Ped*_*tes 0 amazon-web-services aws-cloudformation amazon-iam aws-iam
我正在尝试创建一个防止CloudFormation删除表的AWS角色。例如,我创建了如下表:
UsersDynamoDBTable:
Type: AWS::DynamoDB::Table
Description: Users DynamoDB Table
Properties:
AttributeDefinitions:
- AttributeName: hashKey
AttributeType: S
- AttributeName: rangeKey
AttributeType: S
KeySchema:
- AttributeName: hashKey
KeyType: HASH
- AttributeName: rangeKey
KeyType: RANGE
BillingMode: PAY_PER_REQUEST
GlobalSecondaryIndexes:
- IndexName: index-rangeKey
KeySchema:
- AttributeName: rangeKey
KeyType: HASH
- AttributeName: hashKey
KeyType: RANGE
Projection:
ProjectionType: ALL
现在,假设开发人员意外删除了这些行并更新了堆栈。这样,表及其所有数据将被删除。因此,我想创建一个防止CloudFormation删除DynamoDB表的角色。我的第一个尝试是在下面创建“角色”,但是没有用。
PreventCloudFormationDeleteTableIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- cloudformation.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: PreventTableDeletePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Deny
Action:
- dynamodb:DeleteTable
Resource:
- !Join
- '/'
- - !Join [':', ['arn:aws:dynamodb', !Sub '${AWS::Region}', '*', 'table']]
- !Join ['', [!Sub '${StackName}', '*']]
我是否缺少某些角色配置?
谢谢。
您可以使用DeletionPolicyof RETAIN来防止在删除堆栈或从模板删除表时删除表。此外,新版本UpdateReplacePolicy还将阻止CloudFormation由于主键更改而在需要删除表时删除表。
| 归档时间: |
|
| 查看次数: |
254 次 |
| 最近记录: |