AWSAuditManagerAdministratorAccess AWSAuditManagerServiceRolePolicy 政策更新

AWS 的受管政策 AWS Audit Manager

AWS 受管政策是由 AWS AWS 受管政策建立和管理的獨立政策旨在為許多常用案例提供許可，以便您可以開始將許可指派給使用者、群組和角色。

請記住， AWS 受管政策可能不會授予特定使用案例的最低權限許可，因為這些許可可供所有 AWS 客戶使用。我們建議您定義使用案例專屬的客戶管理政策，以便進一步減少許可。

您無法變更 AWS 受管政策中定義的許可。如果 AWS 更新 AWS 受管政策中定義的許可，則更新會影響政策連接的所有主體身分（使用者、群組和角色）。當新的 AWS 服務啟動或新的 API 操作可供現有服務使用時， AWS 最有可能更新 AWS 受管政策。

如需詳細資訊，請參閱《IAM 使用者指南》中的 AWS 受管政策。

主題

AWS 受管政策：AWSAuditManagerAdministratorAccess
AWS 受管政策：AWSAuditManagerServiceRolePolicy
AWS Audit ManagerAWS 受管政策的更新

AWS 受管政策：AWSAuditManagerAdministratorAccess

您可將 AWSAuditManagerAdministratorAccess 政策連接到 IAM 身分。

此政策會授予允許完整管理存取的管理許可 AWS Audit Manager。此存取權包括啟用和停用 AWS Audit Manager、變更中的設定 AWS Audit Manager和管理所有 Audit Manager 資源的功能，例如評估、架構、控制項和評估報告。

AWS Audit Manager 需要跨多個 AWS 服務的廣泛許可。這是因為與多個 AWS 服務 AWS Audit Manager 整合，以自動從評估範圍內的 AWS 帳戶和服務收集證據。

許可詳細資訊

此政策包含以下許可：

Audit Manager — 授予主體 AWS Audit Manager 資源的完整許可。
Organizations — 授予主體列出帳號和組織單位，以及註冊或取消註冊委派管理員。這是必要的，以便您可以啟用多帳戶支援，並允許在多個帳戶 AWS Audit Manager 上執行評估，並將證據合併到委派的管理員帳戶。
iam — 允許主體取得和列出 IAM 中使用者，以及建立服務連結角色。這是必要的，以便您可以指定評估的稽核擁有者和代理人。此政策也允許主體刪除服務連結角色，並擷取刪除狀態。這是必要的，因此當您選擇在中停用服務時， AWS Audit Manager 可以為您清除資源並刪除服務連結角色 AWS Management Console。
s3 — 允許主體列出可用 Amazon Simple Storage Service (Amazon S3) 儲存貯體。這是必要的，以便您可以指定您要在其中存放證據報告或上傳手動證據的 S3 儲存貯體。
kms — 允許主體列出和描述金鑰、列出別名以及建立授權。這是必要的，以便您可以選擇客戶管理金鑰進行資料加密。
sns — 允許主體列出 Amazon SNS 中的訂閱主題。這是必要的，以便您可以指定您希望作為 AWS Audit Manager 傳送通知目的地的 SNS 主題。
events ：允許主體列出和管理來自的檢查 AWS Security Hub。這是必要的，以便 AWS Audit Manager 可以自動收集受監控 AWS 服務 AWS Security Hub 的問題清單 AWS Security Hub。然後，它可以將此資料轉換為證據，以包含在您的 AWS Audit Manager 評估中。
tag — 允許主體擷取已標籤化的資源。這是必要的，以便您可以在 AWS Audit Manager中瀏覽架構、控制項和評估時使用標籤作為搜尋篩選條件。
controlcatalog – 允許主體列出 AWS Control Catalog 提供的網域、目標和常見控制項。這是必要的，以便您可以使用中的常見控制項功能 AWS Audit Manager。有了這些許可，您就可以在 AWS Audit Manager 控制程式庫中檢視常見控制項的清單，並依網域和目標篩選控制項。您也可以在建立自訂控制項時，使用常見控制項做為證據來源。

