IAM user roles in AMS - AMS Advanced Onboarding Guide

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

IAM user roles in AMS

An IAM role is similar to an IAM user, in that it is an AWS identity with a permissions policy that determines what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Currently, for standard AMS accounts, there is one AMS default user role, Customer_ReadOnly_Role, and one additional role for AMS accounts that use managed Active Directory, customer_managed_ad_user_role.

The role policies set permissions for CloudWatch and Amazon S3 log actions, AMS console access, read-only restrictions on most AWS services, restricted access to the account's S3 console, and AMS change type access.

Additionally, the Customer_ReadOnly_Role has mutable permissions for Reserved Instances that allow you to reserve instances. This has some cost-savings value: if you know that you will need a certain number of Amazon EC2 instances for a long period of time, you can call these APIs. To learn more, see Amazon EC2 Reserved Instances.

Note

Unless you are reusing existing policies, the AMS service level objective (SLO) for creating custom IAM policies for IAM users is four business days. If you want to modify an existing IAM user role or add a new role, submit an IAM: Update Entity or IAM: Create Entity RFC, respectively.

If you are unfamiliar with Amazon IAM roles, see IAM Roles for important information.

Multi-Account Landing Zone (MALZ): To view the AMS multi-account landing zone default, uncustomized, user role policies, see the following section, MALZ: Default IAM user roles.

MALZ: Default IAM user roles

JSON policy statements for the default AMS multi-account landing zone user roles.

Note

User roles are customizable and may differ from account to account. Instructions on how to find your roles are provided.

The following are examples of the default MALZ user roles. To make sure that the required policies are set, run the AWS CLI get-role command, or sign in to the AWS Management Console, open the IAM console, and choose Roles in the navigation pane.

Core OU accounts

Core accounts are the infrastructure accounts managed by MALZ. The AMS multi-account landing zone Core accounts include a management account and a networking account.

Core OU accounts: common roles and policies (role, followed by its policy or policies)

AWSManagedServicesReadOnlyRole
  - ReadOnlyAccess (public AWS managed policy)

AWSManagedServicesCaseRole
  - ReadOnlyAccess
  - AWSSupportAccess (public AWS managed policy)

AWSManagedServicesChangeManagementRole (Core account version)
  - ReadOnlyAccess
  - AWSSupportAccess
  - AMSChangeManagementReadOnlyPolicy
  - AMSChangeManagementInfrastructurePolicy

Core OU accounts: management account roles and policies (role, followed by its policy or policies)

AWSManagedServicesBillingRole
  - AMSBillingPolicy

AWSManagedServicesReadOnlyRole
  - ReadOnlyAccess (public AWS managed policy)

AWSManagedServicesCaseRole
  - ReadOnlyAccess
  - AWSSupportAccess (public AWS managed policy)

AWSManagedServicesChangeManagementRole (management account version)
  - ReadOnlyAccess
  - AWSSupportAccess
  - AMSChangeManagementReadOnlyPolicy
  - AMSChangeManagementInfrastructurePolicy
  - AMSMasterAccountSpecificChangeManagementInfrastructurePolicy

Core OU accounts: networking account roles and policies (role, followed by its policy or policies)

AWSManagedServicesReadOnlyRole
  - ReadOnlyAccess (public AWS managed policy)

AWSManagedServicesCaseRole
  - ReadOnlyAccess
  - AWSSupportAccess (public AWS managed policy)

AWSManagedServicesChangeManagementRole (networking account version)
  - ReadOnlyAccess
  - AWSSupportAccess
  - AMSChangeManagementReadOnlyPolicy
  - AMSChangeManagementInfrastructurePolicy
  - AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy

Application account roles

Application account roles apply to your application-specific accounts.

Application accounts: roles and policies (role, followed by its policy or policies)

AWSManagedServicesReadOnlyRole
  - ReadOnlyAccess (public AWS managed policy)

AWSManagedServicesCaseRole
  - ReadOnlyAccess
  - AWSSupportAccess (public AWS managed policy). This policy provides access to all support operations and resources. For information, see Getting Started with AWS Support.

AWSManagedServicesSecurityOpsRole
  - ReadOnlyAccess
  - AWSSupportAccess. This policy provides access to all support operations and resources.
  - AWSCertificateManagerFullAccess (public AWS managed policy)
  - AWSWAFFullAccess (public AWS managed policy). This policy grants full access to AWS WAF resources.
  - AMSSecretsManagerSharedPolicy

AWSManagedServicesChangeManagementRole (application account version)
  - ReadOnlyAccess
  - AWSSupportAccess (public AWS managed policy). This policy provides access to all support operations and resources. For information, see Getting Started with AWS Support.
  - AMSSecretsManagerSharedPolicy
  - AMSChangeManagementPolicy
  - AMSReservedInstancesPolicy
  - AMSS3Policy

AWSManagedServicesAdminRole
  - ReadOnlyAccess
  - AWSSupportAccess
  - AMSChangeManagementInfrastructurePolicy
  - AWSMarketplaceManageSubscriptions
  - AMSSecretsManagerSharedPolicy
  - AMSChangeManagementPolicy
  - AWSCertificateManagerFullAccess
  - AWSWAFFullAccess
  - AMSS3Policy
  - AMSReservedInstancesPolicy

Policy examples

Examples of most of the policies in use are provided. To view the ReadOnlyAccess policy (a long page, as it provides read-only access to all AWS services), you can use this link if you have an active AWS account: ReadOnlyAccess. An abbreviated version is also included here.

AMSBillingPolicy

AMSBillingPolicy

Your accounting department can use the new billing role to view and change billing information or account settings in the management account. You can use this role to access information such as alternate contacts, view account resource usage, view bills, and even modify payment methods. This new role includes all of the permissions listed on the AWS Billing IAM actions web page.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToBilling"
    },
    {
      "Action": ["aws-portal:ViewAccount", "aws-portal:ModifyAccount"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToAccountSettings"
    },
    {
      "Action": ["budgets:ViewBudget", "budgets:ModifyBudget"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToAccountBudget"
    },
    {
      "Action": ["aws-portal:ViewPaymentMethods", "aws-portal:ModifyPaymentMethods"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToPaymentMethods"
    },
    {
      "Action": ["aws-portal:ViewUsage"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToUsage"
    },
    {
      "Action": [
        "cur:DescribeReportDefinitions",
        "cur:PutReportDefinition",
        "cur:DeleteReportDefinition",
        "cur:ModifyReportDefinition"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToCostAndUsageReport"
    },
    {
      "Action": ["pricing:DescribeServices", "pricing:GetAttributeValues", "pricing:GetProducts"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToPricing"
    },
    {
      "Action": ["ce:*", "compute-optimizer:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToCostExplorerComputeOptimizer"
    },
    {
      "Action": ["purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToPurchaseOrders"
    },
    {
      "Action": ["redshift:AcceptReservedNodeExchange", "redshift:PurchaseReservedNodeOffering"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAccessToRedshiftAction"
    },
    {
      "Action": "savingsplans:*",
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AWSSavingsPlansFullAccess"
    }
  ]
}

AMSChangeManagementReadOnlyPolicy

AMSChangeManagementReadOnlyPolicy

Permission to view all AMS change types and the history of requested change types.

AMSMasterAccountSpecificChangeManagementInfrastructurePolicy

AMSMasterAccountSpecificChangeManagementInfrastructurePolicy

Permission to request the Deployment | Managed landing zone | Management account | Create application account (with VPC) change type.

AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy

AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy

Permission to request the Deployment | Managed landing zone | Networking account | Create application route table change type.

AMSChangeManagementInfrastructurePolicy

AMSChangeManagementInfrastructurePolicy (Management | Other | Other CTs)

Permission to request the Management | Other | Other | Create and Management | Other | Other | Update change types.

AMSSecretsManagerSharedPolicy

AMSSecretsManagerSharedPolicy

Permission to view secrets shared by AMS through AWS Secrets Manager (for example, infrastructure passwords/hashes for auditing).

Permission to create secrets that share passwords/hashes with AMS (for example, license keys for products that need to be deployed).

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToSharedNameSpaces",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
        "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
      ]
    },
    {
      "Sid": "DenyGetSecretOnCustomerNamespace",
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
    },
    {
      "Sid": "AllowReadAccessToAMSNameSpace",
      "Effect": "Deny",
      "NotAction": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
    }
  ]
}

AMSChangeManagementPolicy

AMSChangeManagementPolicy

Permission to request and view all AMS change types, as well as the history of requested change types.

AMSReservedInstancesPolicy

AMSReservedInstancesPolicy

Permission to manage Amazon EC2 Reserved Instances; for pricing information, see Amazon EC2 Reserved Instances.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReservedInstancesManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyReservedInstances",
        "ec2:PurchaseReservedInstancesOffering"
      ],
      "Resource": ["*"]
    }
  ]
}

AMSS3Policy

AMSS3Policy

Permission to create and delete files in existing Amazon S3 buckets.

Note

These permissions do not grant the ability to create S3 buckets; that must be done with the Deployment | Advanced stack components | S3 storage | Create change type.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}

AWSSupportAccess

AWSSupportAccess

Full access to AWS Support. For information, see Getting Started with AWS Support. For information about Premium Support, see AWS Support.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["support:*"],
      "Resource": "*"
    }
  ]
}

AWSMarketplaceManageSubscriptions

AWSMarketplaceManageSubscriptions (public AWS managed policy)

Permission to subscribe to, unsubscribe from, and view AWS Marketplace subscriptions.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AWSCertificateManagerFullAccess

AWSCertificateManagerFullAccess

Full access to AWS Certificate Manager. For more information, see AWS Certificate Manager.

AWSCertificateManagerFullAccess (public AWS managed policy).

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["acm:*"],
      "Resource": "*"
    }
  ]
}

AWSWAFFullAccess

AWSWAFFullAccess

Full access to AWS WAF. For more information, see AWS WAF - Web Application Firewall.

AWSWAFFullAccess (public AWS managed policy). This policy grants full access to AWS WAF resources.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "waf:*",
        "waf-regional:*",
        "elasticloadbalancing:SetWebACL"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

ReadOnlyAccess

ReadOnlyAccess

Read-only access to all AWS services and resources in the AWS console. When AWS launches a new service, AMS updates the ReadOnlyAccess policy to add read-only permissions for the new service. The updated permissions apply to all principal entities that the policy is attached to.

This does not grant permission to log in to EC2 hosts or database hosts.

If you have an active AWS account, you can use this ReadOnlyAccess link to view the entire ReadOnlyAccess policy. The entire ReadOnlyAccess policy is very long, as it provides read-only access to all AWS services. The following is a partial excerpt of the ReadOnlyAccess policy.

Single-Account Landing Zone (SALZ): To view the AMS single-account landing zone default, uncustomized, user role policies, see the following section, SALZ: Default IAM user roles.

SALZ: Default IAM user roles

JSON policy statements for the default AMS single-account landing zone user roles.

Note

The SALZ default user roles are customizable and may differ from account to account. Instructions on how to find your roles are provided.

The following is an example of the default SALZ user role. To make sure that the policies are set for you, run the get-role command. Alternatively, sign in to the AWS Identity and Access Management console at https://console.aws.amazon.com/iam/ and choose Roles.

The customer read-only role is a combination of multiple policies. The following is a breakdown of the role (JSON).

Managed Services Audit Policy:

Managed Services IAM ReadOnly Policy

Managed Services User Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomerToListTheLogBucketLogs",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mc-a*-logs-*"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["aws/*", "app/*", "encrypted", "encrypted/", "encrypted/app/*"]
        }
      }
    },
    {
      "Sid": "BasicAccessRequiredByS3Console",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowCustomerToGetLogs",
      "Effect": "Allow",
      "Action": ["s3:GetObject*"],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/aws/*",
        "arn:aws:s3:::mc-a*-logs-*/encrypted/app/*"
      ]
    },
    {
      "Sid": "AllowAccessToOtherObjects",
      "Effect": "Allow",
      "Action": ["s3:DeleteObject*", "s3:Get*", "s3:List*", "s3:PutObject*"],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowCustomerToListTheLogBucketRoot",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mc-a*-logs-*"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "/"]
        }
      }
    },
    {
      "Sid": "AllowCustomerCWLConsole",
      "Effect": "Allow",
      "Action": ["logs:DescribeLogStreams", "logs:DescribeLogGroups"],
      "Resource": ["arn:aws:logs:*:*:log-group:*"]
    },
    {
      "Sid": "AllowCustomerCWLAccessLogs",
      "Effect": "Allow",
      "Action": ["logs:FilterLogEvents", "logs:GetLogEvents"],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/*",
        "arn:aws:logs:*:*:log-group:/infra/*",
        "arn:aws:logs:*:*:log-group:/app/*",
        "arn:aws:logs:*:*:log-group:RDSOSMetrics:*:*"
      ]
    },
    {
      "Sid": "AWSManagedServicesFullAccess",
      "Effect": "Allow",
      "Action": ["amscm:*", "amsskms:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "ModifyAWSBillingPortal",
      "Effect": "Allow",
      "Action": ["aws-portal:Modify*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyDeleteCWL",
      "Effect": "Deny",
      "Action": ["logs:DeleteLogGroup", "logs:DeleteLogStream"],
      "Resource": ["arn:aws:logs:*:*:log-group:*"]
    },
    {
      "Sid": "DenyMCCWL",
      "Effect": "Deny",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutLogEvents"
      ],
      "Resource": ["arn:aws:logs:*:*:log-group:/mc/*"]
    },
    {
      "Sid": "DenyS3MCNamespace",
      "Effect": "Deny",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/encrypted/mc/*",
        "arn:aws:s3:::mc-a*-logs-*/mc/*",
        "arn:aws:s3:::mc-a*-logs-*-audit/*",
        "arn:aws:s3:::mc-a*-internal-*/*",
        "arn:aws:s3:::mc-a*-internal-*"
      ]
    },
    {
      "Sid": "ExplicitDenyS3CfnBucket",
      "Effect": "Deny",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::cf-templates-*"]
    },
    {
      "Sid": "DenyListBucketS3LogsMC",
      "Action": ["s3:ListBucket"],
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::mc-a*-logs-*"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["auditlog/*", "encrypted/mc/*", "mc/*"]
        }
      }
    },
    {
      "Sid": "DenyS3LogsDelete",
      "Effect": "Deny",
      "Action": ["s3:Delete*", "s3:Put*"],
      "Resource": ["arn:aws:s3:::mc-a*-logs-*/*"]
    },
    {
      "Sid": "DenyAccessToKmsKeysStartingWithMC",
      "Effect": "Deny",
      "Action": ["kms:*"],
      "Resource": ["arn:aws:kms::*:key/mc-*", "arn:aws:kms::*:alias/mc-*"]
    },
    {
      "Sid": "DenyListingOfStacksStartingWithMC",
      "Effect": "Deny",
      "Action": ["cloudformation:*"],
      "Resource": ["arn:aws:cloudformation:*:*:stack/mc-*"]
    },
    {
      "Sid": "AllowCreateCWMetricsAndManageDashboards",
      "Effect": "Allow",
      "Action": ["cloudwatch:PutMetricData"],
      "Resource": ["*"]
    },
    {
      "Sid": "AllowCreateandDeleteCWDashboards",
      "Effect": "Allow",
      "Action": ["cloudwatch:DeleteDashboards", "cloudwatch:PutDashboard"],
      "Resource": ["*"]
    }
  ]
}

Customer Secrets Manager Shared Policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsManagerListSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:listSecrets",
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerAdminAccessToSharedNameSpaces",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
        "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
      ]
    },
    {
      "Sid": "DenyCustomerGetSecretCustomerNamespace",
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
    },
    {
      "Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace",
      "Effect": "Deny",
      "NotAction": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
    }
  ]
}
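As an added example (not AMS code), the following Python evaluates requests against the customer Secrets Manager shared policy above, to show how its Allow, Deny and Deny-with-NotAction statements combine into "write-only to customer-shared, read-only in ams-shared" (the MALZ AMSSecretsManagerSharedPolicy earlier on this page has the same three namespace statements). The account ID, region and secret names are constructed; the evaluator handles only Action/NotAction and Resource matching, not Condition blocks.

```python
import fnmatch
import json

# Added example, not AMS code. The policy is the customer Secrets Manager shared policy quoted on
# this page (SALZ version; MALZ AMSSecretsManagerSharedPolicy has the same three namespace rules).
POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [
  { "Sid": "AllowSecretsManagerListSecrets", "Effect": "Allow",
    "Action": "secretsmanager:listSecrets", "Resource": "*" },
  { "Sid": "AllowCustomerAdminAccessToSharedNameSpaces", "Effect": "Allow",
    "Action": "secretsmanager:*", "Resource": [ "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
                                               "arn:aws:secretsmanager:*:*:secret:customer-shared/*" ] },
  { "Sid": "DenyCustomerGetSecretCustomerNamespace", "Effect": "Deny",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*" },
  { "Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace", "Effect": "Deny",
    "NotAction": [ "secretsmanager:Describe*", "secretsmanager:Get*", "secretsmanager:List*" ],
    "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*" } ] }""")

def _matches(patterns, value, fold_case):
    # Action names match case-insensitively (so "listSecrets" still covers ListSecrets);
    # ARN patterns are case-sensitive. Both use the * and ? wildcards that fnmatch understands.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action, True)
    else:  # NotAction: the statement covers every action that is NOT listed
        action_hit = not _matches(stmt["NotAction"], action, True)
    return action_hit and _matches(stmt["Resource"], resource, False)

def evaluate(action, resource, policy=POLICY):
    """IAM evaluation order for one identity policy: an explicit Deny beats any Allow,
    and a request that no statement matches is implicitly denied."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    base = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"  # constructed account/region
    for act, name in [("secretsmanager:PutSecretValue", "customer-shared/license-key"),
                      ("secretsmanager:GetSecretValue", "customer-shared/license-key"),
                      ("secretsmanager:GetSecretValue", "ams-shared/infra-password"),
                      ("secretsmanager:DeleteSecret", "ams-shared/infra-password"),
                      ("secretsmanager:GetSecretValue", "app/db-password")]:
        print(f"{act:32} {name:30} {evaluate(act, base + name)}")
```

Running it shows that a secret placed under customer-shared/ can be written but never read back by this role, that ams-shared/ secrets can be read and described but not changed or deleted, and that secrets outside both namespaces fall through to the implicit deny.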

Customer Marketplace Subscription Policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMarketPlaceSubscriptions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Resource": ["*"]
    }
  ]
}