Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich.
Berechtigungen zur Nutzung von AMS-Funktionen
Damit Ihre Benutzer AMS Accelerate-Funktionen lesen und konfigurieren können, z. B. den Zugriff auf die AMS-Konsole oder die Konfiguration von Backups, müssen Sie ihren IAM-Rollen explizite Berechtigungen zur Ausführung dieser Aktionen gewähren. Die folgende AWS CloudFormation Vorlage enthält die Richtlinien, die zum Lesen und Konfigurieren der mit AMS verbundenen Dienste erforderlich sind, sodass Sie sie Ihren IAM-Rollen zuweisen können. Sie sind so konzipiert, dass sie eng an die allgemeinen Aufgabenbereiche in der IT-Branche angepasst sind, wo Administrator- oder Nur-Lese-Berechtigungen erforderlich sind. Wenn Sie Benutzern jedoch unterschiedliche Berechtigungen gewähren müssen, können Sie die Richtlinie bearbeiten, um bestimmte Berechtigungen ein- oder auszuschließen. Zudem können Sie eine eigene benutzerdefinierte Richtlinie erstellen.
Die Vorlage enthält zwei Richtlinien. Die Richtlinie AMSAccelerateAdminAccess ist für die Einrichtung und den Betrieb der AMS Accelerate-Komponenten vorgesehen. Sie wird in der Regel von einem IT-Administrator übernommen und gewährt Berechtigungen zur Konfiguration von AMS-Funktionen wie Patching und Backups. Beachten Sie, dass sie dazu unter anderem support:* sowie ssm:SendCommand, ssm:StartSession und ssm:StartAutomationExecution auf alle Ressourcen (Resource "*") gewährt, also die Ausführung von Befehlen bzw. interaktiven Sitzungen auf allen per Systems Manager verwalteten Instances des Kontos erlaubt; weisen Sie sie daher nur Rollen zu, die diesen Umfang tatsächlich benötigen. Die Richtlinie AMSAccelerateReadOnly gewährt die Berechtigungen, die für die Anzeige von AMS Accelerate-bezogenen Ressourcen erforderlich sind. Sie ist jedoch nicht rein lesend: Für die Change-Record-Abfragen enthält sie auch amsssrv:*, athena:StartQueryExecution, athena:UpdateWorkGroup, s3:PutObject auf den Athena-Ergebnis-Bucket sowie kms:Encrypt, kms:Decrypt und kms:GenerateDataKey auf den AMS-CloudTrail-Schlüssel. Prüfen Sie beide Richtlinien vor der Zuweisung und entfernen Sie Anweisungen, die Ihre Benutzer nicht benötigen.
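# CloudFormation template: customer-managed IAM policies for AMS Accelerate.
# Both resources are IAM managed policies that you attach to your own IAM
# roles; nothing here creates roles or users.
#
# The policy documents are JSON strings passed through Fn::Sub, so YAML
# comments cannot be placed inside them. Notes on individual statements are
# kept here, keyed by the statement "Sid".
#
# AMSAccelerateAdminAccess (configure AMS features: patching, backups,
# alarm and tag configuration, change records):
#   - SupportPolicy grants support:* on "*", and SSMPolicy grants
#     ssm:SendCommand, ssm:StartSession and ssm:StartAutomationExecution on
#     Resource "*", i.e. command execution / interactive sessions on every
#     SSM-managed instance in the account. Attach only to roles that need
#     that scope, or narrow the Resource to the instances they manage.
#   - AmsBackupPolicy allows iam:PassRole on ams-backup-iam-role with no
#     iam:PassedToService condition, unlike AmsResourceSchedulerPassRolePolicy
#     which restricts the pass to ssm.amazonaws.com.
#     NOTE(review): confirm which service(s) this role must be passed to and
#     add the matching iam:PassedToService condition.
#   - AmsPatchRestrictAMSResources denies delete/update of patch baselines that
#     carry the ams:resourceOwner tag. Because the matching Allow in SSMPolicy
#     is on "*" (every region), the Deny uses a region wildcard as well; a Deny
#     scoped to ${AWS::Region} only would leave AMS-owned baselines in other
#     regions unprotected.
#   - AmsPatchRestrictAmsTags denies adding/removing tag keys that start with
#     AMS/Ams/ams so users cannot re-label AMS-owned resources.
#
# AMSAccelerateReadOnly (view AMS-related resources):
#   - Not strictly read-only: the Change Record statements grant
#     athena:StartQueryExecution, athena:UpdateWorkGroup and s3:PutObject* on
#     the Athena results bucket, kms:Encrypt/Decrypt/GenerateDataKey on the key
#     aliased AMSCloudTrailLogManagement, and AmsSelfServiceReport grants
#     amsssrv:*. Remove these statements if the role must not run queries.
#   - IAM action names are case-insensitive; the duplicate
#     "rds:describeDBSnapshots" (same action as "rds:DescribeDBSnapshots") was
#     dropped. The remaining mixed-case action names are kept as-is.
#
# Fn::ImportValue resolves only exports that exist in the same account and
# region, so this stack must be created after the AMS Alarm Manager and
# Resource Tagger configuration stacks that publish those exports.
AWSTemplateFormatVersion: 2010-09-09
Description: AMSAccelerateCustomerAccessPolicies
Resources:
  AMSAccelerateAdminAccess:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: AMSAccelerateAdminAccess
      Path: /
      PolicyDocument:
        Fn::Sub:
          - |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "AmsSelfServiceReport",
                  "Effect": "Allow",
                  "Action": "amsssrv:*",
                  "Resource": "*"
                },
                {
                  "Sid": "AmsBackupPolicy",
                  "Effect": "Allow",
                  "Action": "iam:PassRole",
                  "Resource": "arn:aws:iam::${AWS::AccountId}:role/ams-backup-iam-role"
                },
                {
                  "Sid": "AmsChangeRecordKMSPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                  ],
                  "Resource": [
                    "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
                  ],
                  "Condition": {
                    "ForAnyValue:StringLike": {
                      "kms:ResourceAliases": "alias/AMSCloudTrailLogManagement"
                    }
                  }
                },
                {
                  "Sid": "AmsChangeRecordAthenaReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "athena:BatchGetNamedQuery",
                    "athena:Get*",
                    "athena:List*",
                    "athena:StartQueryExecution",
                    "athena:UpdateWorkGroup",
                    "glue:GetDatabase*",
                    "glue:GetTable*",
                    "s3:GetAccountPublicAccessBlock",
                    "s3:ListAccessPoints",
                    "s3:ListAllMyBuckets"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AmsChangeRecordS3ReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "s3:Get*",
                    "s3:List*"
                  ],
                  "Resource": [
                    "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}",
                    "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*",
                    "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}",
                    "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}/*"
                  ]
                },
                {
                  "Sid": "AmsChangeRecordS3WritePolicy",
                  "Effect": "Allow",
                  "Action": [
                    "s3:PutObject",
                    "s3:PutObjectLegalHold",
                    "s3:PutObjectRetention"
                  ],
                  "Resource": [
                    "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*"
                  ]
                },
                {
                  "Sid": "MaciePolicy",
                  "Effect": "Allow",
                  "Action": [
                    "macie2:GetFindingStatistics"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "GuardDutyPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "guardduty:GetFindingsStatistics",
                    "guardduty:ListDetectors"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "SupportPolicy",
                  "Effect": "Allow",
                  "Action": "support:*",
                  "Resource": "*"
                },
                {
                  "Sid": "ConfigPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "config:Get*",
                    "config:Describe*",
                    "config:Deliver*",
                    "config:List*",
                    "config:StartConfigRulesEvaluation"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AppConfigReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "appconfig:List*",
                    "appconfig:Get*"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AppConfigPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "appconfig:StartDeployment",
                    "appconfig:StopDeployment",
                    "appconfig:CreateHostedConfigurationVersion",
                    "appconfig:ValidateConfiguration"
                  ],
                  "Resource": [
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSAlarmManagerConfigurationApplicationId}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSAlarmManagerConfigurationApplicationId}/configurationprofile/${AMSAlarmManagerConfigurationCustomerManagedAlarmsProfileID}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSAlarmManagerConfigurationApplicationId}/environment/*",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSResourceTaggerConfigurationApplicationId}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSResourceTaggerConfigurationApplicationId}/configurationprofile/${AMSResourceTaggerConfigurationCustomerManagedTagsProfileID}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSResourceTaggerConfigurationApplicationId}/environment/*",
                    "arn:aws:appconfig:*:${AWS::AccountId}:deploymentstrategy/*"
                  ]
                },
                {
                  "Sid": "CloudFormationStacksPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "cloudformation:DescribeStacks"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "EC2Policy",
                  "Effect": "Allow",
                  "Action": [
                    "ec2:DescribeInstances"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "SSMPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "ssm:AddTagsToResource",
                    "ssm:CancelCommand",
                    "ssm:CancelMaintenanceWindowExecution",
                    "ssm:CreateAssociation",
                    "ssm:CreateAssociationBatch",
                    "ssm:CreateMaintenanceWindow",
                    "ssm:CreateOpsItem",
                    "ssm:CreatePatchBaseline",
                    "ssm:DeleteAssociation",
                    "ssm:DeleteMaintenanceWindow",
                    "ssm:DeletePatchBaseline",
                    "ssm:DeregisterPatchBaselineForPatchGroup",
                    "ssm:DeregisterTargetFromMaintenanceWindow",
                    "ssm:DeregisterTaskFromMaintenanceWindow",
                    "ssm:Describe*",
                    "ssm:Get*",
                    "ssm:List*",
                    "ssm:PutConfigurePackageResult",
                    "ssm:RegisterDefaultPatchBaseline",
                    "ssm:RegisterPatchBaselineForPatchGroup",
                    "ssm:RegisterTargetWithMaintenanceWindow",
                    "ssm:RegisterTaskWithMaintenanceWindow",
                    "ssm:RemoveTagsFromResource",
                    "ssm:SendCommand",
                    "ssm:StartAssociationsOnce",
                    "ssm:StartAutomationExecution",
                    "ssm:StartSession",
                    "ssm:StopAutomationExecution",
                    "ssm:TerminateSession",
                    "ssm:UpdateAssociation",
                    "ssm:UpdateAssociationStatus",
                    "ssm:UpdateMaintenanceWindow",
                    "ssm:UpdateMaintenanceWindowTarget",
                    "ssm:UpdateMaintenanceWindowTask",
                    "ssm:UpdateOpsItem",
                    "ssm:UpdatePatchBaseline"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AmsPatchRestrictAMSResources",
                  "Effect": "Deny",
                  "Action": [
                    "ssm:DeletePatchBaseline",
                    "ssm:UpdatePatchBaseline"
                  ],
                  "Resource": [
                    "arn:aws:ssm:*:${AWS::AccountId}:patchbaseline/*"
                  ],
                  "Condition": {
                    "StringLike": {
                      "aws:ResourceTag/ams:resourceOwner": "*"
                    }
                  }
                },
                {
                  "Sid": "AmsPatchRestrictAmsTags",
                  "Effect": "Deny",
                  "Action": [
                    "ssm:AddTagsToResource",
                    "ssm:RemoveTagsFromResource"
                  ],
                  "Resource": "*",
                  "Condition": {
                    "ForAnyValue:StringLike": {
                      "aws:TagKeys": [
                        "AMS*",
                        "Ams*",
                        "ams*"
                      ]
                    }
                  }
                },
                {
                  "Sid": "TagReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "tag:GetResources",
                    "tag:GetTagKeys"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "CloudtrailReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:LookupEvents"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "EventBridgePolicy",
                  "Effect": "Allow",
                  "Action": [
                    "events:Describe*",
                    "events:List*",
                    "events:TestEventPattern"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "IAMReadOnlyPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "iam:ListRoles",
                    "iam:GetRole"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AmsResourceSchedulerPassRolePolicy",
                  "Effect": "Allow",
                  "Action": "iam:PassRole",
                  "Resource": "arn:aws:iam::${AWS::AccountId}:role/ams_resource_scheduler_ssm_automation_role",
                  "Condition": {
                    "StringEquals": {
                      "iam:PassedToService": "ssm.amazonaws.com"
                    }
                  }
                }
              ]
            }
          - AMSAlarmManagerConfigurationApplicationId: !ImportValue "AMS-Alarm-Manager-Configuration-ApplicationId"
            AMSAlarmManagerConfigurationCustomerManagedAlarmsProfileID: !ImportValue "AMS-Alarm-Manager-Configuration-CustomerManagedAlarms-ProfileID"
            AMSResourceTaggerConfigurationApplicationId: !ImportValue "AMS-ResourceTagger-Configuration-ApplicationId"
            AMSResourceTaggerConfigurationCustomerManagedTagsProfileID: !ImportValue "AMS-ResourceTagger-Configuration-CustomerManagedTags-ProfileID"
  AMSAccelerateReadOnly:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: AMSAccelerateReadOnly
      Path: /
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AmsSelfServiceReport",
              "Effect": "Allow",
              "Action": "amsssrv:*",
              "Resource": "*"
            },
            {
              "Sid": "AmsBackupPolicy",
              "Effect": "Allow",
              "Action": [
                "backup:Describe*",
                "backup:Get*",
                "backup:List*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "rds:DescribeDBSnapshots",
                "rds:ListTagsForResource",
                "rds:DescribeDBInstances",
                "rds:describeDBEngineVersions",
                "rds:describeOptionGroups",
                "rds:describeOrderableDBInstanceOptions",
                "rds:describeDBSubnetGroups",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBInstanceAutomatedBackups"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:ListBackups",
                "dynamodb:ListTables"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "elasticfilesystem:DescribeFilesystems"
              ],
              "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:describeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:GetResources"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "storagegateway:DescribeCachediSCSIVolumes",
                "storagegateway:DescribeStorediSCSIVolumes"
              ],
              "Resource": "arn:aws:storagegateway:*:*:gateway/*/volume/*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "storagegateway:ListGateways"
              ],
              "Resource": "arn:aws:storagegateway:*:*:*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:ListVolumes",
                "storagegateway:ListLocalDisks"
              ],
              "Resource": "arn:aws:storagegateway:*:*:gateway/*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:ListRoles",
                "iam:GetRole"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "organizations:DescribeOrganization",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "fsx:DescribeBackups",
              "Resource": "arn:aws:fsx:*:*:backup/*"
            },
            {
              "Effect": "Allow",
              "Action": "fsx:DescribeFileSystems",
              "Resource": "arn:aws:fsx:*:*:file-system/*"
            },
            {
              "Effect": "Allow",
              "Action": "ds:DescribeDirectories",
              "Resource": "*"
            },
            {
              "Sid": "AmsChangeRecordKMSPolicy",
              "Effect": "Allow",
              "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
              ],
              "Resource": [
                "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
              ],
              "Condition": {
                "ForAnyValue:StringLike": {
                  "kms:ResourceAliases": "alias/AMSCloudTrailLogManagement"
                }
              }
            },
            {
              "Sid": "AmsChangeRecordAthenaReadPolicy",
              "Effect": "Allow",
              "Action": [
                "athena:BatchGetNamedQuery",
                "athena:Get*",
                "athena:List*",
                "athena:StartQueryExecution",
                "athena:UpdateWorkGroup",
                "glue:GetDatabase*",
                "glue:GetTable*",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets"
              ],
              "Resource": "*"
            },
            {
              "Sid": "AmsChangeRecordS3ReadPolicy",
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*"
              ],
              "Resource": [
                "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}",
                "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*",
                "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}",
                "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}/*"
              ]
            },
            {
              "Sid": "AmsChangeRecordS3WritePolicy",
              "Effect": "Allow",
              "Action": [
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention"
              ],
              "Resource": [
                "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*"
              ]
            },
            {
              "Sid": "MaciePolicy",
              "Effect": "Allow",
              "Action": [
                "macie2:GetFindingStatistics"
              ],
              "Resource": "*"
            },
            {
              "Sid": "GuardDutyReadPolicy",
              "Effect": "Allow",
              "Action": [
                "guardduty:GetFindingsStatistics",
                "guardduty:ListDetectors"
              ],
              "Resource": "*"
            },
            {
              "Sid": "SupportReadPolicy",
              "Effect": "Allow",
              "Action": "support:Describe*",
              "Resource": "*"
            },
            {
              "Sid": "ConfigReadPolicy",
              "Effect": "Allow",
              "Action": [
                "config:Get*",
                "config:Describe*",
                "config:List*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "AppConfigReadPolicy",
              "Effect": "Allow",
              "Action": [
                "appconfig:List*",
                "appconfig:Get*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "CloudFormationReadPolicy",
              "Effect": "Allow",
              "Action": [
                "cloudformation:DescribeStacks"
              ],
              "Resource": "*"
            },
            {
              "Sid": "EC2ReadPolicy",
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeInstances"
              ],
              "Resource": "*"
            },
            {
              "Sid": "SSMReadPolicy",
              "Effect": "Allow",
              "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "TagReadPolicy",
              "Effect": "Allow",
              "Action": [
                "tag:GetResources",
                "tag:GetTagKeys"
              ],
              "Resource": "*"
            },
            {
              "Sid": "CloudtrailReadPolicy",
              "Effect": "Allow",
              "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents"
              ],
              "Resource": "*"
            },
            {
              "Sid": "EventBridgePolicy",
              "Effect": "Allow",
              "Action": [
                "events:Describe*",
                "events:List*",
                "events:TestEventPattern"
              ],
              "Resource": "*"
            }
          ]
        }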