本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 适用于 Identity and Access 管理 AWS Compute Optimizer
您可以使用 AWS Identity and Access Management (IAM) 创建身份(用户、群组或角色),并授予这些身份访问 AWS Compute Optimizer 控制台和的权限 APIs。
默认情况下,IAM 用户无权访问 Compute Optimizer 控制台,而且。 APIs通过将 IAM 策略附加到单一用户、一组用户或角色,可授予用户访问权限。有关更多信息,请参阅[身份(用户、组和角色)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)以及[《IAM 用户指南》中的 IAM 策略概述](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html)。
创建 IAM 用户以后,您可以为这些用户提供单独的密码。然后,他们可以使用特定于账户的登录页面登录账户并查看 Compute Optimizer 信息。有关更多信息,请参阅[用户如何登录您的账户](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_how-users-sign-in.html)。
**重要**
要查看针对 EC2 实例的建议,IAM 用户需要 `ec2:DescribeInstances` 权限。
要查看针对 EBS 卷的建议,IAM 用户需要 `ec2:DescribeVolumes` 权限。
要查看针对 EC2 Auto Scaling 群组的建议,IAM 用户需要`autoscaling:DescribeAutoScalingGroups`和`autoscaling:DescribeAutoScalingInstances`权限。
要查看针对 Lambda 函数的建议,IAM 用户需要 `lambda:ListFunctions` 和 `lambda:ListProvisionedConcurrencyConfigs` 权限。
要查看针对 Fargate 上 Amazon ECS 服务的建议,IAM 用户需要 `ecs:ListServices` 和 `ecs:ListClusters` 权限。
要在 Compute Optimizer 控制台中查看当前 CloudWatch 指标数据,IAM 用户需要该`cloudwatch:GetMetricData`权限。
要查看建议商用软件许可证,需要特定 Amazon EC2 实例角色和 IAM 用户权限。有关更多信息,请参阅[启用商用软件许可证建议的策略](#license-access)。
要查看 Amazon RDS 的建议,IAM 用户需要 `rds:DescribeDBInstances` 和 `rds:DescribeDBClusters` 权限。
如果您想要授予权限的用户或组已拥有策略,则可将此处所示特定于 Compute Optimizer 的一条策略语句添加到该策略。
**Topics**
+ [的可信访问权限 AWS Organizations](#trusted-service-access)
+ [Compute Optimizer 的策略示例](#CO-policy-examples)
+ [自动化的策略示例](#COA-policy-example)
+ [其他资源](#iam-resources)
## 的可信访问权限 AWS Organizations
当您选择加入组织的管理账户并包括组织内的所有成员账户时,您的组织账户中将自动启用 Compute Optimizer 的可信访问权限。这可使 Compute Optimizer 分析这些成员账户中的计算资源,并为其生成建议。
每次访问针对成员账户的建议时,Compute Optimizer 都会验证您的组织账户中是否已启用可信访问权限。如果您在选择加入后禁用 Compute Optimizer 可信访问权限,则 Compute Optimizer 会拒绝访问针对组织成员账户的建议。此外,组织内的成员账户不会选择加入 Compute Optimizer。要重新启用可信访问权限,请使用组织的管理账户再次选择加入 Compute Optimizer,并将组织内的所有成员账户包括在内。有关更多信息,请参阅 [选择加入 AWS Compute Optimizer](account-opt-in.md)。有关 AWS Organizations 可信访问的更多信息,请参阅《*AWS Organizations 用户指南》*中的[AWS Organizations 与其他 AWS 服务一起使用](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html)。
## Compute Optimizer 的策略示例
**Topics**
+ [选择加入 Compute Optimizer 的策略](#opting-in-access)
+ [授予独立版 Compute Optimizer 访问权限的策略 AWS 账户](#standalone-account-access)
+ [向组织管理账户授予对 Compute Optimizer 的访问权限的策略](#organization-account-access)
+ [授予管理 Compute Optimizer 建议首选项的权限的策略](#enhanced-infrastructure-metrics-permissions)
+ [启用商用软件许可证建议的策略](#license-access)
+ [拒绝访问 Compute Optimizer 的策略](#deny-access)
### 选择加入 Compute Optimizer 的策略
此策略语句授予以下权限:
+ 选择加入 Compute Optimizer 的访问权限。
+ 为 Compute Optimizer 创建服务相关角色的访问权限。有关更多信息,请参阅 [将服务相关角色用于 AWS Compute Optimizer](using-service-linked-roles.md)。
+ 更新 Compute Optimizer 服务的注册状态的访问权限。
**重要**
需要此 IAM 角色才能选择加入 AWS Compute Optimizer。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
"Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": "iam:PutRolePolicy",
"Resource": "arn:aws:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
},
{
"Effect": "Allow",
"Action": "compute-optimizer:UpdateEnrollmentStatus",
"Resource": "*"
}
]
}
```
------
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
"Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": "iam:PutRolePolicy",
"Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
},
{
"Effect": "Allow",
