This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.
Step 2: Add the required IAM permissions to your account in Detective
This topic describes the AWS Identity and Access Management (IAM) permissions policy that you must add to your IAM identity.
To enable the Detective integration with Security Lake, attach the following IAM permissions policy to the IAM identity (user or role) that you use with Detective.
Attach the inline policy below to the role. Replace the account ID placeholder 123456789012 in the Glue and SSM resource ARNs with your own AWS account ID. If you want to use your own Amazon S3 bucket to store Athena query results, replace the placeholder bucket name amzn-s3-demo-bucket in the S3ObjectPermissions statement with the name of your bucket; keep that statement scoped to the single results bucket rather than widening it, because it grants s3:GetObject and s3:PutObject. If you want Detective to create an Amazon S3 bucket for the Athena query results automatically, remove the entire S3ObjectPermissions statement from the policy.
If you do not have the permissions required to attach this policy to your IAM identity, contact your AWS administrator. If you have the required permissions but still run into problems, see Troubleshooting access denied error messages in the IAM User Guide.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3ObjectPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:123456789012:database/amazon_security_lake*",
        "arn:aws:glue:*:123456789012:table/amazon_security_lake*/amazon_security_lake*",
        "arn:aws:glue:*:123456789012:catalog"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:BatchGetQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetQueryRuntimeStatistics",
        "athena:GetWorkGroup",
        "athena:ListQueryExecutions",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "lakeformation:GetDataAccess",
        "ram:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:*:123456789012:parameter/Detective/SLI"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "securitylake.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
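The two edits the instructions above ask for (fill in your own results bucket, or drop the S3ObjectPermissions statement so Detective creates one) are easy to get wrong by hand, and a policy attached with a placeholder left in it silently grants nothing useful. The following Python script is an added example, not code from the AWS documentation or the Detective service. It substitutes the account ID placeholder 123456789012 and the bucket placeholder amzn-s3-demo-bucket, removes the S3ObjectPermissions statement when no bucket is given, refuses to attach a document that still contains placeholders, and attaches the result as an inline role policy through iam:PutRolePolicy. The embedded SAMPLE_POLICY is a constructed subset of the statements above so the module runs offline; the role name and policy name in the commented usage line are hypothetical.

```python
"""Render and attach the Detective / Security Lake integration policy.

Added example, not AWS code. Role and policy names used in main() are hypothetical.
"""
import copy
import json
import sys

# Placeholder values that appear in the policy document shown on this page.
PLACEHOLDER_ACCOUNT_ID = "123456789012"
PLACEHOLDER_BUCKET = "amzn-s3-demo-bucket"
S3_OBJECT_SID = "S3ObjectPermissions"

# Constructed subset of the documented policy so the module runs offline;
# main() applies the same logic to the full document loaded from a file.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
            "Resource": "*",
        },
        {
            "Sid": S3_OBJECT_SID,
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [
                f"arn:aws:s3:::{PLACEHOLDER_BUCKET}",
                f"arn:aws:s3:::{PLACEHOLDER_BUCKET}/*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["glue:GetDatabases", "glue:GetTable"],
            "Resource": [
                f"arn:aws:glue:*:{PLACEHOLDER_ACCOUNT_ID}:database/amazon_security_lake*",
                f"arn:aws:glue:*:{PLACEHOLDER_ACCOUNT_ID}:catalog",
            ],
        },
    ],
}


def _resources(statement):
    """Resource as a list; IAM allows a bare string such as "*"."""
    res = statement.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def render_policy(policy, account_id, results_bucket=None):
    """Fill the placeholders in the documented policy.

    account_id replaces 123456789012 in every Resource ARN. With results_bucket set,
    amzn-s3-demo-bucket becomes that bucket; with results_bucket=None the whole
    S3ObjectPermissions statement is dropped so Detective creates its own bucket.
    The input document is not modified.
    """
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    rendered = copy.deepcopy(policy)
    kept = []
    for stmt in rendered["Statement"]:
        if stmt.get("Sid") == S3_OBJECT_SID and results_bucket is None:
            continue
        values = [v.replace(PLACEHOLDER_ACCOUNT_ID, account_id) for v in _resources(stmt)]
        if results_bucket is not None:
            values = [v.replace(PLACEHOLDER_BUCKET, results_bucket) for v in values]
        # Keep a bare-string Resource ("*") as a string, lists as lists.
        stmt["Resource"] = values[0] if isinstance(stmt.get("Resource"), str) else values
        kept.append(stmt)
    rendered["Statement"] = kept
    return rendered


def leftover_placeholders(policy):
    """Resource ARNs still carrying a documentation placeholder; empty means safe to attach."""
    return [
        r for stmt in policy["Statement"] for r in _resources(stmt)
        if PLACEHOLDER_ACCOUNT_ID in r or PLACEHOLDER_BUCKET in r
    ]


def attach_inline_policy(role_name, policy_name, policy):
    """Attach the rendered document with iam:PutRolePolicy (needs boto3 and credentials)."""
    import boto3  # imported here so rendering works without the SDK installed

    leftovers = leftover_placeholders(policy)
    if leftovers:
        raise ValueError(f"refusing to attach, placeholders remain: {leftovers}")
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy)
    )


if __name__ == "__main__":
    # Usage: python render_policy.py <policy.json> <account-id> [<results-bucket> | -]
    path, account = sys.argv[1], sys.argv[2]
    bucket = sys.argv[3] if len(sys.argv) > 3 and sys.argv[3] != "-" else None
    with open(path) as fh:
        document = render_policy(json.load(fh), account, bucket)
    print(json.dumps(document, indent=2))
    # attach_inline_policy("DetectiveSecurityLakeRole", "DetectiveSLI", document)  # hypothetical names
```

Save the full policy from this page to a file and run `python render_policy.py detective-sli-policy.json 111122223333 my-athena-results`, or pass `-` in place of the bucket name to drop the S3ObjectPermissions statement. Rendering is pure and can be unit-tested; only `attach_inline_policy` talks to AWS, and it refuses any document that still contains a placeholder, which is the check you want before a `put_role_policy` call that would otherwise succeed with an ARN pointing at the wrong account.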