链接复制成功!
公网采集权限要求
通过公网采集各云平台资源所需的权限如下:
阿里云资源采集
采集阿里云各类资源所需的权限参见下表。
| 资源类型 | 云服务 | Action | 最小权限策略 |
|---|---|---|---|
| 主机 | ECS | ecs:DescribeInstances | Read |
| ecs:DescribeDisks | List | ||
| ecs:DescribeMetricData | List | ||
| 存储 | NAS | nas:DescribeFileSystems | Read |
| OSS | ListBuckets | oss:ListBuckets | |
| oss:DescribeMetricData | List | ||
| 数据库 | RDS | rds:DescribeDBInstances | Read |
| rds:DescribeDBInstanceAttribute | Read | ||
| MongoDB | rds:DescribeDBInstances | Read | |
| rds:DescribeDBInstanceAttribute | Read | ||
| 中间件 | Redis | kvstore:DescribeInstances | List |
| kvstore:DescribeInstanceAttribute | Read | ||
| kvstore:DescribeMetricData | List | ||
| Kafka | alikafka:ListInstance | Read | |
| kafka::DescribeMetricData | List | ||
| RocketMQ | rocketmq:GetInstance | Read | |
| rocketmq::DescribeMetricData | List | ||
| 容器 | K8S ACK | cs:GetClusters | Read |
| cs:DescribeClusterDetail | Read | ||
| k8s::DescribeMetricData | List | ||
| 大数据 | EMR | emr:ListClusters | List |
| 网络 | CEN | cen:ListTransitRouters | Read |
| cen:DescribeCenPrivateZoneRoutes | Read | ||
| cen:DescribeRouteServicesInCen | Read | ||
| cen:ListTransitRouterVpcAttachments | List | ||
| cen:ListTransitRouterVbrAttachments | List | ||
| cen:ListTransitRouterVpnAttachments | List | ||
| cen:DescribeCenAttachedChildInstances | Read | ||
| cen:DescribeCenAttachedChildInstanceAttribute | Read | ||
| cen:ListTransitRouterPeerAttachments | Read | ||
| cen:ListTransitRouterRouteTables | Read | ||
| cen:ListTransitRouterRouteEntries | Read | ||
| cen:ListTransitRouterRouteTableAssociations | Read | ||
| cen:ListTransitRouterPrefixListAssociation | Read | ||
| cen:DescribeCenRouteMaps | Read | ||
| cen:ListTransitRouterRouteTables | Read | ||
| cen:DescribeCenRegionDomainRouteEntries | Read | ||
| cen:ListTransitRouters | Read | ||
| cen:DescribeCens | Read | ||
| ALB | alb:ListLoadBalancers | Read | |
| alb:ListServerGroupServers | Read | ||
| CLB | slb:DescribeLoadBalancers | Read | |
| slb:DescribeLoadBalancerListeners | Read | ||
| slb:DescribeVServerGroupAttribute | Read | ||
| slb:DescribeMasterSlaveServerGroupAttribute | Read | ||
| slb:DescribeHealthStatus | Read | ||
| slb:DescribeMasterSlaveServerGroupAttribute | Read | ||
| slb:DescribeMasterSlaveServerGroups | Read | ||
| VPC | vpc:DescribePhysicalConnections | Read | |
| vpc:DescribeVirtualBorderRouters | Read | ||
| vpc:DescribeRouteTables | Read | ||
| vpc:DescribeRouteTableList | List | ||
| DNS | alidns:DescribeDomainRecords | Read | |
| alidns:DescribeDomains | Read | ||
| Private Zone | pvtz:DescribeZoneVpcTree | Read | |
| pvtz:DescribeZoneRecords | Read | ||
| EIP | ens:DescribeEipAddresses | Read | |
| NAT | ens:DescribeNatGateways | Read | |
| ens:DescribeSnatTableEntries | List | ||
| ens:DescribeForwardTableEntries | List |
华为云资源采集
采集华为云各类资源所需的权限参见下表。
| 资源类型 | 云服务 | Action | 最小权限策略 |
|---|---|---|---|
| 主机 | ECS | ecs:ListServersDetails ces:BatchListMetricData evs:ListVolumes eip:ListPublicips |
|
| 容器 | CCE | cce:ListNodes cce:ListClusters aom:ShowMetricsData |
|
| 大数据 | MRS | mrs:ListClusters mrs:ListHosts | MRS ReadOnlyAccess |
| 数据库 | DDS | dds:ListInstances dds:ListFlavors | DDS ReadOnlyAccess |
| RDS | rds:ListInstances | RDS ReadOnlyAccess | |
| 中间件 | 分布式消息服务Kafka版 | dms:ListInstances dms:ShowInstance dms:ListAvailableZones dms:ShowCluster ces:BatchListMetricData | DMS ReadOnlyAccess |
