This page is a machine translation of the English version; if there is any ambiguity or inconsistency, the English version takes precedence.
Step 2: Add the required IAM permissions to your account in Detective
This topic describes the AWS Identity and Access Management (IAM) permissions policy that you must add to your IAM identity. To enable the integration between Detective and Security Lake, attach the following IAM permissions policy to the IAM identity that will use the integration.
Attach the following inline policy to the role. The policy contains two placeholders that you must replace before attaching it. If you want to store Athena query results in your own Amazon S3 bucket, replace amzn-s3-demo-bucket (in both Resource ARNs of the S3ObjectPermissions statement) with the name of your bucket. If you want Detective to create the Amazon S3 bucket for Athena query results itself, remove the entire statement whose Sid is S3ObjectPermissions from the policy. In the remaining statements, replace the example account ID 123456789012 with the AWS account ID of the account in which you are attaching the policy. Leave the Glue, SSM and Organizations resources and conditions as they are; they scope the policy to the Security Lake databases and tables (amazon_security_lake*), the Detective parameter path (/Detective/SLI) and the Security Lake service principal, and widening them would grant more access than the integration needs.
If you do not have the permissions required to attach this policy to your IAM identity, contact your AWS administrator. If you have the required permissions but still run into a problem, see Troubleshooting access denied error messages in the IAM User Guide.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3ObjectPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:*:123456789012:database/amazon_security_lake*",
        "arn:aws:glue:*:123456789012:table/amazon_security_lake*/amazon_security_lake*",
        "arn:aws:glue:*:123456789012:catalog"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:BatchGetQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetQueryRuntimeStatistics",
        "athena:GetWorkGroup",
        "athena:ListQueryExecutions",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "lakeformation:GetDataAccess",
        "ram:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:*:123456789012:parameter/Detective/SLI"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "securitylake.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
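The two customizations described above (substituting your bucket name, or dropping the S3ObjectPermissions statement when Detective should create the bucket, plus replacing the example account ID) are easy to get half-right by hand, for example by editing only one of the two S3 ARNs. The following script is an added example, not AWS or Detective tooling: it holds the policy from this page as a template, renders it for a given account ID and optional bucket, checks that no placeholder survived, and can attach the result with iam:PutRolePolicy. The function names (render_policy, placeholders_left, attach_inline_policy), the account ID 111122223333 and the bucket name my-athena-results are this example's own assumptions.

```python
"""Render the Detective / Security Lake inline policy from the template on
this page and apply the customizations the page describes.

Added example; not AWS's or Detective's own tooling. Function names and the
sample account ID / bucket name in __main__ are assumptions of this example.
"""
import copy
import json
import re

ACCOUNT_PLACEHOLDER = "123456789012"        # example account ID used on the page
BUCKET_PLACEHOLDER = "amzn-s3-demo-bucket"  # example bucket name used on the page
S3_OBJECT_SID = "S3ObjectPermissions"       # dropped when Detective creates the bucket

# The policy from this page, statement for statement (only whitespace differs).
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": S3_OBJECT_SID, "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET_PLACEHOLDER}",
                      f"arn:aws:s3:::{BUCKET_PLACEHOLDER}/*"]},
        {"Effect": "Allow",
         "Action": ["glue:GetDatabases", "glue:GetPartitions",
                    "glue:GetTable", "glue:GetTables"],
         "Resource": [
             f"arn:aws:glue:*:{ACCOUNT_PLACEHOLDER}:database/amazon_security_lake*",
             f"arn:aws:glue:*:{ACCOUNT_PLACEHOLDER}:table/amazon_security_lake*/amazon_security_lake*",
             f"arn:aws:glue:*:{ACCOUNT_PLACEHOLDER}:catalog"]},
        {"Effect": "Allow",
         "Action": ["athena:BatchGetQueryExecution", "athena:GetQueryExecution",
                    "athena:GetQueryResults", "athena:GetQueryRuntimeStatistics",
                    "athena:GetWorkGroup", "athena:ListQueryExecutions",
                    "athena:StartQueryExecution", "athena:StopQueryExecution",
                    "lakeformation:GetDataAccess", "ram:ListResources"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParametersByPath"],
         "Resource": [f"arn:aws:ssm:*:{ACCOUNT_PLACEHOLDER}:parameter/Detective/SLI"]},
        {"Effect": "Allow",
         "Action": ["cloudformation:GetTemplateSummary", "iam:ListRoles"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["organizations:ListDelegatedAdministrators"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "organizations:ServicePrincipal": ["securitylake.amazonaws.com"]}}},
    ],
}

# 12-digit account ID; bucket name 3-63 chars of lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_ACCOUNT_RE = re.compile(r"\d{12}")
_BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def render_policy(account_id, athena_results_bucket=None):
    """Return the policy with placeholders substituted.

    athena_results_bucket=None means "let Detective create the bucket", so
    the S3ObjectPermissions statement is removed, as the page instructs.
    """
    if not _ACCOUNT_RE.fullmatch(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    if athena_results_bucket is not None and not _BUCKET_RE.fullmatch(athena_results_bucket):
        raise ValueError(f"not a valid S3 bucket name: {athena_results_bucket!r}")

    policy = copy.deepcopy(POLICY_TEMPLATE)  # never mutate the template
    policy["Statement"] = [
        s for s in policy["Statement"]
        if not (s.get("Sid") == S3_OBJECT_SID and athena_results_bucket is None)
    ]
    # Substitute on the serialized form so every ARN is covered at once.
    text = json.dumps(policy).replace(ACCOUNT_PLACEHOLDER, account_id)
    if athena_results_bucket is not None:
        text = text.replace(BUCKET_PLACEHOLDER, athena_results_bucket)
    return json.loads(text)


def placeholders_left(policy):
    """List any page placeholders that survived rendering (should be empty)."""
    text = json.dumps(policy)
    return [p for p in (ACCOUNT_PLACEHOLDER, BUCKET_PLACEHOLDER) if p in text]


def attach_inline_policy(role_name, policy_name, policy):
    """Attach the rendered document to a role with iam:PutRolePolicy.

    Needs boto3 and AWS credentials, so boto3 is imported lazily; everything
    else in this file runs offline.
    """
    import boto3
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name,
        PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    doc = render_policy("111122223333", athena_results_bucket="my-athena-results")
    assert not placeholders_left(doc)
    print(json.dumps(doc, indent=2))
```

Run it without arguments to print the rendered document; call render_policy("111122223333") with no bucket to get the six-statement variant for the case where Detective creates the bucket. placeholders_left is the check worth keeping in any deployment pipeline: a policy that still contains 123456789012 attaches without error but grants Glue and SSM access in the wrong account, which is the kind of mistake IAM will not flag for you.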