本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWSBackupGuardDutyRolePolicyForScans
描述:提供读取 AWS Backup 恢复点以进行恶意软件扫描的 GuardDuty 权限
AWSBackupGuardDutyRolePolicyForScans 是一项 AWS 托管式策略。
使用此策略
您可以将 AWSBackupGuardDutyRolePolicyForScans 附加到您的用户、组和角色。
策略详细信息
-
类型: AWS 托管策略
-
创建时间:世界标准时间 2025 年 11 月 20 日 03:34
-
编辑时间:世界标准时间 2025 年 11 月 20 日 03:34
-
ARN:
arn:aws:iam::aws:policy/AWSBackupGuardDutyRolePolicyForScans
策略版本
策略版本:v1(默认)
此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。
JSON 策略文档
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "EBSDirectReadAPIPermissions", "Effect" : "Allow", "Action" : [ "ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock" ], "Resource" : "arn:aws:ec2:*::snapshot/*", "Condition" : { "Null" : { "aws:ResourceTag/aws:backup:source-resource" : "false" }, "StringLike" : { "aws:ResourceTag/aws:backup:source-resource" : "*" } } }, { "Sid" : "CreateGrantForEncryptedVolumeCreation", "Effect" : "Allow", "Action" : "kms:CreateGrant", "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:EncryptionContext:aws:guardduty:id" : "snap-*", "kms:ViaService" : [ "guardduty.*.amazonaws.com", "backup.*.amazonaws.com" ] }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Decrypt", "CreateGrant", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ] }, "Null" : { "kms:GrantOperations" : "false" } } }, { "Sid" : "CreateGrantForReEncryptAndEBSDirect", "Effect" : "Allow", "Action" : "kms:CreateGrant", "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:EncryptionContext:aws:ebs:id" : "snap-*", "kms:ViaService" : [ "guardduty.*.amazonaws.com", "backup.*.amazonaws.com" ] }, "ForAllValues:StringEquals" : { "kms:GrantOperations" : [ "Decrypt", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ] }, "Null" : { "kms:GrantOperations" : "false" } } }, { "Sid" : "DescribeKeyPermissions", "Effect" : "Allow", "Action" : "kms:DescribeKey", "Resource" : "arn:aws:kms:*:*:key/*" }, { "Sid" : "EC2ReadAPIPermissions", "Effect" : "Allow", "Action" : [ "ec2:DescribeImages", "ec2:DescribeSnapshots" ], "Resource" : "*" }, { "Sid" : "ShareSnapshotPermissions", "Effect" : "Allow", "Action" : [ "ec2:ModifySnapshotAttribute" ], "Resource" : "arn:aws:ec2:*:*:snapshot/*", "Condition" : { "Null" : { "aws:ResourceTag/aws:backup:source-resource" : "false" }, "StringLike" : { "aws:ResourceTag/aws:backup:source-resource" : "*" } } }, { "Sid" : "ShareSnapshotKMSPermissions", "Effect" : "Allow", "Action" : [ "kms:ReEncryptTo", "kms:ReEncryptFrom" ], "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:EncryptionContext:aws:ebs:id" : [ "vol-*", "snap-*" ], "kms:ViaService" : "ec2.*.amazonaws.com" } } }, { "Sid" : "CreateBackupAccessPointPermissions", "Effect" : "Allow", "Action" : [ "backup:CreateBackupAccessPoint" ], "Resource" : "arn:aws:backup:*:*:recovery-point:*" }, { "Sid" : "ReadAndDeleteBackupAccessPointPermissions", "Effect" : "Allow", "Action" : [ "backup:DescribeBackupAccessPoint", "backup:DeleteBackupAccessPoint" ], "Resource" : "*" }, { "Sid" : "BackupRecoveryPointApiPermissions", "Effect" : "Allow", "Action" : [ "backup:DescribeRecoveryPoint" ], "Resource" : "arn:aws:backup:*:*:recovery-point:*" }, { "Sid" : "DecryptKMSEncryptedDataByAWSBackup", "Effect" : "Allow", "Action" : [ "kms:Decrypt" ], "Resource" : "arn:aws:kms:*:*:key/*", "Condition" : { "StringLike" : { "kms:EncryptionContext:aws:backup:backup-vault" : "*", "kms:ViaService" : "backup.*.amazonaws.com" } } } ] }
了解更多