JSON


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AuditManagerAccess",
            "Effect": "Allow",
            "Action": [
                "auditmanager:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OrganizationsAccess",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccountsForParent",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount",
                "organizations:ListParents",
                "organizations:ListChildren"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowOnlyAuditManagerIntegration",
            "Effect": "Allow",
            "Action": [
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator",
                "organizations:EnableAWSServiceAccess"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "organizations:ServicePrincipal": [
                        "auditmanager.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "IAMAccess",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListUsers",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMAccessCreateSLR",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/auditmanager.amazonaws.com/AWSServiceRoleForAuditManager*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "auditmanager.amazonaws.com"
                }
            }
        },
        {
            "Sid": "IAMAccessManageSLR",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServiceLinkedRole",
                "iam:UpdateRoleDescription",
                "iam:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/auditmanager.amazonaws.com/AWSServiceRoleForAuditManager*"
        },
        {
            "Sid": "S3Access",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KmsAccess",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListKeys",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KmsCreateGrantAccess",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                },
                "StringLike": {
                    "kms:ViaService": "auditmanager.*.amazonaws.com"
                }
            }
        },
        {
            "Sid": "SNSAccess",
            "Effect": "Allow",
            "Action": [
                "sns:ListTopics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateEventsAccess",
            "Effect": "Allow",
            "Action": [
                "events:PutRule"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "events:detail-type": "Security Hub Findings - Imported"
                },
                "ForAllValues:StringEquals": {
                    "events:source": [
                        "aws.securityhub"
                    ]
                }
            }
        },
        {
            "Sid": "EventsAccess",
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:EnableRule",
                "events:DisableRule",
                "events:ListTargetsByRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"
        },
        {
            "Sid": "TagAccess",
            "Effect": "Allow",
            "Action": [
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
    	"Sid": "ControlCatalogAccess",
    	"Effect": "Allow",
    	"Action": [
		"controlcatalog:ListCommonControls",
		"controlcatalog:ListDomains",
		"controlcatalog:ListObjectives"
    	],
    	"Resource": "*"
        }
    ]
}

AWS 受管政策：AWSAuditManagerServiceRolePolicy

您不得將 AWSAuditManagerServiceRolePolicy 連接到 IAM 實體。此政策會連接到服務連結角色 AWSServiceRoleForAuditManager，允許代表您 AWS Audit Manager 執行動作。如需詳細資訊，請參閱使用的服務連結角色 AWS Audit Manager。

角色許可政策，AWSAuditManagerServiceRolePolicy，允許 AWS Audit Manager 代表您執行下列動作來收集自動化證據：

從下列資料來源收集資料：
- 來自的管理事件 AWS CloudTrail
- 來自的合規檢查 AWS Config 規則
- 來自的合規檢查 AWS Security Hub
使用 API 呼叫描述下列 AWS 服務的資源組態。

提示
如需 Audit Manager 用來從這些服務收集證據之 API 呼叫的詳細資訊，請參閱本指南中的自訂控制項資料來源支援的 API 呼叫。
- Amazon API Gateway
- AWS Backup
- Amazon Bedrock
- AWS Certificate Manager
- Amazon CloudFront
- AWS CloudTrail
- Amazon CloudWatch
- Amazon CloudWatch Logs
- Amazon Cognito 使用者集區
- AWS Config
- Amazon Data Firehose
- AWS Direct Connect
- Amazon DynamoDB
- Amazon EC2
- Amazon EC2 Auto Scaling
- Amazon Elastic Container Service
- Amazon Elastic File System
- Amazon Elastic Kubernetes Service
- Amazon ElastiCache
- Elastic Load Balancing
- Amazon EMR
- Amazon EventBridge
- Amazon FSx
- Amazon GuardDuty
- AWS Identity and Access Management (IAM)
- Amazon Kinesis
- AWS KMS
- AWS Lambda
- AWS License Manager
- Amazon Managed Streaming for Apache Kafka
- Amazon OpenSearch Service
- AWS Organizations
- Amazon Relational Database Service
- Amazon Redshift
- Amazon Route 53
- Amazon S3
- Amazon SageMaker AI
- AWS Secrets Manager
- AWS Security Hub
- Amazon Simple Notification Service
- Amazon Simple Queue Service
- AWS WAF

