Aws基础:修订间差异
跳转到导航
跳转到搜索
| 第23行: | 第23行: | ||
=vpc= | =vpc= | ||
=role= | |||
<pre> | |||
如果角色已经存在,只需两步就能把现有角色改成“RDS 可用”: | |||
改信任关系(Trust relationship) | |||
IAM → Roles → 选中你的角色 → Trust relationships 标签 → Edit trust policy | |||
把内容替换成下面这段(只保留一条 Statement,Principal 写死 rds.amazonaws.com): | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement": [ | |||
{ | |||
"Effect": "Allow", | |||
"Principal": { | |||
"Service": "rds.amazonaws.com" | |||
}, | |||
"Action": "sts:AssumeRole" | |||
} | |||
] | |||
} | |||
→ Update policy | |||
(这一步就让 RDS 有权限代入该角色) | |||
2. 挂 S3 写权限(如果还没挂) | |||
还是在同一个角色页面 → Permissions 标签 → Add permissions → Create inline policy → JSON 模式: | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement": [ | |||
{ | |||
"Effect": "Allow", | |||
"Action": [ | |||
"s3:PutObject", | |||
"s3:PutObjectAcl", | |||
"s3:GetObject", | |||
"s3:ListBucket" | |||
], | |||
"Resource": [ | |||
"arn:aws:s3:::mslog", | |||
"arn:aws:s3:::mslog/*" | |||
] | |||
} | |||
] | |||
} | |||
→ Review → 名字随便起(如 mslog-rds-s3)→ Create policy | |||
完事 | |||
角色 ARN 不变,直接拿它填到 SQLSERVER_AUDIT 选项的 IAM_ROLE_ARN 即可,无需重新建角色。 | |||
</pre> | |||
=rule= | =rule= | ||
2025年10月15日 (三) 16:17的版本
pre
默认得加pubkey ec2 都叫启动
AWS cli Setup and aws console access
Elastic IP 和 Public IP 的区别
创建EC2实例的时候,我们可以勾选“自动分配Public IP”(原话是英文的哦~),也可以不勾选,然后手动关联Elastic IP(EIP),那么着二者有什么区别呢? 从亚马逊在线技术支持那里了解到: (1)EIP是属于某个特定的账号,可以关联到账号的任意实例上,也可卸载下来重新关联到其他实例上,而且实例被删除之后,EIP依然单独存在。(分配EIP时注意VPC和EC2的EIP的区别,不同类型的EIP时能关联到自己类型的实例上,即VPC中的EIP只能用于VPC中的实例,Classic EC2只能关联非VPC的EIP) (2)而普通的Public IP是属于具体的某台实例,不能卸载重新关联到别的实例,实例创建时,如果勾选自动分配Public IP,则会随实例一起被创建,实例删除时,跟着被删除,无法被重复利用和保留; (3)还有一个非常重要的特性:Public IP在实例关机后再开机,可能会改变,重启不影响(这跟Classic EC2实例的Public DNS一样,可能会改变)。而EIP怎么都不会变。 (4)如果实例创建之初,有PublicIP,然后再关联了ElasticIP的话,二者都会变成ElasticIP的样子(被覆盖),当EIP被解除关联之后,PublicIP才会被显露,但此时会重新分配PublicIP,所以PublicIP会变。 所以,如果在EC2实例的生命周期内,有停机再开机的可能,还是使用EIP比较保险 ———————————————— 版权声明:本文为CSDN博主「fedora18」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。 原文链接:https://blog.csdn.net/fedora18/article/details/44219493
vpc
role
如果角色已经存在,只需两步就能把现有角色改成“RDS 可用”:
改信任关系(Trust relationship)
IAM → Roles → 选中你的角色 → Trust relationships 标签 → Edit trust policy
把内容替换成下面这段(只保留一条 Statement,Principal 写死 rds.amazonaws.com):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rds.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
→ Update policy
(这一步就让 RDS 有权限代入该角色)
2. 挂 S3 写权限(如果还没挂)
还是在同一个角色页面 → Permissions 标签 → Add permissions → Create inline policy → JSON 模式:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mslog",
"arn:aws:s3:::mslog/*"
]
}
]
}
→ Review → 名字随便起(如 mslog-rds-s3)→ Create policy
完事
角色 ARN 不变,直接拿它填到 SQLSERVER_AUDIT 选项的 IAM_ROLE_ARN 即可,无需重新建角色。
rule
#复制 AWS Config Rule(同账号同Region)
import boto3
import json
def copy_config_rule(source_rule_name, target_rule_name, description_suffix=" (copy)"):
