使用 Evidently 的 IAM policy - Amazon CloudWatch

使用 Evidently 的 IAM policy

重要

终止支持通知:2025 年 10 月 16 日,AWS 将停止对 CloudWatch Evidently 的支持。2025 年 10 月 16 日之后,您将无法再访问 Evidently 控制台或 Evidently 资源。

要完全管理 CloudWatch Evidently,您必须以具有以下权限的 IAM 用户或角色的身份登录:

  • AmazonCloudWatchEvidentlyFullAccess 策略

  • ResourceGroupsandTagEditorReadOnlyAccess 策略

此外,为能够创建在 Amazon S3 或 CloudWatch Logs 中存储评估事件的项目,您需要以下权限:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:DescribeResourcePolicies",
                "logs:PutResourcePolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

CloudWatch RUM 集成的其他权限

此外,如果您打算管理与 Amazon CloudWatch RUM 集成的 Evidently 启动或实验,并使用 CloudWatch RUM 指标进行监控,您需要 AmazonCloudWatchRUMFullAccess 策略。要创建 IAM 角色以授予 CloudWatch RUM Web 客户端向 CloudWatch RUM 发送数据的权限,您需要以下权限:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*",
                "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*"
            ]
        }
    ]
}

对 Evidently 的只读访问权限

对于需要查看 Evidently 数据但不需要创建 Evidently 资源的其他用户,您可以授予 AmazonCloudWatchEvidentlyReadOnlyAccess 策略。