Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
AWSSSOMasterAccountAdministrator
Deskripsi: Menyediakan akses dalam AWS SSO untuk mengelola akun master dan anggota AWS Organisasi dan aplikasi cloud
AWSSSOMasterAccountAdministratoradalah kebijakan yang AWS dikelola.
Menggunakan kebijakan ini
Anda dapat melampirkan AWSSSOMasterAccountAdministrator ke pengguna, grup, dan peran Anda.
Detail kebijakan
-
Jenis: kebijakan AWS terkelola
-
Waktu pembuatan: 27 Juni 2018, 20:36 UTC
-
Waktu telah diedit: September 16, 2025, 19:49 UTC
-
ARN:
arn:aws:iam::aws:policy/AWSSSOMasterAccountAdministrator
Versi kebijakan
Versi kebijakan: v11 (default)
Versi default kebijakan adalah versi yang menentukan izin untuk kebijakan tersebut. Saat pengguna atau peran dengan kebijakan membuat permintaan untuk mengakses AWS sumber daya, AWS periksa versi default kebijakan untuk menentukan apakah akan mengizinkan permintaan tersebut.
Dokumen kebijakan JSON
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AWSSSOCreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO", "Condition" : { "StringLike" : { "iam:AWSServiceName" : "sso.amazonaws.com" } } }, { "Sid" : "AWSSSOMasterAccountAdministrator", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO", "Condition" : { "StringLike" : { "iam:PassedToService" : "sso.amazonaws.com" } } }, { "Sid" : "AWSSSOMemberAccountAdministrator", "Effect" : "Allow", "Action" : [ "ds:DescribeTrusts", "ds:UnauthorizeApplication", "ds:DescribeDirectories", "ds:AuthorizeApplication", "iam:ListPolicies", "organizations:EnableAWSServiceAccess", "organizations:ListRoots", "organizations:ListAccounts", "organizations:ListOrganizationalUnitsForParent", "organizations:ListAccountsForParent", "organizations:DescribeOrganization", "organizations:ListChildren", "organizations:DescribeAccount", "organizations:ListParents", "organizations:ListDelegatedAdministrators", "sso:*", "sso-directory:*", "identitystore:*", "identitystore-auth:*", "ds:CreateAlias", "access-analyzer:ValidatePolicy", "signin:CreateTrustedIdentityPropagationApplicationForConsole", "signin:ListTrustedIdentityPropagationApplicationsForConsole" ], "Resource" : "*" }, { "Sid" : "AWSSSOManageDelegatedAdministrator", "Effect" : "Allow", "Action" : [ "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator" ], "Resource" : "*", "Condition" : { "StringEquals" : { "organizations:ServicePrincipal" : "sso.amazonaws.com" } } }, { "Sid" : "AllowDeleteSyncProfile", "Effect" : "Allow", "Action" : [ "identity-sync:DeleteSyncProfile" ], "Resource" : [ "arn:aws:identity-sync:*:*:profile/*" ] }, { "Sid" : "AllowKMSKeyUseViaAWSIAMIdentityCenterService", "Effect" : "Allow", "Action" : [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt", "kms:Decrypt" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sso.*.amazonaws.com", "kms:EncryptionContext:aws:sso:instance-arn" : "*" } } }, { "Sid" : "AllowKMSKeyUseViaAWSIdentityStoreService", "Effect" : "Allow", "Action" : [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt", "kms:Decrypt" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "identitystore.*.amazonaws.com", "kms:EncryptionContext:aws:identitystore:identitystore-arn" : "*" } } }, { "Sid" : "AllowKMSKeyDiscovery", "Effect" : "Allow", "Action" : [ "kms:ListAliases", "kms:DescribeKey" ], "Resource" : "*" } ] }
Pelajari selengkapnya
