View a markdown version of this page

使用 AMS 資源排程器 - AMS Accelerate 使用者指南

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用 AMS 資源排程器

如何在 AMS Accelerate 帳戶中使用 AMS Resource Scheduler 期間。

使用下列一組 AWS Systems Manager 自動化 Runbook,在 AMS Resource Scheduler 中管理所需的排程和期間。

注意

這些 SSM 自動化 Runbook 可在您帳戶的主要 AWS 區域中使用。

  • AWSManagedServices-AddOrUpdatePeriod

  • AWSManagedServices-AddOrUpdateSchedule

  • AWSManagedServices-DeleteScheduleOrPeriod

  • AWSManagedServices-DescribeScheduleOrPeriods

  • AWSManagedServices-EnableOrDisableAMSResourceScheduler

此外,AMS 會佈建角色 ams_resource_scheduler_ssm_automation_role,此 AWS Identity and Access Management 角色 AWS Systems Manager 需要 和 擔任 ,才能使用 Runbook。IAM 角色的範圍縮小,具有授予執行手冊功能所需 SSM 許可的最低權限內嵌政策。

先決條件

請先執行下列步驟,再開始使用 SSM 自動化 Runbook 和 AMS Resource Scheduler。

將下列政策連接至您要允許 使用自動化 Runbook 在 AMS Resource Scheduler 中管理排程和期間的適當 IAM 實體 (使用者、群組或角色)。如果您的 IAM 實體在帳戶中具有管理員或 PowerUser 許可,則不需要政策

JSON
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPassingResourceSchedulerRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/ams_resource_scheduler_ssm_automation_role",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ssm.amazonaws.com"
                }
            }
        },
        {
            "Sid": "ListAndDescribeAutomationExecutions",
            "Effect": "Allow",
            "Action": [
                "ssm:GetAutomationExecution",
                "ssm:DescribeAutomationStepExecutions"
            ],
            "Resource": "arn:aws:ssm:*:111122223333:automation-execution/*"
        },
        {
            "Sid": "ListAndDescribeResourceSchedulerSSMDocuments",
            "Effect": "Allow",
            "Action": [
                "ssm:ListDocumentVersions",
                "ssm:DescribeDocument",
                "ssm:ListDocumentMetadataHistory",
                "ssm:DescribeDocumentParameters",
                "ssm:GetDocument",
                "ssm:DescribeDocumentPermission"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWSManagedServices-AddOrUpdatePeriod",
                "arn:aws:ssm:*::document/AWSManagedServices-AddOrUpdateSchedule",
                "arn:aws:ssm:*::document/AWSManagedServices-DeleteScheduleOrPeriod",
                "arn:aws:ssm:*::document/AWSManagedServices-DescribeScheduleOrPeriods",
                "arn:aws:ssm:*::document/AWSManagedServices-EnableOrDisableAMSResourceScheduler"
            ]
        },
        {
            "Sid": "AllowExecutionOfResourceSchedulerSSMDocuments",
            "Effect": "Allow",
            "Action": [
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "arn:aws:ssm:*::document/AWSManagedServices-AddOrUpdatePeriod",
                "arn:aws:ssm:*::document/AWSManagedServices-AddOrUpdateSchedule",
                "arn:aws:ssm:*::document/AWSManagedServices-DeleteScheduleOrPeriod",
                "arn:aws:ssm:*::document/AWSManagedServices-DescribeScheduleOrPeriods",
                "arn:aws:ssm:*::document/AWSManagedServices-EnableOrDisableAMSResourceScheduler",
                "arn:aws:ssm:*:111122223333:automation-execution/*"
            ]
        },
        {
            "Sid": "AllowListingAllDocuments",
            "Effect": "Allow",
            "Action": "ssm:ListDocuments",
            "Resource": "*"
        },
        {
            "Sid": "AllowListingAllSSMExecutions",
            "Effect": "Allow",
            "Action": "ssm:DescribeAutomationExecutions",
            "Resource": "*"
        },
        {
            "Sid": "AllowListingIAMRolesForStartingExecutionViaConsole",
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "*"
        }
    ]
}

您可以從 AWS Systems Manager 主控台或使用 CLI AWS 執行自動化。如果使用 AWS CLI,您可能需要安裝和設定它,或尚未安裝 PowerShell AWS 的工具。如需詳細資訊,請參閱安裝或升級 AWS 命令列工具