| 分布式缓存服务 DCS | dcs:ListInstances dcs:ListFlavors dcs:ListGroupReplicationInfo ces:BatchListMetricData | DCS ReadOnlyAccess | |
| 存储 | OBS | obs:ListBuckets obs:GetBucketPolicy obs:GetBucketAcl obs:GetBucketLifecycle obs:GetBucketMetadata obs:GetBucketVersioning obs:GetBucketStorageInfo obs:GetBucketStoragePolicy ces:BatchListMetricData |
以上两个策略不包含的action需要创建自定义策略 |
| SFS Turbo | sfsturbo:ListShares | SFS Turbo ReadOnlyAccess | |
| 网络 | ELB | elb:ListListeners elb:ListLoadbalancers elb:ListPools elb:ListL7policies elb:ListL7rules elb:ListMembers elb:ListFlavors vpc:ListSubnets | ELB ReadOnlyAccess |
| DNS | dns:ListPublicZones dns:ListPrivateZones dns:ListRecordSetsByZone | DNS ReadOnlyAccess | |
| EIP | eip:ListPublicips | EIP ReadOnlyAccess | |
| NAT | nat:ListNatGateways nat:ListNatGatewayDnatRules nat:ListNatGatewaySnatRules vpc:ShowPort vpc:ShowSubnet vpc:ListSubnets | NAT ReadOnlyAccess | |
| VPC | vpc:ListRouteTables vpc:ShowRouteTable vpc:ListVpcs vpc:ListSecurityGroups vpc:ListSecurityGroupRules vpc:ListSubnets | VPC ReadOnlyAccess |
AWS资源采集
采集AWS各类资源所需的权限参见下表。
| 资源类型 | 云服务 | Action | 最小权限策略 |
|---|---|---|---|
| 主机 | EC2 | ec2:DescribeInstances | AmazonEC2ReadOnlyAccess |
| ec2:DescribeAddresses | |||
| ec2:DescribeImages | |||
| ec2:DescribeVolumes | |||
| cloudwatch:GetMetricStatistics | |||
| 存储 | EFS | elasticfilesystem:DescribeFileSystems | AmazonElasticFileSystemReadOnlyAccess |
| elasticfilesystem:DescribeMountTargets | |||
| cloudwatch:GetMetricStatistics | |||
| S3 | s3:GetBucketPolicy | AmazonS3ReadOnlyAccess | |
| s3:GetBucketLocation | |||
| s3:GetBucketAcl | |||
| s3:GetBucketVersioning | |||
| s3:ListAllMyBuckets | |||
| s3:GetLifecycleConfiguration | |||
| cloudwatch:GetMetricStatistics | CloudWatchReadOnlyAccess | ||
| 数据库 | RDS | rds:DescribeDBClusters | AmazonRDSReadOnlyAccess |
| rds:DescribeDBInstances | |||
| ec2:DescribeSecurityGroups | |||
| 中间件 | ElastiCache | elasticache:DescribeCacheClusters | AmazonElastiCacheReadOnlyAccess |
| elasticache:DescribeReplicationGroups | |||
| cloudwatch:GetMetricStatistics | |||
| memorydb:DescribeClusters | AmazonMemoryDBReadOnlyAccess | ||
| MSK | kafka:ListClustersV2 | AmazonMSKReadOnlyAccess | |
| cloudwatch:GetMetricStatistics | |||
| 容器 | EKS | eks:DescribeCluster | 无对应的权限策略,需自定义策略 |
| eks:ListClusters | |||
| ec2:DescribeInstances | |||
| ec2:DescribeSubnets | |||
| cloudwatch:GetMetricStatistics | |||
| 大数据 | EMR | elasticmapreduce:DescribeCluster | AmazonEMRReadOnlyAccessPolicy_v2 |
| elasticmapreduce:ListClusters | |||
| elasticmapreduce:ListInstanceGroups | |||
| elasticmapreduce:ListInstances | |||
| ec2:DescribeInstances | AmazonEC2ReadOnlyAccess | ||
| 网络 | EIP | ec2:DescribeAddresses | AmazonEC2ReadOnlyAccess |
| ELB | elasticloadbalancing:DescribeLoadBalancers | ElasticLoadBalancingReadOnly | |
| NAT | ec2:DescribeNatGateways | AmazonEC2ReadOnlyAccess | |
| Route53(PublicDomain) | route53:ListHostedZones | AmazonRoute53ReadOnlyAccess | |
| route53:ListResourceRecordSets | |||
| RouteTable | ec2:DescribeRouteTables | AmazonEC2ReadOnlyAccess | |
| SecurityGroup | ec2:DescribeSecurityGroups | AmazonEC2ReadOnlyAccess | |
| ec2:DescribeSecurityGroupRules | |||
| Route53(VpcDomain) | route53:GetHostedZone | AmazonRoute53ReadOnlyAccess | |
| route53:ListHostedZones | |||
| route53:ListResourceRecordSets | |||
| VPC | ec2:DescribeSubnets | AmazonEC2ReadOnlyAccess | |
| ec2:DescribeVpcs |
腾讯云资源采集
采集腾讯云各类资源所需的权限参见下表。
| 资源类型 | 云服务 | Action | 最小权限策略 |
|---|---|---|---|
| 主机 | CVM | cvm: DescribeInstances cvm: DescribeImages cvm:DescribeSecurityGroups cbs: DescribeDisks vpc: DescribeAddresses vpc: DescribeNetworkInterfaces vpc: DescribeSubnets monitor:GetMonitorData | QcloudCVMReadOnlyAccess |
| 数据库 | CDB | cdb:DescribeDBInstances | QcloudCDBReadOnlyAccess |
| PostgreSQL | postgres:DescribeDBInstances | QcloudPostgreSQLReadOnlyAccess | |
| MongoDB | mongodb:DescribeDBInstances mongodb:DescribeDBInstanceNodeProperty | QcloudMongoDBReadOnlyAccess | |
| SQLServer | sqlserver:DescribeDBInstances sqlserver:DescribeReadOnlyGroupList | QcloudSQLServerReadOnlyAccess | |
| 存储 | COS | cos:GetService cos:GetBucketACL cos:GetBucketLifecycle cos:GetBucketVersioning monitor:GetMonitorData | QcloudCOSReadOnlyAccess |
| CFS | cfs:DescribeCfsFileSystems cfs:DescribeMountTargets | QcloudCFSReadOnlyAccess | |
| 网络 | DNSPod | dnspod:DescribeDomainList dnspod:DescribeRecordList | QcloudDNSPodReadOnlyAccess |
| WAF | waf:DescribeDomains waf:DescribeInstances | QcloudWAFReadOnlyAccess | |
| CLB | clb:DescribeLoadBalancersDetail clb:DescribeTargets cvm: DescribeInstances | QcloudCLBReadOnlyAccess QcloudCVMReadOnlyAccess |
Azure资源采集
采集Azure各类资源所需的权限参见下表。
| 资源类型 | 云服务 | 服务 | 最小权限策略 |
|---|---|---|---|
| 主机 | Virtual Machines | Microsoft Classic Compute | Microsoft.ClassicCompute/virtualMachines/read |
| Microsoft Azure Monitor | Microsoft.Insights/MetricDefinitions/Read | ||
| Microsoft Network | Microsoft.Network/networkInterfaces/read | ||
| 存储 | Storage Accounts | Microsoft Azure Monitor | Microsoft.Insights/MetricDefinitions/Read |
| Microsoft Classic Storage | Microsoft.ClassicStorage/storageAccounts/read | ||
| 数据库 | Azure Database for PostgreSQL Flexible Server | Microsoft Management | Microsoft.Management/getEntities/action |
| Azure Database for PostgreSQL | Microsoft Management | Microsoft.Management/getEntities/action | |
| Azure Database for MySQL | Microsoft Management | Microsoft.Management/getEntities/action | |
| Azure Database for MySQL Flexible Server | Microsoft Management | Microsoft.Management/getEntities/action | |
| SQL servers | Microsoft Azure Arc Data | Microsoft.AzureArcData/sqlServerInstances/read | |
| Microsoft Management | Microsoft.Management/getEntities/action | ||
| 中间件 | Azure Cache for Redis | Microsoft Management | Microsoft.Management/getEntities/action |
| Event Hubs | Microsoft Management | Microsoft.Management/getEntities/action | |
| 容器 | Kubernetes services | Microsoft Classic Compute | Microsoft.ClassicCompute/virtualMachines/read |
| Microsoft Azure Monitor | Microsoft.Insights/MetricDefinitions/Read | ||
| Microsoft Management | Microsoft.Management/getEntities/action | ||
| 网络 | Public IP addresses | Microsoft Management | Microsoft.Management/getEntities/action |
| Load Balancer | Microsoft Management | Microsoft.Management/getEntities/action | |
| NAT gateways | Microsoft Management | Microsoft.Management/getEntities/action | |
| Route tables | Microsoft Network | Microsoft.Network/networkInterfaces/read | |
| Network security groups | Microsoft Network | Microsoft.Network/networkInterfaces/read | |
| Virtual networks | Microsoft Network | Microsoft.Network/networkInterfaces/read |
七牛云资源采集
采集七牛云存储资源所需的权限参见下表。
| 资源类型 | 云服务 | Action | 最小权限策略 |
|---|---|---|---|
| 存储 | 对象存储(Kodo) | kodo:buckets | QiniuKodoReadOnlyAccess |
金山云资源采集
采集金山云存储资源所需的权限参见下表。
| 资源类型 | 云服务 | Action | 最小权限策略 |
|---|---|---|---|
| 存储 | 对象存储(KS3) | ks3:ListBuckets | KS3ReadOnlyAccess |