This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
AWS managed policies required to access AppStream 2.0 resources
To provide full administrative or read-only access to AppStream 2.0, you must attach one of the following AWS managed policies to the IAM users or groups that require those permissions. An AWS managed policy is a standalone policy that is created and administered by AWS. For more information, see AWS managed policies in the IAM User Guide.
- AmazonAppStreamFullAccess

This managed policy provides full administrative access to AppStream 2.0 resources. To manage AppStream 2.0 resources and perform API operations through the AWS Command Line Interface (AWS CLI), an AWS SDK, or the AWS Management Console, you must have the permissions defined in this policy.
If you sign in to the AppStream 2.0 console as an IAM user, you must attach this policy to your AWS account. If you sign in to the console through federation, you must attach this policy to the IAM role used for federation.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["appstream:*"],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "application-autoscaling:DeleteScalingPolicy",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:PutScalingPolicy",
        "application-autoscaling:RegisterScalableTarget",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:DeleteScheduledAction"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:PutMetricAlarm"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcEndpoints"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iam:ListRoles",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iam:PassRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/service-role/ApplicationAutoScalingForAmazonAppStreamAccess",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "application-autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "appstream.application-autoscaling.amazonaws.com"
        }
      }
    }
  ]
}
```
- AmazonAppStreamReadOnlyAccess

This managed policy provides read-only access to AppStream 2.0 resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "appstream:Get*",
        "appstream:List*",
        "appstream:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
The AppStream 2.0 console uses two additional actions to provide functionality that is not available through the AWS CLI or the AWS SDKs. Both the AmazonAppStreamFullAccess and AmazonAppStreamReadOnlyAccess policies grant permission for these actions.

Action | Description | Access level |
---|---|---|
GetImageBuilders | Grants permission to retrieve a list that describes one or more specified image builders, if image builder names are provided. Otherwise, all image builders in the account are described. | Read |
GetParametersForThemeAssetUpload | Grants permission to upload custom branded theme assets. For more information, see Add your custom branding to Amazon AppStream 2.0. | Write |
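To see why AmazonAppStreamReadOnlyAccess can describe fleets but never update them, and why the iam:PassRole grant in AmazonAppStreamFullAccess only takes effect when the role is passed to application-autoscaling.amazonaws.com, the following is an added example (not AWS code and not part of this documentation page): a minimal evaluator for the subset of IAM policy grammar these two policies use. It handles only Allow statements, `*`/`?` wildcards and StringLike conditions; Deny statements, SCPs, policy variables and resource policies are out of scope, and the account ID used in the test ARN is constructed.

```python
from fnmatch import fnmatchcase

# Constructed copy of the AmazonAppStreamReadOnlyAccess document shown above.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["appstream:Get*", "appstream:List*", "appstream:Describe*"]}],
}

# Constructed: only the iam:PassRole statement of AmazonAppStreamFullAccess.
PASS_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::*:role/service-role/ApplicationAutoScalingForAmazonAppStreamAccess",
        "Condition": {"StringLike": {"iam:PassedToService": "application-autoscaling.amazonaws.com"}},
    }],
}

def _as_list(value):
    """IAM allows Action, Resource and condition values to be a string or a list."""
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, context):
    """Only StringLike is modelled: every key in the block must match the request context."""
    for key, patterns in condition.get("StringLike", {}).items():
        actual = context.get(key)
        if actual is None or not any(fnmatchcase(actual, p) for p in _as_list(patterns)):
            return False
    return True

def is_allowed(policy, action, resource="*", context=None):
    """True if some Allow statement matches the action, resource and conditions.

    Action names are compared case-insensitively, as IAM does. Deny statements,
    policy variables, SCPs and resource policies are deliberately not modelled.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True
    return False
```

Running `is_allowed(READ_ONLY, "appstream:UpdateFleet")` returns False while `"appstream:DescribeFleets"` returns True, and the PassRole check is only True when the request context carries the expected iam:PassedToService value.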
- AmazonAppStreamPCAAccess

This managed policy provides full administrative access to AWS Certificate Manager Private CA resources in your AWS account for certificate-based authentication.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "arn:*:acm-pca:*:*:*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/euc-private-ca": "*"
        }
      }
    }
  ]
}
```
- AmazonAppStreamServiceAccess

This managed policy is the default policy for the AppStream 2.0 service role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcEndpoints",
        "s3:ListAllMyBuckets",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::appstream2-36fb080bb8-*",
        "arn:aws:s3:::appstream-app-settings-*",
        "arn:aws:s3:::appstream-logs-*"
      ]
    }
  ]
}
```
- ApplicationAutoScalingForAmazonAppStreamAccess

This managed policy enables Application Auto Scaling for AppStream 2.0.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appstream:UpdateFleet",
        "appstream:DescribeFleets"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": ["*"]
    }
  ]
}
```
- AWSApplicationAutoscalingAppStreamFleetPolicy

This managed policy grants Application Auto Scaling permission to access AppStream 2.0 and CloudWatch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appstream:UpdateFleet",
        "appstream:DescribeFleets",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": ["*"]
    }
  ]
}
```
AppStream 2.0 updates to AWS managed policies
View details about updates to the AWS managed policies for AppStream 2.0 since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon AppStream 2.0 Document history page.

Change | Description | Date |
---|---|---|
AppStream 2.0 started tracking changes | AppStream 2.0 started tracking changes for its AWS managed policies | October 31, 2022 |