本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AMS 中的 IAM 使用者角色
IAM 角色類似於 IAM 使用者,因為它是具有許可政策的 AWS 身分,可決定身分可以和不可以執行的操作 AWS。但是,角色的目的是讓需要它的任何人可代入,而不是單獨地與某個人員關聯。
對於標準 AMS 帳戶,目前有一個 AMS 預設使用者角色 `Customer_ReadOnly_Role`,對於具有 Managed Active Directory `customer_managed_ad_user_role`的 AMS 帳戶,則有一個額外的角色。
角色政策會設定 CloudWatch 和 Amazon S3 日誌動作、AMS 主控台存取、大多數的唯讀限制 AWS 服務、帳戶 S3 主控台的限制存取,以及 AMS 變更類型存取的許可。
此外, `Customer_ReadOnly_Role`具有可變的 reserved-instances 許可,可讓您保留執行個體。它有一些節省成本的值,因此,如果您知道需要長時間特定數量的 Amazon EC2 執行個體,您可以呼叫這些 APIs。若要進一步了解,請參閱 [Amazon EC2 預留執行個體](https://aws.amazon.com/ec2/pricing/reserved-instances/)。
**注意**
為 IAM 使用者建立自訂 IAM 政策的 AMS 服務水準目標 (SLO) 為四個工作天,除非將重複使用現有政策。如果您想要修改現有的 IAM 使用者角色,或新增新的角色,請分別提交 [IAM:更新實體](https://docs.aws.amazon.com/managedservices/latest/ctref/management-advanced-identity-and-access-management-iam-update-entity-or-policy-review-required.html)或 [IAM:建立實體](https://docs.aws.amazon.com/managedservices/latest/ctref/deployment-advanced-identity-and-access-management-iam-create-entity-or-policy.html) RFC。
如果您不熟悉 Amazon IAM 角色,請參閱 [IAM 角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)以取得重要資訊。
**多帳戶登陸區域 (MALZ)**:若要查看 AMS 多帳戶登陸區域預設、非自訂的使用者角色政策,請參閱 [MALZ:預設 IAM 使用者角色](#json-default-role-malz),下一步。
## MALZ:預設 IAM 使用者角色
預設多帳戶 AMS 多帳戶登陸區域使用者角色的 JSON 政策陳述式。
**注意**
使用者角色是可自訂的,而且可能因帳戶而異。提供尋找角色的說明。
這些是預設 MALZ 使用者角色的範例。若要確保您已設定所需的政策,請執行 AWS 命令[https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html)或登入 AWS Management -> [IAM 主控台](https://console.aws.amazon.com/iam/),然後在導覽窗格中選擇**角色**。
### 核心 OU 帳戶角色
核心帳戶是 MALZ 管理的基礎設施帳戶。AMS 多帳戶登陸區域 核心帳戶包括管理帳戶和聯網帳戶。
**核心 OU 帳戶:常用角色和政策**
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/managedservices/latest/userguide/defaults-user-role.html)
**核心 OU 帳戶:管理帳戶角色和政策**
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/managedservices/latest/userguide/defaults-user-role.html)
**核心 OU 帳戶:聯網帳戶角色和政策**
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/managedservices/latest/userguide/defaults-user-role.html)
### 應用程式帳戶角色
應用程式帳戶角色會套用至您的應用程式特定帳戶。
**應用程式帳戶:角色和政策**
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/managedservices/latest/userguide/defaults-user-role.html)
### 政策範例
範例適用於大多數使用的政策。若要檢視 ReadOnlyAccess 政策 (只要提供所有 AWS 服務的唯讀存取權),如果您有作用中的 AWS 帳戶:[ReadOnlyAccess](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess$serviceLevelSummary),您可以使用此連結。此外,此處也包含精簡版本。
#### AMSBillingPolicy
`AMSBillingPolicy`
您的會計部門可以使用新的帳單角色來檢視和變更 管理帳戶中的帳單資訊或帳戶設定。若要存取替代聯絡人、檢視帳戶資源用量,或保留帳單標籤,或甚至修改付款方式等資訊,請使用此角色。這個新角色包含 [ AWS Billing IAM 動作網頁](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#example-billing-deny-modifyaccount)中列出的所有許可。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"aws-portal:ViewBilling",
"aws-portal:ModifyBilling"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToBilling"
},
{
"Action": [
"aws-portal:ViewAccount",
"aws-portal:ModifyAccount"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToAccountSettings"
},
{
"Action": [
"budgets:ViewBudget",
"budgets:ModifyBudget"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToAccountBudget"
},
{
"Action": [
"aws-portal:ViewPaymentMethods",
"aws-portal:ModifyPaymentMethods"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToPaymentMethods"
},
{
"Action": [