"Action": "compute-optimizer:UpdateEnrollmentStatus",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "organizations:DescribeOrganization",
"Resource": "*"
}
]
}
```
------
### 授予独立版 Compute Optimizer 访问权限的策略 AWS 账户
以下策略语句将向独立 AWS 账户授予对 Compute Optimizer 的完全访问权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:*",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ecs:ListServices",
"ecs:ListClusters",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"lambda:ListFunctions",
"lambda:ListProvisionedConcurrencyConfigs",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
```
------
以下策略语句将授予独立 AWS 账户对 Compute Optimizer 的只读访问权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:GetEnrollmentStatus",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetRecommendationPreferences",
"compute-optimizer:GetRecommendationSummaries",
"compute-optimizer:GetEC2InstanceRecommendations",
"compute-optimizer:GetEC2RecommendationProjectedMetrics",
"compute-optimizer:GetAutoScalingGroupRecommendations",
"compute-optimizer:GetEBSVolumeRecommendations",
"compute-optimizer:GetLambdaFunctionRecommendations",
"compute-optimizer:DescribeRecommendationExportJobs",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetRecommendationPreferences",
"compute-optimizer:GetECSServiceRecommendations",
"compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
"compute-optimizer:GetRDSDatabaseRecommendations",
"compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
"compute-optimizer:GetIdleRecommendations",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ecs:ListServices",
"ecs:ListClusters",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"lambda:ListFunctions",
"lambda:ListProvisionedConcurrencyConfigs",
"cloudwatch:GetMetricData",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters"
],
"Resource": "*"
}
]
}
```
------
### 向组织管理账户授予对 Compute Optimizer 的访问权限的策略
以下策略语句将向组织的管理账户授予对 Compute Optimizer 的完全访问权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:*",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ecs:ListServices",
"ecs:ListClusters",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"lambda:ListFunctions",
"lambda:ListProvisionedConcurrencyConfigs",
"cloudwatch:GetMetricData",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:DescribeAccount",
"organizations:EnableAWSServiceAccess",
"organizations:ListDelegatedAdministrators",
"organizations:RegisterDelegatedAdministrator",
"organizations:DeregisterDelegatedAdministrator"
],
"Resource": "*"
}
]
}
```
------
以下策略语句将向组织的管理账户授予对 Compute Optimizer 的只读访问权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:GetEnrollmentStatus",
"compute-optimizer:GetEnrollmentStatusesForOrganization",
"compute-optimizer:GetRecommendationSummaries",
"compute-optimizer:GetEC2InstanceRecommendations",
"compute-optimizer:GetEC2RecommendationProjectedMetrics",
"compute-optimizer:GetAutoScalingGroupRecommendations",
"compute-optimizer:GetEBSVolumeRecommendations",
"compute-optimizer:GetLambdaFunctionRecommendations",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetRecommendationPreferences",
"compute-optimizer:GetECSServiceRecommendations",
"compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
"compute-optimizer:GetRDSDatabaseRecommendations",
"compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
"compute-optimizer:GetIdleRecommendations",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ecs:ListServices",
"ecs:ListClusters",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"lambda:ListFunctions",
"lambda:ListProvisionedConcurrencyConfigs",
"cloudwatch:GetMetricData",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:DescribeAccount",
"organizations:ListDelegatedAdministrators",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters"
],
"Resource": "*"
}
]
}
```
------
### 授予管理 Compute Optimizer 建议首选项的权限的策略
以下策略语句将授予查看和编辑建议首选项的权限。
**仅向 EC2 实例授予管理建议首选项的权限**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:DeleteRecommendationPreferences",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetRecommendationPreferences",
"compute-optimizer:PutRecommendationPreferences"
],
"Resource": "*",
"Condition" : {
"StringEquals" : {
"compute-optimizer:ResourceType" : "Ec2Instance"
}
}
}
]
}
```
------
**仅向 EC2 Auto Scaling 群组授予管理推荐首选项的访问权限**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:DeleteRecommendationPreferences",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetRecommendationPreferences",
"compute-optimizer:PutRecommendationPreferences"
],
"Resource": "*",
"Condition" : {
"StringEquals" : {
"compute-optimizer:ResourceType" : "AutoScalingGroup"
}
}
}
]
}
```
------
**仅授予管理 RDS 实例建议首选项的访问权限**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"compute-optimizer:DeleteRecommendationPreferences",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"compute-optimizer:GetRecommendationPreferences",
"compute-optimizer:PutRecommendationPreferences"
],
"Resource": "*",
"Condition" : {
"StringEquals" : {
"compute-optimizer:ResourceType" : "RdsDBInstance"
}
}
}
]
}
```
------
### 启用商用软件许可证建议的策略
要让 Compute Optimizer 生成许可证建议,请附加以下 Amazon EC2 实例角色和策略。
+ 用于启用 Systems Manager 的 `AmazonSSMManagedInstanceCore` 角色。有关更多信息,请参阅**《AWS Systems Manager 用户指南》中的 [AWS Systems Manager 基于身份的策略示例](https://docs.aws.amazon.com//systems-manager/latest/userguide/security_iam_id-based-policy-examples)。
+ `CloudWatchAgentServerPolicy`允许向其发布实例指标和日志的策略 CloudWatch。有关更多信息,请参阅 A *mazon [用户指南中的创建用于 CloudWatch 代理的 IAM 角色和](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent) CloudWatch 用户*。
+ 以下 IAM 内联策略语句用于读取存储在 AWS Systems Manager中的秘密 Microsoft SQL Server 连接字符串。有关内联策略的更多信息,请参阅《AWS Identity and Access Management 用户指南**》中的[托管式策略与内联策略](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-vs-inline)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue*"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:ApplicationInsights-*"
}
]
}
```
------
此外,要启用和接收许可证建议,请将以下 IAM 策略附加到您的用户、组或角色。有关更多信息,请参阅 [A *mazon CloudWatch 用户指南*中的 IAM 政策](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/appinsights-iam)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"applicationinsights:*",
"iam:CreateServiceLinkedRole",
"iam:ListRoles",
"resource-groups:ListGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
### 拒绝访问 Compute Optimizer 的策略
以下策略语句将拒绝访问 Compute Optimizer。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "compute-optimizer:*",
"Resource": "*"
}
]
}
```
------
## 自动化的策略示例
**Topics**
+ [启用账户自动化功能的策略](#policy-automation-enable)
+ [在整个组织中启用自动化功能的策略](#automation-enable-org)
+ [向独立账户授予对 Compute Optimizer Automizer 自动化的完全访问权限的政策 AWS](#automation-account-full)
+ [向独立账户授予对 Compute Optimizer Automizer 自动化的只读访问权限的政策 AWS](#automation-account-read)
+ [向组织管理账户授予对 Compute Optimizer 自动化功能完全访问权限的策略](#automation-account-mgmt)
+ [向组织管理账户授予对 Compute Optimizer 自动化功能只读访问权限的策略](#automation-account-mgmt-readonly)
