

AWS Migration Hub Refactor Spaces is currently in preview release and is subject to change.

This page is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

# AWS managed policies for AWS Migration Hub Refactor Spaces
<a name="security-iam-awsmanpol"></a>


To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create [IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.


## AWS managed policy: AWSMigrationHubRefactorSpacesFullAccess
<a name="security-iam-awsmanpol-AWSMigrationHubRefactorSpacesFullAccess"></a>

You can attach the `AWSMigrationHubRefactorSpacesFullAccess` policy to your IAM identities.

The `AWSMigrationHubRefactorSpacesFullAccess` policy grants full access to AWS Migration Hub Refactor Spaces, Refactor Spaces console features, and other related AWS services.

**Permissions details**

The `AWSMigrationHubRefactorSpacesFullAccess` policy includes the following permissions.
+ `refactor-spaces` - Allows the IAM identity full access to Refactor Spaces.
+ `ec2` - Allows the IAM identity to perform the Amazon Elastic Compute Cloud (Amazon EC2) actions that Refactor Spaces uses.
+ `elasticloadbalancing` - Allows the IAM identity to perform the Elastic Load Balancing actions that Refactor Spaces uses.
+ `apigateway` - Allows the IAM identity to perform the Amazon API Gateway actions that Refactor Spaces uses.
+ `organizations` - Allows the IAM identity to perform the AWS Organizations actions that Refactor Spaces uses.
+ `cloudformation` - Allows the IAM identity to perform the AWS CloudFormation actions used to create the one-click sample environment from the console.
+ `iam` - Allows the IAM identity to create the service-linked role that is required to use Refactor Spaces.

### Additional permissions required for Refactor Spaces
<a name="security-iam-awsmanpol-extra-permissions"></a>

Before you can use Refactor Spaces, the following additional permissions, beyond those in `AWSMigrationHubRefactorSpacesFullAccess`, must be assigned to the IAM user, group, or role in your account.
+ Grants permission to create a service-linked role for AWS Transit Gateway.
+ Grants permission to attach a virtual private cloud (VPC) to the calling account's transit gateway, for all resources.
+ Grants permission to modify VPC endpoint service permissions, for all resources.
+ Grants permission to return tagged or previously tagged resources in the calling account, for all resources.
+ Grants permission to perform all AWS Resource Access Manager (AWS RAM) actions in the calling account, for all resources.
+ Grants permission to perform all AWS Lambda actions in the calling account, for all resources.

You can grant these additional permissions by adding an inline policy to the IAM user, group, or role. Alternatively, instead of using an inline policy, you can create an IAM policy from the following policy JSON and attach it to the IAM user, group, or role.

The following policy grants the additional permissions required to use Refactor Spaces.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "transitgateway.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTransitGatewayVpcAttachment"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyVpcEndpointServicePermissions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:*"
            ],
            "Resource": "*"
        }
    ]
}
```
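The additional-permissions policy above grants `ram:*` and `lambda:*` on every resource, which is the kind of grant a least-privilege review should flag before the policy is attached. The following Python is an added example, not part of the AWS documentation: it embeds the policy above (copied from this page) and reports Allow statements that use a service-wide wildcard action or that apply to `Resource: "*"` without any `Condition` block narrowing them; the function names are assumptions.

```python
from typing import Dict, List, Union

# Copied from the page: the policy granting the additional permissions that
# Refactor Spaces needs on top of AWSMigrationHubRefactorSpacesFullAccess.
EXTRA_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": "transitgateway.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["ec2:CreateTransitGatewayVpcAttachment"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:ModifyVpcEndpointServicePermissions"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["tag:GetResources"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ram:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:*"], "Resource": "*"},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def broad_grants(policy: Dict) -> List[Dict]:
    """Return one finding per Allow statement that deserves a least-privilege review:
    a service-wide wildcard action (e.g. "ram:*"), or any action allowed on
    Resource "*" with no Condition block narrowing it (e.g. by resource tag)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard = [a for a in actions if a == "*" or a.endswith(":*")]
        unscoped = "*" in resources and "Condition" not in stmt
        if wildcard or unscoped:
            findings.append({"sid": stmt.get("Sid"), "actions": actions,
                             "wildcard_actions": wildcard, "unscoped_resource": unscoped})
    return findings


def service_wildcards(policy: Dict) -> List[str]:
    """Sorted, de-duplicated list of the service-wide wildcard actions in the policy."""
    return sorted({a for f in broad_grants(policy) for a in f["wildcard_actions"]})


if __name__ == "__main__":
    for finding in broad_grants(EXTRA_PERMISSIONS_POLICY):
        print(finding)
    print("service-wide wildcards:", service_wildcards(EXTRA_PERMISSIONS_POLICY))
```

The first statement is not reported because its `iam:AWSServiceName` condition restricts it to the Transit Gateway service-linked role; the remaining five are unconditioned grants on all resources, two of them service-wide wildcards.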

The following is the `AWSMigrationHubRefactorSpacesFullAccess` policy.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RefactorSpaces",
            "Effect": "Allow",
            "Action": [
                "refactor-spaces:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcs",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeTags",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInternetGateways"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTransitGateway",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTransitGatewayVpcAttachment"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/refactor-spaces:environment-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTransitGateway",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTransitGatewayVpcAttachment"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/refactor-spaces:environment-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpointServiceConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTransitGateway",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/refactor-spaces:environment-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteVpcEndpointServiceConfigurations",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/refactor-spaces:application-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/refactor-spaces:application-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteTargetGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/refactor-spaces:route-id": [
                        "*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:DeleteLoadBalancer",
            "Resource": "arn:*:elasticloadbalancing:*:*:loadbalancer/net/refactor-spaces-nlb-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:CreateListener"
            ],
            "Resource": "arn:*:elasticloadbalancing:*:*:loadbalancer/net/refactor-spaces-nlb-*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/refactor-spaces:route-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:DeleteListener",
            "Resource": "arn:*:elasticloadbalancing:*:*:listener/net/refactor-spaces-nlb-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:RegisterTargets"
            ],
            "Resource": "arn:*:elasticloadbalancing:*:*:targetgroup/refactor-spaces-tg-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:CreateTargetGroup"
            ],
            "Resource": "arn:*:elasticloadbalancing:*:*:targetgroup/refactor-spaces-tg-*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/refactor-spaces:route-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:DELETE",
                "apigateway:PATCH",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:UpdateRestApiPolicy"
            ],
            "Resource": [
                "arn:aws:apigateway:*::/restapis",
                "arn:aws:apigateway:*::/restapis/*",
                "arn:aws:apigateway:*::/vpclinks",
                "arn:aws:apigateway:*::/vpclinks/*",
                "arn:aws:apigateway:*::/tags",
                "arn:aws:apigateway:*::/tags/*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/refactor-spaces:application-id": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": [
                "arn:aws:apigateway:*::/vpclinks",
                "arn:aws:apigateway:*::/vpclinks/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "refactor-spaces.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        }
    ]
}
```


## Refactor Spaces updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>


View details about updates to AWS managed policies for Refactor Spaces since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed.


| Change | Description | Date |
| --- | --- | --- |
| [AWSMigrationHubRefactorSpacesFullAccess](#security-iam-awsmanpol-AWSMigrationHubRefactorSpacesFullAccess) - New policy published at launch | The `AWSMigrationHubRefactorSpacesFullAccess` policy grants full access to Refactor Spaces, Refactor Spaces console features, and other related AWS services. | November 29, 2021 |
| [MigrationHubRefactorSpacesServiceRolePolicy](using-service-linked-roles.md#slr-permissions) - New policy published at launch | `MigrationHubRefactorSpacesServiceRolePolicy` provides access to the AWS resources managed or used by AWS Migration Hub Refactor Spaces. The AWSServiceRoleForMigrationHubRefactorSpaces service-linked role uses this policy. | November 29, 2021 |
| Refactor Spaces started tracking changes | Refactor Spaces started tracking changes for its AWS managed policies. | November 29, 2021 |