IAM policy examples for Quick Suite - Amazon Quick Suite


IAM policy examples for Quick Suite

This section provides example IAM policies that you can use with Quick Suite.

IAM identity-based policies for Quick Suite

This section shows examples of identity-based policies for use with Quick Suite.

IAM identity-based policies for Amazon Quick Suite IAM console administration

The following example shows the IAM permissions required for Amazon Quick Suite IAM console administration actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog"
      ],
      "Resource": ["*"]
    }
  ]
}

IAM identity-based policies for Quick Suite: dashboards

The following example shows an IAM policy that allows dashboard sharing and embedding to be enabled for one specific dashboard. Note that quicksight:RegisterUser is granted on all resources while quicksight:GetDashboardEmbedUrl is scoped to the single dashboard ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quicksight:GetDashboardEmbedUrl",
      "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
      "Effect": "Allow"
    }
  ]
}

IAM identity-based policies for Quick Suite: namespaces

The following examples show IAM policies that allow an Amazon Quick Suite administrator to create or delete namespaces.

Creating a namespace

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "ds:DescribeDirectories",
        "quicksight:CreateNamespace"
      ],
      "Resource": "*"
    }
  ]
}

Deleting a namespace

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "quicksight:DeleteNamespace"
      ],
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: custom permissions

The following example shows an IAM policy that allows Amazon Quick Suite administrators or developers to manage custom permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["quicksight:*CustomPermissions"],
      "Resource": "*"
    }
  ]
}

The following example shows another way to grant the same permissions as the previous example. The wildcard form above also matches any action added later whose name ends in CustomPermissions; the enumerated form below grants exactly the five actions listed and is the more predictable choice for least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:CreateCustomPermissions",
        "quicksight:DescribeCustomPermissions",
        "quicksight:ListCustomPermissions",
        "quicksight:UpdateCustomPermissions",
        "quicksight:DeleteCustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: custom email report templates

The following example shows a policy that allows viewing, updating, and creating email report templates in Amazon Quick Suite, and retrieving the verification attributes of Amazon Simple Email Service identities. With this policy an Amazon Quick Suite administrator can create and update custom email report templates and confirm that any custom sender address they want to use for email reports is a verified identity in SES.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeAccountCustomization",
        "quicksight:CreateAccountCustomization",
        "quicksight:UpdateAccountCustomization",
        "quicksight:DescribeEmailCustomizationTemplate",
        "quicksight:CreateEmailCustomizationTemplate",
        "quicksight:UpdateEmailCustomizationTemplate",
        "ses:GetIdentityVerificationAttributes"
      ],
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: creating an Enterprise account with Amazon Quick Suite managed users

The following example shows a policy that allows an Amazon Quick Suite administrator to create an Enterprise Edition Amazon Quick Suite account that uses Amazon Quick Suite managed users.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory"
      ],
      "Resource": ["*"]
    }
  ]
}

IAM identity-based policies for Quick Suite: creating users

The following example shows a policy that allows only the creation of Amazon Quick Suite users. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can restrict the permission to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". The ${aws:userid} policy variable resolves to the unique ID of the calling principal, so the caller can create only the Quick Suite user that corresponds to their own identity. For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the permission's scope to that specific resource. Policy variables require "Version": "2012-10-17"; a policy without that element is evaluated under the older version, in which ${aws:userid} is treated as a literal string and never matches.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["quicksight:CreateUser"],
      "Effect": "Allow",
      "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
    }
  ]
}

IAM identity-based policies for Quick Suite: creating and managing groups

The following example shows a policy that allows Amazon Quick Suite administrators and developers to create and manage groups.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:ListGroups",
        "quicksight:CreateGroup",
        "quicksight:SearchGroups",
        "quicksight:ListGroupMemberships",
        "quicksight:CreateGroupMembership",
        "quicksight:DeleteGroupMembership",
        "quicksight:DescribeGroupMembership",
        "quicksight:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: all access for Standard Edition

The following Amazon Quick Suite Standard Edition example shows a policy that allows subscribing and creating authors and readers. The example explicitly denies permission to unsubscribe from Amazon Quick Suite; because an explicit Deny overrides any Allow, this holds even if another attached policy grants quicksight:*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:DescribeAccountSubscription",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: all access for Enterprise Edition with IAM Identity Center (Pro role)

The following Amazon Quick Suite Enterprise Edition example shows a policy that allows an Amazon Quick Suite user to subscribe to Amazon Quick Suite, create users, and manage Active Directory in an Amazon Quick Suite account that is integrated with IAM Identity Center.

This policy also allows the user to subscribe to the Amazon Quick Suite Pro role, which grants access to Amazon Q in the Quick Suite Generative BI features. For more information about Pro roles in Amazon Quick Suite, see Getting started with Generative BI.

This example explicitly denies permission to unsubscribe from Amazon Quick Suite. The Deny statement is required for that: the Allow statement grants quicksight:*, which on its own also covers quicksight:Unsubscribe.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "iam:CreateServiceLinkedRole",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "organizations:DescribeOrganization",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:UpdateClaim",
        "sso-directory:DescribeUser",
        "sso:ListApplicationAssignments",
        "sso-directory:DescribeGroup",
        "organizations:ListAWSServiceAccessForOrganization",
        "identitystore:DescribeUser",
        "identitystore:DescribeGroup"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: all access for Enterprise Edition with IAM Identity Center

The following Amazon Quick Suite Enterprise Edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick Suite account that is integrated with IAM Identity Center.

This policy does not grant permission to create Pro roles in Amazon Quick Suite. For a policy that grants permission to subscribe to Pro roles in Amazon Quick Suite, see IAM identity-based policies for Quick Suite: all access for Enterprise Edition with IAM Identity Center (Pro role).

This example explicitly denies permission to unsubscribe from Amazon Quick Suite. As in the previous example, the Deny statement is what removes quicksight:Unsubscribe from the quicksight:* grant.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
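Two points from the examples above are easy to get wrong when writing these policies by hand: how far the ${aws:userid} variable in the "creating users" example actually narrows the Resource, and the fact that a quicksight:* grant covers the destructive quicksight:Unsubscribe action unless an explicit Deny removes it. The following Python script is an added illustration, not AWS code or a Quick Suite tool. It implements the small subset of IAM evaluation logic these policies rely on (explicit Deny wins, Allow must match both action and resource, '*' is a glob, policy variables are substituted) and runs it against trimmed copies of the page's policies. The account ID 111122223333 and the user IDs AIDAEXAMPLEUSERID and AIDAOTHERUSERID are constructed placeholders; Condition elements, SCPs, permission boundaries and resource-based policies are deliberately out of scope.

```python
"""Minimal IAM policy evaluator for the identity-based policies on this page.

Added illustration, not AWS code. Implements only what these examples need:
an explicit Deny always wins; otherwise some Allow statement must match both
the action and the resource; '*' in Action/Resource is a glob; the
'${aws:userid}' policy variable is substituted from the request context.
Conditions, SCPs, permission boundaries and resource policies are ignored.
"""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account ID, as used elsewhere on this page

# Policy from the "creating users" example with the account ID filled in.
CREATE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["quicksight:CreateUser"],
        "Effect": "Allow",
        "Resource": f"arn:aws:quicksight::{ACCOUNT}:user/${{aws:userid}}",
    }],
}

# The Allow statement shared by the Enterprise Edition "all access" examples,
# trimmed to the single action pattern that matters here.
ALL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["quicksight:*"], "Resource": ["*"]}],
}

DENY_UNSUBSCRIBE = {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, context):
    # Policy variables such as ${aws:userid} are replaced before matching.
    for key, value in context.items():
        pattern = pattern.replace("${" + key + "}", value)
    return pattern


def is_allowed(policy, action, resource, context=None):
    """Return True if `action` on `resource` is allowed by `policy`."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resources are matched as written.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, _substitute(p, context))
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides every Allow
        allowed = True
    return allowed


def with_unsubscribe_deny(policy):
    """Copy of `policy` with the explicit Deny on quicksight:Unsubscribe appended."""
    return {**policy, "Statement": list(policy["Statement"]) + [DENY_UNSUBSCRIBE]}


def demo():
    me = {"aws:userid": "AIDAEXAMPLEUSERID"}  # constructed caller identity
    own_user = f"arn:aws:quicksight::{ACCOUNT}:user/AIDAEXAMPLEUSERID"
    other_user = f"arn:aws:quicksight::{ACCOUNT}:user/AIDAOTHERUSERID"
    hardened = with_unsubscribe_deny(ALL_ACCESS_POLICY)
    return {
        # ${aws:userid} scopes CreateUser to the caller's own user ARN only
        "create_own_user": is_allowed(CREATE_USER_POLICY, "quicksight:CreateUser", own_user, me),
        "create_other_user": is_allowed(CREATE_USER_POLICY, "quicksight:CreateUser", other_user, me),
        # quicksight:* silently includes the destructive Unsubscribe action ...
        "wildcard_allows_unsubscribe": is_allowed(ALL_ACCESS_POLICY, "quicksight:Unsubscribe", "*"),
        # ... and only an explicit Deny removes it while keeping everything else
        "deny_blocks_unsubscribe": is_allowed(hardened, "quicksight:Unsubscribe", "*"),
        "deny_keeps_subscribe": is_allowed(hardened, "quicksight:Subscribe", "*"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows create_own_user True and create_other_user False, and wildcard_allows_unsubscribe True turning into deny_blocks_unsubscribe False once the Deny statement is appended, with Subscribe still allowed. Treat this as a reading aid for the policies on this page, not as a substitute for IAM Access Analyzer or the IAM policy simulator, which evaluate the full request context.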

IAM identity-based policies for Quick Suite: all access for Enterprise Edition with Active Directory

The following Amazon Quick Suite Enterprise Edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick Suite account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon Quick Suite.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateAdmin",
        "quicksight:Subscribe",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: Active Directory groups

The following example shows an IAM policy that allows Active Directory group management for an Amazon Quick Suite Enterprise Edition account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ds:DescribeTrusts",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: using the admin asset management console

The following example shows an IAM policy that allows access to the admin asset management console. Note that the Update*Permissions actions let the holder change who can access every analysis, dashboard, dataset, data source and folder in the account, so grant this policy to administrators only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:SearchGroups",
        "quicksight:SearchUsers",
        "quicksight:ListNamespaces",
        "quicksight:DescribeAnalysisPermissions",
        "quicksight:DescribeDashboardPermissions",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:DescribeFolderPermissions",
        "quicksight:ListAnalyses",
        "quicksight:ListDashboards",
        "quicksight:ListDataSets",
        "quicksight:ListDataSources",
        "quicksight:ListFolders",
        "quicksight:SearchAnalyses",
        "quicksight:SearchDashboards",
        "quicksight:SearchFolders",
        "quicksight:SearchDatasets",
        "quicksight:SearchDatasources",
        "quicksight:UpdateAnalysisPermissions",
        "quicksight:UpdateDashboardPermissions",
        "quicksight:UpdateDataSetPermissions",
        "quicksight:UpdateDataSourcePermissions",
        "quicksight:UpdateFolderPermissions"
      ],
      "Resource": "*"
    }
  ]
}

IAM identity-based policies for Quick Suite: using the admin key management console

The following example shows an IAM policy that allows access to the admin key management console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeKeyRegistration",
        "quicksight:UpdateKeyRegistration",
        "quicksight:ListKMSKeysForUser",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}

Accessing customer managed keys from the Amazon Quick Suite console requires the quicksight:ListKMSKeysForUser and kms:ListAliases permissions. Neither permission is required when you use the Amazon Quick Suite key management APIs directly.

To specify which keys a user can access, add the ARNs of those keys to a Condition element on the UpdateKeyRegistration action, using the quicksight:KmsKeyArns condition key. The user can then register only the keys listed in that condition. For more information about the condition keys that Amazon Quick Suite supports, see Condition keys for Amazon Quick Suite.

The following example grants Describe permission on all customer managed keys (CMKs) registered to the Amazon Quick Suite account, and Update permission only for the specific CMKs listed in the condition. The kms:CreateGrant and kms:ListGrants permissions are granted on the account's keys so that Quick Suite can create the grants it needs on the registered keys.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["quicksight:DescribeKeyRegistration"],
      "Resource": "arn:aws:quicksight:us-west-2:123456789012:*"
    },
    {
      "Effect": "Allow",
      "Action": ["quicksight:UpdateKeyRegistration"],
      "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "quicksight:KmsKeyArns": [
            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
            "..."
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["kms:CreateGrant", "kms:ListGrants"],
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/*"
    }
  ]
}
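quicksight:KmsKeyArns is a multivalued condition key, and the ForAllValues set operator used above has a documented property worth checking before relying on it in an Allow statement: it is true when every value in the request is in the policy's list, but it is also vacuously true when the key is absent from the request or carries no values. The IAM User Guide recommends pairing ForAllValues with a Null condition of "false" when the key must be present. The following Python script is an added example, not AWS code or a Quick Suite tool; it implements the semantics of the ForAllValues:StringEquals, ForAnyValue:StringEquals and Null operators and applies them to the Condition block from the policy above and to a hardened variant. The key ARNs key-id-of-key1 and key-id-of-key2 are the page's placeholders, key-id-of-key3 is a constructed ARN that is not in the policy, and the request contexts are constructed.

```python
"""Evaluate the quicksight:KmsKeyArns Condition from the UpdateKeyRegistration
policy on this page. Added illustration, not AWS code."""

KEY1 = "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1"
KEY2 = "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2"
KEY3 = "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key3"  # constructed; not in the policy

# Condition block as written in the example policy (the "..." placeholder omitted).
CONDITION_FROM_PAGE = {
    "ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [KEY1, KEY2]}
}

# Hardened variant added here: additionally require the key to be present in the request.
CONDITION_HARDENED = {
    **CONDITION_FROM_PAGE,
    "Null": {"quicksight:KmsKeyArns": "false"},
}


def _values(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_condition(condition, request_context):
    """True when every operator in the Condition element is satisfied.

    IAM semantics of the operators used here:
      ForAllValues:StringEquals  every request value must be in the policy set;
                                 vacuously true when the key is absent or empty.
      ForAnyValue:StringEquals   at least one request value must be in the set.
      Null                       "true": key must be absent; "false": key must be present.
    """
    for operator, clauses in condition.items():
        for key, policy_value in clauses.items():
            request_values = _values(request_context.get(key))
            policy_set = set(_values(policy_value))
            if operator == "ForAllValues:StringEquals":
                ok = all(v in policy_set for v in request_values)
            elif operator == "ForAnyValue:StringEquals":
                ok = any(v in policy_set for v in request_values)
            elif operator == "Null":
                want_absent = str(policy_value).lower() == "true"
                ok = (len(request_values) == 0) == want_absent
            else:
                raise ValueError(f"operator not supported by this example: {operator}")
            if not ok:
                return False
    return True


def update_allowed(condition, requested_key_arns):
    """Would UpdateKeyRegistration carrying these key ARNs pass the condition?"""
    context = {"quicksight:KmsKeyArns": requested_key_arns} if requested_key_arns else {}
    return evaluate_condition(condition, context)


def demo():
    return {
        "subset_passes": update_allowed(CONDITION_FROM_PAGE, [KEY1]),
        "full_set_passes": update_allowed(CONDITION_FROM_PAGE, [KEY1, KEY2]),
        "unregistered_key_fails": update_allowed(CONDITION_FROM_PAGE, [KEY1, KEY3]),
        # Pitfall: with no key ARNs in the request, ForAllValues is vacuously true
        "empty_request_passes_page_policy": update_allowed(CONDITION_FROM_PAGE, []),
        # The Null operator closes that gap while still allowing the listed keys
        "empty_request_fails_hardened": update_allowed(CONDITION_HARDENED, []),
        "subset_passes_hardened": update_allowed(CONDITION_HARDENED, [KEY1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The interesting rows are unregistered_key_fails (a request that mixes a listed key with an unlisted one is rejected, because ForAllValues requires every value to match) and empty_request_passes_page_policy versus empty_request_fails_hardened. Whether a real UpdateKeyRegistration call can arrive with an empty key list depends on the API; the Null clause costs nothing and removes the question.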

IAM identity-based policies for Quick Suite: scoping policies for AWS resources in Enterprise Edition

The following Amazon Quick Suite Enterprise Edition example shows a policy that allows setting default access to AWS resources and scoping permissions to AWS resources through IAM policy assignments.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:*IAMPolicyAssignment*",
        "quicksight:AccountConfigurations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}