### 启用账户自动化功能的策略
以下政策声明为您的账户启用自动化。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
"Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": [
"iam:PutRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
},
{
"Effect": "Allow",
"Action": "aco-automation:UpdateEnrollmentConfiguration",
"Resource": "*"
}
]
}
```
### 在整个组织中启用自动化功能的策略
以下政策声明可在整个组织中实现自动化。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
"Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": [
"iam:PutRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
},
{
"Effect": "Allow",
"Action": "aco-automation:UpdateEnrollmentConfiguration",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "aco-automation:AssociateAccounts",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "aco-automation:DisassociateAccounts",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "aco-automation:ListAccounts",
"Resource": "*"
}
]
}
```
### 向独立账户授予对 Compute Optimizer Automizer 自动化的完全访问权限的政策 AWS
以下策略为独立 AWS 账户授予对 Compute Optimizer Automizer 自动化的完全访问权限。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:*",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
```
### 向独立账户授予对 Compute Optimizer Automizer 自动化的只读访问权限的政策 AWS
以下策略为独立 AWS 账户授予对 Compute Optimizer Automizer 自动化的只读访问权限。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:GetEnrollmentConfiguration",
"aco-automation:GetAutomationEvent",
"aco-automation:GetAutomationRule",
"aco-automation:ListAutomationEvents",
"aco-automation:ListAutomationEventSteps",
"aco-automation:ListAutomationEventSummaries",
"aco-automation:ListAutomationRules",
"aco-automation:ListAutomationRulePreview",
"aco-automation:ListAutomationRulePreviewSummaries",
"aco-automation:ListRecommendedActions",
"aco-automation:ListRecommendedActionSummaries",
"aco-automation:ListTagsForResource",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
```
### 向组织管理账户授予对 Compute Optimizer 自动化功能完全访问权限的策略
以下策略为组织的管理账户授予对 Compute Optimizer Automizer 自动化的完全访问权限。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:*",
"ec2:DescribeVolumes",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:DescribeAccount",
"organizations:EnableAWSServiceAccess",
"organizations:ListDelegatedAdministrators",
"organizations:RegisterDelegatedAdministrator",
"organizations:DeregisterDelegatedAdministrator"
],
"Resource": "*"
}
]
}
```
### 向组织管理账户授予对 Compute Optimizer 自动化功能只读访问权限的策略
以下策略为组织的管理账户授予对 Compute Optimizer Automizer 自动化的只读访问权限。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:GetEnrollmentConfiguration",
"aco-automation:GetAutomationEvent",
"aco-automation:GetAutomationRule",
"aco-automation:ListAccounts",
"aco-automation:ListAutomationEvents",
"aco-automation:ListAutomationEventSteps",
"aco-automation:ListAutomationEventSummaries",
"aco-automation:ListAutomationRules",
"aco-automation:ListAutomationRulePreview",
"aco-automation:ListAutomationRulePreviewSummaries",
"aco-automation:ListRecommendedActions",
"aco-automation:ListRecommendedActionSummaries",
"aco-automation:ListTagsForResource",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
```
## 其他资源
+ 故障排除 – [Compute Optimizer 中的故障排除](troubleshooting-account-opt-in.md)
+ [选择加入 AWS Compute Optimizer](account-opt-in.md)
+ [AWS 的托管策略 AWS Compute Optimizer](managed-policies.md)
+ [将服务相关角色用于 AWS Compute Optimizer](using-service-linked-roles.md)
+ [使用服务相关角色实现自动化](using-service-linked-roles-automation.md)