許可詳細資訊

AWSAuditManagerServiceRolePolicy 允許在指定的資源上 AWS Audit Manager 完成下列動作：

acm:GetAccountConfiguration
acm:ListCertificates
apigateway:GET
autoscaling:DescribeAutoScalingGroups
backup:ListBackupPlans
backup:ListRecoveryPointsByResource
bedrock:GetCustomModel
bedrock:GetFoundationModel
bedrock:GetModelCustomizationJob
bedrock:GetModelInvocationLoggingConfiguration
bedrock:ListCustomModels
bedrock:ListFoundationModels
bedrock:ListGuardrails
bedrock:ListModelCustomizationJobs
cloudfront:GetDistribution
cloudfront:GetDistributionConfig
cloudfront:ListDistributions
cloudtrail:DescribeTrails
cloudtrail:GetTrail
cloudtrail:ListTrails
cloudtrail:LookupEvents
cloudwatch:DescribeAlarms
cloudwatch:DescribeAlarmsForMetric
cloudwatch:GetMetricStatistics
cloudwatch:ListMetrics
cognito-idp:DescribeUserPool
config:DescribeConfigRules
config:DescribeDeliveryChannels
config:ListDiscoveredResources
directconnect:DescribeDirectConnectGateways
directconnect:DescribeVirtualGateways
dynamodb:DescribeBackup
dynamodb:DescribeContinuousBackups
dynamodb:DescribeTable
dynamodb:DescribeTableReplicaAutoScaling
dynamodb:ListBackups
dynamodb:ListGlobalTables
dynamodb:ListTables
ec2:DescribeAddresses
ec2:DescribeCustomerGateways
ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeFlowLogs
ec2:DescribeInstanceCreditSpecifications
ec2:DescribeInstanceAttribute
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations
ec2:DescribeLocalGateways
ec2:DescribeLocalGatewayVirtualInterfaces
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSecurityGroupRules
ec2:DescribeSnapshots
ec2:DescribeTransitGateways
ec2:DescribeVolumes
ec2:DescribeVpcEndpoints
ec2:DescribeVpcEndpointConnections
ec2:DescribeVpcEndpointServiceConfigurations
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
ec2:GetEbsDefaultKmsKeyId
ec2:GetEbsEncryptionByDefault
ec2:GetLaunchTemplateData
ecs:DescribeClusters
eks:DescribeAddonVersions
elasticache:DescribeCacheClusters
elasticache:DescribeServiceUpdates
elasticfilesystem:DescribeAccessPoints
elasticfilesystem:DescribeFileSystems
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeSslPolicies
elasticloadbalancing:DescribeTargetGroups
elasticmapreduce:ListClusters
elasticmapreduce:ListSecurityConfigurations
es:DescribeDomains
es:DescribeDomain
es:DescribeDomainConfig
es:ListDomainNames
events:DeleteRule
events:DescribeRule
events:DisableRule
events:EnableRule
events:ListConnections
events:ListEventBuses
events:ListEventSources
events:ListRules
events:ListTargetsByRule
events:PutRule
events:PutTargets
events:RemoveTargets
firehose:ListDeliveryStreams
fsx:DescribeFileSystems
guardduty:ListDetectors
iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed
iam:GetAccountAuthorizationDetails
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetGroupPolicy
iam:GetPolicy
iam:GetPolicyVersion
iam:GetRolePolicy
iam:GetUser
iam:GetUserPolicy
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListEntitiesForPolicy
iam:ListGroupsForUser
iam:ListGroupPolicies
iam:ListGroups
iam:ListMfaDeviceTags
iam:ListMfaDevices
iam:ListOpenIdConnectProviders
iam:ListPolicies
iam:ListPolicyVersions
iam:ListRolePolicies
iam:ListRoles
iam:ListSamlProviders
iam:ListUserPolicies
iam:ListUsers
iam:ListVirtualMFADevices
kafka:ListClusters
kafka:ListKafkaVersions
kinesis:ListStreams
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:ListGrants
kms:ListKeyPolicies
kms:ListKeys
lambda:ListFunctions
license-manager:ListAssociationsForLicenseConfiguration
license-manager:ListLicenseConfigurations
license-manager:ListUsageForLicenseConfiguration
logs:DescribeDestinations
logs:DescribeExportTasks
logs:DescribeLogGroups
logs:DescribeMetricFilters
logs:DescribeResourcePolicies
logs:FilterLogEvents
logs:GetDataProtectionPolicy
organizations:DescribeOrganization
organizations:DescribePolicy
rds:DescribeCertificates
rds:DescribeDBClusterEndpoints
rds:DescribeDBClusterParameterGroups
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBInstanceAutomatedBackups
rds:DescribeDBSecurityGroups
redshift:DescribeClusters
redshift:DescribeClusterSnapshots
redshift:DescribeLoggingStatus
route53:GetQueryLoggingConfig
s3:GetBucketAcl
s3:GetBucketLogging
s3:GetBucketOwnershipControls
s3:GetBucketPolicy
- 此 API 動作會在服務連結角色可用的 AWS 帳戶之範圍內運作。它無法存取跨帳戶儲存貯體政策。
s3:GetBucketPublicAccessBlock
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetEncryptionConfiguration
s3:GetLifecycleConfiguration
s3:ListAllMyBuckets
sagemaker:DescribeAlgorithm
sagemaker:DescribeDomain
sagemaker:DescribeEndpoint
sagemaker:DescribeEndpointConfig
sagemaker:DescribeFlowDefinition
sagemaker:DescribeHumanTaskUi
sagemaker:DescribeLabelingJob
sagemaker:DescribeModel
sagemaker:DescribeModelBiasJobDefinition
sagemaker:DescribeModelCard
sagemaker:DescribeModelQualityJobDefinition
sagemaker:DescribeTrainingJob
sagemaker:DescribeUserProfile
sagemaker:ListAlgorithms
sagemaker:ListDomains
sagemaker:ListEndpointConfigs
sagemaker:ListEndpoints
sagemaker:ListFlowDefinitions
sagemaker:ListHumanTaskUis
sagemaker:ListLabelingJobs
sagemaker:ListModels
sagemaker:ListModelBiasJobDefinitions
sagemaker:ListModelCards
sagemaker:ListModelQualityJobDefinitions
sagemaker:ListMonitoringAlerts
sagemaker:ListMonitoringSchedules
sagemaker:ListTrainingJobs
sagemaker:ListUserProfiles
securityhub:DescribeStandards
secretsmanager:DescribeSecret
secretsmanager:ListSecrets
sns:ListTagsForResource
sns:ListTopics
sqs:ListQueues
waf-regional:GetLoggingConfiguration
waf-regional:GetRule
waf-regional:GetWebAcl
waf-regional:ListRuleGroups
waf-regional:ListRules
waf-regional:ListSubscribedRuleGroups
waf-regional:ListWebACLs
waf:GetRule
waf:GetRuleGroup
waf:ListActivatedRulesInRuleGroup
waf:ListRuleGroups
waf:ListRules
waf:ListWebAcls
wafv2:ListWebAcls

