This is a machine-translated version. If there is any discrepancy between this translation and the original English text, the English original prevails.
AWS managed policies for AWS Clean Rooms
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases, because they are available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or when new API operations become available for existing AWS services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AWSCleanRoomsReadOnlyAccess
You can attach AWSCleanRoomsReadOnlyAccess to your IAM principals.
This policy grants read-only permissions to the resources and metadata in an AWS Clean Rooms collaboration.
Permissions details
This policy includes the following permissions:
- CleanRoomsRead - Allows principals read-only access to the service.
- ConsoleDisplayTables - Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.
- ConsoleLogSummaryQueryLogs - Allows principals to view query logs.
- ConsoleLogSummaryObtainLogs - Allows principals to retrieve the log results.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsRead",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:BatchGet*",
        "cleanrooms:Get*",
        "cleanrooms:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS managed policy: AWSCleanRoomsFullAccess
You can attach AWSCleanRoomsFullAccess to your IAM principals.
This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata in an AWS Clean Rooms collaboration. This policy includes permission to perform queries.
Permissions details
This policy includes the following permissions:
- CleanRoomsAccess - Grants full access to perform all actions on all resources in AWS Clean Rooms.
- PassServiceRole - Grants access to pass a service role only to the service (PassedToService condition) that has "cleanrooms" in its name.
- ListRolesToPickServiceRole - Allows principals to list all of their roles so that they can pick a service role when using AWS Clean Rooms.
- GetRoleAndListRolePoliciesToInspectServiceRole - Allows principals to see the service role and the corresponding policy in IAM.
- ListPoliciesToInspectServiceRolePolicy - Allows principals to see the service role and the corresponding policy in IAM.
- GetPolicyToInspectServiceRolePolicy - Allows principals to see the service role and the corresponding policy in IAM.
- ConsoleDisplayTables - Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.
- ConsolePickQueryResultsBucketListAll - Allows principals to pick an Amazon S3 bucket from a list of all available S3 buckets to which query results are written.
- SetQueryResultsBucket - Allows principals to pick the S3 bucket to which query results are written.
- ConsoleDisplayQueryResults - Allows principals to show the query results, read from the S3 bucket, to the customer.
- WriteQueryResults - Allows principals to write query results into a customer-owned S3 bucket.
- EstablishLogDeliveries - Allows principals to deliver query logs to the customer's Amazon CloudWatch Logs log group.
- SetupLogGroupsDescribe - Allows principals to use the creation process for Amazon CloudWatch Logs log groups.
- SetupLogGroupsCreate - Allows principals to create Amazon CloudWatch Logs log groups.
- SetupLogGroupsResourcePolicy - Allows principals to set up a resource policy on an Amazon CloudWatch Logs log group.
- ConsoleLogSummaryQueryLogs - Allows principals to view query logs.
- ConsoleLogSummaryObtainLogs - Allows principals to retrieve the log results.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsAccess",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*"
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "arn:aws:iam::*:policy/*cleanrooms*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickQueryResultsBucketListAll",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SetQueryResultsBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*"
    },
    {
      "Sid": "WriteQueryResults",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ConsoleDisplayQueryResults",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*"
    },
    {
      "Sid": "EstablishLogDeliveries",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsDescribe",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsCreate",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsResourcePolicy",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeResourcePolicies",
        "logs:PutResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS managed policy: AWSCleanRoomsFullAccessNoQuerying
You can attach AWSCleanRoomsFullAccessNoQuerying to your IAM principals.
This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata in an AWS Clean Rooms collaboration. This policy does not include permission to perform queries.
Permissions details
This policy includes the following permissions:
- CleanRoomsAccess - Grants full access to perform all actions on all resources in AWS Clean Rooms, except for querying in collaborations.
- CleanRoomsNoQuerying - Explicitly denies StartProtectedQuery and UpdateProtectedQuery to prevent querying.
- PassServiceRole - Grants access to pass a service role only to the service (PassedToService condition) that has "cleanrooms" in its name.
- ListRolesToPickServiceRole - Allows principals to list all of their roles so that they can pick a service role when using AWS Clean Rooms.
- GetRoleAndListRolePoliciesToInspectServiceRole - Allows principals to see the service role and the corresponding policy in IAM.
- ListPoliciesToInspectServiceRolePolicy - Allows principals to see the service role and the corresponding policy in IAM.
- GetPolicyToInspectServiceRolePolicy - Allows principals to see the service role and the corresponding policy in IAM.
- ConsoleDisplayTables - Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.
- EstablishLogDeliveries - Allows principals to deliver query logs to the customer's Amazon CloudWatch Logs log group.
- SetupLogGroupsDescribe - Allows principals to use the creation process for Amazon CloudWatch Logs log groups.
- SetupLogGroupsCreate - Allows principals to create Amazon CloudWatch Logs log groups.
- SetupLogGroupsResourcePolicy - Allows principals to set up a resource policy on an Amazon CloudWatch Logs log group.
- ConsoleLogSummaryQueryLogs - Allows principals to view query logs.
- ConsoleLogSummaryObtainLogs - Allows principals to retrieve the log results.
- cleanrooms - Manages collaborations, analysis templates, configured tables, memberships, and associated resources within the AWS Clean Rooms service. Performs operations such as creating, updating, deleting, listing, and retrieving information about these resources.
- iam - Passes service roles whose names contain "cleanrooms" to the AWS Clean Rooms service. Lists roles and policies, and inspects the service roles and policies related to the AWS Clean Rooms service.
- glue - Retrieves information about databases, tables, partitions, and schemas from AWS Glue. This is required for the AWS Clean Rooms service to display and interact with the underlying data sources.
- logs - Manages log deliveries, log groups, and resource policies for CloudWatch Logs. Queries and retrieves logs related to the AWS Clean Rooms service. These permissions are required for monitoring, auditing, and troubleshooting within the service.
The policy also explicitly denies the actions cleanrooms:StartProtectedQuery and cleanrooms:UpdateProtectedQuery, which prevents users from directly running or updating protected queries; that should be done through the controlled mechanisms of AWS Clean Rooms.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsAccess",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:BatchGetCollaborationAnalysisTemplate",
        "cleanrooms:BatchGetSchema",
        "cleanrooms:BatchGetSchemaAnalysisRule",
        "cleanrooms:CreateAnalysisTemplate",
        "cleanrooms:CreateCollaboration",
        "cleanrooms:CreateConfiguredTable",
        "cleanrooms:CreateConfiguredTableAnalysisRule",
        "cleanrooms:CreateConfiguredTableAssociation",
        "cleanrooms:CreateMembership",
        "cleanrooms:DeleteAnalysisTemplate",
        "cleanrooms:DeleteCollaboration",
        "cleanrooms:DeleteConfiguredTable",
        "cleanrooms:DeleteConfiguredTableAnalysisRule",
        "cleanrooms:DeleteConfiguredTableAssociation",
        "cleanrooms:DeleteMember",
        "cleanrooms:DeleteMembership",
        "cleanrooms:GetAnalysisTemplate",
        "cleanrooms:GetCollaboration",
        "cleanrooms:GetCollaborationAnalysisTemplate",
        "cleanrooms:GetConfiguredTable",
        "cleanrooms:GetConfiguredTableAnalysisRule",
        "cleanrooms:GetConfiguredTableAssociation",
        "cleanrooms:GetMembership",
        "cleanrooms:GetProtectedQuery",
        "cleanrooms:GetSchema",
        "cleanrooms:GetSchemaAnalysisRule",
        "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables",
        "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries",
        "cleanrooms:ListSchemas",
        "cleanrooms:UpdateAnalysisTemplate",
        "cleanrooms:UpdateCollaboration",
        "cleanrooms:UpdateConfiguredTable",
        "cleanrooms:UpdateConfiguredTableAnalysisRule",
        "cleanrooms:UpdateConfiguredTableAssociation",
        "cleanrooms:UpdateMembership",
        "cleanrooms:ListTagsForResource",
        "cleanrooms:UntagResource",
        "cleanrooms:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CleanRoomsNoQuerying",
      "Effect": "Deny",
      "Action": [
        "cleanrooms:StartProtectedQuery",
        "cleanrooms:UpdateProtectedQuery"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*"
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "arn:aws:iam::*:policy/*cleanrooms*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EstablishLogDeliveries",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsDescribe",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsCreate",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsResourcePolicy",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeResourcePolicies",
        "logs:PutResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": [
        "logs:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}
```
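The policies above rely on three mechanisms a reviewer has to reason about together: wildcard actions such as cleanrooms:Get* in AWSCleanRoomsReadOnlyAccess, the iam:PassedToService and aws:CalledVia conditions that scope the PassServiceRole and log-group statements, and the explicit Deny in AWSCleanRoomsFullAccessNoQuerying, which wins over any Allow, including cleanrooms:* from AWSCleanRoomsFullAccess if both policies are attached to the same principal. The following Python script is an added example, not AWS code and not part of this documentation: a small offline evaluator that applies just those rules to constructed excerpts of the three policies (statements copied from this page) and to constructed request ARNs, account IDs, and context keys, so that each answer can be traced back to the statements that produced it.

```python
"""Offline evaluator for the managed-policy documents on this page (added example, not AWS code).

Modelled: '*' and '?' wildcards in Action (case-insensitive) and Resource (case-sensitive),
explicit Deny overriding Allow, implicit deny when nothing matches, and the StringEquals /
ForAnyValue:StringEquals operators used by the PassServiceRole and aws:CalledVia statements.
Not modelled: resource policies, permission boundaries, SCPs, NotAction, other operators.
"""
import re

# Constructed excerpts: only the statements needed below, each copied from the
# corresponding policy document shown on this page.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsRead", "Effect": "Allow", "Resource": "*",
     "Action": ["cleanrooms:BatchGet*", "cleanrooms:Get*", "cleanrooms:List*"]},
]}
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsAccess", "Effect": "Allow", "Action": ["cleanrooms:*"], "Resource": "*"},
    {"Sid": "PassServiceRole", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
     "Condition": {"StringEquals": {"iam:PassedToService": "cleanrooms.amazonaws.com"}}},
    {"Sid": "SetupLogGroupsCreate", "Effect": "Allow", "Action": ["logs:CreateLogGroup"],
     "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": "cleanrooms.amazonaws.com"}}},
]}
NO_QUERYING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["cleanrooms:GetCollaboration", "cleanrooms:GetProtectedQuery",
                "cleanrooms:ListProtectedQueries"]},
    {"Sid": "CleanRoomsNoQuerying", "Effect": "Deny", "Resource": "*",
     "Action": ["cleanrooms:StartProtectedQuery", "cleanrooms:UpdateProtectedQuery"]},
]}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _wild(pattern, value, fold_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if fold_case else 0) is not None


def _condition_holds(condition, context):
    """Evaluate StringEquals, with the optional ForAnyValue / ForAllValues set prefixes."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, wanted in pairs.items():
            wanted, have = _as_list(wanted), _as_list(context.get(key))
            if set_op == "ForAnyValue":      # one request value must match; absent key fails
                ok = any(v in wanted for v in have)
            elif set_op == "ForAllValues":   # every request value must match; absent key passes
                ok = all(v in wanted for v in have)
            else:                            # single-valued key must be present and equal
                ok = len(have) == 1 and have[0] in wanted
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request against a dict of {policy name: document}.

    Returns (decision, matched): decision is "Allow", "ExplicitDeny" or "ImplicitDeny";
    matched lists "<policy>/<Sid>" for every statement whose Action, Resource and
    Condition all matched, which is the evidence a reviewer wants next to the verdict.
    """
    context = context or {}
    matched, effects = [], set()
    for name, doc in policies.items():
        for st in doc["Statement"]:
            if not any(_wild(a, action, fold_case=True) for a in _as_list(st.get("Action"))):
                continue
            if not any(_wild(r, resource) for r in _as_list(st.get("Resource"))):
                continue
            if not _condition_holds(st.get("Condition", {}), context):
                continue
            matched.append(f"{name}/{st.get('Sid', '?')}")
            effects.add(st["Effect"])
    if "Deny" in effects:
        return "ExplicitDeny", matched     # an explicit Deny always wins
    if "Allow" in effects:
        return "Allow", matched
    return "ImplicitDeny", matched         # nothing matched: denied by default


# Constructed request values (placeholder account and resource names, not real ones).
MEMBERSHIP_ARN = "arn:aws:cleanrooms:us-east-1:123456789012:membership/example"
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/my-cleanrooms-role"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/cleanrooms/example"

if __name__ == "__main__":
    both = {"AWSCleanRoomsFullAccess": FULL_ACCESS, "AWSCleanRoomsFullAccessNoQuerying": NO_QUERYING}
    print(evaluate({"AWSCleanRoomsReadOnlyAccess": READ_ONLY}, "cleanrooms:GetCollaboration", MEMBERSHIP_ARN))
    print(evaluate(both, "cleanrooms:StartProtectedQuery", MEMBERSHIP_ARN))
    print(evaluate(both, "iam:PassRole", SERVICE_ROLE_ARN, {"iam:PassedToService": "cleanrooms.amazonaws.com"}))
    print(evaluate(both, "logs:CreateLogGroup", LOG_GROUP_ARN))
```

Two results are worth dwelling on. Attaching AWSCleanRoomsFullAccessNoQuerying to a principal that also holds AWSCleanRoomsFullAccess does not widen anything: the request for cleanrooms:StartProtectedQuery matches the Allow in one policy and the Deny in the other, and the Deny wins. And the log-group statements carry aws:CalledVia, so a direct logs:CreateLogGroup call by the principal is an implicit deny; only calls made on the principal's behalf by cleanrooms.amazonaws.com are covered. For authoritative answers on a real account, the IAM policy simulator (aws iam simulate-principal-policy) applies the complete rule set that this script deliberately leaves out.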
AWS managed policy: AWSCleanRoomsMLReadOnlyAccess
You can attach AWSCleanRoomsMLReadOnlyAccess to your IAM principals.
This policy grants read-only permissions to the resources and metadata in an AWS Clean Rooms collaboration.
This policy includes the following permissions:
- CleanRoomsConsoleNavigation - Grants the ability to view the AWS Clean Rooms console screens.
- CleanRoomsMLRead - Allows principals read-only access to the Clean Rooms ML service.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsConsoleNavigation",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:GetCollaboration",
        "cleanrooms:GetConfiguredAudienceModelAssociation",
        "cleanrooms:GetMembership",
        "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations",
        "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables",
        "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries",
        "cleanrooms:ListSchemas",
        "cleanrooms:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CleanRoomsMLRead",
      "Effect": "Allow",
      "Action": [
        "cleanrooms-ml:Get*",
        "cleanrooms-ml:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS managed policy: AWSCleanRoomsMLFullAccess
You can attach AWSCleanRoomsMLFullAccess to your IAM principals. This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata required by Clean Rooms ML.
Permissions details
This policy includes the following permissions:
- CleanRoomsMLFullAccess - Grants access to all Clean Rooms ML actions.
- PassServiceRole - Grants access to pass a service role only to the service (PassedToService condition) that has "cleanrooms-ml" in its name.
- CleanRoomsConsoleNavigation - Grants the ability to view the AWS Clean Rooms console screens.
- CollaborationMembershipCheck - When you start an audience generation (lookalike segment) job within a collaboration, the Clean Rooms ML service calls ListMembers to check that the collaboration is valid, that the caller is an active member, and that the configured audience model owner is an active member. This permission is always required; the console navigation SID is only needed for console users.
- AssociateModels - Allows principals to associate a Clean Rooms ML model with your collaboration.
- TagAssociations - Allows principals to add tags to the association between a lookalike model and a collaboration.
- ListRolesToPickServiceRole - Allows principals to list all of their roles so that they can pick a service role when using AWS Clean Rooms.
- GetRoleAndListRolePoliciesToInspectServiceRole - Allows principals to see the service role and the corresponding policy in IAM.
- ListPoliciesToInspectServiceRolePolicy - Allows principals to see the service role and the corresponding policy in IAM.
- GetPolicyToInspectServiceRolePolicy - Allows principals to see the service role and the corresponding policy in IAM.
- ConsoleDisplayTables - Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.
- ConsolePickOutputBucket - Allows principals to pick an Amazon S3 bucket for the configured audience model output.
- ConsolePickS3Location - Allows principals to pick a location within the bucket for the configured audience model output.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsMLFullAccess",
      "Effect": "Allow",
      "Action": [
        "cleanrooms-ml:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/cleanrooms-ml*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cleanrooms-ml.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CleanRoomsConsoleNavigation",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:GetCollaboration",
        "cleanrooms:GetConfiguredAudienceModelAssociation",
        "cleanrooms:GetMembership",
        "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations",
        "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables",
        "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries",
        "cleanrooms:ListSchemas",
        "cleanrooms:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CollaborationMembershipCheck",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:ListMembers"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cleanrooms-ml.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "AssociateModels",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:CreateConfiguredAudienceModelAssociation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TagAssociations",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:TagResource"
      ],
      "Resource": "arn:aws:cleanrooms:*:*:membership/*/configuredaudiencemodelassociation/*"
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/cleanrooms-ml*",
        "arn:aws:iam::*:role/role/cleanrooms-ml*"
      ]
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "arn:aws:iam::*:policy/*cleanroomsml*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickOutputBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickS3Location",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*cleanrooms-ml*"
    }
  ]
}
```
AWS Clean Rooms updates to AWS managed policies
View details about updates to AWS managed policies for AWS Clean Rooms since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Clean Rooms Document history page.
Change | Description | Date |
---|---|---|
AWSCleanRoomsFullAccessNoQuerying - Update to an existing policy | Added cleanrooms:BatchGetSchemaAnalysisRule to CleanRoomsAccess. | May 13, 2024 |
AWSCleanRoomsFullAccess - Update to an existing policy | Updated the statement ID in AWSCleanRoomsFullAccess from ConsolePickQueryResultsBucket to SetQueryResultsBucket to better represent the permissions in this policy, because these permissions are required to set the query results bucket whether or not the console is used. | March 21, 2024 |
AWSCleanRoomsMLReadOnlyAccess and AWSCleanRoomsMLFullAccess - New policies | Added AWSCleanRoomsMLReadOnlyAccess and AWSCleanRoomsMLFullAccess to support AWS Clean Rooms ML. | November 29, 2023 |
AWSCleanRoomsFullAccessNoQuerying - Update to an existing policy | Added cleanrooms:CreateAnalysisTemplate, cleanrooms:GetAnalysisTemplate, cleanrooms:UpdateAnalysisTemplate, cleanrooms:DeleteAnalysisTemplate, cleanrooms:ListAnalysisTemplates, cleanrooms:GetCollaborationAnalysisTemplate, cleanrooms:BatchGetCollaborationAnalysisTemplate, and cleanrooms:ListCollaborationAnalysisTemplates to CleanRoomsAccess to enable the new analysis template feature. | July 31, 2023 |
AWSCleanRoomsFullAccessNoQuerying - Update to an existing policy | Added cleanrooms:ListTagsForResource, cleanrooms:UntagResource, and cleanrooms:TagResource to CleanRoomsAccess to enable resource tagging. | March 21, 2023 |
AWS Clean Rooms started tracking changes | AWS Clean Rooms started tracking changes for its AWS managed policies. | January 12, 2023 |
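As the introduction notes, an update to a managed policy reaches every principal the policy is attached to, and the table above is the record of such updates. A team that keeps a copy of each attached managed policy document can triage those updates locally rather than reading the two versions side by side. The following Python script is an added example, not AWS tooling and not part of this documentation: it diffs two versions of a policy document per statement ID and ranks the findings, and it runs on constructed before/after excerpts that mirror the May 13, 2024 row, plus a hypothetical version (never published by AWS) with the Deny statement dropped, to show what the review flags first.

```python
"""Change review for managed-policy updates (added example, not AWS tooling).

Compares two versions of a policy document and reports, per statement ID, the
actions and resource patterns that were added or removed and the statements that
appeared or disappeared, then ranks findings so that widened grants and weakened
denies come first. Conditions are compared only for presence or absence.
"""
import copy

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def _as_list(value):
    """IAM fields may be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _by_sid(doc):
    """Index statements by Sid, with a positional fallback for statements without one."""
    return {st.get("Sid", f"statement-{i}"): st for i, st in enumerate(doc["Statement"])}


def diff_policies(old, new):
    """Structural diff of two policy documents keyed by statement ID."""
    old_s, new_s = _by_sid(old), _by_sid(new)
    report = {"new_statements": sorted(new_s.keys() - old_s.keys()),
              "removed_statements": sorted(old_s.keys() - new_s.keys()),
              "changed": {}}
    for sid in sorted(old_s.keys() & new_s.keys()):
        delta = {}
        for field in ("Action", "Resource"):
            before, after = set(_as_list(old_s[sid].get(field))), set(_as_list(new_s[sid].get(field)))
            if before != after:
                delta[field] = {"added": sorted(after - before), "removed": sorted(before - after)}
        if ("Condition" in old_s[sid]) != ("Condition" in new_s[sid]):
            delta["Condition"] = "added" if "Condition" in new_s[sid] else "removed"
        if delta:
            report["changed"][sid] = delta
    return report


def _widens(effect, direction):
    """A change widens effective permissions when an Allow grows or a Deny shrinks."""
    return (effect == "Allow") == (direction == "added")


def review_findings(old, new):
    """Turn the diff into ordered findings, highest concern first."""
    old_s, new_s = _by_sid(old), _by_sid(new)
    report, findings = diff_policies(old, new), []
    for sid in report["removed_statements"]:
        effect = old_s[sid]["Effect"]
        findings.append(f"{'HIGH' if effect == 'Deny' else 'INFO'}: {effect} statement {sid} removed")
    for sid in report["new_statements"]:
        effect = new_s[sid]["Effect"]
        findings.append(f"{'HIGH' if effect == 'Allow' else 'INFO'}: new {effect} statement {sid}")
    for sid, delta in report["changed"].items():
        effect = new_s[sid]["Effect"]
        for field in ("Action", "Resource"):
            for direction, verb in (("added", "now also covers"), ("removed", "no longer covers")):
                for item in delta.get(field, {}).get(direction, []):
                    if _widens(effect, direction):
                        sev = "HIGH" if ("*" in item or effect == "Deny") else "MEDIUM"
                    else:
                        sev = "INFO"
                    findings.append(f"{sev}: {effect} statement {sid} {verb} {item}")
        if "Condition" in delta:
            # Dropping a condition from an Allow, or adding one to a Deny, widens the grant.
            widened = _widens(effect, "removed" if delta["Condition"] == "removed" else "added") is False
            findings.append(f"{'HIGH' if widened else 'INFO'}: {effect} statement {sid} condition {delta['Condition']}")
    findings.sort(key=lambda f: SEVERITY_ORDER[f.split(":")[0]])
    return findings


# Constructed before/after versions of two statements from AWSCleanRoomsFullAccessNoQuerying,
# trimmed to a few actions. The only difference mirrors the May 13, 2024 row in the table above.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["cleanrooms:BatchGetSchema", "cleanrooms:GetSchemaAnalysisRule", "cleanrooms:ListSchemas"]},
    {"Sid": "CleanRoomsNoQuerying", "Effect": "Deny", "Resource": "*",
     "Action": ["cleanrooms:StartProtectedQuery", "cleanrooms:UpdateProtectedQuery"]},
]}
AFTER = copy.deepcopy(BEFORE)
AFTER["Statement"][0]["Action"].append("cleanrooms:BatchGetSchemaAnalysisRule")
# Hypothetical version (not something AWS published) with the Deny statement dropped.
HYPOTHETICAL_DENY_DROPPED = {"Version": "2012-10-17", "Statement": [AFTER["Statement"][0]]}

if __name__ == "__main__":
    for line in review_findings(BEFORE, AFTER) + review_findings(AFTER, HYPOTHETICAL_DENY_DROPPED):
        print(line)
```

In practice the "old" document is the copy recorded when the policy was attached and the "new" one is the current default version retrieved with aws iam get-policy-version, so the script becomes a gate in a periodic check rather than a one-off comparison. The severity model is deliberately simple: an Allow gaining an action is a widened grant, a Deny losing an action or disappearing altogether is a weakened guard, and a wildcard in either direction earns the top rank because its scope cannot be read off the diff alone.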