本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 的資源型政策範例 AWS Organizations
下列程式碼範例示範如何使用以資源為基礎的委派政策。如需詳細資訊,請參閱[的委派管理員 AWS Organizations](orgs_delegate_policies.md)。
**Topics**
+ [檢視組織、OU、帳戶和政策](#orgs_delegate_policies_example_view_accts_orgs)
+ [建立、讀取、更新和刪除政策](#orgs_delegate_policies_example_crud_policies)
+ [標記和取消標記政策](#orgs_delegate_policies_example_tag_untag_policies)
+ [將政策連接至單一 OU 或帳戶](#orgs_delegate_policies_example_attach_policies)
+ [管理組織備份政策的合併許可](#orgs_delegate_policies_example_consolidate_permissions)
## 範例:檢視組織、OU、帳戶和政策
在委派政策管理之前,您必須委派導覽組織結構的許可,並查看組織單位 (OU)、帳戶及其附加的政策。
此範例顯示如何將這些許可納入成員帳戶 *AccountId* 的以資源為基礎的委派政策中。
**重要**
儘管您可以使用此政策委派任何 Organizations 唯讀動作,但建議您只包含範例中所示的最低必要動作的許可。
此範例委派政策授予從 AWS API 或 以程式設計方式完成動作所需的許可 AWS CLI。若要使用此委派政策,請將 *AccountId* 的 AWS [預留位置文字](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)取代為您自己的資訊。然後,依照 [的委派管理員 AWS Organizations](orgs_delegate_policies.md)中的指示操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DelegatingNecessaryDescribeListActions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:DescribePolicy",
"organizations:DescribeEffectivePolicy",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListTargetsForPolicy",
"organizations:ListTagsForResource"
],
"Resource": "*"
}
]
}
```
------
## 範例:建立、讀取、更新和刪除政策
您可以建立資源型委派政策,允許管理帳戶委派任何政策類型的 `create`、`update`、 `read`和 `delete`動作。此範例示範如何將這些服務控制政策的動作委派給成員帳戶 *MemberAccountId*。範例中顯示的兩個資源分別授予客戶受管和 AWS 受管服務控制政策的存取權。
**重要**
此政策允許委派管理員對組織中任何帳戶建立的政策執行指定的動作,包括管理帳戶。
它不允許委派管理員連接或分離政策,因為它不包含執行 `organizations:AttachPolicy`和 `organizations:DetachPolicy`動作所需的許可。
此範例委派政策授予從 AWS API 或 以程式設計方式完成動作所需的許可 AWS CLI。將 *MemberAccountId*、 *ManagementAccountId* 和 *OrganizationId* 的 AWS 預留位置文字取代為您自己的資訊。然後,依照 [的委派管理員 AWS Organizations](orgs_delegate_policies.md)中的指示操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DelegatingDescribeListActionsWithoutCondition",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "DelegatingPolicyActionsWithCondition",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribePolicy",
"organizations:DescribeEffectivePolicy",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListTargetsForPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"organizations:PolicyType": "SERVICE_CONTROL_POLICY"
}
}
},
{
"Sid": "DelegatingMinimalActionsForSCPs",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:CreatePolicy",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DeletePolicy"
],
"Resource": [
"arn:aws:organizations::111122223333:policy/o-OrganizationId/service_control_policy/*",
"arn:aws:organizations::aws:policy/service_control_policy/*"
]
}
]
}
```
------
## 範例:標籤和取消標籤政策
此範例示範如何建立資源型委派政策,允許委派管理員標記或取消標記備份政策。它授予從 AWS API 或 以程式設計方式完成動作所需的許可 AWS CLI。
若要使用此委派政策,請將 AWS *MemberAccountId*、 *ManagementAccountId* 和 *OrganizationId* 的預留位置文字取代為您自己的資訊。然後,依照 [的委派管理員 AWS Organizations](orgs_delegate_policies.md)中的指示操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DelegatingNecessaryDescribeListActionsWithoutCondition",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "DelegatingNecessaryDescribeListActionsWithCondition",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribePolicy",
"organizations:DescribeEffectivePolicy",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListTargetsForPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"organizations:PolicyType": "BACKUP_POLICY"
}
}
},
{
"Sid": "DelegatingTaggingBackupPolicies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:TagResource",
