本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWSSSOMasterAccountAdministrator
描述:在 AWS SSO 中提供访问权限以管理 Organiz AWS ations 主账户和成员账户以及云应用程序
AWSSSOMasterAccountAdministrator 是一项 AWS 托管式策略。
使用此策略
您可以将 AWSSSOMasterAccountAdministrator 附加到您的用户、组和角色。
策略详细信息
-
类型: AWS 托管策略
-
创建时间:2018 年 6 月 27 日 20:36 UTC
-
编辑时间:世界标准时间 2025 年 9 月 16 日 19:49
-
ARN:
arn:aws:iam::aws:policy/AWSSSOMasterAccountAdministrator
策略版本
策略版本:v11(默认)
此策略的默认版本是定义策略权限的版本。当使用该策略的用户或角色请求访问 AWS 资源时, AWS 会检查策略的默认版本以确定是否允许该请求。
JSON 策略文档
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "AWSSSOCreateSLR", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO", "Condition" : { "StringLike" : { "iam:AWSServiceName" : "sso.amazonaws.com" } } }, { "Sid" : "AWSSSOMasterAccountAdministrator", "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO", "Condition" : { "StringLike" : { "iam:PassedToService" : "sso.amazonaws.com" } } }, { "Sid" : "AWSSSOMemberAccountAdministrator", "Effect" : "Allow", "Action" : [ "ds:DescribeTrusts", "ds:UnauthorizeApplication", "ds:DescribeDirectories", "ds:AuthorizeApplication", "iam:ListPolicies", "organizations:EnableAWSServiceAccess", "organizations:ListRoots", "organizations:ListAccounts", "organizations:ListOrganizationalUnitsForParent", "organizations:ListAccountsForParent", "organizations:DescribeOrganization", "organizations:ListChildren", "organizations:DescribeAccount", "organizations:ListParents", "organizations:ListDelegatedAdministrators", "sso:*", "sso-directory:*", "identitystore:*", "identitystore-auth:*", "ds:CreateAlias", "access-analyzer:ValidatePolicy", "signin:CreateTrustedIdentityPropagationApplicationForConsole", "signin:ListTrustedIdentityPropagationApplicationsForConsole" ], "Resource" : "*" }, { "Sid" : "AWSSSOManageDelegatedAdministrator", "Effect" : "Allow", "Action" : [ "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator" ], "Resource" : "*", "Condition" : { "StringEquals" : { "organizations:ServicePrincipal" : "sso.amazonaws.com" } } }, { "Sid" : "AllowDeleteSyncProfile", "Effect" : "Allow", "Action" : [ "identity-sync:DeleteSyncProfile" ], "Resource" : [ "arn:aws:identity-sync:*:*:profile/*" ] }, { "Sid" : "AllowKMSKeyUseViaAWSIAMIdentityCenterService", "Effect" : "Allow", "Action" : [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt", "kms:Decrypt" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "sso.*.amazonaws.com", "kms:EncryptionContext:aws:sso:instance-arn" : "*" } } }, { "Sid" : "AllowKMSKeyUseViaAWSIdentityStoreService", "Effect" : "Allow", "Action" : [ "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt", "kms:Decrypt" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : "identitystore.*.amazonaws.com", "kms:EncryptionContext:aws:identitystore:identitystore-arn" : "*" } } }, { "Sid" : "AllowKMSKeyDiscovery", "Effect" : "Allow", "Action" : [ "kms:ListAliases", "kms:DescribeKey" ], "Resource" : "*" } ] }
了解更多信息
