本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 整合所需的許可 如果您為要使用的整合建立 IAM 角色,而不是允許 CloudWatch Logs 建立角色,則必須包含下列許可和信任政策。如需如何建立 IAM 角色的詳細資訊,請參閱[建立角色以將許可委派給 AWS 服務](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html)。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CloudWatchLogsAccess", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults" ], "Resource": [ "*" ] }, { "Sid": "CloudWatchLogsDescribeLogGroupsAccess", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": "*" }, { "Sid": "AmazonOpenSearchCollectionAccess", "Effect": "Allow", "Action": [ "aoss:APIAccessAll" ], "Resource": "*", "Condition": { "StringLike": { "aoss:collection": "cloudwatch-logs-*" } } } ] } ``` ------ **注意** 先前的角色授予從 帳戶中所有日誌群組讀取的存取權,讓您能夠為任何日誌帳戶建立儀表板,包括跨帳戶日誌群組。如果您想要限制對特定日誌群組的存取,並僅為這些日誌群組建立儀表板,您可以將該政策中的第一個陳述式更新為下列項目: ``` { "Sid": "CloudWatchLogsAccess", "Effect": "Allow", "Action": [ "logs:StartQuery", "logs:GetLogGroupFields", "logs:GetQueryResults" ], "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup:*", "arn:aws:logs:us-east-1:123456789012:log-group:myLogGroup" ] } ```