本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
CloudWatch Canary 的必要角色和許可
建立和管理 Canary 的使用者以及 Canary 本身都必須具有特定許可。
AWS CloudWatch Synthetics 的 受管政策
若要新增許可給使用者、群組和角色,使用 AWS 受管政策比自己撰寫政策更容易。建立 IAM 客戶受管政策需要時間和專業知識,而受管政策可為您的團隊提供其所需的許可。若要快速開始使用,您可以使用我們的 AWS 受管政策。這些政策涵蓋常見的使用案例,並且可在您的帳戶中使用 AWS 。如需 AWS 受管政策的詳細資訊,請參閱《IAM 使用者指南》中的AWS 受管政策 AWS 受管政策。
AWS 服務會維護和更新 AWS 受管政策。您無法變更 AWS 受管政策中的許可。服務偶爾會變更 AWS 受管政策中的許可。此類型的更新會影響已連接政策的所有身分識別 (使用者、群組和角色)。
CloudWatch Synthetics 的 AWS 受管政策更新
檢視自此服務開始追蹤這些變更以來CloudWatch Synthetics AWS 受管政策更新的詳細資訊。如需有關此頁面變更的自動提醒,請訂閱 CloudWatch 文件歷史記錄頁面上的 RSS 摘要。
| 變更 | 描述 | 日期 |
|---|---|---|
|
已從 CloudWatchSyntheticsFullAccess 中移除冗餘動作 |
CloudWatch Synthetics 從 CloudWatchSyntheticsFullAccess 政策中移除了 |
2021 年 3 月 12 日 |
|
CloudWatch Synthetics 開始追蹤變更 |
CloudWatch Synthetics 開始追蹤其 AWS 受管政策的變更。 |
2021 年 3 月 10 日 |
CloudWatchSyntheticsFullAccess
以下是 CloudWatchSyntheticsFullAccess 政策的內容:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "synthetics:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutEncryptionConfiguration" ], "Resource": [ "arn:aws:s3:::cw-syn-results-*" ] }, { "Effect": "Allow", "Action": [ "iam:ListRoles", "s3:ListAllMyBuckets", "xray:GetTraceSummaries", "xray:BatchGetTraces", "apigateway:GET" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::cw-syn-*" }, { "Effect": "Allow", "Action": [ "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::aws-synthetics-library-*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "lambda.amazonaws.com", "synthetics.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:Synthetics-*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "arn:aws:cloudwatch:*:*:alarm:*" ] }, { "Effect": "Allow", "Action": [ "logs:GetLogRecord", "logs:DescribeLogStreams", "logs:StartQuery", "logs:GetLogEvents", "logs:FilterLogEvents", "logs:GetLogGroupFields" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/lambda/cwsyn-*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:AddPermission", "lambda:PublishVersion", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:DeleteFunction", "lambda:ListTags", "lambda:TagResource", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:*:*:function:cwsyn-*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetLayerVersion", "lambda:PublishLayerVersion", "lambda:DeleteLayerVersion" ], "Resource": [ "arn:aws:lambda:*:*:layer:cwsyn-*", "arn:aws:lambda:*:*:layer:Synthetics:*", "arn:aws:lambda:*:*:layer:Synthetics_Selenium:*", "arn:aws:lambda:*:*:layer:AWS-CW-Synthetics*:*" ] }, { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:ListSubscriptionsByTopic" ], "Resource": [ "arn:*:sns:*:*:Synthetics-*" ] }, { "Effect": "Allow", "Action": [ "kms:ListAliases" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "arn:aws:kms:*:*:key/*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringLike": { "kms:ViaService": [ "s3.*.amazonaws.com" ] } } } ] }
CloudWatchSyntheticsReadOnlyAccess
以下是 CloudWatchSyntheticsReadOnlyAccess 政策的內容:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "synthetics:Describe*", "synthetics:Get*", "synthetics:List*" ], "Resource": "*" } ] }
