Amazon Web Services Adapter IAM Access Authorization

When using an Amazon Web Services adapter, the account used to connect to each Amazon Web Services service must have the appropriate authorization.
The IAM access authorization that each adapter requires, by function, is listed below.

Amazon DynamoDB adapter

The IAM access authorization that the Amazon DynamoDB adapter requires is as follows.

Global resource

Action name Remarks
dynamodb:ListTables
  • Required when executing [Connection test].

Operation

Retrieve Item(scan)

Action name Remarks
dynamodb:ListTables
  • Required when executing [Update table name list].
dynamodb:DescribeTable
  • Required when executing [Update index name list] and [Update schema definition].
dynamodb:Scan  

Retrieve Item(Query)

Action name Remarks
dynamodb:ListTables
  • Required when executing [Update table name list].
dynamodb:DescribeTable
  • Required when executing [Update index name list] and [Update attribute list].
dynamodb:Scan
  • Required when executing [Update attribute list].
dynamodb:Query  

Create/Replace Item

Action name Remarks
dynamodb:ListTables
  • Required when executing [Update table name list].
dynamodb:DescribeTable
  • Required when executing [Update attribute list].
dynamodb:Scan
  • Required when executing [Update attribute list].
dynamodb:PutItem  

Delete Item

Action name Remarks
dynamodb:ListTables
  • Required when executing [Update table name list].
dynamodb:DescribeTable
  • Required when executing [Update primary key list].
dynamodb:Scan
  • Required when executing [Update primary key list].
dynamodb:DeleteItem  

Amazon EC2 Adapter

The IAM access authorization required for the Amazon EC2 adapter is as follows.

Global Resource

Action name Remarks
ec2:DescribeAvailabilityZones
  • Required when executing [Connection Test].

Operation

Start Servers

Action name Remarks
ec2:DescribeAddresses
  • Required when getting [Instance List].
ec2:DescribeInstances  
ec2:StartInstances  

Stop Servers

Action name Remarks
ec2:DescribeInstances  
ec2:StopInstances  

Describe Servers

Action name Remarks
ec2:DescribeImages  
ec2:DescribeInstances  

Amazon S3 Adapter

The IAM access authorization required for the Amazon S3 adapter is as follows.

Global Resource

Action name Remarks
s3:ListAllMyBuckets
  • Required when executing [Connection Test].

Operation

Get Bucket List

Action name Remarks
s3:ListBucket
  • The target bucket must be included in the allowed Resource.
s3:ListAllMyBuckets  

Get File/Folder List

Action name Remarks
s3:GetObjectAcl  
s3:ListBucket
  • The target bucket must be included in the allowed Resource.
s3:ListAllMyBuckets  

Read File/Folder

Action name Remarks
s3:GetObject  
s3:GetObjectAcl
  • Required if [With information of file access rights] is checked.
s3:ListBucket
  • The target bucket must be included in the allowed Resource.
s3:ListAllMyBuckets  

Write File/Folder

Action name Remarks
s3:PutObject  
s3:GetObjectAcl
  • Required if [With information of file access rights] is checked.
s3:PutObjectAcl
  • Required if "Public" is selected in [Access rights].
s3:CreateBucket
  • Required if [Create bucket when it doesn't exist] is checked.
s3:ListBucket
  • The target bucket must be included in the allowed Resource.
s3:ListAllMyBuckets  

Delete File/Folder

Action name Remarks
s3:GetObject  
s3:DeleteObject  
s3:DeleteBucket
  • Required if [Delete bucket] is checked.
s3:ListBucket
  • The target bucket must be included in the allowed Resource.
s3:ListAllMyBuckets  

Read File/Folder(Data)

Action name Remarks
s3:GetObject  
s3:GetObjectAcl
  • Required if [Retrieve ACL information] is checked.
s3:ListAllMyBuckets  

Write File/Folder(Data)

Action name Remarks
s3:PutObject  
s3:GetObjectAcl
  • Required if [Retrieve ACL information] is checked.
s3:CreateBucket
  • Required if [Create bucket when it doesn't exist] is checked.
s3:ListBucket
  • The target bucket must be included in the allowed Resource.
s3:ListAllMyBuckets  
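
The [Write File/Folder] rows above can be turned into a policy that scopes each action to the narrowest resource S3 accepts. The following is an added example, not part of the product documentation; the function name, option names and bucket name are hypothetical, and the `aws` partition is assumed.

```python
import json

def s3_write_policy(bucket, acl_info=False, public=False, create_bucket=False):
    """Build an IAM policy for the S3 adapter's [Write File/Folder] operation.

    The keyword options mirror the adapter settings that make extra actions
    necessary, so unused features grant nothing.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"      # assumes the standard partition
    bucket_actions = ["s3:ListBucket"]
    object_actions = ["s3:PutObject"]
    if create_bucket:                           # [Create bucket when it doesn't exist]
        bucket_actions.append("s3:CreateBucket")
    if acl_info:                                # [With information of file access rights]
        object_actions.append("s3:GetObjectAcl")
    if public:                                  # "Public" in [Access rights]
        object_actions.append("s3:PutObjectAcl")
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListAllMyBuckets has no resource type, so "*" is the only valid scope.
            {"Sid": "AccountLevel", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            # Bucket-level actions apply to the bucket ARN itself.
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": bucket_actions, "Resource": bucket_arn},
            # Object-level actions apply to keys inside the bucket.
            {"Sid": "ObjectLevel", "Effect": "Allow",
             "Action": object_actions, "Resource": f"{bucket_arn}/*"},
        ],
    }

if __name__ == "__main__":
    # Constructed sample: "example-bucket" is a placeholder name.
    print(json.dumps(s3_write_policy("example-bucket", public=True), indent=2))
```

Granting `s3:ListBucket` on `arn:aws:s3:::bucket/*` instead of the bucket ARN is a common cause of access-denied errors, because the object ARN pattern does not match the bucket itself.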

Amazon SQS Adapter

The IAM access authorization required for the Amazon SQS adapter is as follows.

Global Resource

Action name Remarks
sqs:ListQueues
  • Required when executing [Connection Test].

Operation

Receive message

Action name Remarks
sqs:GetQueueUrl  
sqs:ReceiveMessage  

Send message

Action name Remarks
sqs:GetQueueUrl  
sqs:ListQueues
  • Required when getting list of [Queue name].
sqs:SendMessage  

Delete message

Action name Remarks
sqs:DeleteMessage  
sqs:GetQueueUrl  
sqs:ListQueues
  • Required when getting list of [Queue name].

Amazon SimpleDB Adapter

The IAM access authorization required for the Amazon SimpleDB adapter is as follows.

Global Resource

Action name Remarks
sdb:ListDomains
  • Required when executing [Connection Test].

Operation

Read Item

Action name Remarks
sdb:ListDomains  
sdb:Select  

Execute Query

Action name Remarks
sdb:ListDomains  
sdb:Select  

Put item

Action name Remarks
sdb:BatchPutAttributes  
sdb:ListDomains
  • Required when getting list of [Domain name].

Delete Item

Action name Remarks
sdb:BatchDeleteAttributes  
sdb:ListDomains
  • Required when getting list of [Domain name].

Create Domain

Action name Remarks
sdb:CreateDomain  
sdb:ListDomains  

Delete Domain

Action name Remarks
sdb:DeleteDomain  
sdb:ListDomains  

Amazon Redshift Adapter

For the access authorization required by the COPY command that the Amazon Redshift adapter uses, refer to "Amazon Redshift document-developer guide- COPY" (http://docs.aws.amazon.com/ja_jp/redshift/latest/dg/r_COPY.html).

ScriptRunner for Amazon SQS

The IAM access authorization required for ScriptRunner for Amazon SQS is as follows.

ScriptRunner for Amazon SQS Setting

Action name Remarks
sqs:GetQueueUrl
  • Required when executing [Connection Test].

ScriptRunner for Amazon SQS Manager

Action name Remarks
sqs:GetQueueUrl
  • Required for the queue that stores script execution requests and the queue that stores script execution results.
sqs:ReceiveMessage
  • Required for the queue that stores script execution requests.
sqs:SendMessage
  • Required for the queue that stores script execution results.
sqs:DeleteMessage
  • Required for the queue that stores script execution requests.

ScriptRunner AmazonSQS Client

Action name Remarks
sqs:GetQueueUrl
  • Required for the queue that stores script execution requests and the queue that stores script execution results.
sqs:ReceiveMessage
  • Required for the queue that stores script execution results.
sqs:SendMessage
  • Required for the queue that stores script execution requests.
sqs:DeleteMessage
  • Required for the queue that stores script execution results.
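
The Manager and Client tables mirror each other: each side only consumes from one queue and only sends to the other. The following added example (not part of the product documentation) audits an IAM policy against those tables and reports actions that are missing or granted beyond what a role needs on each queue; the function names, queue ARNs and sample policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Actions each role needs on each queue, from the ScriptRunner tables above.
CONSUME = {"sqs:GetQueueUrl", "sqs:ReceiveMessage", "sqs:DeleteMessage"}
PRODUCE = {"sqs:GetQueueUrl", "sqs:SendMessage"}
REQUIRED = {
    "manager": {"request": CONSUME, "result": PRODUCE},
    "client": {"request": PRODUCE, "result": CONSUME},
}

def _listify(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit(policy, role, queues):
    """Compare a policy with REQUIRED[role]; queues maps 'request'/'result' to ARNs.

    Returns (missing, excess) as lists of (queue, action). Only Allow statements
    with Action/Resource are evaluated; Deny, NotAction, NotResource and
    Condition are not taken into account.
    """
    missing, excess = [], []
    for name, arn in queues.items():
        need = REQUIRED[role][name]
        granted = []
        for stmt in _listify(policy["Statement"]):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            if any(fnmatchcase(arn, r) for r in _listify(stmt.get("Resource", []))):
                granted += _listify(stmt["Action"])
        # IAM action names are case-insensitive and may contain wildcards.
        low = [g.lower() for g in granted]
        missing += [(name, a) for a in sorted(need)
                    if not any(fnmatchcase(a.lower(), g) for g in low)]
        exact = {a.lower() for a in need}
        excess += [(name, g) for g in sorted(set(granted)) if g.lower() not in exact]
    return missing, excess

# Constructed sample: placeholder account ID and queue names, not from the page.
REQ = "arn:aws:sqs:us-east-1:111122223333:script-request"
RES = "arn:aws:sqs:us-east-1:111122223333:script-result"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:*", "Resource": REQ},
    {"Effect": "Allow", "Action": ["sqs:GetQueueUrl", "sqs:ReceiveMessage"], "Resource": RES},
]}

if __name__ == "__main__":
    print(audit(SAMPLE, "manager", {"request": REQ, "result": RES}))
```

A wildcard such as `sqs:*` satisfies the required actions but is still reported as excess, since it also grants queue administration actions the tables do not call for.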

Amazon Kinesis Trigger

For details on the access permissions needed to use Amazon Kinesis Trigger, please refer to "Developing Amazon Kinesis Streams Consumers Using the Amazon Kinesis Client Library" (http://docs.aws.amazon.com/kinesis/latest/dev/developing-consumers-with-kcl.html).