使用控制台批量迁移您的策略 - AWS 账单
先决条件确认您的迁移

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用控制台批量迁移您的策略

注意

以下 AWS Identity and Access Management (IAM) 操作已于 2023 年 7 月结束标准支持:

  • aws-portal 命名空间

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

如果您正在使用 AWS Organizations,则可以使用批量策略迁移器脚本或批量策略迁移器从您的付款人账户更新政策。您还可以使用旧到精细操作映射参考来验证需要添加的 IAM 操作。

如果您在 2023 年 3 月 6 日上午 11:00(太平洋夏令时)当天或之后 AWS Organizations 创建,或参与其中,则细粒度操作已在您的组织中生效。 AWS 账户

本节介绍如何使用 AWS Billing and Cost Management 控制台将旧策略从组织账户或标准账户批量迁移到精细操作。您可以使用控制台通过两种方式完成旧策略的迁移:

使用亚马逊云科技推荐的迁移流程

这是一个简化的单一操作流程,您可以将旧版操作迁移到 AWS映射的精细操作。有关更多信息,请参阅 使用建议的操作批量迁移旧版策略

使用自定义迁移流程

此过程允许您在批量迁移 AWS 之前查看和更改建议的操作,以及自定义要迁移组织中的哪些帐户。有关更多信息,请参阅 自定义批量迁移旧版策略的操作

使用控制台进行批量迁移的先决条件

这两个迁移选项都需要您在控制台中征得您的同意,这样 AWS 才能为您分配的传统 IAM 操作推荐细粒度的操作。为此,您需要以 IAM 委托人身份登录您的 AWS 账户,并执行以下 IAM 操作才能继续更新政策。

Management account
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced",
"aws-portal:UpdateConsoleActionSetEnforced",
"purchase-orders:UpdateConsoleActionSetEnforced",
"iam:GetAccountAuthorizationDetails",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"scheduler:GetSchedule", 
"scheduler:DeleteSchedule",
"scheduler:CreateSchedule",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackSets",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:ListStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:CreateStack",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:DescribeStacks",
"ec2:DescribeRegions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"sts:AssumeRole",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:GetInlinePolicyForPermissionSet",
"sso:DescribePermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ProvisionPermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
Member account or standard account
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced", // Not needed for member account
"aws-portal:UpdateConsoleActionSetEnforced", // Not needed for member account
"purchase-orders:UpdateConsoleActionSetEnforced", // Not needed for member account
"iam:GetAccountAuthorizationDetails",
"ec2:DescribeRegions",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl", 
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
主题

确认您的迁移

您可以使用迁移工具查看是否还有需要迁移的 AWS Organizations 账户。

确认是否所有账户均已迁移

  1. 登录到 AWS Management Console

  2. 在页面顶部的搜索栏中,输入Bulk Policy Migrator

  3. 管理新的 IAM 操作页面上,选择迁移账户选项卡。

如果表中未显示任何剩余账户,则所有账户均已成功迁移。