache:DescribeCacheClusters, … | elasticache:RebootCacheCluster |
| Simple Queue Service (SQS) | sqs:ListQueues, … | sqs:SendMessage |
| Amazon CloudFront | cloudfront:GetDistribution, … | |
| Amazon Kinesis Data Streams | kinesis:DescribeStreamSummary, … | kinesis:PutRecord |
| Amazon Kinesis Video Streams | kinesisvideo:ListStreams, … | |
| Amazon Kinesis Firehose | firehose:ListDeliveryStreams, … | |
| Amazon Kinesis Data Analytics | kinesisanalytics:ListApplications, … | kinesisanalytics:StopApplication, kinesisanalytics:StartApplication |
| Route 53 | Route 53 Health Check: | |
| Elastic Beanstalk | elasticbeanstalk:DescribeEnvironmentResources, … | elasticbeanstalk:RestartAppServer |
| Direct Connect | directconnect:DescribeConnections, … | |
| VPC-Virtual Private Network (VPN) connection | ec2:DescribeVpnConnections, … | |
| API Gateway | apigateway:GET | apigateway:POST |
| Amazon Elastic Container Service (ECS) | ecs:ListServices, … | |
| Amazon Redshift | redshift:DescribeClusters, … | redshift:RebootCluster |
| Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems, … | |
| Simple Email Service (SES) | ses:DescribeConfigurationSet, … | ses:SendEmail |
| Step Functions | states:ListStateMachines, … | states:StartExecution |
| Web Application Firewall (WAF) | waf-regional:ListWebACLs, … | |
| Key Management Service (KMS) | kms:DescribeCustomKeyStores, … | |
| CloudSearch | cloudsearch:DescribeDomains, … | |
| Elasticsearch | es:DescribeElasticsearchDomain, … | |
| Elastic MapReduce | elasticmapreduce:ListSecurityConfigurations, … | elasticmapreduce:addJobFlowSteps |
| WorkSpaces | workspaces:DescribeTags, … | workspaces:StartWorkspaces, workspaces:RebootWorkspaces, workspaces:RebuildWorkspaces, workspaces:StopWorkspaces |
| Certificate Manager (ACM) | acm:ListCertificates, … | |
| Lightsail Instance | lightsail:GetInstances, … | lightsail:StartInstance, lightsail:StopInstance, lightsail:RebootInstance |
| Lightsail Database | lightsail:GetRelationalDatabases, … | lightsail:StartRelationalDatabase, lightsail:StopRelationalDatabase, lightsail:RebootRelationalDatabase |
| Lightsail Load Balancer | lightsail:GetLoadBalancers, … | lightsail:StartRelationalDatabase, lightsail:StopRelationalDatabase, lightsail:RebootRelationalDatabase |
| Elastic Kubernetes Service (EKS) | eks:DescribeCluster, … | |
| Storage Gateway | storagegateway:DescribeGatewayInformation, … | |
| Amazon MQ | mq:DescribeBroker, … | mq:RebootBroker |
| Transit Gateway | ec2:DescribeTransitGatewayAttachments, … | ec2:SearchTransitGatewayRoutes, ec2:SearchTransitGatewayMulticastGroups |
| Data Migration Service (DMS) | dms:DescribeAccountAttributes, … | dms:StartReplicationTask, dms:StopReplicationTask |
| Amazon FSx | fsx:ListTagsForResource, … | fsx:CreateDataRepositoryTask, fsx:CreateBackup |
| GuardDuty | guardduty:ListDetectors, … | |
| Lambda@Edge | lambda:GetAccountSettings, … | lambda:InvokeFunction |
| DocumentDB | rds:DescribeDBClusters, … | |
| Amazon Secure File Transfer Protocol (SFTP) | transfer:DescribeUser, … | |
| AWS Systems Manager | ssm:ListCommands, … | |
| Service Quotas | servicequotas:GetRequestedServiceQuotaChange, … | servicequotas:RequestServiceQuotaIncrease |
Follow the steps below to create a new policy with the visual editor:
- Sign in to the AWS IAM console, choose Policies and click Create new policy.
- Select the Visual editor tab.
- In the Select a service field, type CloudWatch in the search box and choose CloudWatch from the list.
- In the Access level groups section, select Read and, expanding the section, tick the actions listed for that service in the table.
- Repeat the same process for the other supported services. When you are done, click Review policy.
Custom policy for read-only actions
You can also use our custom policy document to grant access to your AWS resources. Paste the policy JSON below into the JSON editor, review it, give it an appropriate name and description, and click Create policy.
Once created, attach the policy to the Site24x7 IAM user or role.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
        "dynamodb:Describe*", "dynamodb:List*",
        "ec2:Describe*",
        "sqs:Get*", "sqs:List*",
        "autoscaling:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudfront:Get*", "cloudfront:List*",
        "s3:Get*", "s3:List*",
        "rds:Describe*", "rds:List*",
        "kinesisanalytics:Describe*", "kinesisanalytics:Get*", "kinesisanalytics:List*",
        "kinesis:Describe*", "kinesis:Get*", "kinesis:List*",
        "kinesisvideo:Get*", "kinesisvideo:List*", "kinesisvideo:Describe*",
        "firehose:Describe*", "firehose:List*",
        "elasticache:Describe*", "elasticache:List*",
        "elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
        "directconnect:Describe*",
        "apigateway:GET",
        "ecs:DescribeServices", "ecs:DescribeContainerInstances", "ecs:DescribeClusters",
        "redshift:Describe*",
        "elasticfilesystem:Describe*",
        "ses:Get*", "ses:List*", "ses:Describe*",
        "lambda:List*", "lambda:Get*",
        "logs:Describe*", "logs:Get*",
        "route53domains:Get*", "route53domains:List*",
        "route53:Get*", "route53:List*",
        "route53resolver:Get*", "route53resolver:List*",
        "states:List*", "states:Describe*", "states:GetExecutionHistory",
        "sns:Get*", "sns:List*",
        "kms:Describe*", "kms:Get*", "kms:List*",
        "waf:Get*", "waf:List*", "waf-regional:List*", "waf-regional:Get*",
        "cloudsearch:Describe*", "cloudsearch:List*",
        "es:Describe*", "es:List*", "es:Get*",
        "workspaces:Describe*",
        "ds:Describe*",
        "elasticmapreduce:List*", "elasticmapreduce:Describe*",
        "acm:GetCertificate", "acm:Describe*", "acm:List*",
        "lightsail:Get*",
        "eks:Describe*", "eks:List*",
        "mq:Describe*", "mq:List*",
        "ec2:Get*", "ec2:SearchTransitGatewayRoutes", "ec2:SearchTransitGatewayMulticastGroups",
        "storagegateway:List*", "storagegateway:Describe*",
        "guardduty:GetFindings", "guardduty:ListDetectors", "guardduty:ListFindings",
        "dms:Describe*", "dms:List*", "dms:TestConnection",
        "fsx:Describe*", "fsx:ListTagsForResource",
        "inspector:List*", "inspector:Describe*",
        "transfer:Describe*", "transfer:List*",
        "ssm:ListCommands", "ssm:DescribeInstanceInformation", "ssm:ListCommandInvocations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
This policy was last updated on January 19, 2022.
Custom policy for automation
Use the JSON below to create a new custom IAM policy that lets Site24x7 perform actions in response to alert events.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances", "sns:Publish", "ec2:StartInstances",
        "kinesisanalytics:StopApplication", "kinesisanalytics:StartApplication",
        "kinesis:PutRecord", "rds:RebootDBInstance", "elasticache:RebootCacheCluster",
        "lambda:InvokeFunction", "redshift:RebootCluster", "ses:SendEmail",
        "apigateway:POST", "elasticbeanstalk:RestartAppServer", "sqs:SendMessage",
        "rds:StopDBInstance", "ec2:StopInstances", "rds:StartDBInstance",
        "states:StartExecution", "elasticmapreduce:addJobFlowSteps",
        "workspaces:StartWorkspaces", "workspaces:RebootWorkspaces",
        "workspaces:RebuildWorkspaces", "workspaces:StopWorkspaces",
        "lightsail:StartRelationalDatabase", "lightsail:StopRelationalDatabase",
        "lightsail:RebootRelationalDatabase", "lightsail:StartInstance",
        "lightsail:StopInstance", "lightsail:RebootInstance",
        "mq:RebootBroker", "dms:StartReplicationTask", "dms:StopReplicationTask",
        "fsx:CreateDataRepositoryTask", "fsx:CreateBackup"
      ],
      "Resource": "*"
    }
  ]
}
```
The policy JSON above contains the partial write-level permissions needed to stop/start/reboot EC2 and RDS instances, reboot ElastiCache clusters, invoke Lambda functions, start/stop analytics applications, and publish messages to SNS topics or SQS queues. If you do not want Site24x7 to perform certain actions, you can manually edit the JSON or remove those permissions from it.
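A small audit helper for the two policy documents above (an added example, not Site24x7's own code): it splits a policy's allowed actions into read-level verbs (Describe/Get/List/Search, plus apigateway:GET, the convention the table uses) and everything else, so the write-level grants can be reviewed before the policy is attached, and it strips unwanted actions the way the paragraph above suggests. The embedded policies are constructed subsets of the page's read-only and automation documents, not the full lists.

```python
import json

# Verbs the page's table treats as read-level; anything else counts as write.
READ_VERBS = ("Describe", "Get", "List", "Search")

def _allowed_actions(policy):
    """Yield every action name granted by an Allow statement."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)

def is_read_level(action):
    """Classify 'service:Verb*' like the table; apigateway uses HTTP verbs."""
    service, verb = action.split(":", 1)
    if service == "apigateway":
        return verb == "GET"
    verb = verb.rstrip("*")  # "Describe*" -> "Describe", bare "*" -> ""
    return verb != "" and verb.startswith(READ_VERBS)

def audit(policy):
    """Return (read-level, write-level) sorted action lists for review."""
    read, write = set(), set()
    for action in _allowed_actions(policy):
        (read if is_read_level(action) else write).add(action)
    return sorted(read), sorted(write)

def remove_actions(policy, drop):
    """Copy of the policy with the given actions deleted from each statement."""
    trimmed = json.loads(json.dumps(policy))
    for stmt in trimmed["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        stmt["Action"] = [a for a in actions if a not in drop]
    return trimmed

# Constructed subsets of the two policy documents on this page, not the full lists.
READ_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["cloudwatch:Get*", "ec2:Describe*", "apigateway:GET",
               "ec2:SearchTransitGatewayRoutes", "dms:TestConnection"]}]}
AUTOMATION = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:RebootInstances", "ec2:StopInstances", "sns:Publish",
               "lambda:InvokeFunction"]}]}

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY), ("automation", AUTOMATION)):
        read, write = audit(pol)
        print(f"{name}: {len(read)} read-level; write-level to review: {write}")
    print(json.dumps(remove_actions(AUTOMATION, {"ec2:StopInstances"}), indent=2))
```

Anything that lands in the write-level list of a policy meant to be read-only (here dms:TestConnection, which the page's read-only document does include) is worth a deliberate decision rather than a default grant.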