

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Step 2: Add the required IAM permissions to your account in Detective
<a name="iam-permissions"></a>

This topic describes the AWS Identity and Access Management (IAM) permissions policy that you must attach to your IAM identity to enable the integration of Detective with Security Lake.

Attach the inline policy below to the role, replacing `123456789012` with your AWS account ID. If you want to use your own Amazon S3 bucket to store Athena query results, replace `amzn-s3-demo-bucket` with the name of your bucket. If you want Detective to create the Amazon S3 bucket for Athena query results automatically, remove the entire `S3ObjectPermissions` statement from the policy.

If you do not have the permissions required to attach this policy to your IAM identity, contact your AWS administrator. If you have the required permissions but the integration still fails, see [Troubleshooting access denied error messages](https://docs.aws.amazon.com//IAM/latest/UserGuide/troubleshoot_access-denied.html) in the IAM User Guide.

#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3ObjectPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetPartitions",
                "glue:GetTable",
                "glue:GetTables"
            ],
            "Resource": [
                "arn:aws:glue:*:123456789012:database/amazon_security_lake*",
                "arn:aws:glue:*:123456789012:table/amazon_security_lake*/amazon_security_lake*",
                "arn:aws:glue:*:123456789012:catalog"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryRuntimeStatistics",
                "athena:GetWorkGroup",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "lakeformation:GetDataAccess",
                "ram:ListResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:ssm:*:123456789012:parameter/Detective/SLI"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplateSummary",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": [
                        "securitylake.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```
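The following script is an added example and is not part of the AWS documentation or of any AWS tooling. It renders the policy above for one account: it substitutes the account ID, either fills in your Athena results bucket or drops the `S3ObjectPermissions` statement entirely (the two cases the text describes), refuses to emit a document that still contains a placeholder, and lists which non-read actions the policy grants on `Resource: "*"` so you can review them before attaching. The placeholder tokens `ACCOUNT_ID` and `BUCKET`, the function names, and the sample values used in the usage call are this example's own assumptions.

```python
"""Render the Detective / Security Lake inline policy for one account.

Added example, not AWS code. The statements are the ones listed on this
page; ACCOUNT_ID and BUCKET are placeholder tokens chosen for this script.
"""
import json
import re
from copy import deepcopy
from typing import List, Optional

ATHENA_ACTIONS = [
    "athena:BatchGetQueryExecution", "athena:GetQueryExecution",
    "athena:GetQueryResults", "athena:GetQueryRuntimeStatistics",
    "athena:GetWorkGroup", "athena:ListQueryExecutions",
    "athena:StartQueryExecution", "athena:StopQueryExecution",
    "lakeformation:GetDataAccess", "ram:ListResources",
]

POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "S3ObjectPermissions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::BUCKET", "arn:aws:s3:::BUCKET/*"]},
        {"Effect": "Allow",
         "Action": ["glue:GetDatabases", "glue:GetPartitions",
                    "glue:GetTable", "glue:GetTables"],
         "Resource": [
             "arn:aws:glue:*:ACCOUNT_ID:database/amazon_security_lake*",
             "arn:aws:glue:*:ACCOUNT_ID:table/amazon_security_lake*/amazon_security_lake*",
             "arn:aws:glue:*:ACCOUNT_ID:catalog"]},
        {"Effect": "Allow", "Action": ATHENA_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetParametersByPath"],
         "Resource": ["arn:aws:ssm:*:ACCOUNT_ID:parameter/Detective/SLI"]},
        {"Effect": "Allow",
         "Action": ["cloudformation:GetTemplateSummary", "iam:ListRoles"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["organizations:ListDelegatedAdministrators"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "organizations:ServicePrincipal": ["securitylake.amazonaws.com"]}}},
    ],
}

# S3 bucket naming rules (lowercase, digits, dots, hyphens, 3-63 chars).
_BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def build_policy(account_id: str, athena_results_bucket: Optional[str] = None) -> dict:
    """Return the policy for account_id.

    With a bucket name, S3ObjectPermissions is scoped to that bucket. With
    None, the whole statement is dropped, which is what the page says to do
    when Detective should create the Athena results bucket itself.
    """
    if not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    if athena_results_bucket is not None and not _BUCKET_RE.fullmatch(athena_results_bucket):
        raise ValueError("not a valid S3 bucket name: %r" % athena_results_bucket)
    policy = deepcopy(POLICY_TEMPLATE)
    rendered = []
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "S3ObjectPermissions":
            if athena_results_bucket is None:
                continue  # remove the statement entirely, not just the ARNs
            stmt["Resource"] = [r.replace("BUCKET", athena_results_bucket)
                                for r in stmt["Resource"]]
        if isinstance(stmt["Resource"], list):
            stmt["Resource"] = [r.replace("ACCOUNT_ID", account_id)
                                for r in stmt["Resource"]]
        rendered.append(stmt)
    policy["Statement"] = rendered
    if leftover_placeholders(policy):
        raise RuntimeError("unrendered placeholders: %s" % leftover_placeholders(policy))
    return policy


def leftover_placeholders(policy: dict) -> List[str]:
    """Resource strings that still contain a placeholder token."""
    out = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        out += [r for r in res if "ACCOUNT_ID" in r or "BUCKET" in r]
    return out


def non_read_actions_on_star(policy: dict) -> List[str]:
    """Actions granted on Resource "*" whose name is not a Get/List/Describe/BatchGet.

    A prefix heuristic for review, not an authoritative read/write classifier.
    """
    found = []
    for stmt in policy["Statement"]:
        if stmt["Resource"] != "*":
            continue
        for action in stmt["Action"]:
            verb = action.split(":", 1)[1]
            if not verb.startswith(("Get", "List", "Describe", "BatchGet")):
                found.append(action)
    return sorted(found)


if __name__ == "__main__":
    # Sample values, constructed for this example.
    doc = build_policy("111122223333", "my-athena-results")
    print(json.dumps(doc, indent=4))
```

Write the output to a file and attach it with `aws iam put-role-policy --role-name <role> --policy-name DetectiveSecurityLake --policy-document file://policy.json`. On the policy as published, `non_read_actions_on_star()` reports only `athena:StartQueryExecution` and `athena:StopQueryExecution`; everything else on `Resource: "*"` is a read or list call, which is a useful baseline to diff against if the policy is later edited.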
