Identity-based policy examples for IAM Identity Center
This topic provides examples of IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.
The sections in this topic cover the following:
- Custom policy examples
- Permissions required to use the IAM Identity Center console
Custom policy examples
This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies, which do not specify a Principal element. This is because with an identity-based policy you do not specify the principal who receives the permission; instead, you attach the policy to a principal. When you attach an identity-based permissions policy to an IAM role, the principal identified in the role's trust policy receives the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.
Example 1: Allow a user to view IAM Identity Center
The following permissions policy grants read-only permissions to a user so that they can view all of the settings and directory information configured in IAM Identity Center.
This policy is for reference only. In a production environment, we recommend that you use the ViewOnlyAccess AWS managed policy for IAM Identity Center.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "iam:ListPolicies",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:ListAccountsForParent",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:GetInlinePolicyForPermissionSet",
        "sso-directory:DescribeDirectory",
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups"
      ],
      "Resource": "*"
    }
  ]
}
```
Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center
The following permissions policy grants permissions to allow a user to create, manage, and deploy permission sets for your AWS accounts.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:CreatePermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:ProvisionPermissionSet",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:UpdatePermissionSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMListPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AccessToSSOProvisionedRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetSAMLProvider"
      ],
      "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
    }
  ]
}
```
The additional permissions listed in the "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisionedRoles" sections are required only to let the user create assignments in the AWS Organizations management account. In some cases, you might also need to add iam:UpdateSAMLProvider to these sections.
Example 3: Allow a user to manage applications in IAM Identity Center
The following permissions policy grants permissions to allow a user to view and configure applications in IAM Identity Center, including pre-integrated SaaS applications from the IAM Identity Center catalog.
As of October 2020, many of these operations are available only through the AWS console. This example policy includes "read" actions such as list, get, and search, which are relevant to error-free console operation for this case.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:CreateApplicationInstance",
        "sso:ImportApplicationInstanceServiceProviderMetadata",
        "sso:DeleteApplicationInstance",
        "sso:DeleteProfile",
        "sso:DisassociateProfile",
        "sso:GetApplicationTemplate",
        "sso:UpdateApplicationInstanceServiceProviderConfiguration",
        "sso:UpdateApplicationInstanceDisplayData",
        "sso:DeleteManagedApplicationInstance",
        "sso:UpdateApplicationInstanceStatus",
        "sso:GetManagedApplicationInstance",
        "sso:UpdateManagedApplicationInstanceStatus",
        "sso:CreateManagedApplicationInstance",
        "sso:UpdateApplicationInstanceSecurityConfiguration",
        "sso:UpdateApplicationInstanceResponseConfiguration",
        "sso:GetApplicationInstance",
        "sso:CreateApplicationInstanceCertificate",
        "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
        "sso:UpdateApplicationInstanceActiveCertificate",
        "sso:DeleteApplicationInstanceCertificate",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationTemplates",
        "sso:ListApplications",
        "sso:ListApplicationInstances",
        "sso:ListDirectoryAssociations",
        "sso:ListProfiles",
        "sso:ListProfileAssociations",
        "sso:ListInstances",
        "sso:GetProfile",
        "sso:GetSSOStatus",
        "sso:GetSsoConfiguration",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeUsers",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}
```
Example 4: Allow a user to manage users and groups in your Identity Center directory
The following permissions policy grants permissions to allow a user to create, view, modify, and delete users and groups in IAM Identity Center.
In some cases, direct modification of users and groups in IAM Identity Center is restricted, for example when Active Directory, or an external identity provider with automatic provisioning enabled, is selected as the identity source.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:ListGroupsForUser",
        "sso-directory:DisableUser",
        "sso-directory:EnableUser",
        "sso-directory:SearchGroups",
        "sso-directory:DeleteGroup",
        "sso-directory:AddMemberToGroup",
        "sso-directory:DescribeDirectory",
        "sso-directory:UpdateUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:CreateUser",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchUsers",
        "sso:ListDirectoryAssociations",
        "sso-directory:RemoveMemberFromGroup",
        "sso-directory:DeleteUser",
        "sso-directory:DescribeUsers",
        "sso-directory:UpdateGroup",
        "sso-directory:CreateGroup"
      ],
      "Resource": "*"
    }
  ]
}
```
Permissions required to use the IAM Identity Center console
For a user to work in the IAM Identity Center console without errors, additional permissions are required. If an IAM policy has been created that is more restrictive than the minimum required permissions, the console will not function as intended for users who have that policy. The following example lists the set of permissions that might be required to ensure error-free operation in the IAM Identity Center console.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeAccountAssignmentCreationStatus",
        "sso:DescribeAccountAssignmentDeletionStatus",
        "sso:DescribePermissionSet",
        "sso:DescribePermissionSetProvisioningStatus",
        "sso:DescribePermissionsPolicies",
        "sso:DescribeRegisteredRegions",
        "sso:GetApplicationInstance",
        "sso:GetApplicationTemplate",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:GetManagedApplicationInstance",
        "sso:GetMfaDeviceManagementForDirectory",
        "sso:GetPermissionSet",
        "sso:GetPermissionsPolicy",
        "sso:GetProfile",
        "sso:GetSharedSsoConfiguration",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus",
        "sso:GetTrust",
        "sso:ListAccountAssignmentCreationStatus",
        "sso:ListAccountAssignmentDeletionStatus",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationInstances",
        "sso:ListApplications",
        "sso:ListApplicationTemplates",
        "sso:ListDirectoryAssociations",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetProvisioningStatus",
        "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListProfileAssociations",
        "sso:ListProfiles",
        "sso:ListTagsForResource",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeGroups",
        "sso-directory:DescribeUsers",
        "sso-directory:ListGroupsForUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}
```
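Two checks follow naturally from this page: that a policy meant to be read-only (Example 1) really contains only list/describe/get/search actions, and that a policy which has been tightened still covers the minimum the console needs (this section). The Python script below is an added example, not code from the AWS documentation: it parses a policy document, expands the `*` and `?` wildcards that IAM allows in the Action element, honours explicit Deny statements, and reports (a) which required actions are not allowed and (b) which Allow patterns could change state. The sample policy is constructed for the example, and the required-actions list is a deliberately short subset of the console permissions listed above; paste in the full list for a real check. The script inspects the Action element only (Resource, Condition and NotAction are ignored), so treat its output as a first pass and use the IAM policy simulator for an authoritative answer.

```python
import fnmatch
import json

# Constructed sample input for this example: a policy that someone "tightened"
# starting from the read-only example on this page. It is not an AWS policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlySso",
      "Effect": "Allow",
      "Action": ["sso:List*", "sso:DescribePermissionSet", "sso-directory:Search*"],
      "Resource": "*"
    },
    {
      "Sid": "Oops",
      "Effect": "Allow",
      "Action": "sso:DeletePermissionSet",
      "Resource": "*"
    },
    {
      "Sid": "DenyDirectoryRead",
      "Effect": "Deny",
      "Action": ["sso-directory:DescribeDirectory"],
      "Resource": "*"
    }
  ]
}
""")

# Short subset of the console permissions listed on this page (assumed list
# for the example; a real check uses the full list from the documentation).
CONSOLE_REQUIRED = [
    "sso:DescribePermissionSet",
    "sso:GetInlinePolicyForPermissionSet",
    "sso:ListPermissionSets",
    "sso:ListInstances",
    "sso-directory:DescribeDirectory",
    "sso-directory:SearchUsers",
]

# Action verbs this page treats as "read": list, get, describe, search.
READ_ONLY_PREFIXES = ("List", "Describe", "Get", "Search")


def _as_list(value):
    """IAM accepts a string or a list for Action/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy, effect):
    """All statements with the given Effect ("Allow" or "Deny")."""
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == effect]


def _action_matches(pattern, action):
    """IAM action patterns are matched case-insensitively with '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allows_action(policy, action):
    """True if an Allow statement matches the action and no Deny statement does.
    Only the Action element is evaluated; Resource/Condition/NotAction are ignored."""
    for stmt in _statements(policy, "Deny"):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return False
    for stmt in _statements(policy, "Allow"):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return True
    return False


def missing_actions(policy, required):
    """Required actions the policy does not allow: the console-gap check."""
    return sorted(a for a in required if not allows_action(policy, a))


def non_read_only_patterns(policy):
    """Allow patterns whose verb is not List/Describe/Get/Search, i.e. anything
    that could change state. Broad patterns such as 'sso:*' or '*' are flagged too."""
    flagged = []
    for stmt in _statements(policy, "Allow"):
        for pattern in _as_list(stmt.get("Action")):
            _service, _, verb = pattern.partition(":")
            if not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(pattern)
    return sorted(flagged)


if __name__ == "__main__":
    print("Console actions not allowed:", missing_actions(SAMPLE_POLICY, CONSOLE_REQUIRED))
    print("Non-read-only Allow patterns:", non_read_only_patterns(SAMPLE_POLICY))
```

On the constructed sample the first check reports `sso-directory:DescribeDirectory` (explicitly denied) and `sso:GetInlinePolicyForPermissionSet` (never allowed), which is exactly the kind of gap that makes console pages fail; the second flags `sso:DeletePermissionSet`, a write action that does not belong in a policy modelled on Example 1.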