InfoGrab Docs

Discovery Service AWS IAM Reference

Summary

The Teleport Discovery Service requires AWS IAM permissions to discover AWS resources. Each section below describes the IAM permissions used to discover a particular type of AWS resource. You can use a list of ARNs and narrow the scope of the permissions to specific regions or EKS clusters instead of using a wildcard.

The Teleport Discovery Service requires AWS IAM permissions to discover AWS resources. These permissions must be attached to the AWS IAM credentials available to the Discovery Service instance.

Each section below describes the IAM permissions used to discover a particular type of AWS resource.

EC2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2Discovery",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ssm:DescribeInstanceInformation",
                "ssm:GetCommandInvocation",
                "ssm:ListCommandInvocations",
                "ssm:SendCommand"
            ],
            "Resource": "*"
        }
    ]
}
Statement       Purpose
EC2Discovery    Discover EC2 instances.

EKS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EKSDiscovery",
            "Effect": "Allow",
            "Action": [
              "eks:DescribeCluster",
              "eks:ListClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EKSManageAccess",
            "Effect": "Allow",
            "Action": [
              "eks:AssociateAccessPolicy",
              "eks:CreateAccessEntry",
              "eks:DeleteAccessEntry",
              "eks:DescribeAccessEntry",
              "eks:TagResource",
              "eks:UpdateAccessEntry"
            ],
            "Resource": "*"
        }
    ]
}
Statement          Purpose
EKSDiscovery       Discover EKS clusters and fetch additional details about them.
EKSManageAccess    Automatically set up Teleport access for discovered EKS clusters.

You can use a list of ARNs and narrow the scope of the permissions to specific regions or EKS clusters instead of using a wildcard. The resource ARN has the following format:

arn:{Partition}:eks:{Region}:{Account}:cluster/{ClusterName}

The permissions in the EKSManageAccess statement are optional because the Discovery Service will discover EKS clusters even when it cannot ensure that the Teleport Kubernetes Service has access to the clusters it discovers. If you omit any of the EKSManageAccess permissions, then it is your responsibility to ensure that the Teleport Kubernetes Service can access each EKS cluster.

Databases

DocumentDB

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DocumentDBDiscovery",
            "Effect": "Allow",
            "Action": "rds:DescribeDBClusters",
            "Resource": "*"
        }
    ]
}
Statement              Purpose
DocumentDBDiscovery    Discover Amazon DocumentDB clusters.

DynamoDB

Automatic discovery is not available for DynamoDB databases.

ElastiCache for Redis and Valkey

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ElastiCacheDiscovery",
            "Effect": "Allow",
            "Action": "elasticache:DescribeReplicationGroups",
            "Resource": "*"
        },
        {
            "Sid": "ElastiCacheFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement                   Purpose
ElastiCacheDiscovery        Discover ElastiCache replication groups.
ElastiCacheFetchMetadata    Import AWS tags and additional metadata for each database as Teleport database labels.

ElastiCache Serverless for Redis and Valkey

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ElastiCacheServerlessDiscovery",
            "Effect": "Allow",
            "Action": "elasticache:DescribeServerlessCaches",
            "Resource": "*"
        },
        {
            "Sid": "ElastiCacheServerlessFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "elasticache:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement                             Purpose
ElastiCacheServerlessDiscovery        Discover ElastiCache Serverless caches.
ElastiCacheServerlessFetchMetadata    Import AWS tags and other metadata for each database as Teleport database labels.

Keyspaces

Automatic discovery is not available for Keyspaces databases.

MemoryDB

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MemoryDBDiscovery",
            "Effect": "Allow",
            "Action": "memorydb:DescribeClusters",
            "Resource": "*"
        },
        {
            "Sid": "MemoryDBFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "memorydb:DescribeSubnetGroups",
                "memorydb:ListTags"
            ],
            "Resource": "*"
        }
    ]
}
Statement                Purpose
MemoryDBDiscovery        Discover MemoryDB databases.
MemoryDBFetchMetadata    Import AWS tags and additional metadata for each database as Teleport database labels.

OpenSearch

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OpenSearchDiscovery",
            "Effect": "Allow",
            "Action": [
                "es:DescribeDomains",
                "es:ListDomainNames"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OpenSearchFetchMetadata",
            "Effect": "Allow",
            "Action": "es:ListTags",
            "Resource": "*"
        }
    ]
}
Statement                  Purpose
OpenSearchDiscovery        Discover OpenSearch domains.
OpenSearchFetchMetadata    Import each discovered domain's AWS tags as Teleport database labels.

RDS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDSDiscovery",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances"
            ],
            "Resource": "*"
        }
    ]
}
Statement       Purpose
RDSDiscovery    Discover RDS instances and Aurora clusters.

When configured to discover RDS databases, the Teleport Discovery Service will attempt to discover both RDS instances and Aurora clusters. The rds:DescribeDBInstances permission is used to find RDS instances, but it is also used to find additional information about discovered Aurora clusters, so you should include this permission even if you only have Aurora clusters to discover. If you don't want Aurora cluster discovery, then you can omit the rds:DescribeDBClusters permission.
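The following is an added example, not Teleport's own code, that applies two rules from this page: scoping the EKS statements to a list of cluster ARNs built from the ARN format given in the EKS section (with the optional EKSManageAccess statement switchable), and composing the RDS statement so that rds:DescribeDBInstances is always granted while rds:DescribeDBClusters is granted only when Aurora discovery is wanted. It assumes that eks:ListClusters, which has no resource type in IAM, keeps "*" in a separate statement; the Sid EKSDescribeCluster, the account id and the cluster names are placeholders introduced here.

```python
"""Added example (not Teleport's code): least-privilege Discovery Service policy from this page's EKS and RDS rules."""
import json

# Actions copied from the EKSManageAccess statement above.
EKS_MANAGE_ACCESS = ["eks:AssociateAccessPolicy", "eks:CreateAccessEntry",
                     "eks:DeleteAccessEntry", "eks:DescribeAccessEntry",
                     "eks:TagResource", "eks:UpdateAccessEntry"]

def eks_cluster_arn(region, account, name, partition="aws"):
    # Format from the page: arn:{Partition}:eks:{Region}:{Account}:cluster/{ClusterName}
    # name="*" scopes a statement to every cluster in one region of one account.
    return f"arn:{partition}:eks:{region}:{account}:cluster/{name}"

def eks_statements(cluster_arns, manage_access=True):
    # eks:ListClusters has no resource type in IAM, so it keeps "*" in its own
    # statement (Sid EKSDescribeCluster is introduced here, not on the page);
    # the per-cluster actions are limited to the ARN list instead of "*".
    stmts = [
        {"Sid": "EKSDiscovery", "Effect": "Allow",
         "Action": ["eks:ListClusters"], "Resource": "*"},
        {"Sid": "EKSDescribeCluster", "Effect": "Allow",
         "Action": ["eks:DescribeCluster"], "Resource": list(cluster_arns)},
    ]
    if manage_access:  # optional: omit and grant Kubernetes Service access yourself
        stmts.append({"Sid": "EKSManageAccess", "Effect": "Allow",
                      "Action": EKS_MANAGE_ACCESS, "Resource": list(cluster_arns)})
    return stmts

def rds_statement(aurora=True):
    # rds:DescribeDBInstances is always needed: it finds RDS instances and fetches
    # details of Aurora clusters. rds:DescribeDBClusters only when Aurora is wanted.
    actions = ["rds:DescribeDBInstances"]
    if aurora:
        actions.insert(0, "rds:DescribeDBClusters")
    return {"Sid": "RDSDiscovery", "Effect": "Allow",
            "Action": actions, "Resource": "*"}

def build_policy(statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def wildcard_sids(policy):
    # Review helper: Sids whose Resource is still a bare "*".
    return [s["Sid"] for s in policy["Statement"] if s["Resource"] == "*"]

if __name__ == "__main__":
    # Constructed sample values: account id and cluster names are placeholders.
    arns = [eks_cluster_arn("us-west-2", "123456789012", "prod-eks"),
            eks_cluster_arn("eu-central-1", "123456789012", "*")]
    policy = build_policy(eks_statements(arns) + [rds_statement(aurora=False)])
    print(json.dumps(policy, indent=2), "\nstill wildcard:", wildcard_sids(policy))
```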

RDS Proxy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RDSProxyDiscovery",
            "Effect": "Allow",
            "Action": "rds:DescribeDBProxies",
            "Resource": "*"
        },
        {
            "Sid": "RDSProxyFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBProxyEndpoints",
                "rds:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement                Purpose
RDSProxyDiscovery        Discover RDS Proxies and register each proxy's default endpoint as a Teleport database.
RDSProxyFetchMetadata    Fetch metadata for discovered proxies to import AWS resource tags as Teleport database labels and register custom endpoints as Teleport databases.

Redshift

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RedshiftDiscovery",
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        }
    ]
}
Statement            Purpose
RedshiftDiscovery    Discover Amazon Redshift clusters.

Redshift Serverless

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RedshiftServerlessDiscovery",
            "Effect": "Allow",
            "Action": "redshift-serverless:ListWorkgroups",
            "Resource": "*"
        },
        {
            "Sid": "RedshiftServerlessFetchMetadata",
            "Effect": "Allow",
            "Action": [
                "redshift-serverless:ListEndpointAccess",
                "redshift-serverless:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
Statement                          Purpose
RedshiftServerlessDiscovery        Discover Redshift Serverless workgroups.
RedshiftServerlessFetchMetadata    Fetch metadata for discovered workgroups to import AWS tags as Teleport database labels and register any VPC endpoints as Teleport databases.
