

AWS Systems Manager Incident Manager is no longer available to new customers. Existing customers can continue to use the service as normal. For more information, see [AWS Systems Manager Incident Manager availability change](https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-manager-availability-change.html).

This page is a machine-translated version. If this translation differs from the original English content, the English original takes precedence.

# Resource-based policy examples for AWS Systems Manager Incident Manager
<a name="security_iam_resource-based-policy-examples"></a>

AWS Systems Manager Incident Manager supports resource-based permissions policies for Incident Manager response plans and contacts.

Incident Manager does not support resource-based policies that deny access to resources shared using AWS RAM.

To learn how to create a response plan or a contact, see [Creating and configuring response plans in Incident Manager](response-plans.md) and [Creating and configuring contacts in Incident Manager](contacts.md).

## Restricting access to an Incident Manager response plan to an organization
<a name="security_iam_resource-based-policy-examples-restrict-response-plan-by-org"></a>

The following example grants users in the organization with the organization ID `o-abc123def45` permission to respond to incidents created from the response plan `myplan`.

The `Condition` block uses the `StringEquals` condition with the `aws:PrincipalOrgID` condition key, which is an AWS Organizations-specific condition key. For more information about these condition keys, see [Specifying conditions in a policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrganizationAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-abc123def45"
                }
            },
            "Action": [
                "ssm-incidents:GetResponsePlan",
                "ssm-incidents:StartIncident",
                "ssm-incidents:UpdateIncidentRecord",
                "ssm-incidents:GetIncidentRecord",
                "ssm-incidents:CreateTimelineEvent",
                "ssm-incidents:UpdateTimelineEvent",
                "ssm-incidents:GetTimelineEvent",
                "ssm-incidents:ListTimelineEvents",
                "ssm-incidents:UpdateRelatedItems",
                "ssm-incidents:ListRelatedItems"
            ],
            "Resource": [
                "arn:aws:ssm-incidents:*:111122223333:response-plan/myplan",
                "arn:aws:ssm-incidents:*:111122223333:incident-record/myplan/*"
            ]
        }
    ]
}
```
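
As an added example (not part of the AWS documentation), the following Python builds the organization-scoped policy above for arbitrary values and checks that no `Allow` statement with `Principal` `"*"` is left without the `aws:PrincipalOrgID` condition, since dropping that condition would make the response plan reachable from any AWS account. The function names `build_org_scoped_policy` and `unscoped_wildcard_statements` are introduced here; `json.dumps()` of the returned dict is the policy string you would pass to the Incident Manager `PutResourcePolicy` API.

```python
# Actions granted by the response-plan example above.
RESPONSE_PLAN_ACTIONS = [
    "ssm-incidents:GetResponsePlan",
    "ssm-incidents:StartIncident",
    "ssm-incidents:UpdateIncidentRecord",
    "ssm-incidents:GetIncidentRecord",
    "ssm-incidents:CreateTimelineEvent",
    "ssm-incidents:UpdateTimelineEvent",
    "ssm-incidents:GetTimelineEvent",
    "ssm-incidents:ListTimelineEvents",
    "ssm-incidents:UpdateRelatedItems",
    "ssm-incidents:ListRelatedItems",
]


def build_org_scoped_policy(org_id, account_id, plan_name):
    """Build the policy above for the given org ID, owning account ID and plan name."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrganizationAccess",
            "Effect": "Allow",
            "Principal": "*",
            # Principal "*" alone admits any AWS principal; aws:PrincipalOrgID scopes it.
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            "Action": RESPONSE_PLAN_ACTIONS,
            "Resource": [
                f"arn:aws:ssm-incidents:*:{account_id}:response-plan/{plan_name}",
                f"arn:aws:ssm-incidents:*:{account_id}:incident-record/{plan_name}/*",
            ],
        }],
    }


def unscoped_wildcard_statements(policy):
    """Sids of Allow statements with Principal "*" and no aws:PrincipalOrgID
    condition (condition keys compared case-insensitively); [] means all are scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not wildcard:
            continue
        keys = [k.lower() for block in stmt.get("Condition", {}).values() for k in block]
        if "aws:principalorgid" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Running the check before calling `PutResourcePolicy` catches the case where the condition was removed during editing and the plan would otherwise be opened to every AWS principal.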

## Granting a principal access to an Incident Manager contact
<a name="security_iam_resource-based-policy-examples-provide-contact-access-to-principal"></a>

The following example grants the principal with the ARN `arn:aws:iam::999988887777:root` permission to create engagements with the contact `mycontact`.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrincipalAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::999988887777:root"
            },
            "Action": [
                "ssm-contacts:GetContact",
                "ssm-contacts:StartEngagement",
                "ssm-contacts:DescribeEngagement",
                "ssm-contacts:ListPagesByContact"
            ],
            "Resource": [
                "arn:aws:ssm-contacts:*:111122223333:contact/mycontact",
                "arn:aws:ssm-contacts:*:111122223333:engagement/mycontact/*"
            ]
        }
    ]
}
```