JSON


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"acm:GetAccountConfiguration",
				"acm:ListCertificates",
				"autoscaling:DescribeAutoScalingGroups",
				"backup:ListBackupPlans",
				"backup:ListRecoveryPointsByResource",
				"bedrock:GetCustomModel",
				"bedrock:GetFoundationModel",
				"bedrock:GetModelCustomizationJob",
				"bedrock:GetModelInvocationLoggingConfiguration",
				"bedrock:ListCustomModels",
				"bedrock:ListFoundationModels",
				"bedrock:ListGuardrails",
				"bedrock:ListModelCustomizationJobs",
				"cloudfront:GetDistribution",
				"cloudfront:GetDistributionConfig",
				"cloudfront:ListDistributions",
				"cloudtrail:GetTrail",
				"cloudtrail:ListTrails",
				"cloudtrail:DescribeTrails",
				"cloudtrail:LookupEvents",
				"cloudwatch:DescribeAlarms",
				"cloudwatch:DescribeAlarmsForMetric",
				"cloudwatch:GetMetricStatistics",
				"cloudwatch:ListMetrics",
				"cognito-idp:DescribeUserPool",
				"config:DescribeConfigRules",
				"config:DescribeDeliveryChannels",
				"config:ListDiscoveredResources",
				"directconnect:DescribeDirectConnectGateways",
				"directconnect:DescribeVirtualGateways",
				"dynamodb:DescribeContinuousBackups",
				"dynamodb:DescribeBackup",
				"dynamodb:DescribeTableReplicaAutoScaling",
				"dynamodb:DescribeTable",
				"dynamodb:ListBackups",
				"dynamodb:ListGlobalTables",
				"dynamodb:ListTables",
				"ec2:DescribeInstanceCreditSpecifications",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeSecurityGroupRules",
				"ec2:DescribeVpcEndpointConnections",
				"ec2:DescribeVpcEndpointServiceConfigurations",
				"ec2:GetLaunchTemplateData",
				"ec2:DescribeAddresses",
				"ec2:DescribeCustomerGateways",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeFlowLogs",
				"ec2:DescribeInstances",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
				"ec2:DescribeLocalGateways",
				"ec2:DescribeLocalGatewayVirtualInterfaces",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeTransitGateways",
				"ec2:DescribeVolumes",
				"ec2:DescribeVpcEndpoints",
				"ec2:DescribeVpcPeeringConnections",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpnConnections",
				"ec2:DescribeVpnGateways",
				"ec2:GetEbsDefaultKmsKeyId",
				"ec2:GetEbsEncryptionByDefault",
				"ecs:DescribeClusters",
				"eks:DescribeAddonVersions",
				"elasticache:DescribeCacheClusters",
				"elasticache:DescribeServiceUpdates",
				"elasticfilesystem:DescribeAccessPoints",
				"elasticfilesystem:DescribeFileSystems",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeSslPolicies",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticmapreduce:ListClusters",
				"elasticmapreduce:ListSecurityConfigurations",
				"events:DescribeRule",
				"events:ListConnections",
				"events:ListEventBuses",
				"events:ListEventSources",
				"events:ListRules",
				"firehose:ListDeliveryStreams",
				"fsx:DescribeFileSystems",
				"guardduty:ListDetectors",
				"iam:GenerateCredentialReport",
				"iam:GetAccountAuthorizationDetails",
				"iam:GetAccessKeyLastUsed",
				"iam:GetCredentialReport",
				"iam:GetGroupPolicy",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRolePolicy",
				"iam:GetUser",
				"iam:GetUserPolicy",
				"iam:GetAccountPasswordPolicy",
				"iam:GetAccountSummary",
				"iam:ListAttachedGroupPolicies",
				"iam:ListAttachedUserPolicies",
				"iam:ListEntitiesForPolicy",
				"iam:ListGroupsForUser",
				"iam:ListGroupPolicies",
				"iam:ListGroups",
				"iam:ListOpenIdConnectProviders",
				"iam:ListPolicies",
				"iam:ListRolePolicies",
				"iam:ListRoles",
				"iam:ListSamlProviders",
				"iam:ListUserPolicies",
				"iam:ListUsers",
				"iam:ListVirtualMFADevices",
				"iam:ListPolicyVersions",
				"iam:ListAccessKeys",
				"iam:ListAttachedRolePolicies",
				"iam:ListMfaDeviceTags",
				"iam:ListMfaDevices",
				"kafka:ListClusters",
				"kafka:ListKafkaVersions",
				"kinesis:ListStreams",
				"kms:DescribeKey",
				"kms:GetKeyPolicy",
				"kms:GetKeyRotationStatus",
				"kms:ListGrants",
				"kms:ListKeyPolicies",
				"kms:ListKeys",
				"lambda:ListFunctions",
				"license-manager:ListAssociationsForLicenseConfiguration",
				"license-manager:ListLicenseConfigurations",
