AWS managed policies for AWS Trusted Advisor - AWS Support

This is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Trusted Advisor has the following AWS managed policies.

AWS managed policy: AWSTrustedAdvisorPriorityFullAccess

The AWSTrustedAdvisorPriorityFullAccess policy grants full access to Trusted Advisor Priority. It also allows the user to add Trusted Advisor as a trusted service in AWS Organizations and to specify the delegated administrator account for Trusted Advisor Priority. The Organizations and IAM actions it grants are scoped by condition to the Trusted Advisor reporting service principal (reporting.trustedadvisor.amazonaws.com), so the policy cannot be used to enable trusted access, delegate administration, or create service-linked roles for any other service.

Permissions details

In the first statement, this policy includes the following permissions for trustedadvisor:

  • Describe your account and organization.

  • Describe the risks identified in Trusted Advisor Priority. These permissions allow you to download risks and update their status.

  • Describe your Trusted Advisor Priority email notification configuration. These permissions allow you to configure email notifications and to disable them for the delegated administrator.

  • Set up Trusted Advisor so that your account can enable AWS Organizations.

In the second statement, this policy includes the following permissions for organizations:

  • Describe your account and organization.

  • List the AWS services that you have allowed to use Organizations (trusted access).

In the third statement, this policy includes the following permissions for organizations:

  • List the delegated administrators for Trusted Advisor Priority.

  • Enable and disable trusted access in Organizations. A condition restricts these actions to the reporting.trustedadvisor.amazonaws.com service principal.

In the fourth statement, this policy includes the following permissions for iam:

  • Create the AWSServiceRoleForTrustedAdvisorReporting service-linked role. A condition restricts this to the reporting.trustedadvisor.amazonaws.com service name, and the Resource is limited to that role's ARN.

In the fifth statement, this policy includes the following permissions for organizations:

  • Register and deregister delegated administrators for Trusted Advisor Priority, again restricted by condition to the Trusted Advisor reporting service principal.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityFullAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus",
        "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowRegisterDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
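The conditions in the third, fourth and fifth statements are what keep this policy from being a general-purpose Organizations administration grant. The following Python script is an added example, not code from AWS or from this documentation page: it embeds the policy document shown above, separates read-only actions from state-changing ones by verb prefix, and reports any action that could enable trusted access, delegate administration or create a service-linked role without a condition pinning it to reporting.trustedadvisor.amazonaws.com. The set of sensitive actions, the condition key expected for each, and the read-only verb prefixes are this example's own assumptions, not an AWS classification.

```python
"""Audit an IAM policy document for privileged actions that lack a scoping
condition. Added example; not AWS code. Deny/NotAction statements are out of
scope here, and the sensitive-action list and read-only prefixes are assumptions."""
import json

TRUSTED_ADVISOR_PRINCIPAL = "reporting.trustedadvisor.amazonaws.com"

# Action -> condition key that must pin it to a single service principal
# (assumption of this example, taken from the policy's own statements).
SENSITIVE_ACTIONS = {
    "organizations:EnableAWSServiceAccess": "organizations:ServicePrincipal",
    "organizations:DisableAWSServiceAccess": "organizations:ServicePrincipal",
    "organizations:RegisterDelegatedAdministrator": "organizations:ServicePrincipal",
    "organizations:DeregisterDelegatedAdministrator": "organizations:ServicePrincipal",
    "iam:CreateServiceLinkedRole": "iam:AWSServiceName",
}

# Verb prefixes treated as read-only (assumption; the IAM Service Authorization
# Reference is the authority on an action's access level).
READ_PREFIXES = ("Describe", "List", "Get", "Download")

# The AWSTrustedAdvisorPriorityFullAccess document as shown on this page.
POLICY_JSON = r"""{
 "Version": "2012-10-17",
 "Statement": [
  {"Sid": "AWSTrustedAdvisorPriorityFullAccess", "Effect": "Allow",
   "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
              "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
              "trustedadvisor:UpdateRiskStatus", "trustedadvisor:DescribeNotificationConfigurations",
              "trustedadvisor:UpdateNotificationConfigurations",
              "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
              "trustedadvisor:SetOrganizationAccess"],
   "Resource": "*"},
  {"Sid": "AllowAccessForOrganization", "Effect": "Allow",
   "Action": ["organizations:DescribeAccount", "organizations:DescribeOrganization",
              "organizations:ListAWSServiceAccessForOrganization"],
   "Resource": "*"},
  {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow",
   "Action": ["organizations:ListDelegatedAdministrators",
              "organizations:EnableAWSServiceAccess", "organizations:DisableAWSServiceAccess"],
   "Resource": "*",
   "Condition": {"StringEquals": {"organizations:ServicePrincipal":
                                  ["reporting.trustedadvisor.amazonaws.com"]}}},
  {"Sid": "AllowCreateServiceLinkedRole", "Effect": "Allow",
   "Action": "iam:CreateServiceLinkedRole",
   "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
   "Condition": {"StringLike": {"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"}}},
  {"Sid": "AllowRegisterDelegatedAdministrators", "Effect": "Allow",
   "Action": ["organizations:RegisterDelegatedAdministrator",
              "organizations:DeregisterDelegatedAdministrator"],
   "Resource": "arn:aws:organizations::*:*",
   "Condition": {"StringEquals": {"organizations:ServicePrincipal":
                                  ["reporting.trustedadvisor.amazonaws.com"]}}}
 ]
}"""


def load_policy(text: str = POLICY_JSON) -> dict:
    return json.loads(text)


def _as_list(value):
    # IAM allows Statement, Action and condition values to be a scalar or a list.
    return value if isinstance(value, list) else [value]


def iter_allow_actions(policy: dict):
    """Yield (sid, action, statement) for every action in an Allow statement."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            yield stmt.get("Sid", "<no Sid>"), action, stmt


def split_read_write(policy: dict):
    """Sort granted actions into read-only and state-changing lists by verb prefix."""
    reads, writes = set(), set()
    for _, action, _ in iter_allow_actions(policy):
        verb = action.split(":", 1)[-1]          # "*" alone has no prefix -> write
        (reads if verb.startswith(READ_PREFIXES) else writes).add(action)
    return sorted(reads), sorted(writes)


def condition_values(stmt: dict, key: str) -> list:
    """Collect the values a statement's Condition block pins `key` to."""
    values = []
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator in ("StringEquals", "StringLike") and key in pairs:
            values.extend(_as_list(pairs[key]))
    return values


def find_unscoped(policy: dict, principal: str = TRUSTED_ADVISOR_PRINCIPAL):
    """Return (sid, action, reason) for sensitive actions not pinned to `principal`."""
    findings = []
    for sid, action, stmt in iter_allow_actions(policy):
        key = SENSITIVE_ACTIONS.get(action)
        if key is None:
            continue
        values = condition_values(stmt, key)
        if not values:
            findings.append((sid, action, f"no {key} condition"))
        elif any(v != principal for v in values):
            # A wildcard or a second principal widens the grant beyond Trusted Advisor.
            findings.append((sid, action, f"{key} allows {values}"))
    return findings


def strip_conditions(policy: dict) -> dict:
    """Deep copy of `policy` with every Condition removed (shows what gets flagged)."""
    stripped = json.loads(json.dumps(policy))
    for stmt in _as_list(stripped["Statement"]):
        stmt.pop("Condition", None)
    return stripped


if __name__ == "__main__":
    doc = load_policy()
    reads, writes = split_read_write(doc)
    print(f"{len(reads)} read-only actions, {len(writes)} state-changing actions")
    for finding in find_unscoped(doc) or [("-", "-", "all sensitive actions are scoped")]:
        print(*finding)
```

To audit the live policy rather than the copy embedded above, fetch its default version with `aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityFullAccess` (for DefaultVersionId) and `aws iam get-policy-version`, then pass the PolicyVersion.Document object to find_unscoped. Re-running the check whenever a new row appears in the update table later on this page catches a revision that drops or widens one of these conditions.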

AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess

The AWSTrustedAdvisorPriorityReadOnlyAccess policy grants read-only permissions to Trusted Advisor Priority, including permission to view the delegated administrator accounts.

Permissions details

In the first statement, this policy includes the following permissions for trustedadvisor:

  • Describe your account and organization.

  • Describe the risks identified in Trusted Advisor Priority and allow you to download them.

  • Describe the Trusted Advisor Priority email notification configuration.

In the second and third statements, this policy includes the following permissions for organizations:

  • Describe your organization in Organizations.

  • List the AWS services that you have allowed to use Organizations.

  • List the delegated administrators for Trusted Advisor Priority. A condition restricts this to the reporting.trustedadvisor.amazonaws.com service principal.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}

AWS managed policy: AWSTrustedAdvisorServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role. The role allows Trusted Advisor to perform actions on your behalf. You can't attach AWSTrustedAdvisorServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants the permissions the service-linked role needs to access AWS services so that Trusted Advisor checks can evaluate your account. The grant is broad in scope (Resource is "*" across many services), but every action it contains is a read-only Describe, List, Get, or credential-report call; the role cannot modify your resources.

Permissions details

This policy includes the following permissions.

  • access-analyzer – List AWS Identity and Access Management Access Analyzer analyzers

  • autoscaling – Describe Amazon EC2 Auto Scaling account quotas and resources

  • cloudformation – Describe AWS CloudFormation (CloudFormation) account quotas and stacks

  • cloudfront – List Amazon CloudFront distributions

  • cloudtrail – Describe AWS CloudTrail (CloudTrail) trails, trail status, and event selectors

  • dynamodb – Describe Amazon DynamoDB account quotas and resources

  • dax – Describe Amazon DynamoDB Accelerator (DAX) clusters

  • ec2 – Describe Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources

  • elasticloadbalancing – Describe Elastic Load Balancing (ELB) account quotas and resources

  • iam – Get IAM resources, such as credential reports, the account password policy, server certificates, and SAML providers

  • network-firewall – Describe AWS Network Firewall resources

  • kinesis – Describe Amazon Kinesis (Kinesis) account quotas

  • rds – Describe Amazon Relational Database Service (Amazon RDS) resources

  • redshift – Describe Amazon Redshift resources

  • route53 – Describe Amazon Route 53 account quotas and resources

  • s3 – Describe Amazon Simple Storage Service (Amazon S3) resources, including bucket policies, ACLs, and block public access settings

  • ses – Get Amazon Simple Email Service (Amazon SES) sending quotas

  • sqs – List Amazon Simple Queue Service (Amazon SQS) queues and get queue attributes

  • cloudwatch – Get Amazon CloudWatch metric statistics and list metrics

  • ce – Get AWS Cost Explorer (Cost Explorer) reservation and Savings Plans purchase recommendations

  • route53resolver – List Amazon Route 53 Resolver endpoints and endpoint IP addresses

  • kafka – Get Amazon Managed Streaming for Apache Kafka resources

  • ecs – Get Amazon ECS task definitions

  • outposts – Get AWS Outposts resources

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustedAdvisorServiceRolePermissions",
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "cloudformation:DescribeAccountLimits",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:GetTrail",
        "cloudtrail:ListTrails",
        "cloudtrail:GetEventSelectors",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dax:DescribeClusters",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeNatGateways",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:GetManagedPrefixListEntries",
        "ecs:DescribeTaskDefinition",
        "ecs:ListTaskDefinitions",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "iam:ListSAMLProviders",
        "kinesis:DescribeLimits",
        "kafka:DescribeClusterV2",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "network-firewall:ListFirewalls",
        "network-firewall:DescribeFirewall",
        "outposts:GetOutpost",
        "outposts:ListAssets",
        "outposts:ListOutposts",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEvents",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "redshift:DescribeReservedNodeOfferings",
        "redshift:DescribeReservedNodes",
        "route53:GetAccountLimit",
        "route53:GetHealthCheck",
        "route53:GetHostedZone",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53resolver:ListResolverEndpoints",
        "route53resolver:ListResolverEndpointIpAddresses",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetLifecycleConfiguration",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "ses:GetSendQuota",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach AWSTrustedAdvisorReportingServiceRolePolicy to your IAM entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants the AWS Organizations permissions the service-linked role needs. All of them are read-only Describe and List actions; the role cannot change your organization.

Permissions details

This policy includes the following permissions.

  • organizations – Describe your organization and list service access, accounts, delegated administrators, parents, children, and organizational units

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Trusted Advisor updates to AWS managed policies

View details about updates to AWS managed policies for AWS Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the elasticloadbalancing:DescribeListeners and elasticloadbalancing:DescribeRules permissions.
Date: October 30, 2024

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the access-analyzer:ListAnalyzers, cloudwatch:ListMetrics, dax:DescribeClusters, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeVpcEndpoints, ec2:GetManagedPrefixListEntries, elasticloadbalancing:DescribeTargetHealth, iam:ListSAMLProviders, kafka:DescribeClusterV2, network-firewall:ListFirewalls, network-firewall:DescribeFirewall, and sqs:GetQueueAttributes permissions.
Date: June 11, 2024

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the cloudtrail:GetTrail, cloudtrail:ListTrails, cloudtrail:GetEventSelectors, outposts:GetOutpost, outposts:ListAssets, and outposts:ListOutposts permissions.
Date: January 18, 2024

Change: AWSTrustedAdvisorPriorityFullAccess – Update to an existing policy
Description: Trusted Advisor updated the AWSTrustedAdvisorPriorityFullAccess AWS managed policy to include statement IDs (Sids).
Date: December 6, 2023

Change: AWSTrustedAdvisorPriorityReadOnlyAccess – Update to an existing policy
Description: Trusted Advisor updated the AWSTrustedAdvisorPriorityReadOnlyAccess AWS managed policy to include statement IDs (Sids).
Date: December 6, 2023

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the ec2:DescribeRegions, s3:GetLifecycleConfiguration, ecs:DescribeTaskDefinition, and ecs:ListTaskDefinitions permissions.
Date: November 9, 2023

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added the new IAM actions route53resolver:ListResolverEndpoints, route53resolver:ListResolverEndpointIpAddresses, ec2:DescribeSubnets, kafka:ListClustersV2, and kafka:ListNodes as part of onboarding new resilience checks.
Date: September 14, 2023

Change: AWSTrustedAdvisorReportingServiceRolePolicy – V2 of the managed policy attached to the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role
Description: Upgraded the AWS managed policy for the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role to V2. V2 adds one more IAM action, organizations:ListDelegatedAdministrators.
Date: February 28, 2023

Change: AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess – New AWS managed policies for Trusted Advisor
Description: Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority.
Date: August 17, 2022

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the elasticloadbalancing:DescribeTargetGroups and s3:GetAccountPublicAccessBlock permissions. The Auto Scaling group health check needs DescribeTargetGroups to retrieve the non-Classic load balancers attached to an Auto Scaling group. The Amazon S3 bucket permissions check needs GetAccountPublicAccessBlock to retrieve the block public access settings for the AWS account.
Date: August 10, 2021

Change: Change log published
Description: Trusted Advisor started tracking changes for its AWS managed policies.
Date: August 10, 2021