Amazon Web Services managed policies for Amazon Trusted Advisor
Trusted Advisor has the following Amazon Web Services managed policies.
Amazon managed policy: AWSTrustedAdvisorPriorityFullAccess
Permissions details
In the first statement, this policy includes the following permissions for trustedadvisor:
- Describe your account and organization.
- Describe the identified risks for Trusted Advisor Priority. These permissions allow you to download risks and update their status.
- Describe the configuration of Trusted Advisor Priority email notifications. These permissions allow you to configure email notifications and to disable them for delegated administrators.
- Set up Trusted Advisor so that your account can enable Amazon Organizations.
In the second statement, this policy includes the following permissions for organizations:
- Describe your Trusted Advisor account and organization.
- List the Amazon Web Services that you have enabled to use with Organizations.
In the third statement, this policy includes the following permissions for organizations:
- List the delegated administrators for Trusted Advisor Priority.
- Enable and disable trusted access for Organizations.
In the fourth statement, this policy includes the following permissions for iam:
- Create the AWSServiceRoleForTrustedAdvisorReporting service-linked role.
In the fifth statement, this policy includes the following permissions for organizations:
- Allow you to register and deregister delegated administrators for Trusted Advisor Priority.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus",
        "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
Amazon managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess
Permissions details
In the first statement, this policy includes the following permissions for trustedadvisor:
- Describe your Trusted Advisor account and organization.
- Describe the identified risks for Trusted Advisor Priority and allow you to download them.
- Describe the configuration of Trusted Advisor Priority email notifications.
In the second and third statements, this policy includes the following permissions for organizations:
- Describe your organization with Organizations.
- List the Amazon Web Services that you have enabled to use with Organizations.
- List the delegated administrators for Trusted Advisor Priority.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
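The two Priority policies above differ mainly in the write actions and in the conditions that pin the Organizations actions to the Trusted Advisor reporting service principal. The following added example (written for this page, not AWS code) is a minimal evaluator for Allow statements that shows how those wildcards and conditions behave: it matches `*` in action and resource patterns, honours `StringEquals` and `StringLike`, and lists what the full-access policy grants beyond the read-only one. It models only what these two documents use (no Deny, NotAction or cross-policy interaction); the account ID and organization ARN in the examples are constructed values.

```python
"""Minimal evaluator for the Allow statements of an IAM managed policy.

Added example, not AWS code. Scope: '*' and '?' wildcards in Action and
Resource, plus the StringEquals and StringLike condition operators. Deny,
NotAction, NotResource and multi-policy interaction are deliberately absent.
The policy documents are the AWSTrustedAdvisorPriorityFullAccess and
AWSTrustedAdvisorPriorityReadOnlyAccess documents shown on this page.
"""
import fnmatch

TA_PRINCIPAL = "reporting.trustedadvisor.amazonaws.com"

FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus", "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "organizations:DescribeAccount", "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess", "organizations:DisableAWSServiceAccess"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/" + TA_PRINCIPAL
                 + "/AWSServiceRoleForTrustedAdvisorReporting",
     "Condition": {"StringLike": {"iam:AWSServiceName": TA_PRINCIPAL}}},
    {"Effect": "Allow", "Resource": "arn:aws:organizations::*:*", "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
]}

READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["organizations:ListDelegatedAdministrators"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """True if any pattern matches value; '*' and '?' are IAM wildcards."""
    if fold_case:  # action names are case-insensitive in IAM, ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    """Every operator and key must hold (AND); any listed value may match (OR)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:  # a missing key never satisfies these operators
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = _matches(_as_list(expected), actual, fold_case=False)
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """True if some Allow statement matches the action, resource and request context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, fold_case=False):
            continue
        if _condition_met(stmt.get("Condition", {}), context):
            return True
    return False


def extra_actions(policy, baseline):
    """Action patterns granted by policy but not by baseline (least-privilege review aid)."""
    def patterns(p):
        return {a for s in p["Statement"] for a in _as_list(s["Action"])}
    return sorted(patterns(policy) - patterns(baseline))


if __name__ == "__main__":
    # Constructed account and organization identifiers, not real ones.
    org_arn = "arn:aws:organizations::111122223333:account/o-exampleorgid/444455556666"
    ctx = {"organizations:ServicePrincipal": TA_PRINCIPAL}
    print(is_allowed(FULL_ACCESS, "organizations:RegisterDelegatedAdministrator", org_arn))
    print(is_allowed(FULL_ACCESS, "organizations:RegisterDelegatedAdministrator", org_arn, ctx))
    print(extra_actions(FULL_ACCESS, READ_ONLY))
```

The condition check is the part worth reading: `RegisterDelegatedAdministrator` is denied by the full-access policy unless the request names the Trusted Advisor reporting principal, so the policy cannot be used to delegate administration of some other service, and the service-linked-role statement is confined to the one role ARN on the page.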
Amazon managed policy: AWSTrustedAdvisorServiceRolePolicy
This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role. This role allows the service-linked role to perform actions for you. You can't attach AWSTrustedAdvisorServiceRolePolicy
This policy grants administrative permissions that allow the service-linked role to access Amazon Web Services. These permissions allow Trusted Advisor checks to evaluate your account.
Permissions details
This policy includes the following permissions.
- Auto Scaling – Describe Amazon EC2 Auto Scaling account quotas and resources
- cloudformation – Describe Amazon CloudFormation (CloudFormation) account quotas and stacks
- cloudfront – Describe Amazon CloudFront distributions
- cloudtrail – Describe Amazon CloudTrail (CloudTrail) trails
- dynamodb – Describe Amazon DynamoDB account quotas and resources
- ec2 – Describe Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources
- elasticloadbalancing – Describe Elastic Load Balancing (ELB) account quotas and resources
- iam – Get IAM resources, such as credential reports, password policies, and certificates
- kinesis – Describe Amazon Kinesis (Kinesis) account quotas
- rds – Describe Amazon Relational Database Service (Amazon RDS) resources
- redshift – Describe Amazon Redshift resources
- route53 – Describe Amazon Route 53 account quotas and resources
- s3 – Describe Amazon Simple Storage Service (Amazon S3) resources
- ses – Get Amazon Simple Email Service (Amazon SES) sending quotas
- sqs – List Amazon Simple Queue Service (Amazon SQS) queues
- cloudwatch – Get Amazon CloudWatch Events (CloudWatch Events) metric statistics
- ce – Get Cost Explorer Service (Cost Explorer) recommendations
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "cloudformation:DescribeAccountLimits",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "kinesis:DescribeLimits",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEvents",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "redshift:DescribeReservedNodeOfferings",
        "redshift:DescribeReservedNodes",
        "route53:GetAccountLimit",
        "route53:GetHealthCheck",
        "route53:GetHostedZone",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "ses:GetSendQuota",
        "sqs:ListQueues",
        "cloudwatch:GetMetricStatistics",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation"
      ],
      "Resource": "*"
    }
  ]
}
```
Amazon managed policy: AWSTrustedAdvisorReportingServiceRolePolicy
This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach AWSTrustedAdvisorReportingServiceRolePolicy
This policy grants administrative permissions that allow the service-linked role to perform Amazon Organizations actions.
Permissions details
This policy includes the following permissions.
- organizations – Describe your organization and list service access, accounts, parents, children, and organizational units
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
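Both service-linked-role policies above are described as administrative, yet every action they list is a Describe, Get, List or Generate call. When a managed policy is updated (see the change log below), a reviewer wants to confirm that property still holds. The following added example (written for this page, not AWS code) is a small read-only check over a policy document: it flags any action whose verb is not on an allow-list of read-level prefixes, including bare wildcards. The verb list is an assumption to tune per review, since IAM's own access-level classification, not the verb prefix, is authoritative. The first policy is the AWSTrustedAdvisorReportingServiceRolePolicy document from this page; the second is a constructed document with one write action, included for contrast.

```python
"""Flag non-read actions in an IAM policy document.

Added example, not AWS code. Verb-prefix matching is a heuristic; the
READ_VERBS allow-list is an assumption and should be reconciled with IAM's
access-level data before being relied on in a review.
"""

# Assumption: these verb prefixes are treated as read-level. "Generate" is
# included because iam:GenerateCredentialReport appears in the page's policy.
READ_VERBS = ("Describe", "Get", "List", "Generate")

# AWSTrustedAdvisorReportingServiceRolePolicy, as shown on this page.
REPORTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"],
     "Effect": "Allow", "Resource": "*"}]}

# Constructed policy for contrast: one read action, one write action, one wildcard.
CONSTRUCTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["organizations:ListAccounts",
                "organizations:EnableAWSServiceAccess",
                "organizations:*"]}]}


def allow_actions(policy):
    """Yield every action string from the policy's Allow statements."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        yield from (actions if isinstance(actions, list) else [actions])


def non_read_actions(policy):
    """Return actions whose verb is not a read-level prefix, plus wildcard verbs."""
    flagged = []
    for action in allow_actions(policy):
        _service, sep, verb = action.partition(":")
        # A missing verb, a bare '*' or a verb outside READ_VERBS is not provably read-only.
        if not sep or verb == "*" or not verb.startswith(READ_VERBS):
            flagged.append(action)
    return flagged


def is_read_only(policy):
    """True when no Allow action falls outside the read-level verb list."""
    return not non_read_actions(policy)


if __name__ == "__main__":
    print("reporting policy read-only:", is_read_only(REPORTING_POLICY))
    print("constructed policy flags:", non_read_actions(CONSTRUCTED_POLICY))
```

A verb pattern such as `Describe*` passes the prefix test, which is intended, while `organizations:*` is flagged because a wildcard verb can expand to write actions as the service adds them.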
Trusted Advisor updates to Amazon managed policies
View details about updates to the Amazon managed policies for Amazon Web Services Support and Trusted Advisor since these services began tracking those changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.
The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.
Trusted Advisor

| Change | Description | Date |
|---|---|---|
| AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess – New Amazon managed policies for Trusted Advisor | Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority. | August 17, 2022 |
| AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy | Trusted Advisor added new actions to grant what the Auto Scaling group health check and the Amazon S3 bucket permissions check need. | August 10, 2021 |
| Published change log | Change log for the Trusted Advisor managed policies. | August 10, 2021 |