


# IAM user role in AMS
<a name="defaults-user-role"></a>

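An IAM role is similar to an IAM user in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, a role is intended to be assumable by anyone who needs it, rather than being uniquely associated with one person.

Currently, there is one AMS default user role for standard AMS accounts, `Customer_ReadOnly_Role`, and an additional role, `customer_managed_ad_user_role`, for AMS accounts with Managed Active Directory.

The role policies set permissions for CloudWatch and Amazon S3 log actions, AMS console access, read-only restrictions on most AWS services, restricted access to the account S3 console, and AMS change-type access.

Additionally, the `Customer_ReadOnly_Role` has mutative Reserved Instances permissions that allow you to reserve instances. This has some cost-saving value, so if you know that you will need a certain number of Amazon EC2 instances for a long period of time, you can call those APIs. To learn more, see [Amazon EC2 Reserved Instances](https://aws.amazon.com/ec2/pricing/reserved-instances/).

**Note**  
The AMS service level objective (SLO) for creating custom IAM policies for IAM users is four business days, unless an existing policy is going to be reused. If you want to modify the existing IAM user role or add a new one, submit an [IAM: Update Entity](https://docs.aws.amazon.com/managedservices/latest/ctref/management-advanced-identity-and-access-management-iam-update-entity-or-policy-review-required.html) or [IAM: Create Entity](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-identity-and-access-management-iam-create-entity-or-policy.html) RFC, respectively.

If you are unfamiliar with Amazon IAM roles, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) for important information.

**Multi-Account Landing Zone (MALZ)**: To see the AMS multi-account landing zone default, uncustomized user role policies, see [MALZ: Default IAM user roles](#json-default-role-malz), next.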

## MALZ: Default IAM user roles
<a name="json-default-role-malz"></a>

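JSON policy statements for the default AMS multi-account landing zone user roles.

**Note**  
The user roles are customizable and may differ on a per-account basis. Instructions on finding your role are provided.

These are examples of the default MALZ user roles. To make sure that you have the policies set that you need, run the AWS command [get-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html), or sign in to the AWS Management Console, open the [IAM console](https://console.aws.amazon.com/iam/), and then choose **Roles** in the navigation pane.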

### Core OU accounts
<a name="core-accounts"></a>

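The Core accounts are the MALZ-managed infrastructure accounts. AMS multi-account landing zone Core accounts include a management account and a networking account.


**Core OU accounts: Common roles and policies**  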
<a name="core-roles-common"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/managedservices/latest/userguide/defaults-user-role.html)


**Core OU accounts: Management account roles and policies**  
<a name="core-roles-mgmt"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/managedservices/latest/userguide/defaults-user-role.html)


**Core OU accounts: Networking account roles and policies**  
<a name="core-roles-networking"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/managedservices/latest/userguide/defaults-user-role.html)

### Application account roles
<a name="app-accounts"></a>

Application account roles are applied to your application-specific accounts.


**Application accounts: Roles and policies**  
<a name="app-roles"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/managedservices/latest/userguide/defaults-user-role.html)

### Policy examples
<a name="policy-examples"></a>

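Examples are provided for most of the policies used. To view the ReadOnlyAccess policy (which is pages long, because it provides read-only access to all AWS services), you can use this link if you have an active AWS account: [ReadOnlyAccess](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess$serviceLevelSummary). A condensed version is also included here.

#### AMSBillingPolicy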
<a name="ABP"></a>

`AMSBillingPolicy`

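Your accounting department can use the new billing role to view and change billing information or account settings in the management account. You use this role to access information such as alternate contacts, view account resource usage, keep track of your billing, or even modify your payment methods. This new role contains all the permissions listed on the [AWS Billing IAM actions web page](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#example-billing-deny-modifyaccount).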

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Action": [
                "aws-portal:ViewBilling",
                "aws-portal:ModifyBilling"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToBilling"
        },
        {
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ModifyAccount"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToAccountSettings"
        },
        {
            "Action": [
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToAccountBudget"
        },
        {
            "Action": [
                "aws-portal:ViewPaymentMethods",
                "aws-portal:ModifyPaymentMethods"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPaymentMethods"
        },
        {
            "Action": [
                "aws-portal:ViewUsage"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToUsage"
        },
        {
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToCostAndUsageReport"
        },
        {
            "Action": [
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPricing"
        },
        {
            "Action": [
                "ce:*",
                "compute-optimizer:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToCostExplorerComputeOptimizer"
        },
        {
            "Action": [
                "purchase-orders:ViewPurchaseOrders",
                "purchase-orders:ModifyPurchaseOrders"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPurchaseOrders"
        },
        {
            "Action": [
                "redshift:AcceptReservedNodeExchange",
                "redshift:PurchaseReservedNodeOffering"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToRedshiftAction"
        },
        {
            "Action": "savingsplans:*",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AWSSavingsPlansFullAccess"
        }
    ]
}
```


#### AMSChangeManagementReadOnlyPolicy
<a name="ROP"></a>

`AMSChangeManagementReadOnlyPolicy`

Permissions to view all AMS change types and the history of requested change types.

#### AMSMasterAccountSpecificChangeManagementInfrastructurePolicy
<a name="MASCMIP"></a>

`AMSMasterAccountSpecificChangeManagementInfrastructurePolicy`

Permissions to request the Deployment | Managed landing zone | Management account | Create application account (with VPC) change type.

#### AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy
<a name="NASCMIP"></a>

`AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy`

Permissions to request the Deployment | Managed landing zone | Networking account | Create application route table change type.

#### AMSChangeManagementInfrastructurePolicy
<a name="INP"></a>

`AMSChangeManagementInfrastructurePolicy` (for Management | Other | Other CTs)

Permissions to request the Management | Other | Other | Create and Management | Other | Other | Update change types.

#### AMSSecretsManagerSharedPolicy
<a name="SMS"></a>

`AMSSecretsManagerSharedPolicy`

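Permissions to view secret passwords/hashes shared by AMS through AWS Secrets Manager (for example, infrastructure passwords for auditing).

Permissions to create secret passwords/hashes to share with AMS (for example, license keys for products that need to be deployed).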

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [{
			"Sid": "AllowAccessToSharedNameSpaces",
			"Effect": "Allow",
			"Action": "secretsmanager:*",
			"Resource": [
				"arn:aws:secretsmanager:*:*:secret:ams-shared/*",
				"arn:aws:secretsmanager:*:*:secret:customer-shared/*"
			]
		},
		{
			"Sid": "DenyGetSecretOnCustomerNamespace",
			"Effect": "Deny",
			"Action": "secretsmanager:GetSecretValue",
			"Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
		},
		{
			"Sid": "AllowReadAccessToAMSNameSpace",
			"Effect": "Deny",
			"NotAction": [
				"secretsmanager:Describe*",
				"secretsmanager:Get*",
				"secretsmanager:List*"
			],
			"Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
		}
	]
}
```


#### AMSChangeManagementPolicy
<a name="CMP"></a>

`AMSChangeManagementPolicy`

Permissions to request and view all AMS change types, and the history of requested change types.

#### AMSReservedInstancesPolicy
<a name="RIP"></a>

`AMSReservedInstancesPolicy`

Permissions to manage Amazon EC2 Reserved Instances; for pricing information, see [Amazon EC2 Reserved Instances](https://aws.amazon.com/ec2/pricing/reserved-instances/).

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [{
		"Sid": "AllowReservedInstancesManagement",
		"Effect": "Allow",
		"Action": [
			"ec2:ModifyReservedInstances",
			"ec2:PurchaseReservedInstancesOffering"
		],
		"Resource": [
			"*"
		]
	}]
}
```

#### AMSS3Policy
<a name="S3P"></a>

`AMSS3Policy`

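Permissions to create and delete files in existing Amazon S3 buckets.

**Note**  
These permissions do not grant the ability to create S3 buckets; that must be done with the Deployment | Advanced stack components | S3 storage | Create change type.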

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}
```

#### AWSSupportAccess
<a name="SAP"></a>

`AWSSupportAccess`

Full access to AWS Support. For information, see [Getting started with AWS Support](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html). For Premium Support information, see [AWS Support](https://aws.amazon.com/premiumsupport/).

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"support:*"
		],
		"Resource": "*"
	}]
}
```


#### AWSMarketplaceManageSubscriptions
<a name="MMS"></a>

`AWSMarketplaceManageSubscriptions` (public AWS managed policy)

Permissions to subscribe to, unsubscribe from, and view AWS Marketplace subscriptions.

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [{
		"Action": [
			"aws-marketplace:ViewSubscriptions",
			"aws-marketplace:Subscribe",
			"aws-marketplace:Unsubscribe"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}
```


#### AWSCertificateManagerFullAccess
<a name="CMFA"></a>

`AWSCertificateManagerFullAccess`

Full access to AWS Certificate Manager. For more information, see [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/).

For policy information, see [https://docs.aws.amazon.com/acm/latest/userguide/authen-awsmanagedpolicies.html#acm-full-access-managed-policy](https://docs.aws.amazon.com/acm/latest/userguide/authen-awsmanagedpolicies.html#acm-full-access-managed-policy) (public AWS managed policy).

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"acm:*"
		],
		"Resource": "*"
	}]
}
```

#### AWSWAFFullAccess
<a name="WAF"></a>

`AWSWAFFullAccess`

Full access to AWS WAF. For more information, see [AWS WAF - Web Application Firewall](https://aws.amazon.com/waf/).

For policy information, see [https://docs.aws.amazon.com/waf/latest/developerguide/access-control-identity-based.html](https://docs.aws.amazon.com/waf/latest/developerguide/access-control-identity-based.html) (public AWS managed policy). This policy grants full access to AWS WAF resources.

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [{
		"Action": [
			"waf:*",
			"waf-regional:*",
			"elasticloadbalancing:SetWebACL"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}
```


#### ReadOnlyAccess
<a name="ROA"></a>

`ReadOnlyAccess`

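Read-only access to all AWS services and resources on the AWS console. When AWS launches a new service, AMS updates the ReadOnlyAccess policy to add read-only permissions for the new service. The updated permissions are applied to all principal entities that the policy is attached to.

This does not grant the ability to log in to EC2 hosts or database hosts.

If you have an active AWS account, you can use this [ReadOnlyAccess](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess$serviceLevelSummary) link to view the entire ReadOnlyAccess policy. The entire ReadOnlyAccess policy is very long, because it provides read-only access to all AWS services. The following is a partial excerpt of the ReadOnlyAccess policy.

**Single-Account Landing Zone (SALZ)**: To see the AMS single-account landing zone default, uncustomized user role policies, see [SALZ: Default IAM user role](#json-default-role), next.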

## SALZ: Default IAM user role
<a name="json-default-role"></a>

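JSON policy statements for the default AMS single-account landing zone user role.

**Note**  
The SALZ default user role is customizable and may differ on a per-account basis. Instructions on finding your role are provided.

The following is an example of the default SALZ user role. To make sure that you have the policies set for you, run the [get-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) command. Or, sign in to the AWS Identity and Access Management console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/), and then choose **Roles**.

The customer read-only role is a combination of multiple policies. A breakdown of the role (JSON) follows.

Managed Services Audit Policy:

Managed Services IAM ReadOnly Policy

Managed Services User Policy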

```
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowCustomerToListTheLogBucketLogs",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "aws/*",
            "app/*",
            "encrypted",
            "encrypted/",
            "encrypted/app/*"
          ]
        }
      }
    },
    {
      "Sid": "BasicAccessRequiredByS3Console",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowCustomerToGetLogs",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/aws/*",
        "arn:aws:s3:::mc-a*-logs-*/encrypted/app/*"
      ]
    },
    {
      "Sid": "AllowAccessToOtherObjects",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject*",
        "s3:Get*",
        "s3:List*",
        "s3:PutObject*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCustomerToListTheLogBucketRoot",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowCustomerCWLConsole",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "AllowCustomerCWLAccessLogs",
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/*",
        "arn:aws:logs:*:*:log-group:/infra/*",
        "arn:aws:logs:*:*:log-group:/app/*",
        "arn:aws:logs:*:*:log-group:RDSOSMetrics:*:*"
      ]
    },
    {
      "Sid": "AWSManagedServicesFullAccess",
      "Effect": "Allow",
      "Action": [
        "amscm:*",
        "amsskms:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ModifyAWSBillingPortal",
      "Effect": "Allow",
      "Action": [
        "aws-portal:Modify*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyDeleteCWL",
      "Effect": "Deny",
      "Action": [
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "DenyMCCWL",
      "Effect": "Deny",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/mc/*"
      ]
    },
    {
      "Sid": "DenyS3MCNamespace",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/encrypted/mc/*",
        "arn:aws:s3:::mc-a*-logs-*/mc/*",
        "arn:aws:s3:::mc-a*-logs-*-audit/*",
        "arn:aws:s3:::mc-a*-internal-*/*",
        "arn:aws:s3:::mc-a*-internal-*"
      ]
    },
    {
      "Sid": "ExplicitDenyS3CfnBucket",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Sid": "DenyListBucketS3LogsMC",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "auditlog/*",
            "encrypted/mc/*",
            "mc/*"
          ]
        }
      }
    },
    {
      "Sid": "DenyS3LogsDelete",
      "Effect": "Deny",
      "Action": [
        "s3:Delete*",
        "s3:Put*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/*"
      ]
    },
    {
      "Sid": "DenyAccessToKmsKeysStartingWithMC",
      "Effect": "Deny",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "arn:aws:kms::*:key/mc-*",
        "arn:aws:kms::*:alias/mc-*"
      ]
    },
    {
      "Sid": "DenyListingOfStacksStartingWithMC",
      "Effect": "Deny",
      "Action": [
        "cloudformation:*"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/mc-*"
      ]
    },
    {
      "Sid": "AllowCreateCWMetricsAndManageDashboards",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCreateandDeleteCWDashboards",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DeleteDashboards",
        "cloudwatch:PutDashboard"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

Customer Secrets Manager Shared Policy

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowSecretsManagerListSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:listSecrets",
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerAdminAccessToSharedNameSpaces",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
        "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
      ]
    },
   {
      "Sid": "DenyCustomerGetSecretCustomerNamespace",
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
    },  
    {
      "Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace",
      "Effect": "Deny",
      "NotAction": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
    }
  ]
}
```
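
The MALZ `AMSSecretsManagerSharedPolicy` and the SALZ customer Secrets Manager shared policy above both combine a broad Allow with an explicit Deny and a Deny/`NotAction` statement. The following added example (not AWS or AMS code) is a simplified Python model of identity-policy evaluation that shows the effective access this produces; it ignores conditions, permissions boundaries, SCPs and resource policies, and the account ID and secret names are constructed placeholders.

```python
import fnmatch

# Statements copied from the customer Secrets Manager shared policy above.
POLICY = {"Statement": [
    {"Sid": "AllowSecretsManagerListSecrets", "Effect": "Allow",
     "Action": "secretsmanager:listSecrets", "Resource": "*"},
    {"Sid": "AllowCustomerAdminAccessToSharedNameSpaces", "Effect": "Allow",
     "Action": "secretsmanager:*",
     "Resource": ["arn:aws:secretsmanager:*:*:secret:ams-shared/*",
                  "arn:aws:secretsmanager:*:*:secret:customer-shared/*"]},
    {"Sid": "DenyCustomerGetSecretCustomerNamespace", "Effect": "Deny",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"},
    {"Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace", "Effect": "Deny",
     "NotAction": ["secretsmanager:Describe*", "secretsmanager:Get*",
                   "secretsmanager:List*"],
     "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"},
]}

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def any_match(patterns, value, ignore_case=False):
    """Glob-style match for IAM * and ? wildcards; action names ignore case."""
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource):
    if not any_match(as_list(stmt["Resource"]), resource):
        return False
    if "NotAction" in stmt:  # applies to every action EXCEPT the listed ones
        return not any_match(as_list(stmt["NotAction"]), action, ignore_case=True)
    return any_match(as_list(stmt["Action"]), action, ignore_case=True)

def evaluate(policy, action, resource):
    """Return (decision, sid): explicit Deny wins, no match is an implicit deny."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny", stmt["Sid"]
            allowed_by = allowed_by or stmt["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("ImplicitDeny", None)

# Constructed ARNs: placeholder account ID and hypothetical secret names.
PREFIX = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"
AMS, CUST, OTHER = (PREFIX + n for n in ("ams-shared/infra-pw", "customer-shared/license", "app/db"))

if __name__ == "__main__":
    for arn in (AMS, CUST, OTHER):
        for op in ("DescribeSecret", "GetSecretValue", "PutSecretValue", "DeleteSecret"):
            print(op, arn[len(PREFIX):], evaluate(POLICY, "secretsmanager:" + op, arn))
```

In this model, secrets under `ams-shared/` are readable but not writable, secrets under `customer-shared/` can be created and updated but their values cannot be read back with `GetSecretValue`, and secrets outside both namespaces are not accessible through this policy.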

Customer Marketplace Subscription Policy

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowMarketPlaceSubscriptions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
