IAM policy examples for Quick Suite - Amazon Quick Suite

This is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

IAM policy examples for Quick Suite

This section provides examples of IAM policies that you can use with Quick Suite.

IAM identity-based policies for Quick Suite

This section shows examples of identity-based policies used with Quick Suite.

IAM identity-based policies for Amazon Quick Suite IAM console administration

The following example shows the IAM permissions required for Amazon Quick Suite IAM console administration operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

IAM identity-based policies for Quick Suite: dashboards

The following is an example IAM policy that allows dashboard sharing and embedding for a specific dashboard.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
            "Effect": "Allow"
        }
    ]
}

IAM identity-based policies for Quick Suite: namespaces

The following examples show IAM policies that allow an Amazon Quick Suite administrator to create or delete a namespace.

Create a namespace

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "ds:DescribeDirectories",
                "quicksight:CreateNamespace"
            ],
            "Resource": "*"
        }
    ]
}

Delete a namespace

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:DescribeDirectories",
                "quicksight:DeleteNamespace"
            ],
            "Resource": "*"
        }
    ]
}

IAM identity-based policies for Quick Suite: custom permissions

The following example shows an IAM policy that allows an Amazon Quick Suite administrator or developer to manage custom permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:*CustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}

The following example shows another way to grant the same permissions as the previous example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:CreateCustomPermissions",
                "quicksight:DescribeCustomPermissions",
                "quicksight:ListCustomPermissions",
                "quicksight:UpdateCustomPermissions",
                "quicksight:DeleteCustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}
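The two policies above grant the same permissions only against today's action list: a wildcard pattern also matches any action that is added to the service later, while the explicit list does not. The following Python script, added here as an example and not part of the Amazon Quick Suite documentation, expands a policy's Action patterns against a constructed action catalog (an assumption for illustration, not the authoritative list of quicksight actions) and flags wildcard Allow grants, distinguishing a service-wide pattern such as the quicksight:* in the console-administration policy earlier in this section from a partial pattern such as quicksight:*CustomPermissions.

```python
"""Least-privilege lint for IAM identity-based policies (added example, not AWS code).

Normalizes Action/Resource to lists, expands wildcard action patterns against a
catalog of action names, and reports wildcard Allow grants by kind.
"""
import fnmatch
import json

# Constructed action catalog used only to demonstrate pattern expansion. It is an
# assumption for this example, not the authoritative list of quicksight actions.
KNOWN_ACTIONS = [
    "quicksight:CreateCustomPermissions",
    "quicksight:DescribeCustomPermissions",
    "quicksight:ListCustomPermissions",
    "quicksight:UpdateCustomPermissions",
    "quicksight:DeleteCustomPermissions",
    "quicksight:CreateUser",
    "quicksight:Subscribe",
    "quicksight:Unsubscribe",
    "iam:CreateRole",
    "iam:DeleteRole",
]

# The two custom-permissions policies from the page.
WILDCARD_POLICY = '''{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "quicksight:*CustomPermissions" ], "Resource": "*" } ] }'''
EXPLICIT_POLICY = '''{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "quicksight:CreateCustomPermissions", "quicksight:DescribeCustomPermissions",
  "quicksight:ListCustomPermissions", "quicksight:UpdateCustomPermissions",
  "quicksight:DeleteCustomPermissions" ], "Resource": "*" } ] }'''
# Trimmed from the page's console-administration example: a service-wide wildcard.
CONSOLE_ADMIN_POLICY = '''{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1",
  "Effect": "Allow", "Action": [ "quicksight:*", "iam:CreateRole", "iam:DeleteRole" ],
  "Resource": [ "*" ] } ] }'''


def as_list(value):
    """IAM lets Action, Resource and similar fields be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy_json, catalog=KNOWN_ACTIONS):
    """Catalog actions allowed by any Allow statement in the policy, sorted."""
    policy = json.loads(policy_json)
    patterns = [p for s in as_list(policy["Statement"])
                if s.get("Effect") == "Allow" for p in as_list(s.get("Action"))]
    return sorted(a for a in catalog if any(action_matches(p, a) for p in patterns))


def lint_policy(policy_json, catalog=KNOWN_ACTIONS):
    """Report wildcard Allow grants, distinguishing service-wide from partial ones."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"#{idx}")
        resources = as_list(stmt.get("Resource"))
        for pattern in as_list(stmt.get("Action")):
            if "*" not in pattern:
                continue
            _service, _, verb = pattern.partition(":")
            if pattern == "*" or verb == "*":
                kind = "service-wide wildcard"
            else:
                hits = [a for a in catalog if action_matches(pattern, a)]
                kind = f"partial wildcard matching {len(hits)} catalogued action(s)"
            scope = 'on Resource "*"' if "*" in resources else "on scoped resources"
            findings.append(f"{sid}: {pattern} is a {kind} {scope}")
    return findings


if __name__ == "__main__":
    for name, doc in [("wildcard", WILDCARD_POLICY), ("explicit", EXPLICIT_POLICY),
                      ("console", CONSOLE_ADMIN_POLICY)]:
        print(name, granted_actions(doc), lint_policy(doc))
```

Against the catalog, granted_actions returns the same five actions for both custom-permissions policies. Adding a hypothetical future entry such as quicksight:ExampleFutureCustomPermissions to the catalog shows the difference: only the wildcard form picks it up. That is the trade-off between the two forms: less maintenance versus a grant that grows without any change to the policy.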

IAM identity-based policies for Quick Suite: custom email report templates

The following example shows a policy that allows viewing, updating, and creating email report templates in Amazon Quick Suite, and getting the verification attributes of Amazon Simple Email Service identities. This policy allows an Amazon Quick Suite administrator to create and update custom email report templates and to confirm that any custom email address they want to send email reports from is a verified identity in SES.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:DescribeAccountCustomization",
                "quicksight:CreateAccountCustomization",
                "quicksight:UpdateAccountCustomization",
                "quicksight:DescribeEmailCustomizationTemplate",
                "quicksight:CreateEmailCustomizationTemplate",
                "quicksight:UpdateEmailCustomizationTemplate",
                "ses:GetIdentityVerificationAttributes"
            ],
            "Resource": "*"
        }
    ]
}

IAM identity-based policies for Quick Suite: create an Enterprise account with Amazon Quick Suite managed users

The following example shows a policy that allows an Amazon Quick Suite administrator to create an Enterprise edition Amazon Quick Suite account with Amazon Quick Suite managed users.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

IAM identity-based policies for Quick Suite: create users

The following example shows a policy that only allows creating Amazon Quick Suite users. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can restrict the permission to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the scope of the permission to that resource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
        }
    ]
}

IAM identity-based policies for Quick Suite: create and manage groups

The following example shows a policy that allows Amazon Quick Suite administrators and developers to create and manage groups.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:ListGroups",
                "quicksight:CreateGroup",
                "quicksight:SearchGroups",
                "quicksight:ListGroupMemberships",
                "quicksight:CreateGroupMembership",
                "quicksight:DeleteGroupMembership",
                "quicksight:DescribeGroupMembership",
                "quicksight:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}

IAM identity-based policies for Quick Suite: all access for Standard edition

The following Amazon Quick Suite Standard edition example shows a policy that allows subscribing and creating authors and readers. This example explicitly denies the user permission to unsubscribe from Amazon Quick Suite.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "iam:ListAccountAliases",
                "quicksight:CreateUser",
                "quicksight:DescribeAccountSubscription",
                "quicksight:Subscribe"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}

IAM identity-based policies for Quick Suite: all access for Enterprise edition with IAM Identity Center (Pro roles)

The following Amazon Quick Suite Enterprise edition example shows a policy that allows an Amazon Quick Suite user to subscribe to Amazon Quick Suite, create users, and manage Active Directory in an Amazon Quick Suite account that is integrated with IAM Identity Center.

The policy also allows the user to subscribe to Amazon Quick Suite Pro roles, which grant access to Amazon Q in Quick Suite Generative BI features. For more information about Pro roles in Amazon Quick Suite, see Getting started with Generative BI.

This example explicitly denies the user permission to unsubscribe from Amazon Quick Suite.

{
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "iam:CreateServiceLinkedRole",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization",
                "user-subscriptions:CreateClaim",
                "user-subscriptions:UpdateClaim",
                "sso-directory:DescribeUser",
                "sso:ListApplicationAssignments",
                "sso-directory:DescribeGroup",
                "organizations:ListAWSServiceAccessForOrganization",
                "identitystore:DescribeUser",
                "identitystore:DescribeGroup"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

IAM identity-based policies for Quick Suite: all access for Enterprise edition with IAM Identity Center

The following Amazon Quick Suite Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick Suite account that is integrated with IAM Identity Center.

This policy does not grant permission to create Pro roles in Amazon Quick Suite. To create a policy that grants permission to subscribe to Pro roles in Amazon Quick Suite, see IAM identity-based policies for Quick Suite: all access for Enterprise edition with IAM Identity Center (Pro roles).

This example explicitly denies the user permission to unsubscribe from Amazon Quick Suite.

{
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

IAM identity-based policies for Quick Suite: all access for Enterprise edition with Active Directory

The following Amazon Quick Suite Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick Suite account that uses Active Directory for identity management. This example explicitly denies the user permission to unsubscribe from Amazon Quick Suite.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "iam:ListAccountAliases",
                "quicksight:CreateAdmin",
                "quicksight:Subscribe",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}

IAM identity-based policies for Quick Suite: Active Directory groups

The following example shows an IAM policy that allows Active Directory group management for an Amazon Quick Suite Enterprise edition account.

{
    "Statement": [
        {
            "Action": [
                "ds:DescribeTrusts",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

IAM identity-based policies for Quick Suite: using the admin asset management console

The following example shows an IAM policy that allows access to the admin asset management console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:SearchGroups",
                "quicksight:SearchUsers",
                "quicksight:ListNamespaces",
                "quicksight:DescribeAnalysisPermissions",
                "quicksight:DescribeDashboardPermissions",
                "quicksight:DescribeDataSetPermissions",
                "quicksight:DescribeDataSourcePermissions",
                "quicksight:DescribeFolderPermissions",
                "quicksight:ListAnalyses",
                "quicksight:ListDashboards",
                "quicksight:ListDataSets",
                "quicksight:ListDataSources",
                "quicksight:ListFolders",
                "quicksight:SearchAnalyses",
                "quicksight:SearchDashboards",
                "quicksight:SearchFolders",
                "quicksight:SearchDatasets",
                "quicksight:SearchDatasources",
                "quicksight:UpdateAnalysisPermissions",
                "quicksight:UpdateDashboardPermissions",
                "quicksight:UpdateDataSetPermissions",
                "quicksight:UpdateDataSourcePermissions",
                "quicksight:UpdateFolderPermissions"
            ],
            "Resource": "*"
        }
    ]
}

IAM identity-based policies for Quick Suite: using the admin key management console

The following example shows an IAM policy that allows access to the admin key management console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:DescribeKeyRegistration",
                "quicksight:UpdateKeyRegistration",
                "quicksight:ListKMSKeysForUser",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:ListAliases"
            ],
            "Resource": "*"
        }
    ]
}

The "quicksight:ListKMSKeysForUser" and "kms:ListAliases" permissions are required to access customer managed keys from the Amazon Quick Suite console. "quicksight:ListKMSKeysForUser" and "kms:ListAliases" are not required to use the Amazon Quick Suite key management APIs.

To specify which keys you want users to be able to access, add the ARNs of those keys to the quicksight:KmsKeyArns condition key on UpdateKeyRegistration. Users can access only the keys specified in UpdateKeyRegistration. For more information about the condition keys that Amazon Quick Suite supports, see Condition keys for Amazon Quick Suite.

The following example grants Describe permission for all CMKs registered to the Amazon Quick Suite account, and grants Update permission for specific CMKs registered to the Amazon Quick Suite account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:DescribeKeyRegistration"
            ],
            "Resource": "arn:aws:quicksight:us-west-2:123456789012:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:UpdateKeyRegistration"
            ],
            "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "quicksight:KmsKeyArns": [
                        "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
                        "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
                        "..."
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Resource": "arn:aws:kms:us-west-2:123456789012:key/*"
        }
    ]
}
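Three evaluation rules carry the examples in this section: an explicit Deny overrides any Allow (the Standard edition policy denies quicksight:Unsubscribe), the policy variable ${aws:userid} is resolved into the Resource ARN before matching (the create-users policy), and ForAllValues:StringEquals checks every value of quicksight:KmsKeyArns against the allowed list (the key registration policy above). The following Python evaluator, an added example that is not an AWS tool and not part of the Quick Suite documentation, models just those rules so the policies can be exercised offline. It embeds trimmed copies of the three policies, substitutes the constructed account ID 111122223333 for the <YOUR_AWS_ACCOUNTID> placeholder, drops the "..." placeholder entry from the key list, and uses a constructed user ID and resource ARN for the request; only the two condition operators it needs are implemented.

```python
"""Minimal simulator of IAM identity-policy evaluation (added example, not an AWS tool).

Models three behaviours: a matching Deny ends evaluation, ${var} policy variables
are substituted into Resource before matching, and ForAllValues:StringEquals
requires every value of a multi-valued request key to be in the allowed set.
"""
import fnmatch
import json
import re

POLICY_VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")

# Trimmed from the page's Standard-edition example: Allow Subscribe, Deny Unsubscribe.
STANDARD_POLICY = '''{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": [ "quicksight:CreateUser", "quicksight:Subscribe" ], "Resource": "*" },
  { "Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*" } ] }'''

# The page's create-users example; 111122223333 is a constructed account ID.
CREATE_USER_POLICY = '''{ "Version": "2012-10-17", "Statement": [
  { "Action": [ "quicksight:CreateUser" ], "Effect": "Allow",
    "Resource": "arn:aws:quicksight::111122223333:user/${aws:userid}" } ] }'''

# The page's UpdateKeyRegistration statement, with the "..." placeholder entry dropped.
KEY_POLICY = '''{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": [ "quicksight:UpdateKeyRegistration" ],
    "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
    "Condition": { "ForAllValues:StringEquals": { "quicksight:KmsKeyArns": [
      "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
      "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2" ] } } } ] }'''


def as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def substitute(pattern, context):
    """Replace ${key} with the request's single value; unresolved variables stay literal."""
    def repl(match):
        values = context.get(match.group(1), [])
        return values[0] if len(values) == 1 else match.group(0)
    return POLICY_VAR.sub(repl, pattern)


def condition_holds(condition, context):
    """Evaluate a Condition block; context maps request keys to lists of values."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = as_list(allowed)
            present = context.get(key, [])
            if operator == "StringEquals":
                if len(present) != 1 or present[0] not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Set operator: every request value must be allowed. An absent key is
                # the empty set, which passes, so this alone does not force the key.
                if not all(v in allowed for v in present):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy_json, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        # Actions match case-insensitively; resource ARNs match case-sensitively.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, substitute(p, context))
                   for p in as_list(stmt.get("Resource"))):
            continue
        if "Condition" in stmt and not condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    me = {"aws:userid": ["AIDAEXAMPLEUSERID"]}  # constructed unique user ID
    print(evaluate(STANDARD_POLICY, "quicksight:Unsubscribe", "*"))
    print(evaluate(CREATE_USER_POLICY, "quicksight:CreateUser",
                   "arn:aws:quicksight::111122223333:user/AIDAEXAMPLEUSERID", me))
```

One result worth noticing: when quicksight:KmsKeyArns is absent from the request, ForAllValues:StringEquals evaluates to true, because every value of an empty set is trivially in the allowed list. That is IAM's documented semantics for the ForAllValues set operator, and the reason IAM guidance pairs it with a Null condition when the key must be present; whether that matters for UpdateKeyRegistration depends on the service always supplying the key, which this page does not state.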

AWS resource scoping policies in Quick Suite: Enterprise edition

The following Amazon Quick Suite Enterprise edition example shows a policy that allows setting default access to AWS resources and AWS resource permission scoping policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:*IAMPolicyAssignment*",
                "quicksight:AccountConfigurations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}