Les traductions sont fournies par des outils de traduction automatique. En cas de conflit entre le contenu d'une traduction et celui de la version originale en anglais, la version anglaise prévaudra.
Configuration de just-in-time l'accès avec Systems Manager
La configuration de l'accès aux just-in-time nœuds avec Systems Manager impliquait plusieurs étapes. Vous devez d'abord choisir les cibles pour lesquelles vous souhaitez configurer l'accès aux just-in-time nœuds. Les cibles comprennent les unités AWS Organizations organisationnelles (OUs) et Régions AWS. Par défaut, les mêmes cibles que celles que vous avez choisies lors de la configuration de la console unifiée Systems Manager sont sélectionnées pour l'accès aux just-in-time nœuds. Vous pouvez choisir de configurer l'accès aux just-in-time nœuds pour toutes les mêmes cibles ou pour un sous-ensemble des cibles que vous avez spécifiées lors de la configuration de la console unifiée Systems Manager. L'ajout de nouvelles cibles qui n'ont pas été sélectionnées lors de la configuration de la console unifiée Systems Manager n'est pas pris en charge.
Vous allez ensuite créer des politiques d'approbation pour déterminer quand les connexions aux nœuds nécessitent une approbation manuelle et sont automatiquement approuvées. Les politiques d'approbation sont gérées par chaque compte de votre organisation. Vous pouvez également partager une politique depuis le compte administrateur délégué afin de refuser explicitement l'approbation automatique des connexions à des nœuds spécifiques.
Note
La configuration de l'accès aux just-in-time nœuds n'affecte pas les politiques ou préférences IAM existantes que vous avez configurées pour Session Manager. Vous devez supprimer les autorisations pour Session Manager des actions telles que StartSession celles issues de vos politiques IAM pour garantir que seul l'accès aux just-in-time nœuds est utilisé lorsque les utilisateurs tentent de se connecter à vos nœuds. Après avoir configuré l'accès aux just-in-time nœuds, nous vous recommandons de tester vos politiques d'approbation auprès d'un sous-ensemble d'utilisateurs et de nœuds afin de vérifier que vos politiques fonctionnent comme vous le souhaitez avant de supprimer les autorisations de Session Manager.
Les politiques IAM suivantes décrivent les autorisations nécessaires pour administrer et permettre aux utilisateurs de créer des demandes d'accès aux just-in-time nœuds avec Systems Manager. Après avoir vérifié que vous disposez des autorisations requises pour utiliser l'accès aux just-in-time nœuds avec Systems Manager, vous pouvez poursuivre le processus de configuration. Remplacez chaque example resource
placeholder par vos propres informations.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QuickSetupConfigurationManagers", "Effect": "Allow", "Action": [ "ssm-quicksetup:CreateConfigurationManager", "ssm-quicksetup:DeleteConfigurationManager", "ssm-quicksetup:GetConfiguration", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:GetServiceSettings", "ssm-quicksetup:ListConfigurationManagers", "ssm-quicksetup:ListConfigurations", "ssm-quicksetup:ListQuickSetupTypes", "ssm-quicksetup:ListTagsForResource", "ssm-quicksetup:TagResource", "ssm-quicksetup:UntagResource", "ssm-quicksetup:UpdateConfigurationDefinition", "ssm-quicksetup:UpdateConfigurationManager", "ssm-quicksetup:UpdateServiceSettings" ], "Resource": "*" }, { "Sid": "QuickSetupDeployments", "Effect": "Allow", "Action": [ "cloudformation:DescribeStackSetOperation", "cloudformation:ListStacks", "cloudformation:DescribeStacks", "cloudformation:DescribeStackResources", "cloudformation:ListStackSetOperations", "cloudformation:ListStackInstances", "cloudformation:DescribeStackSet", "cloudformation:ListStackSets", "cloudformation:DescribeStackInstance", "cloudformation:DescribeOrganizationsAccess", "cloudformation:ActivateOrganizationsAccess", "cloudformation:GetTemplate", "cloudformation:ListStackSetOperationResults", "cloudformation:DescribeStackEvents", "cloudformation:UntagResource", "ssm:DescribeAutomationExecutions", "ssm:GetAutomationExecution", "ssm:ListAssociations", "ssm:DescribeAssociation", "ssm:GetDocument", "ssm:ListDocuments", "ssm:DescribeDocument", "ssm:GetOpsSummary", "organizations:DeregisterDelegatedAdministrator", "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "organizations:ListRoots", "organizations:ListParents", "organizations:ListOrganizationalUnitsForParent", "organizations:DescribeOrganizationalUnit", "organizations:ListAWSServiceAccessForOrganization", "iam:ListRoles", "iam:ListRolePolicies", "iam:GetRole", "iam:CreatePolicy", "cloudformation:TagResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudformation:RollbackStack", "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-JITNA*", "arn:aws:cloudformation:*:*:stack/AWS-QuickSetup-*", "arn:aws:cloudformation:*:*:type/resource/*", "arn:aws:cloudformation:*:*:stack/StackSet-SSMQuickSetup" ] }, { "Sid": "StackSetOperations", "Effect": "Allow", "Action": [ "cloudformation:CreateStackSet", "cloudformation:UpdateStackSet", "cloudformation:DeleteStackSet", "cloudformation:DeleteStackInstances", "cloudformation:CreateStackInstances", "cloudformation:StopStackSetOperation" ], "Resource": [ "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-JITNA*", "arn:aws:cloudformation:*:*:type/resource/*", "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-JITNA*:*" ] }, { "Sid": "IamRolesMgmt", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:DetachRolePolicy", "iam:GetRolePolicy", "iam:ListRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/AWS-QuickSetup-JITNA*", "arn:aws:iam::*:role/service-role/AWS-QuickSetup-JITNA*" ] }, { "Sid": "IamPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/AWS-QuickSetup-JITNA*", "arn:aws:iam::*:role/service-role/AWS-QuickSetup-JITNA*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com", "ssm-quicksetup.amazonaws.com", "cloudformation.amazonaws.com" ] } } }, { "Sid": "SSMAutomationExecution", "Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "arn:aws:ssm:region:account id:automation-definition/AWS-EnableExplorer:*" }, { "Sid": "SSMAssociationPermissions", "Effect": "Allow", "Action": [ "ssm:DeleteAssociation", "ssm:CreateAssociation", "ssm:StartAssociationsOnce" ], "Resource": "arn:aws:ssm:region:account id:association/*" }, { "Sid": "SSMResourceDataSync", "Effect": "Allow", "Action": [ "ssm:CreateResourceDataSync", "ssm:UpdateResourceDataSync" ], "Resource": "arn:aws:ssm:region:account-id:resource-data-sync/AWS-QuickSetup-*" }, { "Sid": "ListResourceDataSync", "Effect": "Allow", "Action": [ "ssm:ListResourceDataSync" ], "Resource": "*" }, { "Sid": "CreateServiceLinkedRoles", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Condition": { "StringEquals": { "iam:AWSServiceName": [ "accountdiscovery.ssm.amazonaws.com", "ssm.amazonaws.com", "ssm-quicksetup.amazonaws.com", "stacksets.cloudformation.amazonaws.com" ] } }, "Resource": "*" }, { "Sid": "CreateStackSetsServiceLinkedRole", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin" }, { "Sid": "AllowSsmJitnaPoliciesCrudOperations", "Effect": "Allow", "Action": [ "ssm:CreateDocument", "ssm:UpdateDocument", "ssm:UpdateDocumentDefaultVersion", "ssm:GetDocument", "ssm:DescribeDocument", "ssm:DeleteDocument" ], "Resource": [ "arn:aws:ssm:region:account id:document/SSM-JustInTimeAccessDenyAccessOrgPolicy" ], "Condition": { "StringEquals": { "ssm:DocumentType": [ "AutoApprovalPolicy" ] } } }, { "Sid": "AllowAccessRequestOpsItemOperations", "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:DescribeOpsItems", "ssm:GetOpsSummary", "ssm:DeleteOpsItem", "ssm:ListOpsItemEvents" ], "Resource": "*" }, { "Sid": "IdentityCenterPermissions", "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:ListDirectoryAssociations", "identitystore:GetUserId", "identitystore:DescribeUser", "identitystore:DescribeGroup", "identitystore:ListGroupMembershipsForMember" ], "Resource": "*" } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSsmJitnaPoliciesCrudOperations", "Effect": "Allow", "Action": [ "ssm:CreateDocument", "ssm:UpdateDocument", "ssm:UpdateDocumentDefaultVersion", "ssm:GetDocument", "ssm:DescribeDocument", "ssm:DeleteDocument" ], "Resource": [ "arn:aws:ssm:region:account id:document/*" ], "Condition": { "StringEquals": { "ssm:DocumentType": [ "ManualApprovalPolicy", "AutoApprovalPolicy" ] } } }, { "Sid": "AllowSsmJitnaPoliciesListOperations", "Effect": "Allow", "Action": [ "ssm:ListDocuments", "ssm:ListDocumentVersions" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::account id:role/SSM-JustInTimeAccessTokenRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "justintimeaccess.ssm.amazonaws.com" ] } } }, { "Sid": "AllowAccessRequestOpsItemOperations", "Effect": "Allow", "Action": [ "ssm:GetOpsItem", "ssm:DescribeOpsItems", "ssm:GetOpsSummary", "ssm:DeleteOpsItem", "ssm:ListOpsItemEvents" ], "Resource": "*" }, { "Sid": "AllowSessionManagerPreferencesOperation", "Effect": "Allow", "Action": [ "ssm:CreateDocument", "ssm:GetDocument", "ssm:DescribeDocument", "ssm:UpdateDocument", "ssm:DeleteDocument" ], "Resource": "arn:aws:ssm:region:account id:document/SSM-SessionManagerRunShell", "Condition": { "StringEquals": { "ssm:DocumentType": "Session" } } }, { "Sid": "AllowSessionManagerOperations", "Effect": "Allow", "Action": [ "ssm:DescribeSessions", "ssm:GetConnectionStatus", "ssm:TerminateSession" ], "Resource": "*" }, { "Sid": "AllowRDPConnectionRecordingOperations", "Effect": "Allow", "Action": [ "ssm-guiconnect:UpdateConnectionRecordingPreferences", "ssm-guiconnect:GetConnectionRecordingPreferences", "ssm-guiconnect:DeleteConnectionRecordingPreferences" ], "Resource": "*" }, { "Sid": "AllowRDPConnectionRecordingKmsOperation", "Effect": "Allow", "Action": [ "kms:CreateGrant" ], "Resource": "arn:aws:kms:region:account id:key/*", "Condition": { "StringEquals": { "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged": "true" }, "StringLike": { "kms:ViaService": "ssm-guiconnect.*.amazonaws.com" }, "Bool": { "aws:ViaAWSService": "true" } } }, { "Sid": "AllowFleetManagerOperations", "Effect": "Allow", "Action": [ "ssm-guiconnect:GetConnection", "ssm-guiconnect:ListConnections" ], "Resource": "*" }, { "Sid": "SNSTopicManagement", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ], "Resource": [ "arn:aws:sns:region:account id:SSM-JITNA*" ] }, { "Sid": "SNSListTopics", "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": "*" }, { "Sid": "EventBridgeRuleManagement", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets" ], "Resource": [ "arn:aws:events:region:account