Autorizzazioni per l'utilizzo delle funzionalità AMS - Guida utente di AMS Accelerate

Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.

Autorizzazioni per l'utilizzo delle funzionalità AMS

Per consentire agli utenti di leggere e configurare le funzionalità di AMS Accelerate, come l'accesso alla console AMS o la configurazione dei backup, è necessario concedere ai rispettivi ruoli IAM autorizzazioni esplicite per eseguire tali azioni. Il seguente modello AWS CloudFormation contiene le politiche necessarie per leggere e configurare i servizi associati ad AMS, in modo da poterle assegnare ai ruoli IAM. Le politiche sono progettate per allinearsi strettamente alle responsabilità lavorative comuni nel settore IT, in cui sono richieste autorizzazioni di amministratore o di sola lettura; tuttavia, se è necessario concedere autorizzazioni diverse agli utenti, è possibile modificare la politica per includere o escludere autorizzazioni specifiche. È anche possibile creare policy personalizzate.

Il modello fornisce due politiche. La politica AMSAccelerateAdminAccess è pensata per configurare e utilizzare i componenti di AMS Accelerate. Questa politica viene in genere adottata da un amministratore IT e concede le autorizzazioni per configurare le funzionalità AMS, come l'applicazione di patch e i backup. La politica AMSAccelerateReadOnly concede le autorizzazioni minime richieste per la visualizzazione delle risorse relative ad AMS Accelerate.

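# Customer-side IAM managed policies for AMS Accelerate.
# Creates two policies that can be attached to IAM roles:
#   - AMSAccelerateAdminAccess : configure and operate AMS Accelerate features
#   - AMSAccelerateReadOnly    : view AMS Accelerate related resources
AWSTemplateFormatVersion: "2010-09-09"
Description: AMSAccelerateCustomerAccessPolicies
Resources:
  # Administrator policy.
  # Review notes for whoever attaches or customizes it:
  #   - SSMPolicy allows ssm:SendCommand, ssm:StartSession and
  #     ssm:StartAutomationExecution on Resource "*", i.e. command execution
  #     and interactive sessions on every SSM-managed instance in the account.
  #     Attach it only to roles that are meant to have that reach, and narrow
  #     the resources when customizing the policy.
  #   - AmsBackupPolicy scopes iam:PassRole to one role ARN but carries no
  #     iam:PassedToService condition, unlike AmsResourceSchedulerPassRolePolicy.
  #     NOTE(review): consider adding one when customizing - confirm the
  #     consuming service first.
  #   - The two Deny statements keep holders from changing patch baselines that
  #     carry an ams:resourceOwner tag and from adding or removing tag keys that
  #     start with AMS/Ams/ams on SSM resources.
  #   - iam:PassedToService must be the bare service principal
  #     (ssm.amazonaws.com); any other host-style value never matches and the
  #     PassRole grant silently stops working.
  #   - The four !ImportValue exports below must already exist in the account
  #     and region, otherwise stack creation fails.
  AMSAccelerateAdminAccess:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: AMSAccelerateAdminAccess
      Path: /
      PolicyDocument:
        Fn::Sub:
          - |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "AmsSelfServiceReport",
                  "Effect": "Allow",
                  "Action": "amsssrv:*",
                  "Resource": "*"
                },
                {
                  "Sid": "AmsBackupPolicy",
                  "Effect": "Allow",
                  "Action": "iam:PassRole",
                  "Resource": "arn:aws:iam::${AWS::AccountId}:role/ams-backup-iam-role"
                },
                {
                  "Sid": "AmsChangeRecordKMSPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                  ],
                  "Resource": [
                    "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
                  ],
                  "Condition": {
                    "ForAnyValue:StringLike": {
                      "kms:ResourceAliases": "alias/AMSCloudTrailLogManagement"
                    }
                  }
                },
                {
                  "Sid": "AmsChangeRecordAthenaReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "athena:BatchGetNamedQuery",
                    "athena:Get*",
                    "athena:List*",
                    "athena:StartQueryExecution",
                    "athena:UpdateWorkGroup",
                    "glue:GetDatabase*",
                    "glue:GetTable*",
                    "s3:GetAccountPublicAccessBlock",
                    "s3:ListAccessPoints",
                    "s3:ListAllMyBuckets"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AmsChangeRecordS3ReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "s3:Get*",
                    "s3:List*"
                  ],
                  "Resource": [
                    "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}",
                    "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*",
                    "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}",
                    "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}/*"
                  ]
                },
                {
                  "Sid": "AmsChangeRecordS3WritePolicy",
                  "Effect": "Allow",
                  "Action": [
                    "s3:PutObject",
                    "s3:PutObjectLegalHold",
                    "s3:PutObjectRetention"
                  ],
                  "Resource": [
                    "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*"
                  ]
                },
                {
                  "Sid": "MaciePolicy",
                  "Effect": "Allow",
                  "Action": [
                    "macie2:GetFindingStatistics"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "GuardDutyPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "guardduty:GetFindingsStatistics",
                    "guardduty:ListDetectors"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "SupportPolicy",
                  "Effect": "Allow",
                  "Action": "support:*",
                  "Resource": "*"
                },
                {
                  "Sid": "ConfigPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "config:Get*",
                    "config:Describe*",
                    "config:Deliver*",
                    "config:List*",
                    "config:StartConfigRulesEvaluation"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AppConfigReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "appconfig:List*",
                    "appconfig:Get*"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AppConfigPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "appconfig:StartDeployment",
                    "appconfig:StopDeployment",
                    "appconfig:CreateHostedConfigurationVersion",
                    "appconfig:ValidateConfiguration"
                  ],
                  "Resource": [
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSAlarmManagerConfigurationApplicationId}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSAlarmManagerConfigurationApplicationId}/configurationprofile/${AMSAlarmManagerConfigurationCustomerManagedAlarmsProfileID}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSAlarmManagerConfigurationApplicationId}/environment/*",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSResourceTaggerConfigurationApplicationId}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSResourceTaggerConfigurationApplicationId}/configurationprofile/${AMSResourceTaggerConfigurationCustomerManagedTagsProfileID}",
                    "arn:aws:appconfig:*:${AWS::AccountId}:application/${AMSResourceTaggerConfigurationApplicationId}/environment/*",
                    "arn:aws:appconfig:*:${AWS::AccountId}:deploymentstrategy/*"
                  ]
                },
                {
                  "Sid": "CloudFormationStacksPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "cloudformation:DescribeStacks"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "EC2Policy",
                  "Action": [
                    "ec2:DescribeInstances"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                },
                {
                  "Sid": "SSMPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "ssm:AddTagsToResource",
                    "ssm:CancelCommand",
                    "ssm:CancelMaintenanceWindowExecution",
                    "ssm:CreateAssociation",
                    "ssm:CreateAssociationBatch",
                    "ssm:CreateMaintenanceWindow",
                    "ssm:CreateOpsItem",
                    "ssm:CreatePatchBaseline",
                    "ssm:DeleteAssociation",
                    "ssm:DeleteMaintenanceWindow",
                    "ssm:DeletePatchBaseline",
                    "ssm:DeregisterPatchBaselineForPatchGroup",
                    "ssm:DeregisterTargetFromMaintenanceWindow",
                    "ssm:DeregisterTaskFromMaintenanceWindow",
                    "ssm:Describe*",
                    "ssm:Get*",
                    "ssm:List*",
                    "ssm:PutConfigurePackageResult",
                    "ssm:RegisterDefaultPatchBaseline",
                    "ssm:RegisterPatchBaselineForPatchGroup",
                    "ssm:RegisterTargetWithMaintenanceWindow",
                    "ssm:RegisterTaskWithMaintenanceWindow",
                    "ssm:RemoveTagsFromResource",
                    "ssm:SendCommand",
                    "ssm:StartAssociationsOnce",
                    "ssm:StartAutomationExecution",
                    "ssm:StartSession",
                    "ssm:StopAutomationExecution",
                    "ssm:TerminateSession",
                    "ssm:UpdateAssociation",
                    "ssm:UpdateAssociationStatus",
                    "ssm:UpdateMaintenanceWindow",
                    "ssm:UpdateMaintenanceWindowTarget",
                    "ssm:UpdateMaintenanceWindowTask",
                    "ssm:UpdateOpsItem",
                    "ssm:UpdatePatchBaseline"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "AmsPatchRestrictAMSResources",
                  "Effect": "Deny",
                  "Action": [
                    "ssm:DeletePatchBaseline",
                    "ssm:UpdatePatchBaseline"
                  ],
                  "Resource": [
                    "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:patchbaseline/*"
                  ],
                  "Condition": {
                    "StringLike": {
                      "aws:ResourceTag/ams:resourceOwner": "*"
                    }
                  }
                },
                {
                  "Sid": "AmsPatchRestrictAmsTags",
                  "Effect": "Deny",
                  "Action": [
                    "ssm:AddTagsToResource",
                    "ssm:RemoveTagsFromResource"
                  ],
                  "Resource": "*",
                  "Condition": {
                    "ForAnyValue:StringLike": {
                      "aws:TagKeys": [
                        "AMS*",
                        "Ams*",
                        "ams*"
                      ]
                    }
                  }
                },
                {
                  "Sid": "TagReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "tag:GetResources",
                    "tag:GetTagKeys"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "CloudtrailReadPolicy",
                  "Effect": "Allow",
                  "Action": [
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:LookupEvents"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "EventBridgePolicy",
                  "Effect": "Allow",
                  "Action": [
                    "events:Describe*",
                    "events:List*",
                    "events:TestEventPattern"
                  ],
                  "Resource": "*"
                },
                {
                  "Sid": "IAMReadOnlyPolicy",
                  "Action": [
                    "iam:ListRoles",
                    "iam:GetRole"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
                },
                {
                  "Sid": "AmsResourceSchedulerPassRolePolicy",
                  "Effect": "Allow",
                  "Action": "iam:PassRole",
                  "Resource": "arn:aws:iam::${AWS::AccountId}:role/ams_resource_scheduler_ssm_automation_role",
                  "Condition": {
                    "StringEquals": {
                      "iam:PassedToService": "ssm.amazonaws.com"
                    }
                  }
                }
              ]
            }
          - AMSAlarmManagerConfigurationApplicationId: !ImportValue "AMS-Alarm-Manager-Configuration-ApplicationId"
            AMSAlarmManagerConfigurationCustomerManagedAlarmsProfileID: !ImportValue "AMS-Alarm-Manager-Configuration-CustomerManagedAlarms-ProfileID"
            AMSResourceTaggerConfigurationApplicationId: !ImportValue "AMS-ResourceTagger-Configuration-ApplicationId"
            AMSResourceTaggerConfigurationCustomerManagedTagsProfileID: !ImportValue "AMS-ResourceTagger-Configuration-CustomerManagedTags-ProfileID"
  # Read-only policy.
  # Review notes:
  #   - Despite the name, a few statements are not pure reads: kms:Encrypt and
  #     kms:GenerateDataKey on keys aliased AMSCloudTrailLogManagement,
  #     athena:StartQueryExecution / athena:UpdateWorkGroup on "*", and
  #     s3:PutObject* on the athena-results bucket. Presumably these exist so
  #     change-record queries can be run and their results stored - confirm
  #     before treating a role with this policy as strictly non-mutating.
  #   - amsssrv:* is a service-wide wildcard, the same grant the admin policy has.
  #   - The first statements (RDS, DynamoDB, EFS, EC2, Storage Gateway, FSx, ...)
  #     carry no Sid; keep that in mind when referring to them in reviews.
  AMSAccelerateReadOnly:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: AMSAccelerateReadOnly
      Path: /
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AmsSelfServiceReport",
              "Effect": "Allow",
              "Action": "amsssrv:*",
              "Resource": "*"
            },
            {
              "Sid": "AmsBackupPolicy",
              "Effect": "Allow",
              "Action": [
                "backup:Describe*",
                "backup:Get*",
                "backup:List*"
              ],
              "Resource": "*"
            },
            {
              "Action": [
                "rds:DescribeDBSnapshots",
                "rds:ListTagsForResource",
                "rds:DescribeDBInstances",
                "rds:describeDBSnapshots",
                "rds:describeDBEngineVersions",
                "rds:describeOptionGroups",
                "rds:describeOrderableDBInstanceOptions",
                "rds:describeDBSubnetGroups",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBInstanceAutomatedBackups"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "dynamodb:ListBackups",
                "dynamodb:ListTables"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "elasticfilesystem:DescribeFilesystems"
              ],
              "Resource": "arn:aws:elasticfilesystem:*:*:file-system/*",
              "Effect": "Allow"
            },
            {
              "Action": [
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:describeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": [
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:GetResources"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "storagegateway:DescribeCachediSCSIVolumes",
                "storagegateway:DescribeStorediSCSIVolumes"
              ],
              "Resource": "arn:aws:storagegateway:*:*:gateway/*/volume/*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "storagegateway:ListGateways"
              ],
              "Resource": "arn:aws:storagegateway:*:*:*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:ListVolumes",
                "storagegateway:ListLocalDisks"
              ],
              "Resource": "arn:aws:storagegateway:*:*:gateway/*"
            },
            {
              "Action": [
                "iam:ListRoles",
                "iam:GetRole"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": "organizations:DescribeOrganization",
              "Resource": "*"
            },
            {
              "Action": "fsx:DescribeBackups",
              "Effect": "Allow",
              "Resource": "arn:aws:fsx:*:*:backup/*"
            },
            {
              "Action": "fsx:DescribeFileSystems",
              "Effect": "Allow",
              "Resource": "arn:aws:fsx:*:*:file-system/*"
            },
            {
              "Action": "ds:DescribeDirectories",
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Sid": "AmsChangeRecordKMSPolicy",
              "Effect": "Allow",
              "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
              ],
              "Resource": [
                "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*"
              ],
              "Condition": {
                "ForAnyValue:StringLike": {
                  "kms:ResourceAliases": "alias/AMSCloudTrailLogManagement"
                }
              }
            },
            {
              "Sid": "AmsChangeRecordAthenaReadPolicy",
              "Effect": "Allow",
              "Action": [
                "athena:BatchGetNamedQuery",
                "athena:Get*",
                "athena:List*",
                "athena:StartQueryExecution",
                "athena:UpdateWorkGroup",
                "glue:GetDatabase*",
                "glue:GetTable*",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets"
              ],
              "Resource": "*"
            },
            {
              "Sid": "AmsChangeRecordS3ReadPolicy",
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*"
              ],
              "Resource": [
                "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}",
                "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*",
                "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}",
                "arn:aws:s3:::ams-a${AWS::AccountId}-cloudtrail-${AWS::Region}/*"
              ]
            },
            {
              "Sid": "AmsChangeRecordS3WritePolicy",
              "Effect": "Allow",
              "Action": [
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention"
              ],
              "Resource": [
                "arn:aws:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*"
              ]
            },
            {
              "Sid": "MaciePolicy",
              "Effect": "Allow",
              "Action": [
                "macie2:GetFindingStatistics"
              ],
              "Resource": "*"
            },
            {
              "Sid": "GuardDutyReadPolicy",
              "Effect": "Allow",
              "Action": [
                "guardduty:GetFindingsStatistics",
                "guardduty:ListDetectors"
              ],
              "Resource": "*"
            },
            {
              "Sid": "SupportReadPolicy",
              "Effect": "Allow",
              "Action": "support:Describe*",
              "Resource": "*"
            },
            {
              "Sid": "ConfigReadPolicy",
              "Effect": "Allow",
              "Action": [
                "config:Get*",
                "config:Describe*",
                "config:List*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "AppConfigReadPolicy",
              "Effect": "Allow",
              "Action": [
                "appconfig:List*",
                "appconfig:Get*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "CloudFormationReadPolicy",
              "Effect": "Allow",
              "Action": [
                "cloudformation:DescribeStacks"
              ],
              "Resource": "*"
            },
            {
              "Sid": "EC2ReadPolicy",
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeInstances"
              ],
              "Resource": "*"
            },
            {
              "Sid": "SSMReadPolicy",
              "Effect": "Allow",
              "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "TagReadPolicy",
              "Effect": "Allow",
              "Action": [
                "tag:GetResources",
                "tag:GetTagKeys"
              ],
              "Resource": "*"
            },
            {
              "Sid": "CloudtrailReadPolicy",
              "Effect": "Allow",
              "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents"
              ],
              "Resource": "*"
            },
            {
              "Sid": "EventBridgePolicy",
              "Effect": "Allow",
              "Action": [
                "events:Describe*",
                "events:List*",
                "events:TestEventPattern"
              ],
              "Resource": "*"
            }
          ]
        }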