IAM policy examples for Amazon QuickSight
This section provides examples of IAM policies that you can use with Amazon QuickSight.
IAM identity-based policies for Amazon QuickSight
This section describes examples of identity-based policies that you can use with Amazon QuickSight.
IAM identity-based policies for QuickSight IAM console administration
The following example shows the IAM permissions that are required to perform QuickSight IAM console administration actions.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "quicksight:*",
                    "iam:AttachRolePolicy",
                    "iam:DetachRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetPolicy",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicyVersions",
                    "iam:DeleteRole",
                    "iam:CreateRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:CreatePolicy",
                    "iam:ListEntitiesForPolicy",
                    "iam:listPolicies",
                    "s3:ListAllMyBuckets",
                    "athena:ListDataCatalogs",
                    "athena:GetDataCatalog"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: dashboards
The following example shows an IAM policy that allows dashboard sharing and embedding for a specific dashboard.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "quicksight:RegisterUser",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "quicksight:GetDashboardEmbedUrl",
                "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
                "Effect": "Allow"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: namespaces
The following examples show IAM policies that allow a QuickSight administrator to create or delete namespaces.
Creating a namespace
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ds:AuthorizeApplication",
                    "ds:UnauthorizeApplication",
                    "ds:DeleteDirectory",
                    "ds:CreateIdentityPoolDirectory",
                    "ds:DescribeDirectories",
                    "quicksight:CreateNamespace"
                ],
                "Resource": "*"
            }
        ]
    }
Deleting a namespace
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ds:UnauthorizeApplication",
                    "ds:DeleteDirectory",
                    "ds:DescribeDirectories",
                    "quicksight:DeleteNamespace"
                ],
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: custom permissions
The following example shows an IAM policy that allows a QuickSight administrator or developer to manage custom permissions.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:*CustomPermissions"
                ],
                "Resource": "*"
            }
        ]
    }
The following example shows another way to grant the same permissions as the previous example.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:CreateCustomPermissions",
                    "quicksight:DescribeCustomPermissions",
                    "quicksight:ListCustomPermissions",
                    "quicksight:UpdateCustomPermissions",
                    "quicksight:DeleteCustomPermissions"
                ],
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: custom email report templates
The following example shows a policy that allows viewing, updating, and creating email report templates in QuickSight, and getting the verification attributes of Amazon Simple Email Service identities. This policy lets QuickSight administrators create and update custom email report templates and confirm that any custom email address they want to send email reports from is a verified identity in SES.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:DescribeAccountCustomization",
                    "quicksight:CreateAccountCustomization",
                    "quicksight:UpdateAccountCustomization",
                    "quicksight:DescribeEmailCustomizationTemplate",
                    "quicksight:CreateEmailCustomizationTemplate",
                    "quicksight:UpdateEmailCustomizationTemplate",
                    "ses:GetIdentityVerificationAttributes"
                ],
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: creating an Enterprise edition account with QuickSight-managed users
The following example shows a policy that allows a QuickSight administrator to create an Enterprise edition QuickSight account that uses QuickSight-managed users.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "quicksight:*",
                    "iam:AttachRolePolicy",
                    "iam:DetachRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetPolicy",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicyVersions",
                    "iam:DeleteRole",
                    "iam:CreateRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:CreatePolicy",
                    "iam:ListEntitiesForPolicy",
                    "iam:listPolicies",
                    "s3:ListAllMyBuckets",
                    "athena:ListDataCatalogs",
                    "athena:GetDataCatalog",
                    "ds:AuthorizeApplication",
                    "ds:UnauthorizeApplication",
                    "ds:CheckAlias",
                    "ds:CreateAlias",
                    "ds:DescribeDirectories",
                    "ds:DescribeTrusts",
                    "ds:DeleteDirectory",
                    "ds:CreateIdentityPoolDirectory"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: creating users
The following example shows a policy that allows only the creation of Amazon QuickSight users. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can restrict the permission to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the scope of the permission to that specific resource.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "quicksight:CreateUser"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:quicksight:*:accountId:user/${aws:userid}"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: creating and managing groups
The following example shows a policy that allows a QuickSight administrator or developer to create and manage groups.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:ListGroups",
                    "quicksight:CreateGroup",
                    "quicksight:SearchGroups",
                    "quicksight:ListGroupMemberships",
                    "quicksight:CreateGroupMembership",
                    "quicksight:DeleteGroupMembership",
                    "quicksight:DescribeGroupMembership",
                    "quicksight:ListUsers"
                ],
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: all access for Standard edition
The following example for Amazon QuickSight Standard edition shows a policy that allows subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ds:AuthorizeApplication",
                    "ds:UnauthorizeApplication",
                    "ds:CheckAlias",
                    "ds:CreateAlias",
                    "ds:DescribeDirectories",
                    "ds:DescribeTrusts",
                    "ds:DeleteDirectory",
                    "ds:CreateIdentityPoolDirectory",
                    "iam:ListAccountAliases",
                    "quicksight:CreateUser",
                    "quicksight:DescribeAccountSubscription",
                    "quicksight:Subscribe"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "quicksight:Unsubscribe",
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with IAM Identity Center (Pro role)
The following Amazon QuickSight Enterprise edition example shows a policy that allows a QuickSight user to subscribe to QuickSight, create users, and manage Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy also allows the user to subscribe to the QuickSight Pro role, which grants access to Amazon Q in QuickSight Generative BI features. For more information about the Pro role in Amazon QuickSight, see Getting started with Generative BI.
This example explicitly denies permission to unsubscribe from Amazon QuickSight.
    {
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "quicksight:*",
                    "iam:AttachRolePolicy",
                    "iam:DetachRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetPolicy",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicyVersions",
                    "iam:DeleteRole",
                    "iam:CreateRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:CreatePolicy",
                    "iam:ListEntitiesForPolicy",
                    "iam:listPolicies",
                    "iam:CreateServiceLinkedRole",
                    "s3:ListAllMyBuckets",
                    "athena:ListDataCatalogs",
                    "athena:GetDataCatalog",
                    "sso:DescribeApplication",
                    "sso:DescribeInstance",
                    "sso:CreateApplication",
                    "sso:PutApplicationAuthenticationMethod",
                    "sso:PutApplicationGrant",
                    "sso:DeleteApplication",
                    "sso:SearchGroups",
                    "sso:GetProfile",
                    "sso:CreateApplicationAssignment",
                    "sso:DeleteApplicationAssignment",
                    "sso:ListInstances",
                    "sso:DescribeRegisteredRegions",
                    "organizations:DescribeOrganization",
                    "user-subscriptions:CreateClaim",
                    "user-subscriptions:UpdateClaim",
                    "sso-directory:DescribeUser",
                    "sso:ListApplicationAssignments",
                    "sso-directory:DescribeGroup",
                    "organizations:ListAWSServiceAccessForOrganization",
                    "identitystore:DescribeUser",
                    "identitystore:DescribeGroup"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with IAM Identity Center
The following example for Amazon QuickSight Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy does not grant permission to create the Pro role in QuickSight. To create a policy that grants permission to subscribe to the Pro role in QuickSight, see IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with IAM Identity Center (Pro role).
This example explicitly denies permission to unsubscribe from Amazon QuickSight.
    {
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "quicksight:*",
                    "iam:AttachRolePolicy",
                    "iam:DetachRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetPolicy",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicyVersions",
                    "iam:DeleteRole",
                    "iam:CreateRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:CreatePolicy",
                    "iam:ListEntitiesForPolicy",
                    "iam:listPolicies",
                    "s3:ListAllMyBuckets",
                    "athena:ListDataCatalogs",
                    "athena:GetDataCatalog",
                    "sso:DescribeApplication",
                    "sso:DescribeInstance",
                    "sso:CreateApplication",
                    "sso:PutApplicationAuthenticationMethod",
                    "sso:PutApplicationGrant",
                    "sso:DeleteApplication",
                    "sso:SearchGroups",
                    "sso:GetProfile",
                    "sso:CreateApplicationAssignment",
                    "sso:DeleteApplicationAssignment",
                    "sso:ListInstances",
                    "sso:DescribeRegisteredRegions",
                    "organizations:DescribeOrganization"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with Active Directory
The following example for Amazon QuickSight Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ds:AuthorizeApplication",
                    "ds:UnauthorizeApplication",
                    "ds:CheckAlias",
                    "ds:CreateAlias",
                    "ds:DescribeDirectories",
                    "ds:DescribeTrusts",
                    "ds:DeleteDirectory",
                    "ds:CreateIdentityPoolDirectory",
                    "iam:ListAccountAliases",
                    "quicksight:CreateAdmin",
                    "quicksight:Subscribe",
                    "quicksight:GetGroupMapping",
                    "quicksight:SearchDirectoryGroups",
                    "quicksight:SetGroupMapping"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "quicksight:Unsubscribe",
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: Active Directory groups
The following example shows an IAM policy that allows an Amazon QuickSight Enterprise edition account to manage Active Directory groups.
    {
        "Statement": [
            {
                "Action": [
                    "ds:DescribeTrusts",
                    "quicksight:GetGroupMapping",
                    "quicksight:SearchDirectoryGroups",
                    "quicksight:SetGroupMapping"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "2012-10-17"
    }
IAM identity-based policies for Amazon QuickSight: using the admin asset management console
The following example shows an IAM policy that allows access to the admin asset management console.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:SearchGroups",
                    "quicksight:SearchUsers",
                    "quicksight:ListNamespaces",
                    "quicksight:DescribeAnalysisPermissions",
                    "quicksight:DescribeDashboardPermissions",
                    "quicksight:DescribeDataSetPermissions",
                    "quicksight:DescribeDataSourcePermissions",
                    "quicksight:DescribeFolderPermissions",
                    "quicksight:ListAnalyses",
                    "quicksight:ListDashboards",
                    "quicksight:ListDataSets",
                    "quicksight:ListDataSources",
                    "quicksight:ListFolders",
                    "quicksight:SearchAnalyses",
                    "quicksight:SearchDashboards",
                    "quicksight:SearchFolders",
                    "quicksight:SearchDatasets",
                    "quicksight:SearchDatasources",
                    "quicksight:UpdateAnalysisPermissions",
                    "quicksight:UpdateDashboardPermissions",
                    "quicksight:UpdateDataSetPermissions",
                    "quicksight:UpdateDataSourcePermissions",
                    "quicksight:UpdateFolderPermissions"
                ],
                "Resource": "*"
            }
        ]
    }
IAM identity-based policies for Amazon QuickSight: using the admin key management console
The following example shows an IAM policy that allows access to the admin key management console.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:DescribeKeyRegistration",
                    "quicksight:UpdateKeyRegistration",
                    "quicksight:ListKMSKeysForUser",
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:ListAliases"
                ],
                "Resource": "*"
            }
        ]
    }
Accessing customer managed keys from the QuickSight console requires the "quicksight:ListKMSKeysForUser" and "kms:ListAliases" permissions. Neither "quicksight:ListKMSKeysForUser" nor "kms:ListAliases" is required when you use the QuickSight key management APIs.
To specify which keys a user can access, add the ARNs of the keys that you want the user to be able to use with UpdateKeyRegistration to the quicksight:KmsKeyArns condition key. The user can then access only the keys specified in that condition when calling UpdateKeyRegistration. For more information about the condition keys that QuickSight supports, see Condition keys for Amazon QuickSight.
The following example grants Describe permission for all CMKs registered to the QuickSight account, and Update permission only for specific CMKs registered to the QuickSight account.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:DescribeKeyRegistration"
                ],
                "Resource": "arn:aws:quicksight:us-west-2:123456789012:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:UpdateKeyRegistration"
                ],
                "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "quicksight:KmsKeyArns": [
                            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
                            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
                            "..."
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants"
                ],
                "Resource": "arn:aws:kms:us-west-2:123456789012:key/*"
            }
        ]
    }
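The ForAllValues:StringEquals condition above has one property worth checking before relying on it: IAM evaluates a ForAllValues condition as true when the request carries no value at all for the key. The following Python is an added illustration, not AWS or QuickSight code; it models only the evaluation rules these three statements need, and the request-context dictionaries and the placeholder resource ARN used with it are assumptions.

```python
import copy
import fnmatch
# Added example, not AWS or QuickSight code: a small model of how IAM evaluates the key
# management policy above, showing what ForAllValues:StringEquals on quicksight:KmsKeyArns
# does and does not restrict. Request-context shapes are assumptions of this example.
ACCOUNT = "123456789012"  # account id from the page's example
KEY1 = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/key-id-of-key1"
KEY2 = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/key-id-of-key2"
QS_SCOPE = f"arn:aws:quicksight:us-west-2:{ACCOUNT}:*"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:DescribeKeyRegistration"], "Resource": QS_SCOPE},
    {"Effect": "Allow", "Action": ["quicksight:UpdateKeyRegistration"], "Resource": QS_SCOPE,
     "Condition": {"ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [KEY1, KEY2]}}},
    {"Effect": "Allow", "Action": ["kms:CreateGrant", "kms:ListGrants"],
     "Resource": f"arn:aws:kms:us-west-2:{ACCOUNT}:key/*"},
]}  # the page's policy, with the elided third key ARN dropped

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, context):
    ok = True
    # ForAllValues: every request value must be in the allowed set. IAM documents that a
    # request in which the key is absent or empty also satisfies this operator.
    for key, allowed in cond.get("ForAllValues:StringEquals", {}).items():
        ok = ok and all(v in allowed for v in context.get(key, []))
    for key, want_absent in cond.get("Null", {}).items():  # Null "false": key must be present
        ok = ok and (bool(context.get(key)) != (want_absent == "true"))
    return ok

def is_allowed(policy, action, resource, context=None):
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        # action names are case-insensitive; resources support * and ? wildcards
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed

def hardened(policy):
    """Same policy plus a Null condition so UpdateKeyRegistration must name at least one key."""
    p = copy.deepcopy(policy)
    p["Statement"][1]["Condition"]["Null"] = {"quicksight:KmsKeyArns": "false"}
    return p
```

Pairing the condition with "Null": {"quicksight:KmsKeyArns": "false"}, as hardened() does, makes a request that names no key ARN fail the statement instead of passing it.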
Amazon QuickSight: AWS resource scoping policies in Enterprise edition
The following Amazon QuickSight Enterprise edition example shows a policy that allows setting default access to AWS resources and scoping AWS resource permissions.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "quicksight:*IAMPolicyAssignment*",
                    "quicksight:AccountConfigurations"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }