amazon-web-services - aws cloudformation - permission control / routine

Tags: amazon-web-services aws-cloudformation

This is the role I am currently using; it was created through the IAM console.
Then I tried to create another role with the same permissions using CloudFormation, following the tutorial below.
https://blog.petej.org/2020/01/04/infrastructure-as-code-with-aws-lambda-and-api-gateway/

However, after creating the role, I found that all of the policies are inline policies.
Is there any difference from my current role in terms of permissions?
I use Role.json as the template for the stack.

Role.json

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
      "LambdaRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
          "RoleName": "hello-world-Admin",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {
                "Service": ["lambda.amazonaws.com"]
              },
              "Action": ["sts:AssumeRole"]
            }]
          },
          "Path": "/",
          "Policies": [{
              "PolicyName": "AWSLambdaBasicExecutionRole",
              "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                  ],
                  "Resource": "*"
                }]
              }
            },
            {
              "PolicyName": "AmazonS3GetObject",
              "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": [
                    "arn:aws:s3:::pj-lambda-functions/",
                    "arn:aws:s3:::pj-lambda-functions/*"
                  ]
                }]
              }
            },
            {
                "PolicyName": "AmazonS3FullAccess",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                    "Effect": "Allow",
                    "Action": "s3:*",
                    "Resource": "*"
                    }]
                }
            },
            {
                "PolicyName": "AmazonDynamoDBFullAccess",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Action": [
                                "dynamodb:*",
                                "dax:*",
                                "application-autoscaling:DeleteScalingPolicy",
                                "application-autoscaling:DeregisterScalableTarget",
                                "application-autoscaling:DescribeScalableTargets",
                                "application-autoscaling:DescribeScalingActivities",
                                "application-autoscaling:DescribeScalingPolicies",
                                "application-autoscaling:PutScalingPolicy",
                                "application-autoscaling:RegisterScalableTarget",
                                "cloudwatch:DeleteAlarms",
                                "cloudwatch:DescribeAlarmHistory",
                                "cloudwatch:DescribeAlarms",
                                "cloudwatch:DescribeAlarmsForMetric",
                                "cloudwatch:GetMetricStatistics",
                                "cloudwatch:ListMetrics",
                                "cloudwatch:PutMetricAlarm",
                                "datapipeline:ActivatePipeline",
                                "datapipeline:CreatePipeline",
                                "datapipeline:DeletePipeline",
                                "datapipeline:DescribeObjects",
                                "datapipeline:DescribePipelines",
                                "datapipeline:GetPipelineDefinition",
                                "datapipeline:ListPipelines",
                                "datapipeline:PutPipelineDefinition",
                                "datapipeline:QueryObjects",
                                "ec2:DescribeVpcs",
                                "ec2:DescribeSubnets",
                                "ec2:DescribeSecurityGroups",
                                "iam:GetRole",
                                "iam:ListRoles",
                                "kms:DescribeKey",
                                "kms:ListAliases",
                                "sns:CreateTopic",
                                "sns:DeleteTopic",
                                "sns:ListSubscriptions",
                                "sns:ListSubscriptionsByTopic",
                                "sns:ListTopics",
                                "sns:Subscribe",
                                "sns:Unsubscribe",
                                "sns:SetTopicAttributes",
                                "lambda:CreateFunction",
                                "lambda:ListFunctions",
                                "lambda:ListEventSourceMappings",
                                "lambda:CreateEventSourceMapping",
                                "lambda:DeleteEventSourceMapping",
                                "lambda:GetFunctionConfiguration",
                                "lambda:DeleteFunction",
                                "resource-groups:ListGroups",
                                "resource-groups:ListGroupResources",
                                "resource-groups:GetGroup",
                                "resource-groups:GetGroupQuery",
                                "resource-groups:DeleteGroup",
                                "resource-groups:CreateGroup",
                                "tag:GetResources"
                            ],
                            "Effect": "Allow",
                            "Resource": "*"
                        },
                        {
                            "Action": "cloudwatch:GetInsightRuleReport",
                            "Effect": "Allow",
                            "Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
                        },
                        {
                            "Action": [
                                "iam:PassRole"
                            ],
                            "Effect": "Allow",
                            "Resource": "*",
                            "Condition": {
                                "StringLike": {
                                    "iam:PassedToService": [
                                        "application-autoscaling.amazonaws.com",
                                        "dax.amazonaws.com"
                                    ]
                                }
                            }
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "iam:CreateServiceLinkedRole"
                            ],
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "iam:AWSServiceName": [
                                        "replication.dynamodb.amazonaws.com",
                                        "dax.amazonaws.com",
                                        "dynamodb.application-autoscaling.amazonaws.com",
                                        "contributorinsights.dynamodb.amazonaws.com"
                                    ]
                                }
                            }
                        }
                    ]
                }
            },
            {
                "PolicyName" : "CognitoUserPoolsManagement",
                "PolicyDocument" : {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": "cognito-idp:ListUsers",
                            "Resource": "*"
                        }
                    ]
                }
            },
            {
                "PolicyName" : "DynamoDBWriteAccess",
                "PolicyDocument" : {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": [
                                "dynamodb:PutItem",
                                "dynamodb:DeleteItem",
                                "dynamodb:GetItem",
                                "dynamodb:Scan",
                                "dynamodb:UpdateItem"
                            ],
                            "Resource": "arn:aws:dynamodb:us-east-1:063575524122:table/test_users"
                        }
                    ]
                }
            },
            {
                "PolicyName" : "hello-world-s3-policy",
                "PolicyDocument" : {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "VisualEditor0",
                            "Effect": "Allow",
                            "Action": [
                                "s3:PutObject",
                                "s3:GetObject",
                                "s3:PutObjectAcl"
                            ],
                            "Resource": "arn:aws:s3:::kwai-tsing-dev/*"
                        }
                    ]
                }
            }
          ]
        }
      },
      "ApiGatewayRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
          "RoleName": "kwai-tsing-api-for-lambda",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Principal": {
                "Service": ["apigateway.amazonaws.com"]
              },
              "Action": ["sts:AssumeRole"]
            }]
          },
          "Policies": [{
              "PolicyName": "AWSApiGateWay",
              "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Action": "lambda:InvokeFunction",
                  "Resource": "*"
                }]
              }
            },
            {
              "PolicyName": "ApiGatewayFullAccess",
              "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                  "Effect": "Allow",
                  "Action": [
                    "apigateway:*"
                  ],
                  "Resource": "*"
                }]
              }
            }
          ]
        }
      },
      "MyRestApi": {
        "Type": "AWS::ApiGateway::RestApi",
        "Properties": {
            "Body": {
                "OpenAPI specification": null
            },
            "Description": "A test API",
            "Name": "MyRestAPI"
        }
    }
    }
  }

Apart from that, I would like to ask the following questions, since I am a beginner with AWS CloudFormation.
1. What is the most popular option to manage the stack: via the CLI, or by creating the stack directly in the CloudFormation console?
2. How do I decide the contents of the template? For example, if I use API Gateway, Lambda and DynamoDB together, should I create 3 separate template files, or a single file containing all of them?

Best answer

If you do not want to use inline policies, you have to create an AWS::IAM::ManagedPolicy first, and then reference it in ManagedPolicyArns in your role.

Does it have any difference from my current role in terms of permissions?

No, there is none. The benefit of managed policies is that you can create one managed policy and reference it from multiple roles, users or groups. Inline policies, on the other hand, always have to be duplicated, which makes management harder.

1. What is the most popular option to manage the stack, by CLI or by creating the stack in the CloudFormation console directly?

It depends on your use case. There is no single correct answer that fits every possible situation. But if you want to go fully IaC, you should avoid console deployments and keep everything as code under source control, including the deployment process/scripts.

How to decide the contents of the template? For example, if I use API Gateway, Lambda and DynamoDB together, should I create 3 separate template files, or a single file containing all of them?

Again, it depends. If they are part of the same application, I would keep them in one template. That way, with one deployment you create the whole application stack, and the same applies when you tear it down. But if they are completely unrelated to each other, I would keep them separate, which gives you more room and freedom for modifications.
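As an added example, not code from the question, the answer or the linked tutorial: a Python script that rewrites a template shaped like Role.json the way the answer describes, moving each inline entry of the role's Policies list into its own AWS::IAM::ManagedPolicy resource and attaching it through ManagedPolicyArns. The sample template is a constructed, cut-down copy of three of the question's policies; the logical-ID naming scheme (role ID plus policy name) and the helper names are this example's own choices. It also reports Allow statements that grant a wildcard action on Resource "*" (the question's template contains several), because a managed policy carries exactly the permissions of the inline policy it replaces: moving a policy changes how it is shared, not what it allows.

```python
import copy
import json

# Constructed sample: a cut-down Role.json with three of the question's inline policies.
INLINE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "hello-world-Admin",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": ["lambda.amazonaws.com"]},
                                   "Action": ["sts:AssumeRole"]}],
                },
                "Path": "/",
                "Policies": [
                    {"PolicyName": "AWSLambdaBasicExecutionRole",
                     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                         {"Effect": "Allow", "Resource": "*",
                          "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}},
                    {"PolicyName": "AmazonS3GetObject",
                     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                         {"Effect": "Allow", "Action": "s3:GetObject",
                          "Resource": ["arn:aws:s3:::pj-lambda-functions/*"]}]}},
                    {"PolicyName": "AmazonS3FullAccess",
                     "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                         {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
                ],
            },
        }
    },
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def managed_policy_logical_id(role_id, policy_name):
    """Hypothetical naming scheme: CloudFormation logical IDs must be alphanumeric,
    so the policy name is appended to the role ID with every other character dropped."""
    return role_id + "".join(ch for ch in policy_name if ch.isalnum())


def inline_to_managed(template):
    """Return a copy of the template in which every inline role policy has become
    an AWS::IAM::ManagedPolicy resource attached through ManagedPolicyArns."""
    out = copy.deepcopy(template)
    resources = out["Resources"]
    for role_id, res in list(resources.items()):
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        inline = props.pop("Policies", [])          # remove the inline policies
        arns = props.setdefault("ManagedPolicyArns", [])
        for pol in inline:
            mp_id = managed_policy_logical_id(role_id, pol["PolicyName"])
            resources[mp_id] = {
                "Type": "AWS::IAM::ManagedPolicy",
                # ManagedPolicyName is optional; CloudFormation generates one when omitted.
                "Properties": {"PolicyDocument": pol["PolicyDocument"]},
            }
            # Ref on an AWS::IAM::ManagedPolicy resource resolves to the policy ARN.
            arns.append({"Ref": mp_id})
    return out


def broad_statements(template):
    """List (policy, action) pairs where an Allow statement grants a wildcard action
    on Resource "*". Inline policies are named by PolicyName, managed ones by logical ID."""
    hits = []
    for logical_id, res in template["Resources"].items():
        props = res.get("Properties", {})
        docs = []
        if res.get("Type") == "AWS::IAM::Role":
            docs = [(p["PolicyName"], p["PolicyDocument"]) for p in props.get("Policies", [])]
        elif res.get("Type") == "AWS::IAM::ManagedPolicy":
            docs = [(logical_id, props["PolicyDocument"])]
        for name, doc in docs:
            for st in _as_list(doc["Statement"]):
                if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
                    continue
                hits.extend((name, a) for a in _as_list(st["Action"]) if a.endswith("*"))
    return hits


if __name__ == "__main__":
    converted = inline_to_managed(INLINE_TEMPLATE)
    print(json.dumps(converted, indent=2))
    print("wildcard grants on every resource:", broad_statements(converted))
```

Running the script prints the rewritten template, which you can pass to a CloudFormation deployment as-is, followed by the one statement in the sample that allows s3:* on every resource; the same statement is reported before and after the conversion, which is the answer's point that the permissions do not change.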

Regarding "amazon-web-services - aws cloudformation - permission control / routine", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64554899/
