AWS适用于 的 托管式策略AWS Trusted Advisor - AWS 支持
AWSTrustedAdvisorPriorityFullAccess AWSTrustedAdvisorPriorityReadOnlyAccess AWSTrustedAdvisorServiceRolePolicy AWSTrustedAdvisorReportingServiceRolePolicy 策略更新

AWS适用于 的 托管式策略AWS Trusted Advisor

Trusted Advisor 具有以下 AWS 托管策略。

AWS 托管式策略:AWSTrustedAdvisorPriorityFullAccess

AWSTrustedAdvisorPriorityFullAccess 策略授予对 Trusted Advisor Priority 的完全访问权限。此策略还允许用户将 Trusted Advisor 添加为具有 AWS Organizations 受信任服务,并为 Trusted Advisor Priority 指定委派管理员帐户。

权限详细信息

在第一条语句中,此策略包含 trustedadvisor 的以下权限:

  • 描述您的账户和组织。

  • 描述 Trusted Advisor Priority 的已识别风险。这些权限允许您下载和更新风险状态。

  • 描述 Trusted Advisor Priority 电子邮件通知的配置。这些权限允许您配置电子邮件通知,并为委派管理员禁用这些通知。

  • 设置 Trusted Advisor 以便您的账户可以启用 AWS Organizations。

在第二条语句中,此策略包含 organizations 的以下权限:

  • 描述您的 Trusted Advisor 账户和组织。

  • 列出您为了使用 Organizations 以启用的 AWS 服务。

在第三条语句中,此策略包含 organizations 的以下权限:

  • 列出 Trusted Advisor Priority 的委派管理员。

  • 启用和禁用 Organizations 的受信任访问。

在第四条语句中,此策略包含 iam 的以下权限:

  • 创建 AWSServiceRoleForTrustedAdvisorReporting 服务关联角色。

在第五条语句中,此策略包含 organizations 的以下权限:

  • 允许您注册和注销 Trusted Advisor Priority 的委派管理员。

JSON
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityFullAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:UpdateRiskStatus",
				"trustedadvisor:DescribeNotificationConfigurations",
				"trustedadvisor:UpdateNotificationConfigurations",
				"trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
				"trustedadvisor:SetOrganizationAccess"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators",
				"organizations:EnableAWSServiceAccess",
				"organizations:DisableAWSServiceAccess"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AllowCreateServiceLinkedRole",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowRegisterDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:RegisterDelegatedAdministrator",
				"organizations:DeregisterDelegatedAdministrator"
			],
			"Resource": "arn:aws:organizations::*:*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}

AWS 托管式策略:AWSTrustedAdvisorPriorityReadOnlyAccess

AWSTrustedAdvisorPriorityReadOnlyAccess 策略授予 Trusted Advisor Priority 包括查看委派管理员帐户在内的权限。

权限详细信息

在第一条语句中,此策略包含 trustedadvisor 的以下权限:

  • 描述您的 Trusted Advisor 账户和组织。

  • 描述 Trusted Advisor Priority 的已识别风险并允许您下载这些风险。

  • 描述 Trusted Advisor Priority 电子邮件通知的配置。

在第二条和第三条语句中,此策略包含 organizations 的以下权限:

  • 使用 Organizations 描述您的组织。

  • 列出您为了使用 Organizations 以启用的 AWS 服务。

  • 列出 Trusted Advisor Priority 的委派管理员

JSON
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:DescribeNotificationConfigurations"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}

AWS 托管策略:AWSTrustedAdvisorServiceRolePolicy

此策略附加到 AWSServiceRoleForTrustedAdvisor 服务关联角色。此角色允许服务关联角色为您执行操作。您不能将 AWSTrustedAdvisorServiceRolePolicy 附加到您的 AWS Identity and Access Management(IAM)实体。有关更多信息,请参阅 将服务关联角色用于 Trusted Advisor