"organizations:UntagResource"
],
"Resource": "arn:aws:organizations::111122223333:policy/o-OrganizationId/backup_policy/*"
}
]
}
```
------
## 範例:將政策連接至單一 OU 或帳戶
此範例示範如何建立以資源為基礎的委派政策,允許委派管理員從指定的組織單位 (OU) `attach`或指定的帳戶,或 `detach` Organizations 政策。在委派這些動作之前,您必須委派許可來導覽組織的結構,並查看其下的帳戶。如需詳細資訊,請參閱[範例:檢視組織、OU、帳戶和政策](#orgs_delegate_policies_example_view_accts_orgs)
**重要**
雖然此政策允許從指定的 OU 或帳戶連接或分離政策,但排除子 OUs和子 OUs 下的帳戶。
此政策可讓委派管理員對組織中任何帳戶 (包括管理帳戶) 建立的政策執行指定的動作。
此範例委派政策授予從 AWS API 或 以程式設計方式完成動作所需的許可 AWS CLI。若要使用此委派政策,請將 *MemberAccountId*、 *ManagementAccountId*、*OrganizationId* 和 *TargetAccountId* 的 AWS 預留位置文字取代為您自己的資訊。然後,依照 [的委派管理員 AWS Organizations](orgs_delegate_policies.md)中的指示操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DelegatingNecessaryDescribeListActions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:DescribePolicy",
"organizations:DescribeEffectivePolicy",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListTargetsForPolicy",
"organizations:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "AttachDetachPoliciesSpecifiedAccountOU",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:AttachPolicy",
"organizations:DetachPolicy"
],
"Resource": [
"arn:aws:organizations::111122223333:ou/o-OrganizationId/ou-OUId",
"arn:aws:organizations::111122223333:account/o-OrganizationId/TargetAccountId",
"arn:aws:organizations::111122223333:policy/o-OrganizationId/backup_policy/*"
]
}
]
}
```
------
若要將連接和分離政策委派給組織中的任何 OU 或帳戶,請將先前範例中的資源取代為下列資源:
```
"Resource": [
"arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/*",
"arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/*",
"arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*"
]
```
## 範例:用於管理組織備份政策的合併許可
此範例顯示如何建立以資源為基礎的委派政策,以允許管理帳戶委派在組織內管理備份政策所需的完整許可,包括 `create`、`read`、`update` 和 `delete` 動作,以及 `attach` 和 `detach` 政策動作。
**重要**
此政策可讓委派管理員對組織中任何帳戶 (包括管理帳戶) 建立的政策執行指定的動作。
此範例委派政策授予從 AWS API 或 以程式設計方式完成動作所需的許可 AWS CLI。若要使用此委派政策,請以您自己的資訊取代 *MemberAccountId*、*ManagementAccountId*、*OrganizationId* 和 *RootId* 的 AWS [預留位置文字](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)。然後,依照 [的委派管理員 AWS Organizations](orgs_delegate_policies.md)中的指示操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DelegatingNecessaryDescribeListActions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListTagsForResource"
],
"Resource": "*"
},
{
"Sid": "DelegatingNecessaryDescribeListActionsForSpecificPolicyType",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:DescribePolicy",
"organizations:DescribeEffectivePolicy",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListTargetsForPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"organizations:PolicyType": "BACKUP_POLICY"
}
}
},
{
"Sid": "DelegatingAllActionsForBackupPolicies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"organizations:CreatePolicy",
"organizations:UpdatePolicy",
"organizations:DeletePolicy",
"organizations:AttachPolicy",
"organizations:DetachPolicy",
"organizations:EnablePolicyType",
"organizations:DisablePolicyType"
],
"Resource": [
"arn:aws:organizations::111122223333:root/o-OrganizationId/r-RootId",
"arn:aws:organizations::111122223333:ou/o-OrganizationId/*",
"arn:aws:organizations::111122223333:account/o-OrganizationId/*",
"arn:aws:organizations::111122223333:policy/o-OrganizationId/backup_policy/*"
],
"Condition": {
"StringLikeIfExists": {
"organizations:PolicyType": "BACKUP_POLICY"
}
}
}
]
}
```
------