This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
IAM policy examples for Amazon QuickSight
This section provides examples of IAM policies that you can use with Amazon QuickSight.
IAM identity-based policies for Amazon QuickSight
This section shows examples of identity-based policies for Amazon QuickSight.
IAM identity-based policy for QuickSight console administration
The following example shows the IAM permissions that QuickSight console administration actions require. Note that it combines quicksight:* with several iam: write actions, all on "Resource": "*". In particular, iam:CreatePolicyVersion and iam:AttachRolePolicy on every policy and role let the principal change its own effective permissions, so attach this policy only to trusted administrators and, where you can, scope the iam: write actions to the roles and policies that the console actually manages.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
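To make the caveat above concrete, here is an added example (not code from the AWS page or from QuickSight) that lints a policy for unconditioned, escalation-capable iam: grants on "*", runs it over the console-administration policy above, and produces a variant that moves the iam: write actions onto named role and policy ARNs. The escalation action list, the account ID 111122223333 and the aws-quicksight-* name pattern are assumptions for illustration, not AWS-published values; the IAM List* actions stay on "*" because they do not support resource-level permissions.

```python
import fnmatch

# Added example, not from the AWS documentation page. It scans an IAM
# identity-based policy for Allow statements that grant IAM actions commonly
# usable for privilege escalation on Resource "*" with no Condition. The
# action list is an assumption drawn from widely documented escalation
# paths, not an AWS-published list; extend it to taste.
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion",    # new default version of any customer managed policy
    "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy",       # e.g. attach AdministratorAccess to an assumable role
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:PutRolePolicy",
    "iam:PutUserPolicy",
    "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey",
    "iam:PassRole",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM Action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_escalation_grants(policy):
    """Return (Sid, action) pairs for unconditioned risky grants on Resource '*'."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for risky in sorted(ESCALATION_ACTIONS):
                if action_matches(pattern, risky):
                    findings.append((stmt.get("Sid", "<no Sid>"), risky))
    return findings

# The console-administration policy from this page, verbatim apart from layout.
CONSOLE_MANAGEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": [
            "quicksight:*",
            "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies",
            "iam:GetPolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion",
            "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:DeleteRole",
            "iam:CreateRole", "iam:GetRole", "iam:ListRoles", "iam:CreatePolicy",
            "iam:ListEntitiesForPolicy", "iam:listPolicies", "s3:ListAllMyBuckets",
            "athena:ListDataCatalogs", "athena:GetDataCatalog",
        ],
        "Resource": ["*"],
    }],
}

def scoped_variant(policy, account_id, name_pattern):
    """Move the iam: write actions into their own statement scoped to named ARNs.

    account_id and name_pattern are the caller's assumptions about which roles
    and policies the console needs to touch; they are not taken from the AWS page.
    Read/list actions stay on "*" because IAM List* actions have no resource types.
    """
    stmt = _as_list(policy["Statement"])[0]
    writes = [a for a in stmt["Action"]
              if a.lower().startswith(("iam:attach", "iam:detach", "iam:create", "iam:delete"))]
    rest = [a for a in stmt["Action"] if a not in writes]
    return {
        "Version": policy["Version"],
        "Statement": [
            {"Sid": "QuickSightReadsAndLists", "Effect": "Allow",
             "Action": rest, "Resource": ["*"]},
            {"Sid": "IamWritesOnNamedRolesAndPolicies", "Effect": "Allow",
             "Action": writes,
             "Resource": [f"arn:aws:iam::{account_id}:role/{name_pattern}",
                          f"arn:aws:iam::{account_id}:policy/{name_pattern}"]},
        ],
    }

if __name__ == "__main__":
    for sid, action in find_escalation_grants(CONSOLE_MANAGEMENT_POLICY):
        print(f"{sid}: {action} allowed on * without a Condition")
    tightened = scoped_variant(CONSOLE_MANAGEMENT_POLICY, "111122223333", "aws-quicksight-*")
    print("after scoping:", find_escalation_grants(tightened))
```

Run against the page's policy, the linter reports iam:AttachRolePolicy and iam:CreatePolicyVersion; after the write actions are scoped to named ARNs it reports nothing. The scoped variant is only as safe as the name pattern you choose: a pattern that still matches every role or policy in the account gives no real reduction.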
IAM identity-based policies for Amazon QuickSight: dashboards
The following example IAM policy allows dashboard sharing and embedding for one specific dashboard. quicksight:RegisterUser is granted on all resources, while quicksight:GetDashboardEmbedUrl is scoped to a single dashboard ARN (Region us-west-2, account 111122223333), so a principal with this policy cannot fetch embed URLs for any other dashboard.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quicksight:GetDashboardEmbedUrl",
      "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
      "Effect": "Allow"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: namespaces
The following examples show IAM policies that allow QuickSight administrators to create or delete namespaces. Both grant AWS Directory Service (ds:) actions alongside the QuickSight action, because QuickSight backs each namespace with a directory; ds:DeleteDirectory on "*" is a broad grant, so limit these policies to namespace administrators.
Create a namespace
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "ds:DescribeDirectories",
        "quicksight:CreateNamespace"
      ],
      "Resource": "*"
    }
  ]
}
Delete a namespace
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "quicksight:DeleteNamespace"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: custom permissions
The following example shows an IAM policy that allows QuickSight administrators or developers to manage custom permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:*CustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}
The following example shows another way to grant the same permissions as the previous example. The two are equivalent today, but the wildcard form also matches any action ending in CustomPermissions that QuickSight adds later, whereas the explicit list does not; prefer the explicit list where you want the grant to stay fixed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:CreateCustomPermissions",
        "quicksight:DescribeCustomPermissions",
        "quicksight:ListCustomPermissions",
        "quicksight:UpdateCustomPermissions",
        "quicksight:DeleteCustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: custom email report templates
The following example shows a policy that allows viewing, updating, and creating email report templates in QuickSight, and reading the verification attributes of Amazon Simple Email Service (Amazon SES) identities. With this policy, a QuickSight administrator can create and update custom email report templates and confirm that any custom email address they want to send reports from is a verified identity in SES.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeAccountCustomization",
        "quicksight:CreateAccountCustomization",
        "quicksight:UpdateAccountCustomization",
        "quicksight:DescribeEmailCustomizationTemplate",
        "quicksight:CreateEmailCustomizationTemplate",
        "quicksight:UpdateEmailCustomizationTemplate",
        "ses:GetIdentityVerificationAttributes"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: creating an Enterprise edition account with QuickSight-managed users
The following example shows a policy that allows a QuickSight administrator to create an Enterprise edition QuickSight account that uses QuickSight-managed users. It is the console-administration policy above plus the AWS Directory Service (ds:) actions that account creation needs, and the same caveat about the unscoped iam: write actions applies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: creating users
The following example shows a policy that allows only the creation of Amazon QuickSight users. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can restrict the permission to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the permission to that resource only: with the ${aws:userid} policy variable, the caller can create a QuickSight user only for their own IAM identity. Policy variables require "Version": "2012-10-17"; under the older 2008-10-17 version, ${aws:userid} is treated as a literal string and matches nothing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:CreateUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:quicksight:*:accountId:user/${aws:userid}"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: creating and managing groups
The following example shows a policy that allows QuickSight administrators and developers to create and manage groups.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:ListGroups",
        "quicksight:CreateGroup",
        "quicksight:SearchGroups",
        "quicksight:ListGroupMemberships",
        "quicksight:CreateGroupMembership",
        "quicksight:DeleteGroupMembership",
        "quicksight:DescribeGroupMembership",
        "quicksight:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: all access for Standard edition
The following Amazon QuickSight Standard edition example shows a policy that allows subscribing and creating authors and readers. The example explicitly denies permission to unsubscribe from Amazon QuickSight. Because an explicit Deny overrides any Allow, the second statement blocks quicksight:Unsubscribe even for a principal that is granted it by some other policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:DescribeAccountSubscription",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with IAM Identity Center (Pro roles)
The following Amazon QuickSight Enterprise edition example shows a policy that allows a QuickSight user to subscribe to QuickSight, create users, and manage Active Directory in a QuickSight account that is integrated with IAM Identity Center.
The policy also allows the user to subscribe to QuickSight Pro roles, which grant access to Amazon Q in QuickSight generative BI features. For more information about Pro roles in Amazon QuickSight, see Getting started with generative BI.
This example explicitly denies permission to unsubscribe from Amazon QuickSight. The Deny statement is needed because quicksight:* in the Allow statement would otherwise include quicksight:Unsubscribe.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "iam:CreateServiceLinkedRole",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "organizations:DescribeOrganization",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:UpdateClaim",
        "sso-directory:DescribeUser",
        "sso:ListApplicationAssignments",
        "sso-directory:DescribeGroup",
        "organizations:ListAWSServiceAccessForOrganization",
        "identitystore:DescribeUser",
        "identitystore:DescribeGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with IAM Identity Center
The following Amazon QuickSight Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy does not grant permission to create Pro roles in QuickSight. To create a policy that grants permission to subscribe to Pro roles in QuickSight, see IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with IAM Identity Center (Pro roles).
This example explicitly denies permission to unsubscribe from Amazon QuickSight. The Deny statement is needed because quicksight:* in the Allow statement would otherwise include quicksight:Unsubscribe.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with Active Directory
The following Amazon QuickSight Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateAdmin",
        "quicksight:Subscribe",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: Active Directory groups
The following example shows an IAM policy that allows Active Directory group management for an Amazon QuickSight Enterprise edition account.
{
  "Statement": [
    {
      "Action": [
        "ds:DescribeTrusts",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
IAM identity-based policies for Amazon QuickSight: using the admin asset management console
The following example shows an IAM policy that allows access to the admin asset management console. The Update*Permissions actions let the holder change who can access any analysis, dashboard, dataset, data source, or folder in the account, so treat this as an administrator-level grant.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:SearchGroups",
        "quicksight:SearchUsers",
        "quicksight:ListNamespaces",
        "quicksight:DescribeAnalysisPermissions",
        "quicksight:DescribeDashboardPermissions",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:DescribeFolderPermissions",
        "quicksight:ListAnalyses",
        "quicksight:ListDashboards",
        "quicksight:ListDataSets",
        "quicksight:ListDataSources",
        "quicksight:ListFolders",
        "quicksight:SearchAnalyses",
        "quicksight:SearchDashboards",
        "quicksight:SearchFolders",
        "quicksight:SearchDatasets",
        "quicksight:SearchDatasources",
        "quicksight:UpdateAnalysisPermissions",
        "quicksight:UpdateDashboardPermissions",
        "quicksight:UpdateDataSetPermissions",
        "quicksight:UpdateDataSourcePermissions",
        "quicksight:UpdateFolderPermissions"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: using the admin key management console
The following example shows an IAM policy that allows access to the admin key management console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeKeyRegistration",
        "quicksight:UpdateKeyRegistration",
        "quicksight:ListKMSKeysForUser",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
The quicksight:ListKMSKeysForUser and kms:ListAliases permissions are required to access customer managed keys from the QuickSight console. They are not required to use the QuickSight key management APIs.
To specify which keys a user can register, add the ARNs of those keys to the quicksight:KmsKeyArns condition key on quicksight:UpdateKeyRegistration. The user can then register only the keys listed in that condition. For more information about the condition keys that QuickSight supports, see Condition keys for Amazon QuickSight.
The following example grants a user Describe permission for all customer managed keys (CMKs) registered to the QuickSight account, and Update permission only for specific CMKs registered to that account. Note that kms:CreateGrant is still allowed on every key in the account (key/*); if you want to limit it, list the same key ARNs there as in the condition.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeKeyRegistration"
      ],
      "Resource": "arn:aws:quicksight:us-west-2:123456789012:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:UpdateKeyRegistration"
      ],
      "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "quicksight:KmsKeyArns": [
            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
            "..."
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants"
      ],
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/*"
    }
  ]
}
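The policies on this page rely on four pieces of IAM evaluation logic: an explicit Deny overriding an Allow (the Unsubscribe statements in the Standard and Enterprise edition examples), case-insensitive wildcards in Action (quicksight:*CustomPermissions), policy variables in Resource (user/${aws:userid} in the create-users example), and the ForAllValues:StringEquals set operator on quicksight:KmsKeyArns in the key management example. The added example below is not code from the AWS page or from QuickSight: it is a deliberately small evaluator implementing just those rules, and it runs condensed versions of those policies through it. The account ID, key IDs, the user ID AIDAEXAMPLE, and the resource ARN used for UpdateKeyRegistration are constructed placeholders.

```python
import fnmatch

# Added example (not from the AWS page): a minimal evaluator for identity-based
# policies covering only what this page's examples need: case-insensitive
# Action wildcards, case-sensitive Resource ARN wildcards, ${aws:userid}
# substitution, explicit Deny beating Allow, and the StringEquals /
# ForAllValues:StringEquals operators. Account IDs, key IDs and the user ID
# "AIDAEXAMPLE" are constructed placeholders.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, case_sensitive):
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _substitute(template, ctx):
    # Replace ${key} with single-valued context keys such as ${aws:userid}.
    for key, val in ctx.items():
        if isinstance(val, str):
            template = template.replace("${" + key + "}", val)
    return template

def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = _as_list(allowed)
            if operator == "StringEquals":
                if ctx.get(key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed list.
                # An absent or empty request key satisfies the operator.
                if not all(v in allowed for v in _as_list(ctx.get(key, []))):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(p, action, False) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(_substitute(r, ctx), resource, True)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        decision = "Allow"
    return decision

ACCT = "111122223333"
KEY1 = f"arn:aws:kms:us-west-2:{ACCT}:key/1111aaaa-0000-4000-8000-000000000001"
KEY2 = f"arn:aws:kms:us-west-2:{ACCT}:key/2222bbbb-0000-4000-8000-000000000002"
KEY3 = f"arn:aws:kms:us-west-2:{ACCT}:key/3333cccc-0000-4000-8000-000000000003"
QS_ACCOUNT = f"arn:aws:quicksight:us-west-2:{ACCT}:account"   # placeholder resource

ALL_ACCESS_NO_UNSUBSCRIBE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"}]}
CUSTOM_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:*CustomPermissions", "Resource": "*"}]}
CREATE_OWN_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:CreateUser",
     "Resource": f"arn:aws:quicksight:*:{ACCT}:user/${{aws:userid}}"}]}
KEY_REGISTRATION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:UpdateKeyRegistration",
     "Resource": f"arn:aws:quicksight:us-west-2:{ACCT}:*",
     "Condition": {"ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [KEY1, KEY2]}}}]}

def demo():
    """Checks a practitioner would run before attaching these policies."""
    me = {"aws:userid": "AIDAEXAMPLE"}
    keys = lambda arns: {"quicksight:KmsKeyArns": arns}
    return {
        "subscribe": evaluate(ALL_ACCESS_NO_UNSUBSCRIBE, "quicksight:Subscribe", "*"),
        "unsubscribe": evaluate(ALL_ACCESS_NO_UNSUBSCRIBE, "quicksight:Unsubscribe", "*"),
        "update_custom_perms": evaluate(CUSTOM_PERMISSIONS, "quicksight:UpdateCustomPermissions", "*"),
        "update_dashboard_perms": evaluate(CUSTOM_PERMISSIONS, "quicksight:UpdateDashboardPermissions", "*"),
        "create_self": evaluate(CREATE_OWN_USER, "quicksight:CreateUser",
                                f"arn:aws:quicksight:us-east-1:{ACCT}:user/AIDAEXAMPLE", me),
        "create_other": evaluate(CREATE_OWN_USER, "quicksight:CreateUser",
                                 f"arn:aws:quicksight:us-east-1:{ACCT}:user/AIDAOTHER", me),
        "keys_subset": evaluate(KEY_REGISTRATION, "quicksight:UpdateKeyRegistration", QS_ACCOUNT, keys([KEY1])),
        "keys_extra": evaluate(KEY_REGISTRATION, "quicksight:UpdateKeyRegistration", QS_ACCOUNT, keys([KEY1, KEY3])),
        "keys_empty": evaluate(KEY_REGISTRATION, "quicksight:UpdateKeyRegistration", QS_ACCOUNT, keys([])),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The "keys_empty" case is the one worth a second look: AWS documents ForAllValues as returning true when the condition key is absent from the request or resolves to an empty set, so an Allow guarded only by ForAllValues:StringEquals also matches a request that carries no key ARNs at all. If that matters for your use of UpdateKeyRegistration, pair the operator with a Null condition on quicksight:KmsKeyArns so that the key must be present.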
AWS resource scoping policies for Amazon QuickSight: Enterprise edition
The following Amazon QuickSight Enterprise edition example shows a policy that allows setting default AWS resource access and AWS resource scoping policies. The quicksight:*IAMPolicyAssignment* wildcard covers the create, describe, list, update, and delete actions for IAM policy assignments.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:*IAMPolicyAssignment*",
        "quicksight:AccountConfigurations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}