Amazon RDS Concise Tutorial

Amazon RDS - DB Access Control

To access the Amazon RDS DB instance the user needs specific permissions. This is configured using AWS IAM (Identity and Access management). In this tutorial we will see how this configuration is done.

The configuration involves two parts.

  1. Authentication

  2. Access Control

Authentication

It involves creating the username and password and generating access keys for the user. With an access key, the user can make programmatic calls to the AWS RDS service. The SDK and CLI tools use the access key to cryptographically sign each request, which is how the service verifies who is calling.

We can also use an IAM Role to authenticate a user. The role is not attached to any specific user; rather, any user who is permitted to do so can assume the role temporarily and complete the required task. After the task is over the role can be revoked, and the user loses the ability to authenticate with it.

Access Control

After a user is authenticated, the policy attached to that user determines the type of tasks the user can carry out. Below is an example of a policy that allows the creation of an RDS DB instance only when the DB engine is MySQL and the instance class is db.t2.micro. The Resource list further restricts the allowed DB instance identifiers to names starting with "test", and the option group, parameter group and subnet group to the default ones.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateDBInstanceOnly",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBInstance"
            ],
            "Resource": [
                "arn:aws:rds:*:123456789012:db:test*",
                "arn:aws:rds:*:123456789012:og:default*",
                "arn:aws:rds:*:123456789012:pg:default*",
                "arn:aws:rds:*:123456789012:subgrp:default"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:DatabaseEngine": "mysql",
                    "rds:DatabaseClass": "db.t2.micro"
                }
            }
        }
    ]
}

Action on Any RDS Resource

In the example below we see a policy that allows any Describe action on any RDS resource. The * symbol is a wildcard: in the Action element it matches every action whose name starts with rds:Describe, and in the Resource element it matches any resource.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowRDSDescribe",
         "Effect":"Allow",
         "Action":"rds:Describe*",
         "Resource":"*"
      }
   ]
}

Disallow deleting a DB Instance

The policy below explicitly denies a user the ability to delete one specific DB instance. An explicit Deny takes precedence over any Allow granted by another policy attached to the same user.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"DenyDelete1",
         "Effect":"Deny",
         "Action":"rds:DeleteDBInstance",
         "Resource":"arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"
      }
   ]
}
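To show how the three policies above combine, here is an added example (not part of the original tutorial and not AWS's evaluation engine) that implements a simplified version of IAM's decision logic: an explicit Deny wins, otherwise a matching Allow permits the call, otherwise the request is implicitly denied. It models only the Action, Resource and StringEquals elements used on this page; the policy document embedded below is constructed from the page's three statements.

```python
import fnmatch
import json

# Constructed sample: the three statements from this page in one policy document.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCreateDBInstanceOnly", "Effect": "Allow",
     "Action": ["rds:CreateDBInstance"],
     "Resource": ["arn:aws:rds:*:123456789012:db:test*",
                  "arn:aws:rds:*:123456789012:og:default*",
                  "arn:aws:rds:*:123456789012:pg:default*",
                  "arn:aws:rds:*:123456789012:subgrp:default"],
     "Condition": {"StringEquals": {"rds:DatabaseEngine": "mysql",
                                    "rds:DatabaseClass": "db.t2.micro"}}},
    {"Sid": "AllowRDSDescribe", "Effect": "Allow",
     "Action": "rds:Describe*", "Resource": "*"},
    {"Sid": "DenyDelete1", "Effect": "Deny",
     "Action": "rds:DeleteDBInstance",
     "Resource": "arn:aws:rds:us-west-2:123456789012:db:my-mysql-instance"}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource, context):
    # '*' in Action/Resource patterns is approximated with fnmatch globbing
    # (assumption: a simplification of IAM's own matching rules).
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
        return False
    # Only StringEquals is modelled: every listed key must be present and equal.
    for key, want in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != want:
            return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    context = context or {}
    hits = [s for s in policy["Statement"] if _matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "explicit-deny"   # a matching Deny overrides every Allow
    if any(s["Effect"] == "Allow" for s in hits):
        return "allow"
    return "implicit-deny"       # nothing granted the action
```

Changing the engine to postgres, the class to a larger one, or the instance name to something not starting with "test" turns the CreateDBInstance request into an implicit deny, which is the practical effect of the conditions and resource patterns in the first policy.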