id:rule/SSM-JITNA*" ] }, { "Sid": "ChatbotSlackManagement", "Effect": "Allow", "Action": [ "chatbot:CreateSlackChannelConfiguration", "chatbot:UpdateSlackChannelConfiguration", "chatbot:DescribeSlackChannelConfigurations", "chatbot:DescribeSlackWorkspaces", "chatbot:DeleteSlackChannelConfiguration", "chatbot:RedeemSlackOauthCode", "chatbot:DeleteSlackWorkspaceAuthorization", "chatbot:GetSlackOauthParameters" ], "Resource": "*" }, { "Sid": "ChatbotTeamsManagement", "Effect": "Allow", "Action": [ "chatbot:ListMicrosoftTeamsChannelConfigurations", "chatbot:CreateMicrosoftTeamsChannelConfiguration", "chatbot:UpdateMicrosoftTeamsChannelConfiguration", "chatbot:ListMicrosoftTeamsConfiguredTeams", "chatbot:DeleteMicrosoftTeamsChannelConfiguration", "chatbot:RedeemMicrosoftTeamsOauthCode", "chatbot:DeleteMicrosoftTeamsConfiguredTeam", "chatbot:GetMicrosoftTeamsOauthParameters", "chatbot:TagResource" ], "Resource": "*" }, { "Sid": "SSMEmailSettings", "Effect": "Allow", "Action": [ "ssm:UpdateServiceSetting", "ssm:GetServiceSetting" ], "Resource": [ "arn:aws:ssm:region:account id:servicesetting/ssm/access-request/email-role-mapping", "arn:aws:ssm:region:account id:servicesetting/ssm/access-request/enabled-email-notifications" ] }, { "Sid": "AllowViewingJitnaCloudWatchMetrics", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics" ], "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/SSM/JustInTimeAccess" } } }, { "Sid": "QuickSetupConfigurationManagers", "Effect": "Allow", "Action": [ "ssm-quicksetup:ListConfigurationManagers", "ssm-quicksetup:ListConfigurations", "ssm-quicksetup:ListQuickSetupTypes", "ssm-quicksetup:GetConfiguration", "ssm-quicksetup:GetConfigurationManager" ], "Resource": "*" }, { "Sid": "QuickSetupDeployments", "Effect": "Allow", "Action": [ "cloudformation:ListStacks", "cloudformation:DescribeStacks", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators" ], "Resource": "*" }, { "Sid": "ManualPolicy", "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "ssm:GetServiceSetting", "iam:ListRoles" ], "Resource": "*" }, { "Sid": "SessionPreference", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "AllowIamListForKMS", "Effect": "Allow", "Action": [ "iam:ListUsers" ], "Resource": "arn:aws:iam::account id:user/*" }, { "Sid": "KMSPermission", "Effect": "Allow", "Action": [ "kms:TagResource", "kms:ListAliases", "kms:CreateAlias" ], "Resource": "*" }, { "Sid": "KMSCreateKey", "Effect": "Allow", "Action": [ "kms:CreateKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/SystemsManagerJustInTimeNodeAccessManaged": "true" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "SystemsManagerJustInTimeNodeAccessManaged" ] } } }, { "Sid": "AllowIamRoleForChatbotAction", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::account id:role/role name", "Condition": { "StringEquals": { "iam:PassedToService": [ "chatbot.amazonaws.com" ] } } }, { "Sid": "AllowIamServiceRoleForChat", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::account id:role/aws-service-role/management.chatbot.amazonaws.com/AWSServiceRoleForAWSChatbot" }, { "Sid": "CloudWatchLogs", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": "arn:aws:logs:*:account id:log-group::log-stream:" }, { "Sid": "IdentityStorePermissions", "Effect": "Allow", "Action": [ "sso:ListDirectoryAssociations", "identitystore:GetUserId", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "identitystore:DescribeGroup", "identitystore:DescribeUser" ], "Resource": "*" } ] }