此策略授予管理权限,允许服务关联角色访问 AWS 服务。这些权限允许 Trusted Advisor 的检查来评估您的账户。

权限详细信息

该策略包含以下权限。

  • accessanalyzer – 描述 AWS Identity and Access Management Access Analyzer 资源

  • Auto Scaling – 描述 Amazon EC2 Auto Scaling 账户配额和资源

  • cloudformation – 描述 AWS CloudFormation (CloudFormation) 账户配额和堆栈

  • cloudfront – 描述 Amazon CloudFront 分发

  • cloudtrail – 描述 AWS CloudTrail (CloudTrail) 跟踪

  • dynamodb – 描述 Amazon DynamoDB 账户配额和资源

  • dynamodbaccelerator – 描述 DynamoDB Accelerator 资源

  • ec2 – 描述 Amazon Elastic Compute Cloud (Amazon EC2) 账户配额和资源

  • elasticloadbalancing - 描述弹性负载均衡(ELB)账户配额和资源

  • iam – 获取 IAM 资源,如证书、密码策略和证书

  • networkfirewall – 描述 AWS Network Firewall 资源

  • kinesis – 描述 Amazon Kinesis (Kinesis) 账户配额

  • rds – 描述 Amazon Relational Database Service (Amazon RDS) 资源

  • redshift – 描述 Amazon Redshift 资源

  • route53 – 描述 Amazon Route 53 账户配额和资源

  • s3 – 描述 Amazon Simple Storage Service (Amazon S3) 资源

  • ses – 获取 Amazon Simple Email Service (Amazon SES) 发送配额

  • sqs – 列出 Amazon Simple Queue Service (Amazon SQS) 队列

  • cloudwatch – 获取 Amazon CloudWatch Events (CloudWatch Events) 指标统计数据

  • ce – 获取 Cost Explorer 服务 (Cost Explorer) 建议

  • route53resolver – 获取 Amazon Route 53 Resolver Resolver 端点和资源

  • kafka – 获取 Amazon Managed Streaming for Apache Kafka 资源

  • ecs – 获取 Amazon ECS 资源

  • outposts – 获取 AWS Outposts 资源

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "TrustedAdvisorServiceRolePermissions",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ListAnalyzers",
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetEventSelectors",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dax:DescribeClusters",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeImages",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVolumes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:GetManagedPrefixListEntries",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTaskDefinitions",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "iam:ListSAMLProviders",
                "kinesis:DescribeLimits",
                "kafka:DescribeClusterV2",
                "kafka:ListClustersV2",
                "kafka:ListNodes",
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "outposts:GetOutpost",
                "outposts:ListAssets",
                "outposts:ListOutposts",
                "rds:DescribeAccountAttributes",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "redshift:DescribeReservedNodeOfferings",
                "redshift:DescribeReservedNodes",
                "route53:GetAccountLimit",
                "route53:GetHealthCheck",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:ListResolverEndpointIpAddresses",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "ses:GetSendQuota",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

AWS 托管策略:AWSTrustedAdvisorReportingServiceRolePolicy

此策略附加到 AWSServiceRoleForTrustedAdvisorReporting 服务关联角色,使 Trusted Advisor 能够执行组织视图功能的操作。您不能将 AWSTrustedAdvisorReportingServiceRolePolicy 附加到您的 IAM 实体。有关更多信息,请参阅 将服务关联角色用于 Trusted Advisor

此策略授予管理权限,允许服务关联角色执行 AWS Organizations 操作。

权限详细信息

该策略包含以下权限。

  • organizations – 描述您的组织并列出服务访问权限、账户、父级、子级和组织单位

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Trusted Advisor 更新了 AWS 托管式策略

查看有关 AWS 支持 和 Trusted Advisor 的 AWS 托管策略更新的详细信息(从这些服务开始跟踪这些更改开始)。要获得有关此页面更改的自动提示,请订阅 文档历史记录 页面上的 RSS 源。