"aws-portal:ViewUsage"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToUsage"
},
{
"Action": [
"cur:DescribeReportDefinitions",
"cur:PutReportDefinition",
"cur:DeleteReportDefinition",
"cur:ModifyReportDefinition"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToCostAndUsageReport"
},
{
"Action": [
"pricing:DescribeServices",
"pricing:GetAttributeValues",
"pricing:GetProducts"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToPricing"
},
{
"Action": [
"ce:*",
"compute-optimizer:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToCostExplorerComputeOptimizer"
},
{
"Action": [
"purchase-orders:ViewPurchaseOrders",
"purchase-orders:ModifyPurchaseOrders"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToPurchaseOrders"
},
{
"Action": [
"redshift:AcceptReservedNodeExchange",
"redshift:PurchaseReservedNodeOffering"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToRedshiftAction"
},
{
"Action": "savingsplans:*",
"Resource": "*",
"Effect": "Allow",
"Sid": "AWSSavingsPlansFullAccess"
}
]
}
```
------
#### AMSChangeManagementReadOnlyPolicy
`AMSChangeManagementReadOnlyPolicy`
檢視所有 AMS 變更類型的許可,以及所請求變更類型的歷史記錄。
#### AMSMasterAccountSpecificChangeManagementInfrastructurePolicy
`AMSMasterAccountSpecificChangeManagementInfrastructurePolicy`
請求部署 \$1 受管登陸區域 \$1 管理帳戶 \$1 建立應用程式帳戶 (使用 VPC) 變更類型的許可。
#### AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy
`AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy `
請求部署 \$1 受管登陸區域 \$1 網路帳戶 \$1 建立應用程式路由表變更類型的許可。
#### AMSChangeManagementInfrastructurePolicy
`AMSChangeManagementInfrastructurePolicy` (適用於管理 \$1 其他 \$1 CTs)
請求 管理 \$1 其他 \$1 其他 \$1 建立和管理 \$1 其他 \$1 更新變更類型的許可。
#### AMSSecretsManagerSharedPolicy
`AMSSecretsManagerSharedPolicy`
檢視 AMS 透過 共用之秘密密碼/雜湊的許可 AWS Secrets Manager (例如,稽核基礎設施的密碼)。
建立秘密密碼/雜湊以與 AMS 共用的許可 (例如,需要部署之產品的授權金鑰)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Sid": "AllowAccessToSharedNameSpaces",
"Effect": "Allow",
"Action": "secretsmanager:*",
"Resource": [
"arn:aws:secretsmanager:*:*:secret:ams-shared/*",
"arn:aws:secretsmanager:*:*:secret:customer-shared/*"
]
},
{
"Sid": "DenyGetSecretOnCustomerNamespace",
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
},
{
"Sid": "AllowReadAccessToAMSNameSpace",
"Effect": "Deny",
"NotAction": [
"secretsmanager:Describe*",
"secretsmanager:Get*",
"secretsmanager:List*"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
}
]
}
```
------
#### AMSChangeManagementPolicy
`AMSChangeManagementPolicy`
請求和檢視所有 AMS 變更類型的許可,以及請求變更類型的歷史記錄。
#### AMSReservedInstancesPolicy
`AMSReservedInstancesPolicy`
管理 Amazon EC2 預留執行個體的許可;如需定價資訊,請參閱 [Amazon EC2 預留執行個體](https://aws.amazon.com/ec2/pricing/reserved-instances/)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Sid": "AllowReservedInstancesManagement",
"Effect": "Allow",
"Action": [
"ec2:ModifyReservedInstances",
"ec2:PurchaseReservedInstancesOffering"
],
"Resource": [
"*"
]
}]
}
```
------
#### AMSS3Policy
`AMSS3Policy`
從現有 Amazon S3 儲存貯體建立和刪除檔案的許可。
**注意**
這些許可不會授予建立 S3 儲存貯體的能力;這些儲存貯體必須使用部署 \$1 進階堆疊元件 \$1 S3 儲存 \$1 建立變更類型來完成。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": "*"
}
]
}
```
------
#### AWSSupportAccess
`AWSSupportAccess`
完整存取 支援。如需詳細資訊,請參閱 [入門 支援](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html)。如需 Premium Support 資訊,請參閱 [支援](https://aws.amazon.com/premiumsupport/)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"support:*"