				"license-manager:ListUsageForLicenseConfiguration",
				"logs:DescribeDestinations",
				"logs:DescribeExportTasks",
				"logs:DescribeLogGroups",
				"logs:DescribeMetricFilters",
				"logs:DescribeResourcePolicies",
				"logs:FilterLogEvents",
				"logs:GetDataProtectionPolicy",
				"es:DescribeDomains",
				"es:DescribeDomain",
				"es:DescribeDomainConfig",
				"es:ListDomainNames",
				"organizations:DescribeOrganization",
				"organizations:DescribePolicy",
				"rds:DescribeCertificates",
				"rds:DescribeDBClusterEndpoints",
				"rds:DescribeDBClusterParameterGroups",
				"rds:DescribeDBInstances",
				"rds:DescribeDBSecurityGroups",
				"rds:DescribeDBClusters",
				"rds:DescribeDBInstanceAutomatedBackups",
				"redshift:DescribeClusters",
				"redshift:DescribeClusterSnapshots",
				"redshift:DescribeLoggingStatus",
				"route53:GetQueryLoggingConfig",
				"sagemaker:DescribeAlgorithm",
				"sagemaker:DescribeFlowDefinition",
				"sagemaker:DescribeHumanTaskUi",
				"sagemaker:DescribeModelBiasJobDefinition",
				"sagemaker:DescribeModelCard",
				"sagemaker:DescribeModelQualityJobDefinition",
				"sagemaker:DescribeDomain",
				"sagemaker:DescribeEndpoint",
				"sagemaker:DescribeEndpointConfig",
				"sagemaker:DescribeLabelingJob",
				"sagemaker:DescribeModel",
				"sagemaker:DescribeTrainingJob",
				"sagemaker:DescribeUserProfile",
				"sagemaker:ListAlgorithms",
				"sagemaker:ListDomains",
				"sagemaker:ListEndpoints",
				"sagemaker:ListEndpointConfigs",
				"sagemaker:ListFlowDefinitions",
				"sagemaker:ListHumanTaskUis",
				"sagemaker:ListLabelingJobs",
				"sagemaker:ListModels",
				"sagemaker:ListModelBiasJobDefinitions",
				"sagemaker:ListModelCards",
				"sagemaker:ListModelQualityJobDefinitions",
				"sagemaker:ListMonitoringAlerts",
				"sagemaker:ListMonitoringSchedules",
				"sagemaker:ListTrainingJobs",
				"sagemaker:ListUserProfiles",
				"s3:GetBucketPublicAccessBlock",
				"s3:GetBucketVersioning",
				"s3:GetEncryptionConfiguration",
				"s3:GetLifecycleConfiguration",
				"s3:ListAllMyBuckets",
				"secretsmanager:DescribeSecret",
				"secretsmanager:ListSecrets",
				"securityhub:DescribeStandards",
				"sns:ListTagsForResource",
				"sns:ListTopics",
				"sqs:ListQueues",
				"waf-regional:GetRule",
				"waf-regional:GetWebAcl",
				"waf:GetRule",
				"waf:GetRuleGroup",
				"waf:ListActivatedRulesInRuleGroup",
				"waf:ListWebAcls",
				"wafv2:ListWebAcls",
				"waf-regional:GetLoggingConfiguration",
				"waf-regional:ListRuleGroups",
				"waf-regional:ListSubscribedRuleGroups",
				"waf-regional:ListWebACLs",
				"waf-regional:ListRules",
				"waf:ListRuleGroups",
				"waf:ListRules"
			],
			"Resource": "*",
			"Sid": "APIsAccess"
		},
		{
			"Sid": "S3Access",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketAcl",
				"s3:GetBucketLogging",
				"s3:GetBucketOwnershipControls",
				"s3:GetBucketPolicy",
				"s3:GetBucketTagging"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": [
						"${aws:PrincipalAccount}"
					]
				}
			}
		},
		{
			"Sid": "APIGatewayAccess",
			"Effect": "Allow",
			"Action": [
				"apigateway:GET"
			],
			"Resource": [
				"arn:aws:apigateway:*::/restapis",
				"arn:aws:apigateway:*::/restapis/*/stages/*",
				"arn:aws:apigateway:*::/restapis/*/stages"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": [
						"${aws:PrincipalAccount}"
					]
				}
			}
		},
		{
			"Sid": "CreateEventsAccess",
			"Effect": "Allow",
			"Action": [
				"events:PutRule"
			],
			"Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver",
			"Condition": {
				"StringEquals": {
					"events:detail-type": "Security Hub Findings - Imported"
				},
				"Null": {
					"events:source": "false"
				},
				"ForAllValues:StringEquals": {
					"events:source": [
						"aws.securityhub"
					]
				}
			}
		},
		{
			"Sid": "EventsAccess",
			"Effect": "Allow",
			"Action": [
				"events:DeleteRule",
				"events:DescribeRule",
				"events:EnableRule",
				"events:DisableRule",
				"events:ListTargetsByRule",
				"events:PutTargets",
				"events:RemoveTargets"
			],
			"Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"
		}
	]
}