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccessRequestDescriptions", "Effect": "Allow", "Action": [ "ssm:DescribeOpsItems", "ssm:GetOpsSummary", "ssm:ListOpsItemEvents" ], "Resource": "*" }, { "Sid": "AllowGetSpecificAccessRequest", "Effect": "Allow", "Action": [ "ssm:GetOpsItem" ], "Resource": "arn:aws:ssm:region:account id:opsitem/*" }, { "Sid": "AllowApprovalRejectionSignal", "Effect": "Allow", "Action": [ "ssm:SendAutomationSignal" ], "Resource": "arn:aws:ssm:*:*:automation-execution/*", "Condition": { "StringEquals": { "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged": "true" } } }, { "Sid": "QuickSetupConfigurationManagers", "Effect": "Allow", "Action": [ "ssm-quicksetup:ListConfigurationManagers", "ssm-quicksetup:ListConfigurations", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:ListQuickSetupTypes", "ssm-quicksetup:GetConfiguration" ], "Resource": "*" }, { "Sid": "QuickSetupDeployments", "Effect": "Allow", "Action": [ "cloudformation:ListStacks", "cloudformation:DescribeStacks", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators" ], "Resource": "*" }, { "Sid": "AllowSsmJitnaPoliciesCrudOperations", "Effect": "Allow", "Action": [ "ssm:GetDocument", "ssm:DescribeDocument" ], "Resource": [ "arn:aws:ssm:region:account id:document/*" ], "Condition": { "StringEquals": { "ssm:DocumentType": [ "ManualApprovalPolicy", "AutoApprovalPolicy" ] } } }, { "Sid": "AllowSsmJitnaPoliciesListOperations", "Effect": "Allow", "Action": [ "ssm:ListDocuments", "ssm:ListDocumentVersions" ], "Resource": "*" }, { "Sid": "IDCPermissions", "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:ListDirectoryAssociations", "identitystore:GetUserId", "identitystore:DescribeUser", "identitystore:DescribeGroup", "identitystore:ListGroupMembershipsForMember" ], "Resource": "*" } ] }
{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowJITNAOperations", "Effect": "Allow", "Action": [ "ssm:StartAccessRequest", "ssm:GetAccessToken" ], "Resource": "*" }, { "Sid": "AllowOpsItemCreationAndRetrieval", "Effect": "Allow", "Action": [ "ssm:CreateOpsItem", "ssm:GetOpsItem" ], "Resource": "arn:aws:ssm:*:*:opsitem/*" }, { "Sid": "AllowListAccessRequests", "Effect": "Allow", "Action": [ "ssm:DescribeOpsItems", "ssm:GetOpsSummary", "ssm:ListOpsItemEvents", "ssm:DescribeSessions" ], "Resource": "*" }, { "Sid": "RequestManualApprovals", "Action": "ssm:StartAutomationExecution", "Effect": "Allow", "Resource": "arn:aws:ssm:*:*:document/*", "Condition": { "StringEquals": { "ssm:DocumentType": "ManualApprovalPolicy" } } }, { "Sid": "StartManualApprovalsAutomationExecution", "Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "arn:aws:ssm:*:*:automation-execution/*" }, { "Sid": "AllowManualApprovalAutomationExecutionTagging", "Effect": "Allow", "Action": [ "ssm:AddTagsToResource" ], "Resource": [ "arn:aws:ssm:*:*:automation-execution/*" ], "Condition": { "StringEquals": { "aws:RequestTag/SystemsManagerJustInTimeNodeAccessManaged": "true" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "SystemsManagerJustInTimeNodeAccessManaged" ] } } }, { "Sid": "CancelAccessRequestManualApproval", "Effect": "Allow", "Action": "ssm:StopAutomationExecution", "Resource": "arn:aws:ssm:*:*:automation-execution/*", "Condition": { "StringEquals": { "aws:ResourceTag/SystemsManagerJustInTimeNodeAccessManaged": "true" } } }, { "Sid": "DescribeEC2Instances", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:GetPasswordData" ], "Resource": "*" }, { "Sid": "AllowListSSMManagedNodesAndTags", "Effect": "Allow", "Action": [ "ssm:DescribeInstanceInformation", "ssm:ListTagsForResource" ], "Resource": "*" }, { "Sid": "QuickSetupConfigurationManagers", "Effect": "Allow", "Action": [ "ssm-quicksetup:ListConfigurationManagers", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:ListConfigurations", "ssm-quicksetup:ListQuickSetupTypes", "ssm-quicksetup:GetConfiguration" ], "Resource": "*" }, { "Sid": "AllowSessionManagerOperations", "Effect": "Allow", "Action": [ "ssm:DescribeSessions", "ssm:GetConnectionStatus" ], "Resource": "*" }, { "Sid": "AllowRDPOperations", "Effect": "Allow", "Action": [ "ssm-guiconnect:ListConnections", "ssm:GetConnectionStatus" ], "Resource": "*" }, { "Sid": "QuickSetupDeployments", "Effect": "Allow", "Action": [ "cloudformation:ListStacks", "cloudformation:DescribeStacks", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators" ], "Resource": "*" }, { "Sid": "AllowSsmJitnaPoliciesReadOnly", "Effect": "Allow", "Action": [ "ssm:GetDocument", "ssm:DescribeDocument" ], "Resource": [ "arn:aws:ssm:*:account id:document/*" ], "Condition": { "StringEquals": { "ssm:DocumentType": [ "ManualApprovalPolicy", "AutoApprovalPolicy" ] } } }, { "Sid": "AllowSsmJitnaPoliciesListOperations", "Effect": "Allow", "Action": [ "ssm:ListDocuments", "ssm:ListDocumentVersions" ], "Resource": "*" }, { "Sid": "ExploreNodes", "Effect": "Allow", "Action": [ "ssm:ListNodesSummary", "ssm:ListNodes", "ssm:DescribeInstanceProperties" ], "Resource": "*" }, { "Sid": "IdentityStorePermissions", "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:ListDirectoryAssociations", "identitystore:GetUserId", "identitystore:DescribeUser", "identitystore:DescribeGroup" ], "Resource": "*" } ] }
Note
Pour restreindre l'accès aux opérations d'API qui créent, mettent à jour ou suppriment des politiques d'approbation, utilisez la clé de ssm:DocumentType condition pour les types de ManualApprovalPolicy document AutoApprovalPolicy et. Les opérations StartAccessRequest et GetAccessToken API ne prennent pas en charge les clés de contexte globales suivantes :
-
lois : ViaAwsService
-
lois : MultiFactorAuthPresent
-
lois : SourceVpce
-
lois : UserAgent
Pour plus d'informations sur les clés contextuelles de condition pour Systems Manager, consultez la section Clés de condition pour AWS Systems Manager la référence d'autorisation de service.
La procédure suivante décrit comment effectuer la première étape de configuration pour l'accès aux just-in-time nœuds.
Pour configurer l'accès aux just-in-time nœuds
-
Connectez-vous au compte d'administrateur délégué de Systems Manager de votre organisation.
Ouvrez la AWS Systems Manager console à l'adresse https://console.aws.amazon.com/systems-manager/
. -
Sélectionnez Gérer l'accès aux nœuds dans le volet de navigation.
-
Sélectionnez Activer l'accès aux just-in-time nœuds.
-
Choisissez les régions dans lesquelles vous souhaitez activer l'accès aux just-in-time nœuds. Par défaut, les mêmes régions que celles que vous avez choisies lors de la configuration de la console unifiée Systems Manager sont sélectionnées pour l'accès aux just-in-time nœuds. Le choix de nouvelles régions qui n'ont pas été sélectionnées lors de la configuration de la console unifiée Systems Manager n'est pas pris en charge.
-
Sélectionnez Activer l'accès aux just-in-time nœuds.
L'utilisation de l'accès aux just-in-time nœuds pendant 30 jours après l'activation de la fonctionnalité est gratuite. Après la période d'essai de 30 jours, l'utilisation de l'accès aux just-in-time nœuds est payante. Pour plus d’informations, consultez Tarification d’AWS Systems Manager