],
"Resource": "*"
}]
}
```
------
#### AWSMarketplaceManageSubscriptions
`AWSMarketplaceManageSubscriptions` (公有 AWS受管政策)
訂閱、取消訂閱和檢視 AWS Marketplace 訂閱的許可。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Action": [
"aws-marketplace:ViewSubscriptions",
"aws-marketplace:Subscribe",
"aws-marketplace:Unsubscribe"
],
"Effect": "Allow",
"Resource": "*"
}]
}
```
------
#### AWSCertificateManagerFullAccess
`AWSCertificateManagerFullAccess`
完整存取 AWS Certificate Manager。如需詳細資訊,請參閱[AWS Certificate Manager](https://aws.amazon.com/certificate-manager/)。
[https://docs.aws.amazon.com/acm/latest/userguide/authen-awsmanagedpolicies.html#acm-full-access-managed-policy](https://docs.aws.amazon.com/acm/latest/userguide/authen-awsmanagedpolicies.html#acm-full-access-managed-policy) 資訊,(公有 AWS 受管政策)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"acm:*"
],
"Resource": "*"
}]
}
```
------
#### AWSWAFFullAccess
`AWSWAFFullAccess`
完整存取 AWS WAF。如需詳細資訊,請參閱 [AWS WAF - Web Application Firewall](https://aws.amazon.com/waf/)。
[https://docs.aws.amazon.com/waf/latest/developerguide/access-control-identity-based.html](https://docs.aws.amazon.com/waf/latest/developerguide/access-control-identity-based.html) 資訊 (公有 AWS 受管政策)。此政策授予 AWS WAF 資源的完整存取權。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Action": [
"waf:*",
"waf-regional:*",
"elasticloadbalancing:SetWebACL"
],
"Effect": "Allow",
"Resource": "*"
}]
}
```
------
#### ReadOnlyAccess
`ReadOnlyAccess`
在 AWS 主控台上唯讀存取所有 AWS 服務和資源。 AWS 啟動新服務時,AMS 會更新 ReadOnlyAccess 政策,為新服務新增唯讀許可。更新的許可會套用於政策連接到的所有主體實體。
這不會授予登入 EC2 主機或資料庫主機的能力。
如果您有作用中的 AWS 帳戶,則可以使用此連結 [ReadOnlyAccess](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess$serviceLevelSummary) 來檢視整個 ReadOnlyAccess 政策。整個 ReadOnlyAccess 政策只要提供所有 的唯讀存取權即可 AWS 服務。以下是 ReadOnlyAccess 政策的部分摘錄。
**單一帳戶登陸區域 (SALZ)**:若要查看 AMS 單一帳戶登陸區域預設、非自訂的使用者角色政策,請參閱 [SALZ:預設 IAM 使用者角色](#json-default-role),下一步。
## SALZ:預設 IAM 使用者角色
預設 AMS 單一帳戶登陸區域使用者角色的 JSON 政策陳述式。
**注意**
SALZ 預設使用者角色可自訂,且可能因帳戶而異。提供尋找角色的說明。
以下是預設 SALZ 使用者角色的範例。若要確保您已為您設定政策,請執行 [https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html)命令。或者,前往 https://[https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/) 登入 AWS Identity and Access Management 主控台,然後選擇**角色**。
客戶唯讀角色是多個政策的組合。角色 (JSON) 的明細如下。
Managed Services 稽核政策:
Managed Services IAM ReadOnly 政策
Managed Services 使用者政策
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCustomerToListTheLogBucketLogs",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mc-a*-logs-*"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"aws/*",
"app/*",
"encrypted",
"encrypted/",
"encrypted/app/*"
]
}
}
},
{
"Sid": "BasicAccessRequiredByS3Console",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowCustomerToGetLogs",
"Effect": "Allow",
"Action": [
"s3:GetObject*"
],
"Resource": [
"arn:aws:s3:::mc-a*-logs-*/aws/*",
"arn:aws:s3:::mc-a*-logs-*/encrypted/app/*"
]
},
{
"Sid": "AllowAccessToOtherObjects",
"Effect": "Allow",
"Action": [
"s3:DeleteObject*",
"s3:Get*",
"s3:List*",
"s3:PutObject*"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowCustomerToListTheLogBucketRoot",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mc-a*-logs-*"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"/"