下表介绍了自 2021 年 8 月 10 日以来对 Trusted Advisor 托管式策略的重要更新。

Trusted Advisor
更改 描述 日期

AWSTrustedAdvisorServiceRolePolicy

更新为现有策略。

Trusted Advisor 添加了新的操作来授予 elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeRules 权限。

 2024 年 10 月 30 日

AWSTrustedAdvisorServiceRolePolicy

更新为现有策略。

Trusted Advisor 添加了新的操作来授予 access-analyzer:ListAnalyzerscloudwatch:ListMetricsdax:DescribeClustersec2:DescribeNatGatewaysec2:DescribeRouteTablesec2:DescribeVpcEndpointsec2:GetManagedPrefixListEntrieselasticloadbalancing:DescribeTargetHealthiam:ListSAMLProviderskafka:DescribeClusterV2 network-firewall:ListFirewalls network-firewall:DescribeFirewallsqs:GetQueueAttributes 权限。

 2024 年 6 月 11 日

AWSTrustedAdvisorServiceRolePolicy

更新为现有策略。

Trusted Advisor 添加了新的操作来授予 cloudtrail:GetTrail cloudtrail:ListTrails cloudtrail:GetEventSelectors outposts:GetOutpostoutposts:ListAssetsoutposts:ListOutposts 权限。

 2024 年 1 月 18 日

AWSTrustedAdvisorPriorityFullAccess

更新为现有策略。

Trusted Advisor 更新了 AWSTrustedAdvisorPriorityFullAccess AWS 托管策略以包含语句 ID。

 2023 年 12 月 6 日

AWSTrustedAdvisorPriorityReadOnlyAccess

更新为现有策略。

Trusted Advisor 更新了 AWSTrustedAdvisorPriorityReadOnlyAccess AWS 托管策略以包含语句 ID。

 2023 年 12 月 6 日

AWSTrustedAdvisorServiceRolePolicy – 对现有策略的更新

Trusted Advisor 添加了新的操作来授予 ec2:DescribeRegions s3:GetLifecycleConfiguration ecs:DescribeTaskDefinitionecs:ListTaskDefinitions 权限。

 2023 年 11 月 9 日

AWSTrustedAdvisorServiceRolePolicy – 对现有策略的更新

Trusted Advisor 将新 IAM 操作 route53resolver:ListResolverEndpointsroute53resolver:ListResolverEndpointIpAddressesec2:DescribeSubnetskafka:ListClustersV2kafka:ListNodes 添加到新加入的恢复能力检查。

 2023 年 9 月 14 日

AWSTrustedAdvisorReportingServiceRolePolicy

V2 的托管策略附加到 Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting 服务关联角色

将 Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting 服务关联角色的 AWS 托管策略升级到 V2。V2 将再添加一个 IAM 操作 organizations:ListDelegatedAdministrators

2023 年 2 月 28 日

AWSTrustedAdvisorPriorityFullAccessAWSTrustedAdvisorPriorityReadOnlyAccess

用于 Trusted Advisor 的新 AWS 托管策略

Trusted Advisor 添加了两个新的托管策略,您可以使用这些策略来控制对 Trusted Advisor Priority 的访问权限。

2022 年 8 月 17 日

AWSTrustedAdvisorServiceRolePolicy – 对现有策略的更新

Trusted Advisor 添加了新的操作来授予 DescribeTargetGroupsGetAccountPublicAccessBlock 权限。

Auto Scaling 组运行状况检查需要 DescribeTargetGroup 权限,以检索附加到 Auto Scaling 组的非经典负载均衡器。

Amazon S3 存储桶权限检查需要 GetAccountPublicAccessBlock 权限以检索 AWS 账户 的阻止公有访问设置。

 2021 年 8 月 10 日

已发布的更改日志

Trusted Advisor 为其 AWS 托管式策略开启了跟踪更改。

 2021 年 8 月 10 日