View a markdown version of this page

AWS的托管策略AWS IoT SiteWise - AWS IoT SiteWise

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS的托管策略AWS IoT SiteWise

使用AWS托管策略简化向用户、群组和角色添加权限的过程,而不是自己编写策略。创建为团队提供确切权限的 IAM 客户管理型策略需要时间和专业知识。为了更快地进行设置,可以考虑将我们的AWS托管策略用于常见用例。在您的AWS账户中查找AWS托管政策。有关 AWS 托管式策略的更多信息,请参阅《IAM 用户指南》中的 AWS 托管式策略

AWS服务负责更新和维护AWS托管策略,这意味着您无法修改这些策略的权限。有时,AWS IoT SiteWise可能会添加权限以适应新功能,从而影响附加策略的所有身份。新服务或特征的推出往往伴随着此类更新。但是,权限永远不会被移除,这就可以确保您的设置保持不变。

此外,还AWS支持跨多个服务的工作职能的托管策略。例如,ReadOnlyAccessAWS托管策略提供对所有AWS服务和资源的只读访问权限。当服务启动一项新功能时,AWS会为新操作和资源添加只读权限。有关工作职能策略的列表和说明,请参阅 IAM 用户指南中的适用于工作职能的 AWS 托管策略

AWS托管策略: AWSIoTSiteWiseReadOnlyAccess

使用AWSIoTSiteWiseReadOnlyAccessAWS托管策略允许只读访问AWS IoT SiteWise。

您可以将 AWSIoTSiteWiseReadOnlyAccess 策略附加到 IAM 身份。

Service-level permissions

此策略提供对的只读访问权限AWS IoT SiteWise,包括执行只读 SQL 查询的权限。此策略中不包含其他服务权限。

JSON
{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotsitewise:BatchGetAssetPropertyAggregates", "iotsitewise:BatchGetAssetPropertyValue", "iotsitewise:BatchGetAssetPropertyValueHistory", "iotsitewise:DescribeAccessPolicy", "iotsitewise:DescribeAction", "iotsitewise:DescribeAsset", "iotsitewise:DescribeAssetCompositeModel", "iotsitewise:DescribeAssetModel", "iotsitewise:DescribeAssetModelCompositeModel", "iotsitewise:DescribeAssetModelInterfaceRelationship", "iotsitewise:DescribeAssetProperty", "iotsitewise:DescribeBulkImportJob", "iotsitewise:DescribeComputationModel", "iotsitewise:DescribeComputationModelExecutionSummary", "iotsitewise:DescribeDashboard", "iotsitewise:DescribeDataset", "iotsitewise:DescribeDefaultEncryptionConfiguration", "iotsitewise:DescribeExecution", "iotsitewise:DescribeGateway", "iotsitewise:DescribeGatewayCapabilityConfiguration", "iotsitewise:DescribeLoggingOptions", "iotsitewise:DescribePortal", "iotsitewise:DescribeProject", "iotsitewise:DescribeStorageConfiguration", "iotsitewise:DescribeTimeSeries", "iotsitewise:GetAssetPropertyAggregates", "iotsitewise:GetAssetPropertyValue", "iotsitewise:GetAssetPropertyValueHistory", "iotsitewise:GetInterpolatedAssetPropertyValues", "iotsitewise:ListAccessPolicies", "iotsitewise:ListActions", "iotsitewise:ListAssetModelCompositeModels", "iotsitewise:ListAssetModelProperties", "iotsitewise:ListAssetModels", "iotsitewise:ListAssetProperties", "iotsitewise:ListAssetRelationships", "iotsitewise:ListAssets", "iotsitewise:ListAssociatedAssets", "iotsitewise:ListBulkImportJobs", "iotsitewise:ListCompositionRelationships", "iotsitewise:ListComputationModelDataBindingUsages", "iotsitewise:ListComputationModelResolveToResources", "iotsitewise:ListComputationModels", "iotsitewise:ListDashboards", "iotsitewise:ListDatasets", "iotsitewise:ListExecutions", "iotsitewise:ListGateways", "iotsitewise:ListInterfaceRelationships", "iotsitewise:ListPortals", "iotsitewise:ListProjectAssets", "iotsitewise:ListProjects", "iotsitewise:ListTagsForResource", "iotsitewise:ListTimeSeries" ], "Resource": "*" } ] }

AWS托管策略: AWSServiceRoleForIoTSiteWise

AWSServiceRoleForIoTSiteWise 角色获得下列权限使用 AWSServiceRoleForIoTSiteWise 策略。本策略:

