Service-linked role permissions for resource management
Security Lake uses a service-linked role named AWSServiceRoleForSecurityLakeResourceManagement to perform continuous monitoring and performance improvements that reduce latency and cost. The service-linked role trusts the resource-management.securitylake.amazonaws.com service to assume the role. Enabling AWSServiceRoleForSecurityLakeResourceManagement also grants it access to Lake Formation and automatically registers your Security Lake managed S3 buckets with Lake Formation in all Regions for improved security.
The role permissions policy is an AWS managed policy named SecurityLakeResourceManagementServiceRolePolicy, which allows access to manage the resources created by Security Lake, including managing metadata in the data lake. For more information about AWS managed policies for Amazon Security Lake, see AWS managed policies for Amazon Security Lake.
This service-linked role allows Security Lake to monitor the health of the resources that Security Lake deploys into your account (S3 buckets, AWS Glue tables, Amazon SQS queues, Metastore Manager (MSM) Lambda functions, and EventBridge rules). Examples of actions that Security Lake can perform with this service-linked role include:
- Apache Iceberg manifest file compaction, which improves query performance and reduces MSM Lambda processing time and cost.
- Monitoring the status of Amazon SQS to detect ingestion issues.
- Optimizing cross-Region data replication to exclude metadata files.
Note
If you do not install the AWSServiceRoleForSecurityLakeResourceManagement service-linked role, Security Lake continues to operate, but we strongly recommend that you accept this service-linked role so that Security Lake can monitor and optimize the resources in your account.
Permissions details
The role is configured with the following permissions policy:
- events — Allows principals to manage the EventBridge rules required for log sources and log subscribers.
- lambda — Allows principals to manage the Lambda function that updates AWS Glue table partitions after AWS source data delivery and cross-Region replication.
- glue — Allows principals to perform specific write actions on AWS Glue Data Catalog tables. This also allows the AWS Glue crawler to identify partitions in the data and allows Security Lake to manage the Apache Iceberg metadata of your Apache Iceberg tables.
- s3 — Allows principals to perform specific read and write actions on the Security Lake buckets that contain log data and Glue table metadata.
- logs — Allows principals read permissions on the output that the Lambda functions write to CloudWatch Logs.
- sqs — Allows principals to perform specific read and write actions on the Amazon SQS queues that receive event notifications when objects are added to or updated in the data lake.
- lakeformation — Allows principals to read Lake Formation settings in order to monitor for misconfigurations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadEventBridgeRules",
      "Effect": "Allow",
      "Action": ["events:ListRules"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "ManageSecurityLakeEventRules",
      "Effect": "Allow",
      "Action": ["events:PutRule"],
      "Resource": "arn:aws:events:*:*:rule/AmazonSecurityLake-*",
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "ManageSecurityLakeLambdaConfigurations",
      "Effect": "Allow",
      "Action": [
        "lambda:GetEventSourceMapping", "lambda:GetFunction", "lambda:PutFunctionConcurrency",
        "lambda:GetProvisionedConcurrencyConfig", "lambda:GetFunctionConcurrency",
        "lambda:GetRuntimeManagementConfig", "lambda:PutProvisionedConcurrencyConfig",
        "lambda:PublishVersion", "lambda:DeleteFunctionConcurrency", "lambda:DeleteEventSourceMapping",
        "lambda:GetAlias", "lambda:GetPolicy", "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*",
        "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"
      ],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowListLambdaEventSourceMappings",
      "Effect": "Allow",
      "Action": ["lambda:ListEventSourceMappings"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowUpdateLambdaEventSourceMapping",
      "Effect": "Allow",
      "Action": ["lambda:UpdateEventSourceMapping"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"},
        "StringLike": {"lambda:FunctionArn": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"}
      }
    },
    {
      "Sid": "AllowUpdateLambdaConfigs",
      "Effect": "Allow",
      "Action": ["lambda:UpdateFunctionConfiguration"],
      "Resource": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*",
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "ManageSecurityLakeGlueResources",
      "Effect": "Allow",
      "Action": [
        "glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetTable",
        "glue:GetTables", "glue:UpdateTable", "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
        "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:aws:glue:*:*:catalog"
      ],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowDataLakeConfigurationManagement",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket", "s3:PutObject", "s3:GetObjectAttributes",
        "s3:GetBucketNotification", "s3:PutBucketNotification",
        "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration",
        "s3:GetEncryptionConfiguration", "s3:GetReplicationConfiguration"
      ],
      "Resource": ["arn:aws:s3:::aws-security-data-lake*"],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowMetaDataCompactionAndManagement",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:DeleteObject", "s3:RestoreObject"],
      "Resource": [
        "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro",
        "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json"
      ],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "ReadSecurityLakeLambdaLogs",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams", "logs:StartQuery", "logs:GetLogEvents",
        "logs:GetQueryResults", "logs:GetLogRecord"
      ],
      "Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLakeMetastoreManager-*-*"],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "ManageSecurityLakeSQSQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:StartMessageMoveTask", "sqs:DeleteMessage", "sqs:GetQueueUrl",
        "sqs:ListDeadLetterSourceQueues", "sqs:ChangeMessageVisibility", "sqs:ListMessageMoveTasks",
        "sqs:ReceiveMessage", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:SetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:*:*:SecurityLake_*",
        "arn:aws:sqs:*:*:AmazonSecurityLakeManager-*"
      ],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    },
    {
      "Sid": "AllowDataLakeManagement",
      "Effect": "Allow",
      "Action": ["lakeformation:GetDataLakeSettings", "lakeformation:ListPermissions"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}
    }
  ]
}
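Two scoping mechanisms in the policy above are worth checking on every statement when you review it: the aws:ResourceAccount condition that pins each ARN pattern to the calling account, and the rule that a "*" resource appears only with read-only actions or is narrowed by another condition key (lambda:FunctionArn). The following Python linter is an added example, not part of the AWS documentation or the Security Lake service; it encodes those two checks and runs them over a constructed sample that copies two statements from the policy plus one deliberately unscoped statement that is not on this page.

```python
import fnmatch

# Constructed sample: two statements copied from SecurityLakeResourceManagementServiceRolePolicy
# and one deliberately weak statement that is NOT on the page, to show a failing case.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEventBridgeRules", "Effect": "Allow", "Action": ["events:ListRules"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Sid": "AllowUpdateLambdaEventSourceMapping", "Effect": "Allow",
         "Action": ["lambda:UpdateEventSourceMapping"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"},
                       "StringLike": {"lambda:FunctionArn":
                                      "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*"}}},
        {"Sid": "UnscopedExample", "Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "*"},  # constructed weak statement, not from the page
    ],
}

READ_ONLY_PATTERNS = ("*:Get*", "*:List*", "*:Describe*")

def is_read_only(action):
    """True for actions that only read state (Get*/List*/Describe*)."""
    return any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY_PATTERNS)

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return the findings for one Allow statement; an empty list means it passes."""
    findings = []
    cond = stmt.get("Condition", {})
    # 1. Every statement must be pinned to the calling account: this is what keeps a
    #    wildcard or pattern ARN from matching a same-named resource in another account.
    if cond.get("StringEquals", {}).get("aws:ResourceAccount") != "${aws:PrincipalAccount}":
        findings.append("missing aws:ResourceAccount == ${aws:PrincipalAccount} condition")
    # 2. Resource "*" is acceptable only for read-only actions, or when another condition
    #    key (e.g. lambda:FunctionArn) narrows which resources the write can touch.
    if "*" in as_list(stmt["Resource"]) and not all(is_read_only(a) for a in as_list(stmt["Action"])):
        scoping_keys = {k for block in cond.values() for k in block} - {"aws:ResourceAccount"}
        if not scoping_keys:
            findings.append('write action on Resource "*" without a scoping condition key')
    return findings

def lint_policy(policy):
    """Map each statement Sid to its findings."""
    return {s["Sid"]: lint_statement(s) for s in policy["Statement"]}
```

Running lint_policy over the full policy from this page yields an empty finding list for every Sid; only the constructed UnscopedExample statement produces findings.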
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.
Creating the Security Lake service-linked role
You can create the AWSServiceRoleForSecurityLakeResourceManagement service-linked role by using the Security Lake console or the AWS CLI.
To create the service-linked role, you must grant the following permissions to your IAM user or IAM role. The IAM role must be a Lake Formation administrator in all Regions where Security Lake is enabled.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLakeFormationActionsViaSecurityLakeConsole",
      "Effect": "Allow",
      "Action": [
        "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:ListResources",
        "lakeformation:RegisterResource", "lakeformation:RevokePermissions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowIamActionsViaSecurityLakeConsole",
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole", "iam:GetPolicyVersion", "iam:GetRole", "iam:PutRolePolicy"],
      "Resource": [
        "arn:*:iam::*:role/aws-service-role/resource-management.securitylake.amazonaws.com/AWSServiceRoleForSecurityLakeResourceManagement",
        "arn:*:iam::*:role/*AWSServiceRoleForLakeFormationDataAccess",
        "arn:*:iam::aws:policy/service-role/AWSGlueServiceRole",
        "arn:*:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager",
        "arn:*:iam::aws:policy/aws-service-role/SecurityLakeResourceManagementServiceRolePolicy"
      ],
      "Condition": {
        "StringLikeIfExists": {
          "iam:AWSServiceName": [
            "securitylake.amazonaws.com",
            "resource-management.securitylake.amazonaws.com",
            "lakeformation.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowGlueActionsViaConsole",
      "Effect": "Allow",
      "Action": ["glue:GetDatabase", "glue:GetTables"],
      "Resource": [
        "arn:*:glue:*:*:catalog",
        "arn:*:glue:*:*:database/amazon_security_lake_glue_db*",
        "arn:*:glue:*:*:table/amazon_security_lake_glue_db*/*"
      ]
    }
  ]
}
After you enable the AWSServiceRoleForSecurityLakeResourceManagement role, if you use an AWS KMS customer managed key (CMK) for encryption, you must allow the service-linked role to write encrypted objects to the S3 bucket in the AWS Region where the CMK exists. In the AWS KMS console, add the following policy statement to the KMS key in the AWS Region where the CMK exists. For details about how to change a KMS key policy, see Key policies in AWS KMS in the AWS Key Management Service Developer Guide.
{
  "Sid": "Allow SLR",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:[partition]:iam::[accountid]:role/aws-service-role/resource-management.securitylake.amazonaws.com/AWSServiceRoleForSecurityLakeResourceManagement"
  },
  "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::[regional-datalake-s3-bucket-name]"},
    "StringLike": {"kms:ViaService": "s3.[region].amazonaws.com"}
  }
}
Editing the Security Lake service-linked role
Security Lake does not allow you to edit the AWSServiceRoleForSecurityLakeResourceManagement service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference it. However, you can edit the description of the role by using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting the Security Lake service-linked role
You cannot delete the service-linked role from Security Lake. Instead, you can delete the service-linked role from the IAM console, the IAM API, or the AWS CLI. For more information, see Deleting a service-linked role in the IAM User Guide.
Before you can delete the service-linked role, you must first confirm that it has no active sessions and remove any resources that AWSServiceRoleForSecurityLakeResourceManagement uses.
Note
If Security Lake is using the AWSServiceRoleForSecurityLakeResourceManagement role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and then try the operation again.
If you need to create the AWSServiceRoleForSecurityLakeResourceManagement service-linked role again after deleting it, you can do so by enabling Security Lake for your account. When you enable Security Lake again, Security Lake automatically creates the service-linked role for you again.
Supported AWS Regions for the Security Lake service-linked role
Security Lake supports using the AWSServiceRoleForSecurityLakeResourceManagement service-linked role in all AWS Regions where Security Lake is available. For a list of Regions where Security Lake is available, see Security Lake Regions and endpoints.