

This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Step 2: Add the required IAM permissions to your account in Detective
<a name="iam-permissions"></a>

This topic describes the AWS Identity and Access Management (IAM) permissions policy that you must add to your IAM identity.

To enable the integration of Detective with Security Lake, you must attach the following AWS Identity and Access Management (IAM) permissions policy to your IAM identity.

Attach the following inline policy to the role. If you want to use your own Amazon S3 bucket to store Athena query results, replace `athena-results-bucket` (shown as `amzn-s3-demo-bucket` in the policy below) with the name of your Amazon S3 bucket. If you want Detective to generate an Amazon S3 bucket for Athena query results automatically, remove the entire `S3ObjectPermissions` statement from the IAM policy.

If you do not have the permissions required to attach this policy to your IAM identity, contact your AWS administrator. If you have the required permissions but run into problems, see [Troubleshooting access denied error messages](https://docs.aws.amazon.com//IAM/latest/UserGuide/troubleshoot_access-denied.html) in the IAM User Guide.

------
#### [ JSON ]


```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3ObjectPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabases",
                "glue:GetPartitions",
                "glue:GetTable",
                "glue:GetTables"
            ],
            "Resource": [
                "arn:aws:glue:*:123456789012:database/amazon_security_lake*",
                "arn:aws:glue:*:123456789012:table/amazon_security_lake*/amazon_security_lake*",
                "arn:aws:glue:*:123456789012:catalog"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryRuntimeStatistics",
                "athena:GetWorkGroup",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "lakeformation:GetDataAccess",
                "ram:ListResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:ssm:*:123456789012:parameter/Detective/SLI"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetTemplateSummary",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": [
                        "securitylake.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------
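As an added example (not code from the AWS documentation or from Detective), the following Python applies the two customizations described above to the policy: it fills in the account ID and either points the `S3ObjectPermissions` statement at your own Athena results bucket or drops that statement so Detective generates the bucket, then checks that no sample values are left before the policy is attached. The account ID `111122223333`, the bucket name `my-athena-results` and the trimmed policy are constructed for this example, and treating `123456789012` and `amzn-s3-demo-bucket` as placeholders is an assumption.

```python
import copy
import json
import re

# Sample values from this page's policy (assumption: placeholders to replace before attaching).
PLACEHOLDER_ACCOUNT = "123456789012"
PLACEHOLDER_BUCKET = "amzn-s3-demo-bucket"

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17", "Statement": [
    {"Sid": "S3ObjectPermissions", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"]},
    {"Effect": "Allow", "Action": ["ssm:GetParametersByPath"],
     "Resource": ["arn:aws:ssm:*:123456789012:parameter/Detective/SLI"]},
    {"Effect": "Allow", "Action": ["athena:StartQueryExecution"], "Resource": "*"}
  ]
}""")  # trimmed copy of the page's policy, constructed for this example

def customize_policy(policy, account_id, results_bucket=None):
    """Fill in the account ID; point S3ObjectPermissions at results_bucket, or drop
    that statement (results_bucket=None) so Detective generates the bucket itself."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    doc, kept = copy.deepcopy(policy), []
    for stmt in doc["Statement"]:
        if stmt.get("Sid") == "S3ObjectPermissions":
            if results_bucket is None:
                continue
            stmt["Resource"] = [f"arn:aws:s3:::{results_bucket}",
                                f"arn:aws:s3:::{results_bucket}/*"]
        res = stmt["Resource"]  # a single "*" string or a list of ARNs
        if isinstance(res, list):
            stmt["Resource"] = [r.replace(PLACEHOLDER_ACCOUNT, account_id) for r in res]
        kept.append(stmt)
    doc["Statement"] = kept
    return doc

def lint_policy(policy):
    """Pre-attach checks: no sample values left behind, no wildcard actions."""
    text, problems = json.dumps(policy), []
    if PLACEHOLDER_ACCOUNT in text:
        problems.append("sample account ID still present")
    if PLACEHOLDER_BUCKET in text:
        problems.append("sample bucket name still present")
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(a == "*" or a.endswith(":*") for a in acts):
            problems.append(f"wildcard action in statement {stmt.get('Sid', '<no Sid>')}")
    return problems
```

Run `lint_policy` on the full policy from this page after `customize_policy`, and attach it only once the returned list is empty.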