]
}
}
},
{
"Sid": "AllowCustomerCWLConsole",
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:*:*:log-group:*"
]
},
{
"Sid": "AllowCustomerCWLAccessLogs",
"Effect": "Allow",
"Action": [
"logs:FilterLogEvents",
"logs:GetLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/*",
"arn:aws:logs:*:*:log-group:/infra/*",
"arn:aws:logs:*:*:log-group:/app/*",
"arn:aws:logs:*:*:log-group:RDSOSMetrics:*:*"
]
},
{
"Sid": "AWSManagedServicesFullAccess",
"Effect": "Allow",
"Action": [
"amscm:*",
"amsskms:*"
],
"Resource": [
"*"
]
},
{
"Sid": "ModifyAWSBillingPortal",
"Effect": "Allow",
"Action": [
"aws-portal:Modify*"
],
"Resource": [
"*"
]
},
{
"Sid": "DenyDeleteCWL",
"Effect": "Deny",
"Action": [
"logs:DeleteLogGroup",
"logs:DeleteLogStream"
],
"Resource": [
"arn:aws:logs:*:*:log-group:*"
]
},
{
"Sid": "DenyMCCWL",
"Effect": "Deny",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/mc/*"
]
},
{
"Sid": "DenyS3MCNamespace",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mc-a*-logs-*/encrypted/mc/*",
"arn:aws:s3:::mc-a*-logs-*/mc/*",
"arn:aws:s3:::mc-a*-logs-*-audit/*",
"arn:aws:s3:::mc-a*-internal-*/*",
"arn:aws:s3:::mc-a*-internal-*"
]
},
{
"Sid": "ExplicitDenyS3CfnBucket",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::cf-templates-*"
]
},
{
"Sid": "DenyListBucketS3LogsMC",
"Action": [
"s3:ListBucket"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::mc-a*-logs-*"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"auditlog/*",
"encrypted/mc/*",
"mc/*"
]
}
}
},
{
"Sid": "DenyS3LogsDelete",
"Effect": "Deny",
"Action": [
"s3:Delete*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::mc-a*-logs-*/*"
]
},
{
"Sid": "DenyAccessToKmsKeysStartingWithMC",
"Effect": "Deny",
"Action": [
"kms:*"
],
"Resource": [
"arn:aws:kms::*:key/mc-*",
"arn:aws:kms::*:alias/mc-*"
]
},
{
"Sid": "DenyListingOfStacksStartingWithMC",
"Effect": "Deny",
"Action": [
"cloudformation:*"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/mc-*"
]
},
{
"Sid": "AllowCreateCWMetricsAndManageDashboards",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowCreateandDeleteCWDashboards",
"Effect": "Allow",
"Action": [
"cloudwatch:DeleteDashboards",
"cloudwatch:PutDashboard"
],
"Resource": [
"*"
]
}
]
}
```
Customer Secrets Manager 共用政策
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSecretsManagerListSecrets",
"Effect": "Allow",
"Action": "secretsmanager:listSecrets",
"Resource": "*"
},
{
"Sid": "AllowCustomerAdminAccessToSharedNameSpaces",
"Effect": "Allow",
"Action": "secretsmanager:*",
"Resource": [
"arn:aws:secretsmanager:*:*:secret:ams-shared/*",
"arn:aws:secretsmanager:*:*:secret:customer-shared/*"
]
},
{
"Sid": "DenyCustomerGetSecretCustomerNamespace",
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
},
{
"Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace",
"Effect": "Deny",
"NotAction": [
"secretsmanager:Describe*",
"secretsmanager:Get*",
"secretsmanager:List*"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
}
]
}
```
------
Customer Marketplace 訂閱政策
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowMarketPlaceSubscriptions",
"Effect": "Allow",
"Action": [
"aws-marketplace:ViewSubscriptions",
"aws-marketplace:Subscribe"
],
"Resource": [
"*"
]
}
]
}
```
------