云平台配置
 

AWS IAM

只读 devops-reader(注意:s3:Get* 以及 dynamodb:Scan/Query/GetItem/BatchGetItem 配合 "Resource": "*",可以读取所有桶和表中的数据内容,而不仅仅是资源元数据)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:ListTables",
        "logs:Describe*",
        "s3:Get*",
        "cloudfront:Get*",
        "dynamodb:Scan",
        "cloudwatch:List*",
        "logs:TestMetricFilter",
        "dynamodb:Query",
        "logs:Get*",
        "s3:List*",
        "cloudwatch:Describe*",
        "elasticache:Describe*",
        "ec2:GetConsoleOutput",
        "tag:Get*",
        "ec2:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "elasticache:List*",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "elasticloadbalancing:Describe*",
        "cloudwatch:Get*",
        "cloudfront:List*"
      ],
      "Resource": "*"
    }
  ]
}

运维

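AllAccess(注意:下面贴出的策略与 DenyAnyDeleteTerminate 的内容完全相同,只包含 Deny 语句,本身不授予任何权限;如果运维组的意图是"全部权限但禁止删除",推测还需要另外附加一条 Allow 策略,请对照实际配置确认)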

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucketWebsite",
        "s3:PutLifecycleConfiguration",
        "sqs:DeleteQueue",
        "s3:PutBucketPolicy",
        "sqs:CreateQueue",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:sqs:*:*:*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ses:DeleteReceiptFilter",
        "rds:DeleteGlobalCluster",
        "dynamodb:RestoreTableToPointInTime",
        "dynamodb:UpdateGlobalTable",
        "dynamodb:DeleteTable",
        "dynamodb:UpdateTableReplicaAutoScaling",
        "ses:DeleteVerifiedEmailAddress",
        "ses:DeleteIdentityPolicy",
        "sqs:RemovePermission",
        "codecommit:UpdateRepositoryDescription",
        "elasticache:CreateCacheCluster",
        "rds:DeleteDBInstance",
        "dynamodb:BatchWriteItem",
        "ses:DeleteReceiptRuleSet",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBProxy",
        "elasticache:DeleteCacheCluster",
        "rds:DeleteDBInstanceAutomatedBackup",
        "rds:RemoveFromGlobalCluster",
        "rds:StopActivityStream",
        "dynamodb:CreateTable",
        "dynamodb:UpdateGlobalTableSettings",
        "rds:DeleteDBSubnetGroup",
        "sqs:AddPermission",
        "codecommit:UpdateRepositoryName",
        "rds:DeleteDBSecurityGroup",
        "sqs:DeleteQueue",
        "cloudfront:DeleteStreamingDistribution",
        "rds:DeleteDBParameterGroup",
        "rds:RemoveTagsFromResource",
        "dynamodb:UpdateTable",
        "cloudfront:DeleteCloudFrontOriginAccessIdentity",
        "dynamodb:PurchaseReservedCapacityOfferings",
        "ses:DeleteReceiptRule",
        "dynamodb:CreateTableReplica",
        "dynamodb:UpdateContributorInsights",
        "dynamodb:CreateBackup",
        "codecommit:CreateRepository",
        "codecommit:ListRepositories",
        "dynamodb:UpdateContinuousBackups",
        "rds:DeleteOptionGroup",
        "rds:DeleteEventSubscription",
        "rds:DeleteDBClusterEndpoint",
        "rds:RevokeDBSecurityGroupIngress",
        "dynamodb:CreateGlobalTable",
        "rds:DeleteDBCluster",
        "ec2:TerminateInstances",
        "dynamodb:DeleteTableReplica",
        "codecommit:BatchGetRepositories",
        "codecommit:DeleteRepository",
        "rds:DeleteDBClusterSnapshot",
        "dynamodb:RestoreTableFromBackup",
        "ses:DeleteIdentity",
        "rds:DeleteDBClusterParameterGroup",
        "cloudfront:DeleteDistribution",
        "dynamodb:DeleteBackup"
      ],
      "Resource": [
        "*",
        "arn:aws:dynamodb:*:*:*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": "codecommit:*",
      "Resource": "arn:aws:codecommit:us-east-1:458090896494:xcore-repo"
    }
  ]
}

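DenyAnyDeleteTerminate(名称只提到删除/终止,但该策略同时拒绝了 sqs:CreateQueue、dynamodb:CreateTable、dynamodb:BatchWriteItem 等创建和写入操作;显式 Deny 的优先级高于任何 Allow)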

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucketWebsite",
        "s3:PutLifecycleConfiguration",
        "sqs:DeleteQueue",
        "s3:PutBucketPolicy",
        "sqs:CreateQueue",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:sqs:*:*:*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ses:DeleteReceiptFilter",
        "rds:DeleteGlobalCluster",
        "dynamodb:RestoreTableToPointInTime",
        "dynamodb:UpdateGlobalTable",
        "dynamodb:DeleteTable",
        "dynamodb:UpdateTableReplicaAutoScaling",
        "ses:DeleteVerifiedEmailAddress",
        "ses:DeleteIdentityPolicy",
        "sqs:RemovePermission",
        "codecommit:UpdateRepositoryDescription",
        "elasticache:CreateCacheCluster",
        "rds:DeleteDBInstance",
        "dynamodb:BatchWriteItem",
        "ses:DeleteReceiptRuleSet",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBProxy",
        "elasticache:DeleteCacheCluster",
        "rds:DeleteDBInstanceAutomatedBackup",
        "rds:RemoveFromGlobalCluster",
        "rds:StopActivityStream",
        "dynamodb:CreateTable",
        "dynamodb:UpdateGlobalTableSettings",
        "rds:DeleteDBSubnetGroup",
        "sqs:AddPermission",
        "codecommit:UpdateRepositoryName",
        "rds:DeleteDBSecurityGroup",
        "sqs:DeleteQueue",
        "cloudfront:DeleteStreamingDistribution",
        "rds:DeleteDBParameterGroup",
        "rds:RemoveTagsFromResource",
        "dynamodb:UpdateTable",
        "cloudfront:DeleteCloudFrontOriginAccessIdentity",
        "dynamodb:PurchaseReservedCapacityOfferings",
        "ses:DeleteReceiptRule",
        "dynamodb:CreateTableReplica",
        "dynamodb:UpdateContributorInsights",
        "dynamodb:CreateBackup",
        "codecommit:CreateRepository",
        "codecommit:ListRepositories",
        "dynamodb:UpdateContinuousBackups",
        "rds:DeleteOptionGroup",
        "rds:DeleteEventSubscription",
        "rds:DeleteDBClusterEndpoint",
        "rds:RevokeDBSecurityGroupIngress",
        "dynamodb:CreateGlobalTable",
        "rds:DeleteDBCluster",
        "ec2:TerminateInstances",
        "dynamodb:DeleteTableReplica",
        "codecommit:BatchGetRepositories",
        "codecommit:DeleteRepository",
        "rds:DeleteDBClusterSnapshot",
        "dynamodb:RestoreTableFromBackup",
        "ses:DeleteIdentity",
        "rds:DeleteDBClusterParameterGroup",
        "cloudfront:DeleteDistribution",
        "dynamodb:DeleteBackup"
      ],
      "Resource": [
        "*",
        "arn:aws:dynamodb:*:*:*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": "codecommit:*",
      "Resource": "arn:aws:codecommit:us-east-1:458090896494:xcore-repo"
    }
  ]
}

admin管理员 AdministratorAccess

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

**Billing**
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:*Billing",
        "aws-portal:*Usage",
        "aws-portal:*PaymentMethods",
        "budgets:ViewBudget",
        "budgets:ModifyBudget",
        "ce:UpdatePreferences",
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport",
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription",
        "cur:DescribeReportDefinitions",
        "cur:PutReportDefinition",
        "cur:ModifyReportDefinition",
        "cur:DeleteReportDefinition",
        "purchase-orders:*PurchaseOrders"
      ],
      "Resource": "*"
    }
  ]
}
```

文章作者: 以谁为师
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源!
              