  • AWS IoT SiteWise允许部署 SiteWise Edge 网关(在上运行AWS IoT Greengrass)。

  • AWS IoT SiteWise允许执行日志记录。

  • AWS IoT SiteWise允许对AWS IoT TwinMaker数据库运行元数据搜索查询。

如果您AWS IoT SiteWise使用的是单个用户账户,则该AWSServiceRoleForIoTSiteWise角色将在您的 IAM 账户中创建AWSServiceRoleForIoTSiteWise策略,并将其附加到的AWSServiceRoleForIoTSiteWiseService-linked AWS IoT SiteWise角色中。

JSON
{ "Version":"2012-10-17", "Statement": [ { "Sid": "AllowSiteWiseReadGreenGrass", "Effect": "Allow", "Action": [ "greengrass:GetAssociatedRole", "greengrass:GetCoreDefinition", "greengrass:GetCoreDefinitionVersion", "greengrass:GetGroup", "greengrass:GetGroupVersion" ], "Resource": "*" }, { "Sid": "AllowSiteWiseAccessLogGroup", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogGroups" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*" }, { "Sid": "AllowSiteWiseAccessLog", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*" }, { "Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker", "Effect": "Allow", "Action": [ "iottwinmaker:GetWorkspace", "iottwinmaker:ExecuteQuery" ], "Resource": "arn:aws:iottwinmaker:*:*:workspace/*", "Condition": { "ForAnyValue:StringEquals": { "iottwinmaker:linkedServices": [ "IOTSITEWISE" ] } } } ] }
JSON
{ "Version":"2012-10-17", "Statement": [ { "Sid": "AllowSiteWiseReadGreenGrass", "Effect": "Allow", "Action": [ "greengrass:GetAssociatedRole", "greengrass:GetCoreDefinition", "greengrass:GetCoreDefinitionVersion", "greengrass:GetGroup", "greengrass:GetGroupVersion" ], "Resource": "*" }, { "Sid": "AllowSiteWiseAccessLogGroup", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogGroups" ], "Resource": "arn:aws-us-gov:logs:*:*:log-group:/aws/iotsitewise*" }, { "Sid": "AllowSiteWiseAccessLog", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "arn:aws-us-gov:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*" }, { "Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker", "Effect": "Allow", "Action": [ "iottwinmaker:GetWorkspace", "iottwinmaker:ExecuteQuery" ], "Resource": "arn:aws-us-gov:iottwinmaker:*:*:workspace/*", "Condition": { "ForAnyValue:StringEquals": { "iottwinmaker:linkedServices": [ "IOTSITEWISE" ] } } } ] }
JSON
{ "Version":"2012-10-17", "Statement": [ { "Sid": "AllowSiteWiseReadGreenGrass", "Effect": "Allow", "Action": [ "greengrass:GetAssociatedRole", "greengrass:GetCoreDefinition", "greengrass:GetCoreDefinitionVersion", "greengrass:GetGroup", "greengrass:GetGroupVersion" ], "Resource": "*" }, { "Sid": "AllowSiteWiseAccessLogGroup", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogGroups" ], "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*" }, { "Sid": "AllowSiteWiseAccessLog", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*" }, { "Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker", "Effect": "Allow", "Action": [ "iottwinmaker:GetWorkspace", "iottwinmaker:ExecuteQuery" ], "Resource": "arn:aws-cn:iottwinmaker:*:*:workspace/*", "Condition": { "ForAnyValue:StringEquals": { "iottwinmaker:linkedServices": [ "IOTSITEWISE" ] } } } ] }

AWS IoT SiteWise更新到AWS托管策略

您可以查看有关AWS托管策略更新的详细信息AWS IoT SiteWise,从该服务开始跟踪更改时开始。要获得有关此页面变更的自动提醒,请订阅 “AWS IoT SiteWise文档历史记录” 页面上的 RSS feed。

更改 描述 日期

AWSServiceRoleForIoTSiteWise:对现有策略的更新

AWS IoT SiteWise现在可以对AWS IoT TwinMaker数据库运行元数据搜索查询。

2023 年 11 月 6 日

AWSIoTSiteWiseReadOnlyAccess:对现有策略的更新

AWS IoT SiteWise添加了新的策略前缀BatchGet*,使您可以执行批量读取操作。

2022 年 9 月 16 日

AWSIoTSiteWiseReadOnlyAccess:新策略

AWS IoT SiteWise添加了授予只读访问权限的新策略AWS IoT SiteWise。

2021 年 11 月 24 日

AWS IoT SiteWise开始跟踪更改

AWS IoT SiteWise开始跟踪其AWS托管策略的更改。

2021 年 11 月 24 日