client = boto3.client('config')
# 获取原规则定义
response = client.describe_config_rules(ConfigRuleNames=[source_rule_name])
rules = response.get("ConfigRules", [])
if not rules:
print(f"❌ 未找到规则: {source_rule_name}")
return
rule = rules[0]
# 删除不允许出现在 put-config-rule 的字段
for key in ["ConfigRuleId", "ConfigRuleArn", "CreatedBy"]:
rule.pop(key, None)
# 修改名称和描述
rule["ConfigRuleName"] = target_rule_name
if "Description" in rule:
rule["Description"] += description_suffix
else:
rule["Description"] = f"Copied from {source_rule_name}"
# 重新创建规则
try:
client.put_config_rule(ConfigRule=rule)
print(f"✅ 成功复制规则: {source_rule_name} → {target_rule_name}")
except Exception as e:
print(f"❌ 创建规则失败: {e}")
if __name__ == "__main__":
# 示例
SOURCE_RULE = "required-tags" # 要复制的原规则名
TARGET_RULE = "required-tags-copy" # 新规则名
copy_config_rule(SOURCE_RULE, TARGET_RULE)
AWSS3
#pre 配置好aws cli 相关配置和key ➜ ~ aws s3 ls 2025-06-30 21:56:24 evan886 ➜ ~ aws s3 ls s3://evan886 ➜ ~ echo "s3test" >tests3.txt ➜ ~ aws s3 cp tests3.txt s3://evan886 upload: ./tests3.txt to s3://evan886/tests3.txt 打开web界面确认一下 ➜ ~ aws s3 cp s3://evan886/tests3.txt ts3.txt download: s3://evan886/tests3.txt to ./ts3.txt ➜ ~ cat ts3.txt s3test ➜ ~ aws s3 rm s3://evan886/tests3.txt delete: s3://evan886/tests3.txt ➜ ~ aws s3 rm s3://evan886 --recursive ➜ ~ aws s3 ls s3://evan886 ➜ ~
boto3
aws Lambda
【粤语】Serverless _ AWS Lambda有趣的介绍
1.1 what is lambda
https://www.bilibili.com/video/BV1z4411E7gE/?spm_id_from=333.337.search-card.all.click&vd_source=e3e41ea2b1d70e0e3a6a0372ee88d714
AWS Lambda零基础入门 25分钟学会Python核心技能 🌟
➜ lambda py3 main.py
b'{"statusCode": 200, "body": "\\"File uploaded successfully!\\""}'
➜ lambda cat main.py
import json
import boto3
import base64
client = boto3.client('lambda')
with open('example.txt','rb') as file:
file_content = base64.b64encode(file.read()).decode('utf-8')
payload = {
'file_name': 'uploaded_example.txt',
'file_content': file_content
}
response = client.invoke(
#FunctionName='string-reversal',
FunctionName='s3lambda',
Payload=json.dumps(payload)
)
print(response['Payload'].read())
➜ lambda
#my lmabda name :s3lambda
import json
import boto3
import base64
s3_client = boto3.client('s3',region_name='us-west-1')
def lambda_handler(event, context):
file_name = event['file_name']
file_content = event['file_content']
if not file_name or not file_content:
return {
'statusCode': 400,
'body': json.dumps('missing File name and content are required!')
}
try:
file_content = base64.b64decode(file_content)
s3_client.put_object(Bucket='mylambdafancy', Key=file_name, Body=file_content)
return {
'statusCode': 200,
'body': json.dumps('File uploaded successfully!')
}
except Exception as e:
print(e)
return {
'statusCode': 500,
'body': json.dumps('Error uploading file!' + str(e))
}