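This document describes the AWS-related survey features, how the information you provide is used, and the security guarantees.
AWS migration cost assessment
For the AK/SK-based AWS survey, you must enable the AWS Cost Explorer service in advance and make sure that the account you provide has the following permissions: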
arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
arn:aws:iam::aws:policy/Billing
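arn:aws:iam::aws:rds/DescribeDbInstances
Because CMH uses the AWS SDK (GetCostAndUsageRequest/Response) to access your billing API, the read calls may incur charges. Read-only RDS permission must also be granted so that CMH can read your RDS configuration and recommend suitable RDS specifications on Alibaba Cloud.
CMH does not record or store your sensitive information (such as the AK/SK). The key information you enter is used only for the current task.
AWS online survey
The online AWS survey requires you to provide an AWS account that is used to obtain your cloud resource inventory. The account must have read permission on all cloud resources. AWS provides a read-only system policy that you can use directly for authorization:
arn:aws:iam::aws:policy/ReadOnlyAccess
For the resource types supported by the AWS online survey and the APIs it uses, see: AWS collected field details. If you want to grant a narrower permission policy, see AWS read-only permission desensitization.
Likewise, CMH does not record or store your sensitive information (such as the AK/SK). The key information you enter is used only for the current task.
API reference for the online survey
Supported resource | API used | Client used |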
EC2 | DescribeInstancesRequest/Response,DescribeInstanceTypesRequest/Response,DescribeImagesRequest/Response | Ec2Client |
NAT | DescribeNatGatewaysResponse | Ec2Client |
Security group | DescribeSecurityGroupsResponse,DescribeSecurityGroupRulesIterable | Ec2Client |
VPC | DescribeVpcsResponse | Ec2Client |
Availability zone | DescribeAvailabilityZonesResponse | Ec2Client |
Load balancing | DescribeTargetGroupsResponse,DescribeInstancesResponse,DescribeLoadBalancersResponse,DescribeTagsRequest/Response | ElasticLoadBalancingV2Client,Ec2Client |
RDS | DescribeDbInstancesRequest/Response | RdsClient |
ElastiCache | DescribeCacheClustersResponse,DescribeCacheSubnetGroupsResponse,ListTagsForResourceRequest/Response | ElastiCacheClient |
S3 | ListBucketsResponse,ListObjectsV2Request/Response,GetBucketTaggingRequest/Response,GetPublicAccessBlockRequest/Response,GetBucketLifecycleConfigurationRequest/Response,GetBucketReplicationRequest/Response,ListBucketInventoryConfigurationsRequest/Response | S3Client |
DocumentDB | DescribeSecurityGroupsResponse,DescribeDbClustersResponse,ListTagsForResourceRequest/Response | DocDbClient,Ec2Client |
ES | DescribeCacheClustersResponse,DescribeCacheSubnetGroupsResponse,ListTagsForResourceRequest/Response | ElastiCacheClient |
KAFAKA | DescribeSecurityGroupsResponse,ListClustersV2Request/Response | KafkaClient,Ec2Client |
SECURITY_GROUP_RULE | DescribeSecurityGroupRulesRequest/Response,DescribeSecurityGroupRulesIterable | Ec2Client |
OLAPDB | DescribeClustersResponse | RedshiftClient |
Eks | ListClustersRequest/Response,DescribeClusterRequest/Response | EksClient |
GlobalAccelerator | ListAcceleratorsRequest/Response | GlobalAcceleratorClient |
Athena | ListDataCatalogsRequest/Response,ListDatabasesRequest/Response,ListTableMetadataRequest/Response | AthenaClient |
Lambda | ListFunctionsRequest/Response,GetFunctionRequest/Response | LambdaClient |
CloudFront | ListDistributionsResponse,ListTagsForResourceRequest/Response | CloudFrontClient |
MQ | ListBrokersResponse,DescribeBrokerRequest/Response | MqClient |
SQS | ListQueuesRequest/Response,GetQueueAttributesRequest/Response,ListQueueTagsRequest/Response | SqsClient |
AutoScaling | DescribeAutoScalingGroupsRequest/Response | AutoScalingClient |
EIP | DescribeAddressesResponse | Ec2Client |
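
The API column above can be used to scope a policy narrower than ReadOnlyAccess. The following is an added example, not CMH or AWS code: it derives IAM actions from a subset of the table rows (EC2, security group, VPC, RDS, S3) and checks that none of them is a write action. The client-to-prefix map, the S3 action-name exceptions and the function names are assumptions of this example.

```python
import json
import re

# IAM service prefix per SDK client (subset of the table; assumption of this example).
IAM_PREFIX = {"Ec2Client": "ec2", "RdsClient": "rds", "S3Client": "s3"}
# S3 operations whose IAM action name differs from the SDK operation name.
S3_ACTION = {
    "ListBuckets": "ListAllMyBuckets",
    "ListObjectsV2": "ListBucket",
    "GetPublicAccessBlock": "GetBucketPublicAccessBlock",
    "GetBucketLifecycleConfiguration": "GetLifecycleConfiguration",
    "GetBucketReplication": "GetReplicationConfiguration",
    "ListBucketInventoryConfigurations": "GetInventoryConfiguration",
}
# Rows copied from the table above as (API column, client column); subset only.
ROWS = [
    ("DescribeInstancesRequest/Response,DescribeInstanceTypesRequest/Response,DescribeImagesRequest/Response", "Ec2Client"),
    ("DescribeSecurityGroupsResponse,DescribeSecurityGroupRulesIterable", "Ec2Client"),
    ("DescribeVpcsResponse", "Ec2Client"),
    ("DescribeDbInstancesRequest/Response,", "RdsClient"),
    ("ListBucketsResponse,ListObjectsV2Request/Response,GetBucketTaggingRequest/Response,GetPublicAccessBlockRequest/Response,GetBucketLifecycleConfigurationRequest/Response,GetBucketReplicationRequest/Response,ListBucketInventoryConfigurationsRequest/Response", "S3Client"),
]

def operation(sdk_type):
    """Strip the SDK type suffix: DescribeVpcsResponse -> DescribeVpcs."""
    return re.sub(r"(Request/Response|Request|Response|Iterable)$", "", sdk_type.strip())

def build_policy(rows):
    """Build one Allow statement holding only the actions the listed calls need."""
    actions = set()
    for apis, client in rows:
        prefix = IAM_PREFIX[client]
        for sdk_type in apis.split(","):
            if not sdk_type.strip():  # tolerate a trailing comma in the cell
                continue
            op = operation(sdk_type)
            if prefix == "s3":
                op = S3_ACTION.get(op, op)
            actions.add(f"{prefix}:{op}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}

def non_read_actions(policy):
    """Return actions that do not start with a read verb; expected to be empty."""
    actions = policy["Statement"][0]["Action"]
    return [a for a in actions if not re.match(r"[a-z0-9]+:(Describe|List|Get)", a)]

if __name__ == "__main__":
    print(json.dumps(build_policy(ROWS), indent=2))
```

Extend IAM_PREFIX and ROWS with the remaining table rows before using the result, and compare the generated actions with the AWS service authorization reference for each service.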