This blog is where I organize the new technologies and information I come across while working as a developer. I have been lucky enough to work as a consultant on projects for large companies in the US, so I get many chances to encounter new technologies. I want to share information about the tools used in US IT projects with as many people as possible.
솔웅


Secure Calling AWS Services

2018. 12. 27. 10:16 | Posted by 솔웅





Secure Calling AWS DeepRacer and Other AWS Services

To run AWS DeepRacer securely, you must have appropriate security settings configured in your account. These settings allow you to call the AWS DeepRacer service, and allow the AWS DeepRacer service to call other AWS services on your behalf. To grant the necessary permissions, you work with IAM roles and policies.


If the IAM roles and policies for your account have not been created yet, the AWS DeepRacer console can create them for you with a single click. You can also create the required roles and policies manually with the IAM console or an SDK. The information in this section helps you understand what types of IAM roles and policies are needed, and what each of them grants.





AWS Services Accessed by AWS DeepRacer Directly or Indirectly


AWS DeepRacer uses the following AWS services to manage required resources:


Amazon S3

To store trained model artifacts in an Amazon S3 bucket.

AWS Lambda

To create and run the reward functions.

AWS CloudFormation

To create training jobs for AWS DeepRacer models.

Amazon SageMaker

To train the AWS DeepRacer models.

AWS RoboMaker

To simulate an environment for both training and evaluation.


AWS Lambda, AWS CloudFormation, Amazon SageMaker and AWS RoboMaker in turn use other AWS services, including CloudWatch and CloudWatch Logs.


The following table shows the AWS services used by AWS DeepRacer, directly or indirectly.



AWS services that AWS DeepRacer uses directly or indirectly (service principal: comments)

application-autoscaling: Indirectly called by Amazon SageMaker to automatically scale its operations.

cloudformation: Directly called by AWS DeepRacer to create training jobs for reinforcement learning models.

cloudwatch: Directly called by AWS DeepRacer to log its operations. Indirectly called by AWS RoboMaker and Amazon SageMaker to log their operations.

ec2: Indirectly called by AWS CloudFormation and Amazon SageMaker to create and run training jobs.

ecr: Indirectly called by AWS RoboMaker to work with Amazon Elastic Container Registry.

kinesisvideo: Directly called by AWS DeepRacer to view cached training streams. Indirectly called by AWS RoboMaker to cache training streams.

lambda: Directly called by AWS DeepRacer to create and run the reward functions.

logs: Directly called by AWS DeepRacer to log its operations. Indirectly called by AWS Lambda and AWS RoboMaker to log their operations.

robomaker: Directly called by AWS DeepRacer to render a virtual reinforcement learning environment in a simulation.

s3: Directly called by AWS DeepRacer to create, list, and delete buckets whose names start with "deepracer", and to download objects from, upload objects to, or delete objects from those buckets. Indirectly called by AWS RoboMaker to list a bucket whose name begins with "deepracer" and to read or write objects in it. Indirectly called by Amazon SageMaker to perform SageMaker-specific storage operations.

sagemaker: Directly called by AWS DeepRacer to train reinforcement learning models.


To use AWS DeepRacer and call these services, you must have appropriate IAM roles with the required policies attached. The details of these policies and roles are given in Identity and Access Management for AWS DeepRacer below.




Identity and Access Management for AWS DeepRacer





This section explains the IAM roles and policies required for you to use AWS DeepRacer: one role that the DeepRacer service itself assumes, and one role each for Lambda, SageMaker, RoboMaker and CloudFormation to assume when DeepRacer calls them on your behalf.



Permissions for Direct Access to AWS Services by AWS DeepRacer


The following IAM policy defines the permissions AWS DeepRacer needs to directly access the dependent AWS services. Note that it grants full access (service:*) to CloudFormation, RoboMaker, SageMaker, Step Functions and STS on every resource, while the Lambda, S3 and Kinesis Video grants are scoped to resource names containing "DeepRacer"/"deepracer" or starting with "dr-", and iam:PassRole is limited to roles whose names start with AWSDeepRacer.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "deepracer:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "robomaker:*",
                "sagemaker:*",
                "states:*",
                "sts:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/AWSDeepRacer*",
                "arn:aws:iam::*:role/service-role/AWSDeepRacer*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*DeepRacer*",
                "arn:aws:lambda:*:*:function:*Deepracer*",
                "arn:aws:lambda:*:*:function:*deepracer*",
                "arn:aws:lambda:*:*:function:*dr-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:PutObject",
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::*DeepRacer*",
                "arn:aws:s3:::*Deepracer*",
                "arn:aws:s3:::*deepracer*",
                "arn:aws:s3:::dr-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/DeepRacer": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesisvideo:CreateStream",
                "kinesisvideo:DeleteStream",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:GetDataEndpoint",
                "kinesisvideo:PutMedia",
                "kinesisvideo:TagStream"
            ],
            "Resource": [
                "arn:aws:kinesisvideo:*:*:stream/dr-*"
            ]
        }
    ]
}


The IAM role to which this policy is attached must have AWS DeepRacer as its trusted entity; that is, its trust policy must allow the deepracer.amazonaws.com service principal to call sts:AssumeRole, as in the following trust policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "deepracer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
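The permissions policy and trust policy above are what the console's one-click setup creates, so they are worth reading before clicking. The following audit is an added example written for this page (it is not AWS code and not part of the DeepRacer documentation). It embeds the two policy documents above as trimmed JSON so it runs offline, and reports three things a reviewer looks at first: every service-wide wildcard action granted on Resource "*" without a Condition (sts:* on "*" means the role may call any STS API, including sts:AssumeRole on any role whose own trust policy admits it), the role ARN patterns that iam:PassRole may hand to other services, and service principals in the trust policy that can assume the role with no Condition. Whether a given calling service supports narrowing its trust statement with aws:SourceAccount or aws:SourceArn is service-specific and not stated on this page, so the third check only reports the missing Condition and makes no claim beyond that.

```python
import json

# Added example, not part of the AWS DeepRacer documentation: a read-only audit of
# the direct-access policy and trust policy shown above. The JSON is the page's
# policy text, trimmed to the statements the checks look at.
DEEPRACER_POLICY = json.loads(r"""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["deepracer:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudformation:*", "robomaker:*", "sagemaker:*", "states:*", "sts:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/AWSDeepRacer*",
                      "arn:aws:iam::*:role/service-role/AWSDeepRacer*"]},
        {"Effect": "Allow",
         "Action": ["cloudwatch:GetMetricData", "logs:CreateLogGroup",
                    "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:GetLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/DeepRacer": "true"}}}
    ]
}
""")

DEEPRACER_TRUST = json.loads(r"""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Principal": {"Service": "deepracer.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ]
}
""")


def _as_list(value):
    """IAM allows Action, Resource and Service to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unconditional_service_wildcards(policy):
    """Actions of the form service:* (or *) that an Allow statement grants on
    Resource "*" with no Condition: every API of that service, on everything."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                found.append(action)
    return found


def passrole_targets(policy):
    """Role ARN patterns that iam:PassRole is allowed on, i.e. the roles this
    role may hand to another service (SageMaker, RoboMaker, ...)."""
    targets = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            targets.extend(_as_list(stmt.get("Resource")))
    return targets


def unconditioned_service_principals(trust_policy):
    """Service principals allowed to assume the role with no Condition on the
    trust statement. Support for aws:SourceAccount / aws:SourceArn conditions
    depends on the calling service, so this reports the absence only."""
    principals = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals.extend(_as_list(principal.get("Service")))
    return principals


def audit_report(policy, trust_policy):
    """Bundle the three checks into one dict, ready to print or assert on."""
    return {
        "service_wildcards": unconditional_service_wildcards(policy),
        "passrole_targets": passrole_targets(policy),
        "unconditioned_trust": unconditioned_service_principals(trust_policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(DEEPRACER_POLICY, DEEPRACER_TRUST), indent=2))
```

To run it against the live role instead of the embedded JSON, fetch the documents with `aws iam get-role` and `aws iam get-policy-version` (the role's trust policy is the `AssumeRolePolicyDocument` field) and pass the parsed dicts to `audit_report`; the checks need no AWS credentials themselves.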






Permissions for Indirect Access to AWS Services via AWS Lambda by AWS DeepRacer


For AWS DeepRacer to call Lambda to create and run the reward function of your AWS DeepRacer model, you must grant permissions that allow Lambda to call the AWS services that Lambda relies upon. Typically, this involves an IAM role that has Lambda as its trusted entity and a policy with the required permissions attached.


The AWS DeepRacer console can create this IAM role and its policy for you with a single click. For reference, the IAM policy attached to the role is the following; it grants nothing beyond writing to CloudWatch Logs:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}


The IAM role to which this policy is attached must have Lambda as its trusted entity, as shown in the following trust policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}




Permissions for Indirect Access to AWS Services via Amazon SageMaker by AWS DeepRacer


For AWS DeepRacer to call Amazon SageMaker to train a model, you must grant permissions that allow Amazon SageMaker to call the AWS services that it relies upon. Typically, this involves an IAM role that has Amazon SageMaker as its trusted entity and a policy with the required permissions attached.


The AWS DeepRacer console can create this IAM role and its policy for you with a single click. For reference, the IAM policy attached to the role is the following. Note that, unlike the DeepRacer role's policy, its iam:PassRole statement is on Resource "*" and is scoped only by the iam:PassedToService condition, so any role in the account may be passed as long as the receiving service is sagemaker.amazonaws.com:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "cloudwatch:PutMetricData",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcEndpoints",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:RegisterScalableTarget",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "sagemaker.amazonaws.com"
                }
            }
        }
    ]
}


The IAM role to which this policy is attached must have Amazon SageMaker as its trusted entity, as shown in the following trust policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sagemaker.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
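The two iam:PassRole statements on this page scope delegation in different ways: the DeepRacer policy restricts it by the name of the role being passed (arn:aws:iam::*:role/AWSDeepRacer*), while the SageMaker execution policy allows any role as long as iam:PassedToService is sagemaker.amazonaws.com. The s3:GetObject grant likewise comes in two forms, one matched on a bucket-name pattern and one matched on an object tag on any bucket. The following toy evaluator, added here and not taken from the AWS documentation, shows how those scopes decide concrete requests. It models only Allow/Deny, the "*" and "?" wildcards and the StringEquals, StringEqualsIgnoreCase and StringLike operators, and ignores SCPs, permission boundaries, resource policies and NotAction, so it illustrates the statements on this page rather than IAM in full. The account ID, role names and bucket names are made-up inputs.

```python
import re

# Added example, not from the AWS DeepRacer documentation. The statements below are
# copied from the policies on this page, trimmed to the PassRole and S3 grants.
DEEPRACER_STATEMENTS = [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::*:role/AWSDeepRacer*",
                  "arn:aws:iam::*:role/service-role/AWSDeepRacer*"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::*DeepRacer*", "arn:aws:s3:::*Deepracer*",
                  "arn:aws:s3:::*deepracer*", "arn:aws:s3:::dr-*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*",
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/DeepRacer": "true"}}},
]

SAGEMAKER_STATEMENTS = [
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters (including
    '/' and ':'), '?' matches one character, everything else is literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the request fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in expected]
            elif operator == "StringLike":
                ok = any(_glob_match(e, actual) for e in expected)
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True


def is_allowed(statements, action, resource, context=None):
    """Default deny; an explicit Deny wins over any Allow. Action names are
    case-insensitive in IAM, resource ARNs are matched case-sensitively."""
    context = context or {}
    allowed = False
    for stmt in statements:
        if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Made-up inputs for the demonstration (hypothetical account, roles and bucket).
ACCOUNT = "123456789012"
DR_ROLE = "arn:aws:iam::" + ACCOUNT + ":role/AWSDeepRacerSageMakerAccessRole"
ADMIN_ROLE = "arn:aws:iam::" + ACCOUNT + ":role/AdminRole"
TEAM_OBJECT = "arn:aws:s3:::team-models/model.tar.gz"

if __name__ == "__main__":
    # DeepRacer role: PassRole is scoped by the name of the role being passed.
    print(is_allowed(DEEPRACER_STATEMENTS, "iam:PassRole", DR_ROLE))      # True
    print(is_allowed(DEEPRACER_STATEMENTS, "iam:PassRole", ADMIN_ROLE))   # False
    # SageMaker role: PassRole is scoped only by the receiving service.
    print(is_allowed(SAGEMAKER_STATEMENTS, "iam:PassRole", ADMIN_ROLE,
                     {"iam:PassedToService": "sagemaker.amazonaws.com"}))  # True
    # A bucket without "deepracer" in its name is readable only via the object tag.
    print(is_allowed(DEEPRACER_STATEMENTS, "s3:GetObject", TEAM_OBJECT))   # False
    print(is_allowed(DEEPRACER_STATEMENTS, "s3:GetObject", TEAM_OBJECT,
                     {"s3:ExistingObjectTag/DeepRacer": "True"}))          # True
```

The practical reading: whoever can write object tags on a bucket can make any object in it readable to the DeepRacer, RoboMaker and SageMaker roles through the tag statement, and whoever controls the SageMaker execution role's callers can pass any role in the account to SageMaker. Both are consequences of the statements as written on this page, which is why tag-write and PassRole permissions deserve the same review as the policies themselves.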






Permissions for Indirect Access to AWS Services via AWS RoboMaker by AWS DeepRacer


For AWS DeepRacer to call AWS RoboMaker to render a virtual environment, you must grant permissions that allow AWS RoboMaker to call the AWS services that it relies upon. Typically, this involves an IAM role that has AWS RoboMaker as its trusted entity and an attached policy with the required permissions.


The AWS DeepRacer console can create this IAM role and its policy for you with a single click. For reference, the IAM policy attached to the role is the following; note that its CloudWatch Logs grant is scoped to the /aws/robomaker/SimulationJobs log group, while robomaker:* is granted on every resource:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "robomaker:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/robomaker/SimulationJobs",
                "arn:aws:logs:*:*:log-group:/aws/robomaker/SimulationJobs:log-stream:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::*DeepRacer*",
                "arn:aws:s3:::*Deepracer*",
                "arn:aws:s3:::*deepracer*",
                "arn:aws:s3:::dr-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/DeepRacer": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kinesisvideo:CreateStream",
                "kinesisvideo:DescribeStream",
                "kinesisvideo:GetDataEndpoint",
                "kinesisvideo:PutMedia",
                "kinesisvideo:TagStream"
            ],
            "Resource": [
                "arn:aws:kinesisvideo:*:*:stream/dr-*"
            ]
        }
    ]
}


The IAM role to which this policy is attached must have AWS RoboMaker as its trusted entity, as shown in the following trust policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "robomaker.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}




Permissions for Indirect Access to AWS Services via AWS CloudFormation by AWS DeepRacer


For AWS DeepRacer to call AWS CloudFormation to create a training job for your AWS DeepRacer model, you must grant permissions that allow AWS CloudFormation to call the AWS services that it relies upon. Typically, this involves an IAM role that has AWS CloudFormation as its trusted entity and an attached policy with the required permissions.


The AWS DeepRacer console can create this IAM role and its policy for you with a single click. For reference, the IAM policy attached to the role is the following. The EC2 permissions are the networking calls needed to build and tear down the VPC, subnets, gateways, route tables, network ACLs and security groups for the training stack, and they are granted on every resource in the account, not only on resources the stack creates:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AttachInternetGateway",
                "ec2:AssociateRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVpc",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        }
    ]
}


The IAM role to which this policy is attached must have AWS CloudFormation as its trusted entity, as shown in the following trust policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cloudformation.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

