

This page is a machine translation of the English version. If the content is ambiguous or inconsistent, the English version prevails.

# Identity-based policy examples for Amazon EVS
<a name="security-iam-id-based-policy-examples"></a>

By default, IAM users and roles don't have permission to create or modify Amazon EVS resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the Amazon EVS console](#security-iam-id-based-policy-examples-console)
+ [Allow users to view their own permissions](#security-iam-id-based-policy-examples-view-own-permissions)
+ [Create and manage Amazon EVS environments](#security-iam-id-based-policy-examples-create-env)
+ [Get and list Amazon EVS environments, hosts, and VLANs](#security-iam-id-based-policy-examples-list-env)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Amazon EVS resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+  **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the AWS managed policies that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+  **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+  **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+  **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+  **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Configuring MFA-protected API access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

## Using the Amazon EVS console
<a name="security-iam-id-based-policy-examples-console"></a>

To access the Amazon EVS console, an IAM principal must have a minimum set of permissions. These permissions must allow the principal to list and view details about the Amazon EVS resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for principals with that policy.

To ensure that your IAM principals can still use the Amazon EVS console, create a policy with your own unique name, such as `AmazonEVSAdminPolicy`. Attach the policy to the principal. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "evs:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EVSServiceLinkedRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/evs.amazonaws.com/AWSServiceRoleForEVS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "evs.amazonaws.com"
                }
            }
        }
    ]
}
```

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operations that you're trying to perform.

## Allow users to view their own permissions
<a name="security-iam-id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Create and manage Amazon EVS environments
<a name="security-iam-id-based-policy-examples-create-env"></a>

This example policy includes the permissions required to create and delete Amazon EVS environments, and to add or delete hosts after an environment has been created.

Replace *AWS Region* with the AWS Region where you want to create the environment. If your account already has the `AWSServiceRoleForAmazonEVS` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you have ever created an Amazon EVS environment in your account, the role with these permissions already exists, unless you deleted it.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyDescribeActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeHosts",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeAddresses",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstances",
                "ec2:DescribeRouteServers",
                "ec2:DescribeRouteServerEndpoints",
                "ec2:DescribeRouteServerPeers",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeVolumes",
                "ec2:DescribeSecurityGroups",
                "support:DescribeServices",
                "support:DescribeSupportLevel",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ModifyNetworkInterfaceStatement",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "ModifyNetworkInterfaceStatementForSubnetAssociation",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "arn:aws:ec2:*:*:subnet/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "CreateNetworkInterfaceWithTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "CreateNetworkInterfaceAdditionalResources",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "TagOnCreateEC2Resources",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:subnet/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "CreateNetworkInterface",
                        "RunInstances",
                        "CreateSubnet",
                        "CreateVolume"
                    ]
                },
                "Null": {
                    "aws:RequestTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "DetachNetworkInterface",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "RunInstancesWithTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "RunInstancesWithTagResource",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "RunInstancesWithoutTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:image/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:placement-group/*"
            ]
        },
        {
            "Sid": "TerminateInstancesWithTag",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "CreateSubnetWithTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "CreateSubnetWithoutTagForExistingVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*"
            ]
        },
        {
            "Sid": "DeleteSubnetWithTag",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSubnet"
            ],
            "Resource": "arn:aws:ec2:*:*:subnet/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "VolumeDeletion",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "VolumeDetachment",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "RouteServerAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:GetRouteServerAssociations"
            ],
            "Resource": "arn:aws:ec2:*:*:route-server/*"
        },
        {
            "Sid": "EVSServiceLinkedRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/evs.amazonaws.com/AWSServiceRoleForEVS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "evs.amazonaws.com"
                }
            }
        },
        {
            "Sid": "SecretsManagerCreateWithTag",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/AmazonEVSManaged": "true"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "AmazonEVSManaged"
                    ]
                }
            }
        },
        {
            "Sid": "SecretsManagerTagging",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:TagResource"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/AmazonEVSManaged": "true",
                    "aws:ResourceTag/AmazonEVSManaged": "true"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "AmazonEVSManaged"
                    ]
                }
            }
        },
        {
            "Sid": "SecretsManagerOps",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DeleteSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:UpdateSecret"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/AmazonEVSManaged": "false"
                }
            }
        },
        {
            "Sid": "SecretsManagerRandomPassword",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EVSPermissions",
            "Effect": "Allow",
            "Action": [
                "evs:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KMSKeyAccessInConsole",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "KMSKeyAliasAccess",
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases"
            ],
            "Resource": "*"
        }
    ]
}
```
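Most statements in the policy above are scoped with `Null`, `StringEquals` and `ForAllValues:StringEquals` conditions on the `AmazonEVSManaged` tag. As an added example that is not part of the AWS documentation, the following Python evaluates those three operators against constructed request contexts for two statements copied from the policy; the function names, the sample contexts and the omission of Resource ARN matching are assumptions of this example.

```python
import fnmatch

def _listify(v):
    return v if isinstance(v, list) else [v]

def _match(op, key, expected, ctx):
    """One condition key vs. the request context. An absent key is 'null':
    Null:"false" requires presence (any value), Null:"true" requires absence."""
    expected = _listify(expected)
    if op == "Null":
        return (key not in ctx) == (expected[0] == "true")
    if op == "ForAllValues:StringEquals":
        # Every value of the multi-valued key must be allowed; an absent key
        # matches vacuously, which is why the page pairs it with StringEquals.
        return all(v in expected for v in ctx.get(key, []))
    if op == "StringEquals":
        return key in ctx and ctx[key] in expected
    raise ValueError(f"operator {op} is not implemented in this example")

def statement_allows(stmt, action, ctx):
    """True if this Allow statement names `action` and every condition holds (no ARN matching)."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
        return False
    return all(_match(op, k, v, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for k, v in keys.items())

# Two statements copied from the policy above (Effect, Action and Condition only).
VOLUME_DELETION = {"Effect": "Allow", "Action": ["ec2:DeleteVolume"],
                   "Condition": {"Null": {"aws:ResourceTag/AmazonEVSManaged": "false"}}}
SECRET_CREATE = {"Effect": "Allow", "Action": ["secretsmanager:CreateSecret"],
                 "Condition": {"StringEquals": {"aws:RequestTag/AmazonEVSManaged": "true"},
                               "ForAllValues:StringEquals": {"aws:TagKeys": ["AmazonEVSManaged"]}}}
TAG = "aws:ResourceTag/AmazonEVSManaged"
REQ = {"aws:RequestTag/AmazonEVSManaged": "true"}

def demo():  # constructed request contexts; returns case name -> allowed
    return {
        "delete_untagged_volume": statement_allows(VOLUME_DELETION, "ec2:DeleteVolume", {}),
        "delete_tagged_volume": statement_allows(VOLUME_DELETION, "ec2:DeleteVolume", {TAG: "true"}),
        # Null checks presence only: a tag value of "no" still satisfies it.
        "delete_volume_tag_no": statement_allows(VOLUME_DELETION, "ec2:DeleteVolume", {TAG: "no"}),
        "create_secret_evs_tag_only": statement_allows(
            SECRET_CREATE, "secretsmanager:CreateSecret", {**REQ, "aws:TagKeys": ["AmazonEVSManaged"]}),
        # A second tag key fails ForAllValues:StringEquals on aws:TagKeys.
        "create_secret_extra_tag": statement_allows(
            SECRET_CREATE, "secretsmanager:CreateSecret", {**REQ, "aws:TagKeys": ["AmazonEVSManaged", "Owner"]}),
    }
```

The third case is the caveat to keep in mind: `Null` tests only whether the `AmazonEVSManaged` tag key exists on the resource, so the tag's value is not what gates these EC2 statements.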

## Get and list Amazon EVS environments, hosts, and VLANs
<a name="security-iam-id-based-policy-examples-list-env"></a>

This example policy includes the minimum permissions required for an administrator to get and list all Amazon EVS environments, hosts, and VLANs in a specified account in the us-east-2 AWS Region.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "evs:Get*",
        "evs:List*"
      ],
      "Resource": "*"
    }
  ]
}
```