AWS Audit ManagerAWS 受管政策的更新

檢視自此服務開始追蹤這些變更 AWS Audit Manager 以來， AWS 受管政策更新的詳細資訊。如需此頁面變更的自動提醒，請訂閱 AWS Audit Manager 文件歷史記錄頁面上的 RSS 摘要。

變更	描述	日期
AWSAuditManagerServiceRolePolicy — 更新至現有政策	服務連結角色現在允許 AWS Audit Manager 執行 `bedrock:ListGuardrails`動作。需要此 API 動作才能支援 AWS 生成式 AI 最佳實務架構 v2。它可讓 Audit Manager 收集有關生成式 AI 模型資料訓練資料集的防護機制的自動化證據。	09/24/2024
AWSAuditManagerServiceRolePolicy — 更新至現有政策	我們已將下列許可新增至 `AWSAuditManagerServiceRolePolicy`。 AWS Audit Manager 現在可以執行下列動作，以收集有關中資源的自動化證據 AWS 帳戶。 `sagemaker:DescribeAlgorithm` `sagemaker:DescribeDomain` `sagemaker:DescribeEndpoint` `sagemaker:DescribeFlowDefinition` `sagemaker:DescribeHumanTaskUi` `sagemaker:DescribeLabelingJob` `sagemaker:DescribeModel` `sagemaker:DescribeModelBiasJobDefinition` `sagemaker:DescribeModelCard` `sagemaker:DescribeModelQualityJobDefinition` `sagemaker:DescribeTrainingJob` `sagemaker:DescribeUserProfile` `sagemaker:ListAlgorithms` `sagemaker:ListDomains` `sagemaker:ListEndpoints` `sagemaker:ListFlowDefinitions` `sagemaker:ListHumanTaskUis` `sagemaker:ListLabelingJobs` `sagemaker:ListModels` `sagemaker:ListModelBiasJobDefinitions` `sagemaker:ListModelCards` `sagemaker:ListModelQualityJobDefinitions` `sagemaker:ListMonitoringAlerts` `sagemaker:ListMonitoringSchedules` `sagemaker:ListTrainingJobs` `sagemaker:ListUserProfiles`	06/10/2024
AWSAuditManagerServiceRolePolicy — 更新至現有政策	我們已將下列許可新增至 `AWSAuditManagerServiceRolePolicy`。 AWS Audit Manager 現在可以執行下列動作，以收集有關中資源的自動化證據 AWS 帳戶。 `iam:ListAttachedGroupPolicies` `iam:ListAttachedUserPolicies` `iam:ListGroupsForUser` `es:ListDomainNames` 我們也在政策 () 的 `APIGatewayAccess`區段中新增了新的資源`arn:aws:apigateway:*::/restapis`。政策現在不僅對 API Gateway REST APIs 的階段和階段資源授予指定的許可（在此案例中為 `apigateway:GET`動作），還對 REST APIs本身授予指定許可。除了與這些 APIs 相關聯的階段和階段資源之外，此變更可有效地擴展政策的範圍，包括擷取 API Gateway REST APIs 本身相關資訊的能力。	05/17/2024
AWSAuditManagerAdministratorAccess — 更新至現有政策	我們將以下許可新增到 `AWSAuditManagerAdministratorAccess`： `controlcatalog:ListCommonControls` `controlcatalog:ListDomains` `controlcatalog:ListObjectives` 此更新可讓您檢視 Control Catalog 提供的 AWS 控制網域、控制目標和常見控制項。如果您想要使用中的常見控制項功能，則需要這些許可 AWS Audit Manager。	05/15/2024
AWSAuditManagerServiceRolePolicy – 更新現有政策	我們已將下列許可新增至 `AWSAuditManagerServiceRolePolicy`。 AWS Audit Manager 現在可以執行下列動作，以收集有關中資源的自動化證據 AWS 帳戶。 `apigateway:GET` `autoscaling:DescribeAutoScalingGroups` `backup:ListBackupPlans` `cloudfront:GetDistribution` `cloudfront:GetDistributionConfig` `cloudfront:ListDistributions` `cloudtrail:GetTrail` `cloudtrail:ListTrails` `dynamodb:DescribeContinuousBackups` `dynamodb:DescribeBackup` `dynamodb:DescribeTableReplicaAutoScaling` `ec2:DescribeInstanceCreditSpecifications` `ec2:DescribeInstanceAttribute` `ec2:DescribeSecurityGroupRules` `ec2:DescribeVpcEndpointConnections` `ec2:DescribeVpcEndpointServiceConfigurations` `ec2:GetLaunchTemplateData` `es:DescribeDomains` `es:DescribeDomain` `es:DescribeDomainConfig` `iam:GetAccessKeyLastUsed` `iam:GetGroupPolicy` `iam:GetPolicy` `iam:GetPolicyVersion` `iam:GetRolePolicy` `iam:GetUser` `iam:GetUserPolicy` `iam:ListAccessKeys` `iam:ListAttachedRolePolicies` `iam:ListMfaDeviceTags` `iam:ListMfaDevices` `iam:ListPolicyVersions` `logs:GetDataProtectionPolicy` `rds:DescribeDBInstanceAutomatedBackups` `rds:DescribeDBClusterEndpoints` `rds:DescribeDBClusterParameterGroups` `redshift:DescribeClusterSnapshots` `redshift:DescribeLoggingStatus` `s3:GetBucketAcl` `s3:GetBucketLogging` `s3:GetBucketOwnershipControls` `s3:GetBucketTagging` `sagemaker:DescribeEndpointConfig` `sagemaker:ListEndpointConfigs` `secretsmanager:DescribeSecret` `secretsmanager:ListSecrets` `sns:ListTagsForResource` `waf-regional:GetRule` `waf-regional:GetWebAcl` `waf-regional:ListRules` `waf:GetRule` `waf:GetRuleGroup` `waf:ListRuleGroups` `waf:ListRules` `waf:ListWebAcls` `wafv2:ListWebAcls`	05/15/2024
AWSAuditManagerServiceRolePolicy – 更新現有政策	服務連結角色現在允許 AWS Audit Manager 執行 `s3:GetBucketPolicy`動作。需要此 API 動作才能支援 AWS 生成式 AI 最佳實務架構 v2。它可讓 Audit Manager 收集有關您生成式 AI 模型資料訓練資料集之政策限制的自動化證據。 `GetBucketPolicy` 動作會在可使用 AWS 帳戶 service-linked-role的範圍內操作。它無法存取跨帳戶儲存貯體政策。	12/06/2023
AWSAuditManagerServiceRolePolicy – 更新現有政策	我們已將下列許可新增至 `AWSAuditManagerServiceRolePolicy`。 AWS Audit Manager 現在可以執行下列動作，以收集有關中資源的自動化證據 AWS 帳戶。 `acm:GetAccountConfiguration` `acm:ListCertificates` `backup:ListRecoveryPointsByResource` `bedrock:GetCustomModel` `bedrock:GetFoundationModel` `bedrock:GetModelCustomizationJob` `bedrock:GetModelInvocationLoggingConfiguration` `bedrock:ListCustomModels` `bedrock:ListFoundationModels` `bedrock:ListModelCustomizationJobs` `cloudtrail:LookupEvents` `cloudwatch:DescribeAlarmsForMetric` `cloudwatch:GetMetricStatistics` `cloudwatch:ListMetrics` `directconnect:DescribeDirectConnectGateways` `directconnect:DescribeVirtualGateways` `dynamodb:ListBackups` `dynamodb:ListGlobalTables` `ec2:DescribeAddresses` `ec2:DescribeCustomerGateways` `ec2:DescribeEgressOnlyInternetGateways` `ec2:DescribeInternetGateways` `ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations` `ec2:DescribeLocalGateways` `ec2:DescribeLocalGatewayVirtualInterfaces` `ec2:DescribeNatGateways` `ec2:DescribeTransitGateways` `ec2:DescribeVpcPeeringConnections` `ec2:DescribeVpnConnections` `ec2:DescribeVpnGateways` `ec2:GetEbsDefaultKmsKeyId` `ec2:GetEbsEncryptionByDefault` `ecs:DescribeClusters` `eks:DescribeAddonVersions` `elasticache:DescribeCacheClusters` `elasticache:DescribeServiceUpdates` `elasticfilesystem:DescribeAccessPoints` `elasticloadbalancing:DescribeLoadBalancers` `elasticloadbalancing:DescribeSslPolicies` `elasticloadbalancing:DescribeTargetGroups` `elasticmapreduce:ListClusters` `elasticmapreduce:ListSecurityConfigurations` `events:ListConnections` `events:ListEventBuses` `events:ListEventSources` `events:ListRules` `firehose:ListDeliveryStreams` `fsx:DescribeFileSystems` `iam:GetAccountPasswordPolicy` `iam:GetCredentialReport` `iam:ListOpenIdConnectProviders` `iam:ListSamlProviders` `iam:ListVirtualMFADevices` `kafka:ListClusters` `kafka:ListKafkaVersions` `kinesis:ListStreams` `lambda:ListFunctions` `logs:DescribeDestinations` `logs:DescribeExportTasks` `logs:DescribeLogGroups` `logs:DescribeMetricFilters` `logs:DescribeResourcePolicies` `logs:FilterLogEvents` `rds:DescribeCertificates` `rds:DescribeDbClusterEndpoints` `rds:DescribeDbClusterParameterGroups` `rds:DescribeDbClusters` `rds:DescribeDbSecurityGroups` `redshift:DescribeClusters` `s3:GetBucketPublicAccessBlock` `s3:GetBucketVersioning` `sns:ListTopics` `sqs:ListQueues` `waf-regional:GetLoggingConfiguration` `waf-regional:ListRuleGroups` `waf-regional:ListSubscribedRuleGroups` `waf-regional:ListWebACLs`	11/06/2023
AWSAuditManagerServiceRolePolicy – 更新現有政策	我們將以下許可新增到 `AWSAuditManagerServiceRolePolicy`： `dynamodb:DescribeTable` `dynamodb:ListTables` `ec2:DescribeVolumes` `kms:GetKeyPolicy` `kms:GetKeyRotationStatus` `kms:ListKeyPolicies` `rds:DescribeDBInstances` `redshift:DescribeClusters` `s3:GetEncryptionConfiguration` `s3:ListAllMyBuckets`	07/07/2022
AWSAuditManagerServiceRolePolicy — 更新至現有政策	服務連結角色現在允許 AWS Audit Manager 執行 `organizations:DescribeOrganization`動作。我們還將 `CreateEventsAccess` 資源範圍從萬用字元 (``) 縮小到特定類型的資源 (`arn:aws:events::*:rule/AuditManagerSecurityHubFindingsReceiver`)。最後，我們為 `Null` 條件索引鍵添加 `events:source` 條件運算子，以確認來源值存在且其值不為 null。	05/20/2022
AWSAuditManagerAdministratorAccess — 更新至現有政策	我們已更新的金鑰條件政策，`events:source`以反映這是多值金鑰。	04/29/2022
AWSAuditManagerServiceRolePolicy — 更新至現有政策	我們已更新的金鑰條件政策，`events:source`以反映這是多值金鑰。	03/16/2022
AWS Audit Manager 開始追蹤變更	AWS Audit Manager 開始追蹤其 AWS 受管政策的變更。	05/06/2021

您的瀏覽器已停用或無法使用 Javascript。

您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。

文件慣用形式

資源型政策範例

故障診斷

AWS 的 受管政策 AWS Audit Manager

主題

AWS 受管政策：AWSAuditManagerAdministratorAccess

AWS 受管政策：AWSAuditManagerServiceRolePolicy

提示

AWS Audit ManagerAWS 受管政策的更新

AWS 的受管政策 AWS Audit Manager