
Production account: 221234567891

Production S3 bucket: project-backup-prd

KMS key used by the production S3 bucket: ccefc2e5-d396-5e23-915f-6eb70b40293d (in cn-north-1, see the key ARN in step 3)

Goal: run a backint restore on EC2 instances (awtxxx05, awtxxx06) that live in a different account (901234567892), reading the backups from the production bucket.


Procedure:

1. On the production S3 bucket, add the bucket policy below so that the EC2 roles from the other account are allowed in. Because this is a restore, read access is all that is required (note that the policy as pasted also grants s3:DeleteObject, which a restore never needs; drop it if you want the grant to be read-only).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx05",
                    "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx06"
                ]
            },
            "Action": [
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws-cn:s3:::project-backup-prd/*",
                "arn:aws-cn:s3:::project-backup-prd"
            ]
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx05",
                    "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx06"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws-cn:s3:::project-backup-prd/*"
        }
    ]
}

2. On the production KMS key, add the EC2 roles from the other account to the key policy. The statement to add is shown below (note: this is only a fragment, the rest of the key policy stays as it is). The key policy alone does not grant anything across accounts: the role's own identity policy in account 901234567892 (step 3) must allow the same KMS actions, and the effective permission is the intersection of the two. For a restore, kms:Decrypt is the action that actually matters.

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx05",
            "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx06"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

3. On the EC2 instance role in the other account, attach the following policy, For-s3-project-backup-prd, which grants access to the production S3 bucket and KMS key. The s3:PutObject and s3:PutObjectTagging actions listed here are not granted by the bucket policy in step 1, so they have no effect cross-account; s3:DeleteObject is allowed on both sides and therefore is effective.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws-cn:s3:::project-backup-prd/*",
                "arn:aws-cn:s3:::project-backup-prd"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws-cn:kms:cn-north-1:221234567891:key/ccefc2e5-d396-5e23-915f-6eb70b40293d"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws-cn:s3:::project-backup-prd/*"
        }
    ]
}

4. Finally, edit the backint configuration file on the EC2 instances in the other account.

Note: the S3BucketName parameter takes the bare bucket name (project-backup-prd), not an ARN.
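Before touching the backint configuration it is worth checking what the three policies above actually add up to. For a cross-account call, the bucket policy or key policy in the production account and the identity policy on the role in the calling account must both allow the action; the effective permission is the intersection. The script below, an added example rather than code from the original post, loads the policies exactly as pasted in steps 1 to 3 and computes that intersection with a simplified evaluator (wildcard matching on Principal, Action and Resource, explicit Deny wins; no Condition, NotAction, SCP or permissions-boundary handling). The object key, the list of actions a restore is assumed to need and the role chosen for the check are assumptions, not taken from the post.

```python
"""Effective-permission check for the cross-account backint restore role.

Added example, not from the original post. Evaluates the bucket policy (step 1),
the KMS key policy statement (step 2) and the role's identity policy (step 3)
and reports which actions the role in account 901234567892 can really perform
against the production bucket and key in account 221234567891.
"""
import fnmatch

ROLE_ARN = "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx05"
BUCKET_ARN = "arn:aws-cn:s3:::project-backup-prd"
OBJECT_ARN = BUCKET_ARN + "/hana/COMPLETE_DATA_BACKUP"   # constructed sample key
KEY_ARN = ("arn:aws-cn:kms:cn-north-1:221234567891:key/"
           "ccefc2e5-d396-5e23-915f-6eb70b40293d")
PRINCIPALS = [ROLE_ARN, "arn:aws-cn:iam::901234567892:role/Role-For-awtxxx06"]
BUCKET_ACTIONS = ["s3:GetBucketPolicyStatus", "s3:GetBucketLocation",
                  "s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketPolicy"]

# Step 1: bucket policy in the production account (statements as pasted).
BUCKET_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": PRINCIPALS},
     "Action": BUCKET_ACTIONS, "Resource": [BUCKET_ARN + "/*", BUCKET_ARN]},
    {"Effect": "Allow", "Principal": {"AWS": PRINCIPALS},
     "Action": ["s3:GetObject", "s3:DeleteObject"], "Resource": BUCKET_ARN + "/*"},
]
# Step 2: the statement added to the production KMS key policy.
KEY_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": PRINCIPALS},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
]
# Step 3: identity policy For-s3-project-backup-prd attached to the EC2 role.
ROLE_POLICY = [
    {"Effect": "Allow", "Action": BUCKET_ACTIONS,
     "Resource": [BUCKET_ARN + "/*", BUCKET_ARN]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": KEY_ARN},
    {"Effect": "Allow", "Action": ["s3:PutObjectTagging", "s3:PutObject",
                                   "s3:GetObject", "s3:DeleteObject"],
     "Resource": BUCKET_ARN + "/*"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, principal):
    """Principal/Action/Resource matching with IAM-style '*' wildcards."""
    if "Principal" in stmt and stmt["Principal"] != "*":
        if principal not in _as_list(stmt["Principal"].get("AWS", [])):
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def allows(statements, action, resource, principal=None):
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    allowed = False
    for stmt in statements:
        if _matches(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective(action, resource, principal=ROLE_ARN):
    """Cross-account: the resource policy AND the identity policy must both allow."""
    resource_policy = KEY_POLICY if action.startswith("kms:") else BUCKET_POLICY
    return (allows(resource_policy, action, resource, principal)
            and allows(ROLE_POLICY, action, resource))


# Actions a read-only backint restore is assumed to exercise (assumption, not from the post).
RESTORE_NEEDS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "kms:Decrypt"}

CHECKS = {
    "s3:ListBucket": BUCKET_ARN, "s3:GetObject": OBJECT_ARN,
    "s3:PutObject": OBJECT_ARN, "s3:DeleteObject": OBJECT_ARN,
    "kms:Decrypt": KEY_ARN, "kms:GenerateDataKey": KEY_ARN, "kms:Encrypt": KEY_ARN,
}


def report():
    """Map each checked action to whether the role can actually perform it."""
    return {action: effective(action, resource) for action, resource in CHECKS.items()}


def beyond_restore():
    """Effectively granted actions that a read-only restore does not need."""
    return sorted(a for a, ok in report().items() if ok and a not in RESTORE_NEEDS)


if __name__ == "__main__":
    for action, ok in report().items():
        print(f"{action:24} {'ALLOWED' if ok else 'denied'}")
    print("allowed but not needed for restore:", beyond_restore())
```

Running it shows that s3:PutObject and kms:Encrypt are denied even though one side allows them, while s3:DeleteObject and kms:GenerateDataKey are allowed on both sides and therefore effective. The first of those is the one to act on: a role that only has to restore can delete production backups with these policies, so remove s3:DeleteObject from either the bucket policy or the role policy (ideally both) before leaving the setup in place.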


Please respect the work of others: if you repost this, you must cite the source: https://www.cnblogs.com/5201351/p/17965005