本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Application Signals 所需的許可
本節說明啟用、管理和操作 Application Signals 所需的許可。
## 啟用和管理 Application Signals 的許可
若要管理 Application Signals,必須使用必要的許可登入。若要檢視 **CloudWatchApplicationSignalsFullAccess** 政策的內容,請參閱 [CloudWatchApplicationSignalsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsFullAccess.html)。
若要在 Amazon EC2 上啟用 Application Signals,或自訂架構,請參閱[在 Amazon EC2 上啟用 Application Signals](CloudWatch-Application-Signals-Enable-EC2Main.md)。若要在 Amazon EKS 上啟用和管理使用 [Amazon CloudWatch Observability EKS 附加元件](install-CloudWatch-Observability-EKS-addon.md)的 Application Signals,需要取得下列許可。
**重要**
這些許可包括具有 `Resource "*”` 的 `iam:PassRole` 和具有 `Resource “*”` 的 `eks:CreateAddon`。這些都是強大的許可,授予它們時應小心。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CloudWatchApplicationSignalsEksAddonManagementPermissions",
"Effect": "Allow",
"Action": [
"eks:AccessKubernetesApi",
"eks:CreateAddon",
"eks:DescribeAddon",
"eks:DescribeAddonConfiguration",
"eks:DescribeAddonVersions",
"eks:DescribeCluster",
"eks:DescribeUpdate",
"eks:ListAddons",
"eks:ListClusters",
"eks:ListUpdates",
"iam:ListRoles",
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"application-signals.cloudwatch.amazonaws.com"
]
}
}
},
{
"Sid": "CloudWatchApplicationSignalsEksCloudWatchObservabilityAddonManagementPermissions",
"Effect": "Allow",
"Action": [
"eks:DeleteAddon",
"eks:UpdateAddon"
],
"Resource": "arn:aws:eks:*:*:addon/*/amazon-cloudwatch-observability/*"
}
]
}
```
------
Application Signals 儀表板會顯示與您的 SLOs相關聯的 AWS Service Catalog AppRegistry 應用程式。若要在 SLO 頁面中檢視這些應用程式,必須取得下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
"Effect": "Allow",
"Action": "tag:GetResources",
"Resource": "*"
}
]
}
```
------
## 正在運作的 Application Signals
使用 Application Signals 來監控服務和 SLO 的服務營運商必須登入具有唯讀許可的帳戶。若要檢視 **CloudWatchApplicationSignalsReadOnlyAccess** 政策的內容,請參閱 [CloudWatchApplicationSignalsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchApplicationSignalsReadOnlyAccess.html)。
若要在 Application Signals 儀表板中查看您的 SLOs相關聯的 AWS Service Catalog AppRegistry 應用程式,您必須具有下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CloudWatchApplicationSignalsTaggingReadPermissions",
"Effect": "Allow",
"Action": "tag:GetResources",
"Resource": "*"
}
]
}
```
------
若要檢查 Amazon EKS 上是否啟用了使用 [Amazon CloudWatch Observability EKS 附加元件](install-CloudWatch-Observability-EKS-addon.md)的 Application Signals,需要取得下列許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CloudWatchApplicationSignalsResourceExplorerReadPermissions",
"Effect": "Allow",
"Action": [
"resource-explorer-2:ListIndexes",
"resource-explorer-2:Search"
],
"Resource": "*"
},
{
"Sid": "CloudWatchApplicationSignalsResourceExplorerSLRPermissions",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"resource-explorer-2.amazonaws.com"
]
}
}
},
{
"Sid": "CloudWatchApplicationSignalsResourceExplorerCreateIndexPermissions",
"Effect": "Allow",
"Action": [
"resource-explorer-2:CreateIndex"
],
"Resource": "arn:aws:resource-explorer-2:*:*:index/*"
}
]
}
```
------