


# Using the console to bulk migrate your policies
<a name="migrate-granularaccess-console"></a>

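**Note**  
The following AWS Identity and Access Management (IAM) actions reached the end of standard support in July 2023:  
+ `aws-portal` namespace
+ `purchase-orders:ViewPurchaseOrders`
+ `purchase-orders:ModifyPurchaseOrders`

If you're using AWS Organizations, you can use the [bulk policy migrator scripts](migrate-iam-permissions.md) or the bulk policy migrator to update policies from your payer account. You can also use the [old to granular action mapping reference](migrate-granularaccess-iam-mapping-reference.md) to verify the IAM actions that need to be added.  
If you have an AWS account, or are part of an AWS Organizations organization, created on or after March 6, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.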

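This section describes how to use the [AWS Billing and Cost Management console](https://console.aws.amazon.com/billing/) to bulk migrate your legacy policies from your Organizations accounts or standard accounts to the fine-grained actions. You can complete the migration of your legacy policies using the console in two ways:

**Using the AWS recommended migration process**  
This is a streamlined, single-action process in which you migrate legacy actions to the fine-grained actions as mapped by AWS. For more information, see [Using recommended actions to bulk migrate legacy policies](migrate-console-streamlined.md).

**Using the customized migration process**  
This process lets you review and change the actions recommended by AWS before the bulk migration, and customize which accounts in your organization are migrated. For more information, see [Customizing actions to bulk migrate legacy policies](migrate-console-customized.md).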

## Prerequisites for bulk migrating using the console
<a name="migrate-granularaccess-console-prereq"></a>

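Both migration options require you to give consent in the console so that AWS can recommend fine-grained actions for the legacy IAM actions that you have assigned. To do this, you need to sign in to your AWS account as an [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) with the following IAM actions to continue with the policy updates.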

------
#### [ Management account ]

```
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced",
"aws-portal:UpdateConsoleActionSetEnforced",
"purchase-orders:UpdateConsoleActionSetEnforced",
"iam:GetAccountAuthorizationDetails",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"scheduler:GetSchedule", 
"scheduler:DeleteSchedule",
"scheduler:CreateSchedule",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackSets",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:ListStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:CreateStack",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:DescribeStacks",
"ec2:DescribeRegions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"sts:AssumeRole",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:GetInlinePolicyForPermissionSet",
"sso:DescribePermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ProvisionPermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
```

------
#### [ Member account or standard account ]

```
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced", // Not needed for member account
"aws-portal:UpdateConsoleActionSetEnforced", // Not needed for member account
"purchase-orders:UpdateConsoleActionSetEnforced", // Not needed for member account
"iam:GetAccountAuthorizationDetails",
"ec2:DescribeRegions",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl", 
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
```

------

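**Topics**
+ [Prerequisites for bulk migrating using the console](#migrate-granularaccess-console-prereq)
+ [Using recommended actions to bulk migrate legacy policies](migrate-console-streamlined.md)
+ [Customizing actions to bulk migrate legacy policies](migrate-console-customized.md)
+ [Rolling back your bulk migration policy changes](migrate-console-rollback.md)
+ [Confirming your migration](#migrate-console-complete)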

## Confirming your migration
<a name="migrate-console-complete"></a>

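You can use the migration tool to see whether any AWS Organizations accounts still need to be migrated.

**To confirm whether all accounts have been migrated**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/).

1. In the search bar at the top of the page, enter **Bulk Policy Migrator**.

1. On the **Manage new IAM actions** page, choose the **Migrate accounts** tab.

If the table doesn't show any remaining accounts, all accounts have been successfully migrated.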
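
An added example (not AWS tooling and not code from this page): an offline check that scans an IAM policy document for the legacy actions named in the note at the top of this page, so that remaining references can be found before or after a migration. It assumes the policy documents have already been exported as JSON; the function names and the sample policy are constructed for illustration.

```python
import re

# Legacy names from the note at the top of this page.
LEGACY_NAMESPACE = "aws-portal"
LEGACY_ACTIONS = ("purchase-orders:ViewPurchaseOrders",
                  "purchase-orders:ModifyPurchaseOrders")

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def legacy_hits(pattern):
    """Return the legacy names that one Action pattern refers to."""
    if pattern == "*":
        return []  # assumption: a bare full wildcard is reviewed separately
    if pattern.split(":", 1)[0].lower() == LEGACY_NAMESPACE:
        return [pattern]
    # IAM action names are case-insensitive and allow the * and ? wildcards.
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    rx = re.compile(f"^{body}$", re.IGNORECASE)
    return [a for a in LEGACY_ACTIONS if rx.match(a)]

def find_legacy_statements(policy_document):
    """Return (statement index, element, pattern, hits) per legacy reference."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        for element in ("Action", "NotAction"):
            for pattern in _as_list(stmt.get(element)):
                hits = legacy_hits(pattern)
                if hits:
                    findings.append((i, element, pattern, hits))
    return findings

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["aws-portal:ViewBilling", "ce:GetCostAndUsage"]},
    {"Effect": "Allow", "Resource": "*", "Action": "purchase-orders:View*"},
    {"Effect": "Deny", "Resource": "*",
     "NotAction": "PURCHASE-ORDERS:modifypurchaseorders"},
    {"Effect": "Allow", "Resource": "*", "Action": "s3:GetObject"},
]}

if __name__ == "__main__":
    for idx, element, pattern, hits in find_legacy_statements(SAMPLE_POLICY):
        print(f"Statement[{idx}] {element} {pattern!r} -> {hits}")
```

A hit in `NotAction` deserves separate review, because the statement's effect applies to everything except the listed action.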