

This is a machine-translated version. If the content of this translation differs from the English original, the English original prevails.

# Migrate your policies in bulk using the console
<a name="migrate-granularaccess-console"></a>

**Note**  
The following AWS Identity and Access Management (IAM) actions reached the end of standard support in July 2023:  
`aws-portal` namespace
`purchase-orders:ViewPurchaseOrders`
`purchase-orders:ModifyPurchaseOrders`
If you use AWS Organizations, you can use the [bulk policy migrator scripts](migrate-iam-permissions.md) or the bulk policy migrator to update policies from your payer account. You can also use the [legacy-to-fine-grained action mapping reference](migrate-granularaccess-iam-mapping-reference.md) to verify which IAM actions you need to add.  
If your AWS account was created in, or joined, AWS Organizations on or after 11:00 AM (PDT) on March 6, 2023, the fine-grained actions are already in effect in your organization.

This section describes how to use the [AWS Billing and Cost Management console](https://console.aws.amazon.com/billing/) to migrate legacy policies in bulk from an organization account or a standard account to fine-grained actions. You can complete the migration of legacy policies in the console in two ways:

**Use the AWS recommended migration process**  
This is a streamlined, single-action process in which you migrate your legacy actions to the fine-grained actions that AWS has mapped. For more information, see [Migrate legacy policies in bulk using recommended actions](migrate-console-streamlined.md).

**Use a customized migration process**  
This process lets you review and change the actions AWS recommends before migrating in bulk, and customize which accounts in your organization to migrate. For more information, see [Customize the actions for migrating legacy policies in bulk](migrate-console-customized.md).

## Prerequisites for bulk migration using the console
<a name="migrate-granularaccess-console-prereq"></a>

Both migration options require you to give your consent in the console so that AWS can recommend fine-grained actions for the legacy IAM actions you have assigned. To do this, you need to sign in to your AWS account as an [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) that is granted the following IAM actions in order to proceed with updating policies.

------
#### [ Management account ]

```
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced",
"aws-portal:UpdateConsoleActionSetEnforced",
"purchase-orders:UpdateConsoleActionSetEnforced",
"iam:GetAccountAuthorizationDetails",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"scheduler:GetSchedule",
"scheduler:DeleteSchedule",
"scheduler:CreateSchedule",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackSets",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:ListStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:CreateStack",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:DescribeStacks",
"ec2:DescribeRegions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"sts:AssumeRole",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:GetInlinePolicyForPermissionSet",
"sso:DescribePermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ProvisionPermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
```

------
#### [ Member account or standard account ]

```
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced", // Not needed for member account
"aws-portal:UpdateConsoleActionSetEnforced", // Not needed for member account
"purchase-orders:UpdateConsoleActionSetEnforced", // Not needed for member account
"iam:GetAccountAuthorizationDetails",
"ec2:DescribeRegions",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
```

------
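Before starting either migration flow, it is worth confirming that the principal you sign in with actually holds the prerequisite actions listed above. The following Python is an added example, not AWS code: it evaluates an IAM policy document (a constructed sample here) against a subset of the member/standard-account prerequisite list, honouring wildcards and explicit denies, and reports what is missing.

```python
import fnmatch
import json
# Subset of the member/standard-account prerequisites listed on this page.
REQUIRED_ACTIONS = [
    "ce:GetConsoleActionSetEnforced",
    "aws-portal:GetConsoleActionSetEnforced",
    "purchase-orders:GetConsoleActionSetEnforced",
    "ce:UpdateConsoleActionSetEnforced",
    "aws-portal:UpdateConsoleActionSetEnforced",
    "purchase-orders:UpdateConsoleActionSetEnforced",
    "iam:GetAccountAuthorizationDetails",
    "s3:CreateBucket",
    "s3:PutBucketAcl",
]

def _as_list(value):
    """Action/NotAction may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(pattern, action):
    # IAM matches action names case-insensitively, with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _covers(stmt, action):
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False

def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant. Simplified: granted when an
    Allow statement matches and no Deny does; Resource/Condition are ignored."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample policy: s3:PutBucketAcl is denied, Update actions absent.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ce:*", "purchase-orders:Get*", "aws-portal:GetConsoleActionSetEnforced",
        "iam:GetAccountAuthorizationDetails", "s3:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:PutBucketAcl"}]})
```

Run `missing_actions` over the output of `aws iam get-account-authorization-details` or a single policy document to find the gaps before you open the migrator; extend `REQUIRED_ACTIONS` with the rest of the list for your account type.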

**Topics**
+ [Prerequisites for bulk migration using the console](#migrate-granularaccess-console-prereq)
+ [Migrate legacy policies in bulk using recommended actions](migrate-console-streamlined.md)
+ [Customize the actions for migrating legacy policies in bulk](migrate-console-customized.md)
+ [Roll back your bulk migration policy changes](migrate-console-rollback.md)
+ [Confirm your migration](#migrate-console-complete)

## Confirm your migration
<a name="migrate-console-complete"></a>

You can use the migration tool to check whether any AWS Organizations accounts still need to be migrated.

**To confirm that all accounts have been migrated**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose the **Migrate accounts** tab.

If no remaining accounts appear in the table, all accounts have been migrated successfully.