

This is a machine-translated version. If there is a discrepancy between this translation and the original English text, the original English text prevails.

# Security in AWS Config
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Config, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS services that you use. You are also responsible for other factors including the sensitivity of your data, your company's requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using AWS Config. The following topics show you how to configure AWS Config to meet your security and compliance objectives.

**Topics**
+ [Data protection in AWS Config](data-protection.md)
+ [Identity and Access Management for AWS Config](security-iam.md)
+ [Incident response in AWS Config](incident-response.md)
+ [Compliance validation for AWS Config](config-compliance.md)
+ [Resilience in AWS Config](disaster-recovery-resiliency.md)
+ [Infrastructure security in AWS Config](infrastructure-security.md)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)
+ [Security best practices for AWS Config](security-best-practices.md)

# Data protection in AWS Config
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Config. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with AWS Config or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.
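The guidance above on keeping e-mail addresses out of tags and credentials out of URLs can be turned into a routine check. The following is an added example, not AWS code and not part of this guide: a small scanner over a tag dictionary that flags e-mail addresses and URLs carrying a username or password, so such fields can be caught before they end up in billing or diagnostic logs. The `SAMPLE_TAGS` values and the function names are constructed for the example.

```python
"""Scan tag values for data this page says must never be stored there: e-mail
addresses and credentials embedded in URLs. Added example, not AWS code; the
tags below are constructed, not taken from any real account."""
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://\S+")


def findings_for_value(value):
    """Return the reasons (possibly none) this value should not sit in a tag or name field."""
    reasons = []
    for url in URL_RE.findall(value):
        parts = urlsplit(url)
        if parts.username or parts.password:  # e.g. https://user:secret@host/path
            reasons.append("credentials embedded in URL")
            break
    # Strip URLs first so user@host inside a URL is not double-counted as an e-mail.
    if EMAIL_RE.search(URL_RE.sub(" ", value)):
        reasons.append("email address")
    return reasons


def scan_tags(tags):
    """tags: {key: value} as returned by a tagging API call. Returns {key: [reasons]}."""
    report = {}
    for key, value in tags.items():
        reasons = findings_for_value(str(value))
        if reasons:
            report[key] = reasons
    return report


# Constructed sample: what a tag set on a recorder or rule might look like.
SAMPLE_TAGS = {
    "Name": "payments-config-recorder",
    "Owner": "alice@example.com",
    "WebhookUrl": "https://svc:s3cr3t@hooks.example.com/notify",
    "CostCenter": "CC-1234",
}

if __name__ == "__main__":
    for key, reasons in scan_tags(SAMPLE_TAGS).items():
        print(f"tag {key!r}: {', '.join(reasons)}")
```

Run it over the `Tags` returned by a tagging API call; the regular expressions are deliberately simple and will need tuning for an organisation's own identifiers.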

## Encryption at rest
<a name="data-protection-encryption-at-rest"></a>

Data at rest is encrypted using transparent server-side encryption. This helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet encryption compliance and regulatory requirements.

## Encryption in transit
<a name="data-protection-encryption-in-transit"></a>

Data collected and accessed by AWS Config travels only over channels protected by Transport Layer Security (TLS).

# Identity and Access Management for AWS Config
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Config resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How AWS Config works with IAM](security_iam_service-with-iam.md)
+ [Identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [AWS managed policies](security-iam-awsmanpol.md)
+ [Permissions for the IAM role](iamrole-permissions.md)
+ [Updating the IAM role](update-iam-role.md)
+ [Permissions for the Amazon S3 bucket](s3-bucket-policy.md)
+ [Permissions for the KMS key](s3-kms-key-policy.md)
+ [Permissions for the Amazon SNS topic](sns-topic-policy.md)
+ [Troubleshooting](security_iam_troubleshoot.md)
+ [Using service-linked roles](using-service-linked-roles.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs, depending on your role:
+ **Service user** – If you can't access a feature, request permissions from your administrator (see [Troubleshooting AWS Config identity and access](security_iam_troubleshoot.md))
+ **Service administrator** – Determine user access and submit permission requests (see [How AWS Config works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** – Write policies to manage access (see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, as an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source such as AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides SDKs and a CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access AWS services by using temporary credentials.

A *federated identity* is a user from your enterprise user directory, a web identity provider, the AWS Directory Service, or any user that accesses AWS services by using credentials provided through an identity source. Federated identities assume roles, which provide temporary credentials.

For centralized access management, we recommend that you use AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users, making it easier to manage permissions for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Administrators use policies to specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions an identity can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by the more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies that you pass as a parameter when you create a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How AWS Config works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to AWS Config, learn what IAM features are available to use with AWS Config.

**IAM features you can use with AWS Config**  

| IAM feature | AWS Config support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   Yes  | 
|  [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   Yes  | 
|  [ACLs](#security_iam_service-with-iam-acls)  |   No   | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   Yes  | 
|  [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   Yes  | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

To get a high-level view of how AWS Config and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for AWS Config
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for AWS Config
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>

To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).

## Resource-based policies within AWS Config
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** No

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Policy actions for AWS Config
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

To see a list of AWS Config actions, see [Actions defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in AWS Config use the following prefix before the action:

```
config
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
    "config:action1",
    "config:action2"
]
```

You can also specify multiple actions using wildcards (`*`). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "config:Describe*"
```

To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).

## Policy resources for AWS Config
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (`*`) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

To see a list of AWS Config resource types and their ARNs, see [Resources defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions).

To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).

## Policy condition keys for AWS Config
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when a statement is in effect based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

To see a list of AWS Config condition keys, see [Condition keys for AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions).

To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).

## ACLs in AWS Config
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** No

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## ABAC with AWS Config
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** Yes

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

For more information about tagging AWS Config resources, see [Tagging your AWS Config resources](tagging.md).

## Using temporary credentials with AWS Config
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to AWS resources and are created automatically when you use federation or switch roles. AWS recommends that you generate temporary credentials dynamically instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Forward access sessions for AWS Config
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** Yes

Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service, to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html).

## Service roles for AWS Config
<a name="security_iam_service-with-iam-roles-service"></a>

**Supports service roles:** Yes

A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

**Warning**  
Changing the permissions for a service role might break AWS Config functionality. Edit service roles only when AWS Config provides guidance to do so.

## Service-linked roles for AWS Config
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

For details about creating or managing AWS Config service-linked roles, see [Using service-linked roles for AWS Config](using-service-linked-roles.md).

For details about creating or managing service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.

# Identity-based policy examples for AWS Config
<a name="security_iam_id-based-policy-examples"></a>

By default, users and roles don't have permission to create or modify AWS Config resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by AWS Config, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html) in the *Service Authorization Reference*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)
+ [Using the console](#security_iam_id-based-policy-examples-console)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Read-only access to AWS Config](#read-only-config-permission)
+ [Full access to AWS Config](#full-config-permission)
+ [Controlling access to AWS Config rules](#supported-resource-level-permissions)
+ [Controlling access to aggregated data](#resource-level-permission)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete AWS Config resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Using the AWS Config console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the AWS Config console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS Config resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that users and roles can still use the AWS Config console, also attach the AWS Config `AWSConfigUserAccess` AWS managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

You must grant users permissions to interact with AWS Config. For users who need full access to AWS Config, use the [Full access to AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security_iam_id-based-policy-examples.html#full-config-permission) managed policy.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Read-only access to AWS Config
<a name="read-only-config-permission"></a>

The following example shows an AWS managed policy, `AWSConfigUserAccess`, that grants read-only access to AWS Config.

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:Get*",
        "config:Describe*",
        "config:Deliver*",
        "config:List*",
        "config:Select*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}
```

In these policy statements, the `Effect` element specifies whether the actions are allowed or denied. The `Action` element lists the specific actions that the user is allowed to perform. The `Resource` element lists the AWS resources that the user is allowed to perform those actions on. For policies that control access to AWS Config actions, the `Resource` element is always set to `*`, a wildcard that means "all resources".

The values in the `Action` element correspond to the APIs that the service supports. The actions are preceded by `config:` to indicate that they refer to AWS Config actions. You can use the `*` wildcard in the `Action` element, as in the following examples:
+ `"Action": ["config:*ConfigurationRecorder"]`

  This allows all AWS Config actions that end with "ConfigurationRecorder" (`StartConfigurationRecorder`, `StopConfigurationRecorder`).
+ `"Action": ["config:*"]`

  This allows all AWS Config actions, but not actions for other AWS services.
+ `"Action": ["*"]`

  This allows all AWS actions. This permission is suitable for a user who acts as an AWS administrator for your account.

The read-only policy doesn't grant users permission for the `StartConfigurationRecorder`, `StopConfigurationRecorder`, and `DeleteConfigurationRecorder` actions. Users with this policy are not allowed to start the configuration recorder, stop the configuration recorder, or delete the configuration recorder. For the list of AWS Config actions, see the [AWS Config API Reference](https://docs.aws.amazon.com/config/latest/APIReference/).

## Full access to AWS Config
<a name="full-config-permission"></a>

The following example shows a policy that grants full access to AWS Config. It grants users permission to perform all AWS Config actions. It also allows users to manage files in Amazon S3 buckets and to manage Amazon SNS topics in the account that the user is associated with.

**Important**  
This policy grants broad permissions. Before granting full access, consider starting with a minimum set of permissions and granting additional permissions as necessary. Doing so is better practice than starting with permissions that are too lenient and then trying to tighten them later.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:AddPermission",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetTopicAttributes",
                "sns:ListPlatformApplications",
                "sns:ListTopics",
                "sns:SetTopicAttributes"
            ],
            "Resource": "*"   
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketVersioning",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "config.amazonaws.com",
                        "ssm.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "config:*",
                "tag:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeDocument",
                "ssm:GetDocument",
                "ssm:DescribeAutomationExecutions",
                "ssm:GetAutomationExecution",
                "ssm:ListDocuments",
                "ssm:StartAutomationExecution"
            ],
            "Resource": "*"
        }
    ]
}
```

## Resource-level permissions supported by AWS Config rules API actions
<a name="supported-resource-level-permissions"></a>

Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. AWS Config supports resource-level permissions for certain AWS Config rules API actions. This means that for certain AWS Config rules actions, you can control the conditions under which users are allowed to use those actions. These conditions can be actions that must be fulfilled, or specific resources that users are allowed to use.

The following table describes the AWS Config rules API actions that currently support resource-level permissions. It also describes the supported resources and their ARNs for each action. When specifying an ARN, you can use the `*` wildcard in the path; for example, when you cannot or do not want to specify exact resource IDs.

**Important**  
If an AWS Config rules API action is not listed in this table, then it does not support resource-level permissions. If an AWS Config rules action does not support resource-level permissions, you can grant users permission to use the action, but you must specify `*` for the resource element of your policy statement.

| API action | Resource | 
| --- | --- | 
| DeleteConfigRule | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| DeleteEvaluationResults | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| DescribeComplianceByConfigRule | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| DescribeConfigRuleEvaluationStatus | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| GetComplianceDetailsByConfigRule | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| PutConfigRule | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| StartConfigRulesEvaluation | Config rule arn:aws:config:*region*:*accountID*:config-rule/config-rule-*ID* | 
| PutRemediationConfigurations | Remediation configuration arn:aws:config:*region*:*accountId*:remediation-configuration/*config rule name*/*remediation configuration id* | 
| DescribeRemediationConfigurations | Remediation configuration arn:aws:config:*region*:*accountId*:remediation-configuration/*config rule name*/*remediation configuration id* | 
| DeleteRemediationConfiguration | Remediation configuration arn:aws:config:*region*:*accountId*:remediation-configuration/*config rule name*/*remediation configuration id* | 
| PutRemediationExceptions | Remediation configuration arn:aws:config:*region*:*accountId*:remediation-configuration/*config rule name*/*remediation configuration id* | 
| DescribeRemediationExceptions | Remediation configuration arn:aws:config:*region*:*accountId*:remediation-configuration/*config rule name*/*remediation configuration id* | 
| DeleteRemediationExceptions | Remediation configuration arn:aws:config:*region*:*accountId*:remediation-configuration/*config rule name*/*remediation configuration id* | 

For example, suppose you want to allow a specific user read access to a specific rule but deny that user write access to the same rule.

In the first policy, you allow AWS Config rules read actions, such as `DescribeConfigRuleEvaluationStatus`, on the specified rule.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "config:StartConfigRulesEvaluation",
                "config:DescribeComplianceByConfigRule",
                "config:DescribeConfigRuleEvaluationStatus",
                "config:GetComplianceDetailsByConfigRule"
            ],
            "Resource": [
                "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID",
                "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID"
            ]
        }
    ]
}
```

In the second policy, you deny rules write actions on the specific AWS Config rule.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "config:PutConfigRule",
                "config:DeleteConfigRule",
                "config:DeleteEvaluationResults"
            ],
            "Resource": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID"
        }
    ]
}
```

With resource-level permissions, you can allow read access and deny write access for specific AWS Config rules API actions on specific rules.
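To see how the allow-read/deny-write pair above combines with the wildcard actions from the policy actions section, the `iam:PassedToService` condition in the full-access policy, and an ABAC tag condition, the following added example implements the evaluation rule this page links to (an explicit Deny in any matching statement wins, otherwise at least one Allow is required, otherwise the request is implicitly denied) in Python. It is not AWS code and not part of this guide: the `ALLOW_READ` and `DENY_WRITE` policies are the two shown above, while the `EXTRA` policy, the `other-rule` and role ARNs, and the `evaluate`/`demo` function names are constructed for the example. Only the `StringEquals` condition operator is implemented.

```python
"""Minimal IAM policy evaluator. Added example, not AWS code: it reproduces the
evaluation behaviour this page relies on (explicit Deny wins; otherwise an Allow
is required; otherwise implicit deny) for the Effect, Action, Resource and
Condition elements, with '*' and '?' wildcards in actions and resource ARNs.
Only the StringEquals condition operator is implemented, which covers the
iam:PassedToService and aws:ResourceTag/... conditions discussed on this page.
"""
import re


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """Match an IAM wildcard pattern: '*' = any run of characters, '?' = one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Every operator block and every key must match; a listed value is an OR."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not implemented here")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):  # missing key never matches
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are matched case-insensitively, ARNs case-sensitively.
            if not any(_glob_match(p, action, True) for p in _as_list(stmt["Action"])):
                continue
            if not any(_glob_match(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The rule ARN used by the two policies in this section (value from the page).
RULE_ARN = "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID"

# First policy from this section: read actions allowed on the one rule.
ALLOW_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["config:StartConfigRulesEvaluation",
               "config:DescribeComplianceByConfigRule",
               "config:DescribeConfigRuleEvaluationStatus",
               "config:GetComplianceDetailsByConfigRule"],
    "Resource": [RULE_ARN]}]}

# Second policy from this section: write actions denied on the same rule.
DENY_WRITE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["config:PutConfigRule", "config:DeleteConfigRule",
               "config:DeleteEvaluationResults"],
    "Resource": RULE_ARN}]}

# Constructed: wildcard reads as in AWSConfigUserAccess, an iam:PassRole statement
# scoped with iam:PassedToService as in the full-access policy, and an ABAC
# statement that permits deleting only rules tagged env=sandbox.
EXTRA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["config:Describe*", "config:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": ["config.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": "config:DeleteConfigRule", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env": "sandbox"}}},
]}


def demo():
    """Evaluate representative requests against all three policies together."""
    policies = [ALLOW_READ, DENY_WRITE, EXTRA]
    other_rule = "arn:aws:config:us-east-1:123456789012:config-rule/other-rule"  # constructed
    role = "arn:aws:iam::123456789012:role/ConfigRole"  # constructed
    return {
        "read_rule": evaluate(policies, "config:DescribeConfigRuleEvaluationStatus", RULE_ARN),
        "write_rule": evaluate(policies, "config:PutConfigRule", RULE_ARN),
        "write_other_rule": evaluate(policies, "config:PutConfigRule", other_rule),
        "describe_wildcard": evaluate(policies, "config:DescribeConfigRules", other_rule),
        "start_recorder": evaluate(policies, "config:StartConfigurationRecorder", "*"),
        "passrole_config": evaluate(policies, "iam:PassRole", role,
                                    {"iam:PassedToService": "config.amazonaws.com"}),
        "passrole_other": evaluate(policies, "iam:PassRole", role,
                                   {"iam:PassedToService": "lambda.amazonaws.com"}),
        "delete_sandbox": evaluate(policies, "config:DeleteConfigRule", other_rule,
                                   {"aws:ResourceTag/env": "sandbox"}),
        "delete_denied_rule": evaluate(policies, "config:DeleteConfigRule", RULE_ARN,
                                       {"aws:ResourceTag/env": "sandbox"}),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:20} {decision}")
```

Use it to reason about a policy set before attaching it; for a real account, IAM Access Analyzer and the IAM policy simulator are the authoritative checks, and this evaluator deliberately ignores the permissions boundaries, SCPs, RCPs, and session policies described earlier on this page.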

## 支持多账户多区域数据聚合的资源级别权限
<a name="resource-level-permission"></a>

您可以使用资源级权限控制用户对多账户多区域数据聚合执行特定操作的能力。以下 AWS Config `Aggregator` APIs 支持资源级别权限：
+ [BatchGetAggregateResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_BatchGetAggregateResourceConfig.html)
+ [DeleteConfigurationAggregator](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteConfigurationAggregator.html)
+ [DescribeAggregateComplianceByConfigRules](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeAggregateComplianceByConfigRules.html)
+ [DescribeAggregateComplianceByConformancePacks](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeAggregateComplianceByConformancePacks.html)
+ [DescribeConfigurationAggregatorSourcesStatus](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeConfigurationAggregatorSourcesStatus.html)
+ [GetAggregateComplianceDetailsByConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateComplianceDetailsByConfigRule.html)
+ [GetAggregateConfigRuleComplianceSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateConfigRuleComplianceSummary.html)
+ [GetAggregateConformancePackComplianceSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateConformancePackComplianceSummary.html)
+ [GetAggregateDiscoveredResourceCounts](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateDiscoveredResourceCounts.html)
+ [GetAggregateResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateResourceConfig.html)
+ [ListAggregateDiscoveredResources](https://docs.aws.amazon.com/config/latest/APIReference/API_ListAggregateDiscoveredResources.html)
+ [PutConfigurationAggregator](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationAggregator.html)
+ [SelectAggregateResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_SelectAggregateResourceConfig.html)

For example, you can restrict a specific user's access to resource data by creating two aggregators, `AccessibleAggregator` and `InAccessibleAggregator`, and attaching an IAM policy that allows access to `AccessibleAggregator` but denies access to `InAccessibleAggregator`.

**IAM policy for AccessibleAggregator**

In this policy, you allow access to the aggregator actions supported by the AWS Config Amazon Resource Name (ARN) that you specify. In this example, the AWS Config ARN is `arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs`.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ConfigAllow",
            "Effect": "Allow",
            "Action": [
                "config:BatchGetAggregateResourceConfig",
                "config:DeleteConfigurationAggregator",
                "config:DescribeAggregateComplianceByConfigRules",
                "config:DescribeAggregateComplianceByConformancePacks",
                "config:DescribeConfigurationAggregatorSourcesStatus",
                "config:GetAggregateComplianceDetailsByConfigRule",
                "config:GetAggregateConfigRuleComplianceSummary",
                "config:GetAggregateConformancePackComplianceSummary",
                "config:GetAggregateDiscoveredResourceCounts",
                "config:GetAggregateResourceConfig",
                "config:ListAggregateDiscoveredResources",
                "config:PutConfigurationAggregator",
                "config:SelectAggregateResourceConfig"
            ],
            "Resource": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-mocpsqhs"
        }
    ]
}
```

------

**IAM policy for InAccessibleAggregator**

In this policy, you deny access to the aggregator actions supported by the AWS Config ARN that you specify. In this example, the AWS Config ARN is `arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx`.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ConfigDeny",
            "Effect": "Deny",
            "Action": [
                "config:BatchGetAggregateResourceConfig",
                "config:DeleteConfigurationAggregator",
                "config:DescribeAggregateComplianceByConfigRules",
                "config:DescribeAggregateComplianceByConformancePacks",
                "config:DescribeConfigurationAggregatorSourcesStatus",
                "config:GetAggregateComplianceDetailsByConfigRule",
                "config:GetAggregateConfigRuleComplianceSummary",
                "config:GetAggregateConformancePackComplianceSummary",
                "config:GetAggregateDiscoveredResourceCounts",
                "config:GetAggregateResourceConfig",
                "config:ListAggregateDiscoveredResources",
                "config:PutConfigurationAggregator",
                "config:SelectAggregateResourceConfig"
            ],
            "Resource": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"
        }
    ]
}
```

------

If a user in the developer group attempts any of these actions on the AWS Config ARN you specified, that user receives an access denied exception.

**Checking user access**

To display the aggregators you created, run the following AWS CLI command:

```
aws configservice describe-configuration-aggregators
```

When the command completes successfully, you see the details of all aggregators associated with your account. In this example, the aggregators are `AccessibleAggregator` and `InAccessibleAggregator`:

```
{
    "ConfigurationAggregators": [
        {
            "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "AccessibleAggregator",
            "AccountAggregationSources": [
                {
                    "AllAwsRegions": true,
                    "AccountIds": [
                        "AccountID1",
                        "AccountID2",
                        "AccountID3"
                    ]
                }
            ],
            "LastUpdatedTime": 1517942461.455
        },
        {
            "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "InAccessibleAggregator",
            "AccountAggregationSources": [
                {
                    "AllAwsRegions": true,
                    "AccountIds": [
                        "AccountID1",
                        "AccountID2",
                        "AccountID3"
                    ]
                }
            ],
            "LastUpdatedTime": 1517942461.455
        }
    ]
}
```

**Note**  
For `account-aggregation-sources`, enter a comma-separated list of the AWS account IDs for which you want to aggregate data. Enclose the account IDs in square brackets and make sure to escape the quotation marks (for example, `"[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]"`).

Attach the following IAM policy to deny access to `InAccessibleAggregator`, or to whichever aggregator you want to deny access to.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ConfigDeny",
            "Effect": "Deny",
            "Action": [
                "config:BatchGetAggregateResourceConfig",
                "config:DeleteConfigurationAggregator",
                "config:DescribeAggregateComplianceByConfigRules",
                "config:DescribeAggregateComplianceByConformancePacks",
                "config:DescribeConfigurationAggregatorSourcesStatus",
                "config:GetAggregateComplianceDetailsByConfigRule",
                "config:GetAggregateConfigRuleComplianceSummary",
                "config:GetAggregateConformancePackComplianceSummary",
                "config:GetAggregateDiscoveredResourceCounts",
                "config:GetAggregateResourceConfig",
                "config:ListAggregateDiscoveredResources",
                "config:PutConfigurationAggregator",
                "config:SelectAggregateResourceConfig"
            ],
            "Resource": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"
        }
    ]
}
```

------

Next, you can confirm that the IAM policy restricts access to the specific aggregator rule:

```
aws configservice get-aggregate-compliance-details-by-config-rule --configuration-aggregator-name InAccessibleAggregator --config-rule-name rule name --account-id AccountID --aws-region AwsRegion
```

This command should return an access denied exception:

```
An error occurred (AccessDeniedException) when calling the GetAggregateComplianceDetailsByConfigRule operation: User: arn:aws:iam::AccountID:user/ is not 
authorized to perform: config:GetAggregateComplianceDetailsByConfigRule on resource: arn:aws:config:AwsRegion-1:AccountID:config-aggregator/config-aggregator-pokxzldx
```
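As an added example that is not part of the AWS Config documentation, the following Python models how IAM decides a request against the two rule policies earlier in this section and the two aggregator policies above, so the allow/deny outcomes (explicit Deny overriding Allow, implicit Deny for unmentioned resources) can be checked offline before the policies are attached. The second rule ARN `config-rule-other` is a constructed value; the other ARNs are the page's own sample values.

```python
import fnmatch

# ARNs from the page's policies plus one constructed rule ARN (shows the implicit deny).
RULE_ARN = "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID"
OTHER_RULE_ARN = "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-other"  # constructed
ACCESSIBLE_AGG = "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-mocpsqhs"
INACCESSIBLE_AGG = "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"

# The two rule policies from the page: allow reads on one rule, deny writes on it.
READ_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "config:StartConfigRulesEvaluation",
            "config:DescribeComplianceByConfigRule",
            "config:DescribeConfigRuleEvaluationStatus",
            "config:GetComplianceDetailsByConfigRule",
        ],
        "Resource": RULE_ARN,
    }],
}
WRITE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": ["config:PutConfigRule", "config:DeleteConfigRule", "config:DeleteEvaluationResults"],
        "Resource": RULE_ARN,
    }],
}

# The 13 aggregator actions that support resource-level permissions.
AGGREGATOR_ACTIONS = [
    "config:BatchGetAggregateResourceConfig",
    "config:DeleteConfigurationAggregator",
    "config:DescribeAggregateComplianceByConfigRules",
    "config:DescribeAggregateComplianceByConformancePacks",
    "config:DescribeConfigurationAggregatorSourcesStatus",
    "config:GetAggregateComplianceDetailsByConfigRule",
    "config:GetAggregateConfigRuleComplianceSummary",
    "config:GetAggregateConformancePackComplianceSummary",
    "config:GetAggregateDiscoveredResourceCounts",
    "config:GetAggregateResourceConfig",
    "config:ListAggregateDiscoveredResources",
    "config:PutConfigurationAggregator",
    "config:SelectAggregateResourceConfig",
]


def aggregator_policy(effect, sid, aggregator_arn):
    """Build the ConfigAllow / ConfigDeny policy the page attaches to one aggregator ARN."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": effect,
                           "Action": AGGREGATOR_ACTIONS, "Resource": aggregator_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    # Action names compare case-insensitively; ARNs compare case-sensitively.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """IAM decision for one request: an explicit Deny anywhere wins, otherwise any
    matching Allow wins, otherwise the request is implicitly denied. Conditions,
    NotAction and NotResource are not modelled (the page's policies use none)."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(p, action, False) for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing else can override it
            decision = "Allow"
    return decision


if __name__ == "__main__":
    rule_policies = [READ_ALLOW_POLICY, WRITE_DENY_POLICY]
    agg_policies = [aggregator_policy("Allow", "ConfigAllow", ACCESSIBLE_AGG),
                    aggregator_policy("Deny", "ConfigDeny", INACCESSIBLE_AGG)]
    print(evaluate(rule_policies, "config:DescribeConfigRuleEvaluationStatus", RULE_ARN))  # Allow
    print(evaluate(rule_policies, "config:PutConfigRule", RULE_ARN))  # Deny
    print(evaluate(agg_policies, "config:GetAggregateResourceConfig", INACCESSIBLE_AGG))  # Deny
```

Because the ConfigDeny statement is explicit, it still wins when the same principal also holds a broad `config:*` Allow, which is the property the CLI check above relies on.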

# AWS managed policies for AWS Config
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they are available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AWSConfigServiceRolePolicy
<a name="security-iam-awsmanpol-AWSConfigServiceRolePolicy"></a>

AWS Config uses a service-linked role (SLR) named **AWSServiceRoleForConfig** to call other AWS services on your behalf. When you set up AWS Config using the AWS Management Console, AWS Config creates this SLR automatically if you choose to use the SLR instead of your own AWS Identity and Access Management (IAM) service role.

The **AWSServiceRoleForConfig** SLR contains the managed policy `AWSConfigServiceRolePolicy`. This managed policy contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other supported services. The policy gives AWS Config comprehensive access for monitoring and recording configuration changes across your AWS infrastructure, with permissions for more than 100 AWS services, including compute, storage, networking, security, analytics, and machine learning services.

The policy includes permissions for the following service categories:
+ `access-analyzer` — Allows principals to analyze access patterns and retrieve security findings.
+ `account` — Allows principals to retrieve account contact information.
+ `acm` and `acm-pca` — Allows principals to manage SSL/TLS certificates and private certificate authorities.
+ `airflow` — Allows principals to monitor managed Apache Airflow environments.
+ `amplify` and `amplifyuibuilder` — Allows principals to monitor web applications and user interface components.
+ `aoss` — Allows principals to monitor OpenSearch Serverless collections and security configurations.
+ `app-integrations` — Allows principals to monitor application integration configurations.
+ `appconfig` — Allows principals to monitor application configuration deployments.
+ `appflow` — Allows principals to monitor data flow configurations between applications.
+ `application-autoscaling` and `application-signals` — Allows principals to monitor auto scaling policies and application performance metrics.
+ `appmesh` — Allows principals to monitor service mesh configurations.
+ `apprunner` — Allows principals to monitor containerized web applications and services.
+ `appstream` — Allows principals to monitor application streaming configurations.
+ `appsync` — Allows principals to monitor GraphQL API configurations.
+ `aps` — Allows principals to monitor Prometheus monitoring configurations.
+ `apptest` — Allows principals to monitor application testing configurations.
+ `arc-zonal-shift` — Allows principals to monitor availability zonal shift configurations.
+ `athena` — Allows principals to monitor query engine configurations and data catalogs.
+ `auditmanager` — Allows principals to monitor audit and compliance assessments.
+ `autoscaling` and `autoscaling-plans` — Allows principals to monitor auto scaling groups and scaling plans.
+ `b2bi` — Allows principals to monitor business-to-business integration configurations.
+ `backup` and `backup-gateway` — Allows principals to monitor backup policies and gateway configurations.
+ `batch` — Allows principals to monitor batch compute environments and job queues.
+ `bcm-data-exports` — Allows principals to monitor billing and cost management data exports.
+ `bedrock` and `bedrock-agentcore` — Allows principals to monitor foundation model and AI agent configurations.
+ `billingconductor` — Allows principals to monitor billing group configurations.
+ `budgets` — Allows principals to monitor budget configurations and actions.
+ `cassandra` — Allows principals to query managed Cassandra database configurations.
+ `ce` — Allows principals to monitor cost and usage report configurations.
+ `cleanrooms` and `cleanrooms-ml` — Allows principals to monitor data collaboration and machine learning configurations.
+ `cloud9` — Allows principals to monitor cloud development environment configurations.
+ `cloudformation` — Allows principals to monitor infrastructure-as-code stack configurations.
+ `cloudfront` — Allows principals to monitor content delivery network configurations.
+ `cloudtrail` — Allows principals to monitor API logging and audit trail configurations.
+ `cloudwatch` — Allows principals to monitor metrics, alarms, and dashboard configurations.
+ `codeartifact` — Allows principals to monitor package repository configurations.
+ `codebuild` — Allows principals to monitor build project configurations.
+ `codecommit` — Allows principals to monitor source code repository configurations.
+ `codeconnections` — Allows principals to monitor third-party source connections.
+ `codedeploy` — Allows principals to monitor application deployment configurations.
+ `codeguru-profiler` and `codeguru-reviewer` — Allows principals to monitor code analysis and performance profiling configurations.
+ `codepipeline` — Allows principals to monitor continuous integration and deployment pipeline configurations.
+ `codestar-connections` — Allows principals to monitor connections to developer tools.
+ `cognito-identity` and `cognito-idp` — Allows principals to monitor identity and user pool configurations.
+ `comprehend` — Allows principals to monitor natural language processing configurations.
+ `config` — Allows principals to manage configuration recording and compliance monitoring.
+ `connect` — Allows principals to monitor contact center configurations.

For more information about supported resource types, see [Supported Resource Types for AWS Config](resource-config-reference.md) and [Using Service-Linked Roles for AWS Config](using-service-linked-roles.md).

To view more information about the policy, including the latest version of the JSON policy document, see [AWSConfigServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

**Recommendation: use the service-linked role**  
Unless you have a specific use case, we recommend that you use the service-linked role. It adds all the permissions AWS Config needs to work as expected. Some features, such as the service-linked configuration recorder, require you to use the service-linked role.

## AWS managed policy: AWS_ConfigRole
<a name="security-iam-awsmanpol-AWS_ConfigRole"></a>

To record the configuration of your AWS resources, AWS Config requires IAM permissions to get the configuration details of those resources. If you are creating an IAM role for AWS Config, you can use the managed policy `AWS_ConfigRole` and attach it to the IAM role.

This IAM policy is updated every time AWS Config adds support for an AWS resource type. This means that as long as the **AWS_ConfigRole** role has this managed policy attached, AWS Config continues to have the permissions it needs to record configuration data for the supported resource types. The policy provides comprehensive access for monitoring and recording configuration changes across your AWS infrastructure, with permissions for more than 100 AWS services, including compute, storage, networking, security, analytics, and machine learning services. For more information, see [Supported Resource Types for AWS Config](resource-config-reference.md) and [Permissions for the IAM Role Assigned to AWS Config](iamrole-permissions.md).

To view more details about the policy, including the latest version of the JSON policy document, see [AWS_ConfigRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS_ConfigRole.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSConfigUserAccess
<a name="security-iam-awsmanpol-AWSConfigUserAccess"></a>

This IAM policy provides permissions to use AWS Config, including searching by resource tags and reading all tags. It does not provide permissions to configure AWS Config, which requires administrative privileges.

View the policy: [AWSConfigUserAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigUserAccess.html).

## AWS managed policy: ConfigConformsServiceRolePolicy
<a name="security-iam-awsmanpol-ConfigConformsServiceRolePolicy"></a>

To deploy and manage conformance packs, AWS Config requires IAM permissions and specific permissions for other AWS services. These permissions let you deploy and manage conformance packs with full functionality, and they are updated every time AWS Config adds new conformance pack features. For more information about conformance packs, see [Conformance Packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html).

View the policy: [ConfigConformsServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ConfigConformsServiceRolePolicy.html).

## AWS managed policy: AWSConfigRulesExecutionRole
<a name="security-iam-awsmanpol-AWSConfigRulesExecutionRole"></a>

To deploy AWS Config Custom Lambda rules, AWS Config requires IAM permissions and specific permissions for other AWS services. These permissions let an AWS Lambda function access the AWS Config API and the configuration snapshots that AWS Config periodically delivers to Amazon S3. Functions that evaluate configuration changes for AWS Config Custom Lambda rules require this access, and the policy is updated every time AWS Config adds new features. For more information about AWS Config Custom Lambda rules, see [Creating AWS Config Custom Lambda Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html). For more information about configuration snapshots, see [Concepts | Configuration Snapshot](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-snapshot). For more information about delivering configuration snapshots, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html).

View the policy: [AWSConfigRulesExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRulesExecutionRole.html).

## AWS managed policy: AWSConfigMultiAccountSetupPolicy
<a name="security-iam-awsmanpol-AWSConfigMultiAccountSetupPolicy"></a>

To centrally deploy, update, and delete AWS Config rules and conformance packs across the member accounts of an organization in AWS Organizations, AWS Config requires IAM permissions and specific permissions for other AWS services. This managed policy is updated every time AWS Config adds new multi-account setup features. For more information, see [Managing AWS Config Rules Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html) and [Managing Conformance Packs Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html).

View the policy: [AWSConfigMultiAccountSetupPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigMultiAccountSetupPolicy.html).

## AWS managed policy: AWSConfigRoleForOrganizations
<a name="security-iam-awsmanpol-AWSConfigRoleForOrganizations"></a>

To allow AWS Config to make read-only calls to AWS Organizations APIs, AWS Config requires IAM permissions and specific permissions for other AWS services. This managed policy is updated every time AWS Config adds new multi-account setup features. For more information, see [Managing AWS Config Rules Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html) and [Managing Conformance Packs Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html).

View the policy: [AWSConfigRoleForOrganizations](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRoleForOrganizations.html).

## AWS managed policy: AWSConfigRemediationServiceRolePolicy
<a name="security-iam-awsmanpol-AWSConfigRemediationServiceRolePolicy"></a>

To allow AWS Config to remediate `NON_COMPLIANT` resources on your behalf, AWS Config requires IAM permissions and specific permissions for other AWS services. This managed policy is updated every time AWS Config adds new remediation features. For more information about remediation, see [Remediating Noncompliant AWS Resources by AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html). For more information about the conditions that trigger the possible AWS Config evaluation results, see [Concepts | AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#aws-config-rules).

View the policy: [AWSConfigRemediationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRemediationServiceRolePolicy.html).

## AWS Config updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for AWS Config since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Config [Document History](https://docs.aws.amazon.com/config/latest/developerguide/DocumentHistory.html) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) — Added new permissions across multiple AWS services.  |  This policy now supports additional permissions for recording configuration changes across multiple AWS services.  |  February 17, 2026  | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) — Added new permissions across multiple AWS services.  |  This policy now supports additional permissions for recording configuration changes across multiple AWS services.  |  February 17, 2026  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) — Updated the managed policy with comprehensive permissions for recording AWS resource configurations across more than 100 AWS services, including compute, storage, networking, security, analytics, and machine learning services.  |  The policy now provides enhanced documentation of service permissions and supports comprehensive monitoring of all AWS services for which AWS Config supports configuration recording.  |  January 27, 2026  | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) — Updated the managed policy with comprehensive permissions for recording AWS resource configurations across more than 100 AWS services, including compute, storage, networking, security, analytics, and machine learning services.  |  The policy now provides enhanced documentation of service permissions and supports comprehensive monitoring of all AWS services for which AWS Config supports configuration recording.  |  January 27, 2026  | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) — Added "s3tables:ListTagsForResource", "s3tables:GetTableBucketMetricsConfiguration", "s3tables:GetTableBucketStorageClass"  |  This policy now supports additional permissions for S3 Tables.  |  January 9, 2026  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) — Added "s3tables:ListTagsForResource", "s3tables:GetTableBucketMetricsConfiguration", "s3tables:GetTableBucketStorageClass"  |  This policy now supports additional permissions for S3 Tables.  |  January 9, 2026  | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) — Added "lightsail:GetActiveNames", "lightsail:GetOperations", "s3:GetBucketAbac"  |  This policy now supports additional permissions for Amazon Lightsail and Amazon Simple Storage Service (Amazon S3).  |  November 20, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) — Added "lightsail:GetActiveNames", "lightsail:GetOperations", "s3:GetBucketAbac"  |  This policy now supports additional permissions for Amazon Lightsail and Amazon Simple Storage Service (Amazon S3).  |  November 20, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) — Updated the managed policy with comprehensive permissions for recording AWS resource configurations across more than 100 AWS services, including compute, storage, networking, security, analytics, and machine learning services.  |  The policy now provides enhanced documentation of service permissions and supports comprehensive monitoring of all AWS services for which AWS Config supports configuration recording.  |  November 11, 2025  | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) — Updated the managed policy with comprehensive permissions for recording AWS resource configurations across many services, including AWS Identity and Access Management, Amazon Elastic Compute Cloud, Amazon Simple Storage Service, AWS Lambda, Amazon Relational Database Service, and more.  |  This policy now supports additional permissions for comprehensive recording and monitoring of AWS resource configurations across all supported AWS services.  |  November 10, 2025  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole)— 添加 “放大：” “放大：GetDomainAssociation” “放大：” “appsync：ListDomainAssociations” “appsync：ListTagsForResource” “bedrock：GetSourceApiAssociation” “bedrock：ListSourceApiAssociations” “bedrock：GetFlow” “bedrock：ListAgentCollaborators” “cloudFormation：ListFlows” “codeartifact：ListPrompts” “codeartifact：GetResourcePolicy” “codeartifact：DescribePackageGroup” “codepipeline：ListAllowedRepositoriesForGroup” “codepipeline：ListPackageGroups” “codepipeline：ListActionTypes” “connect：ListTagsForResource” “截止日期：ListWebhooks” “ec2：” “ec2：DescribeTrafficDistributionGroup” “ec2：DescribePublisherListTrafficDistributionGroupsListFarmsGetTransitGatewayRouteTablePropagationsSearchLocalGatewayRoutesSearchTransitGatewayMulticastGroups” “实体分辨率：” “实体分辨率：GetMatchingWorkflow” “iotsitewise：” “iotsitewise：ListMatchingWorkflows” “iotsitewise：” “iotsitewise：ListAssetModelCompositeModels” “iotsitewise：ListAssetModelProperties” “ivs：” “lambda：” “lambda：” “lambda：ListAssetProperties” “pipes：” “pipes：ListAssociatedAssets” “quicksight：” “quicksight：ListPublicKeys” “redshift-serverless：GetProvisionedConcurrencyConfig” “redshift：GetRuntimeManagementConfig” “redshift：ListFunctionEventInvokeConfigs” “redshift：” “redshift：ListFunctionUrlConfigs”:” “rolesanywhere：DescribePipe” “rolesanywhere：ListPipes” “sagemaker：DescribeRefreshSchedule” “sagemaker：” “sagemaker：ListRefreshSchedules” “sagemaker：” ListSnapshotCopyConfigurations GetResourcePolicy GetCrl ListCrls DescribeApp DescribeUserProfileListApps” “sagemaker：ListModelPackages” “sagemaker：” “securitymanager：ListUserProfiles” “securitylake：GetResourcePolicy” “servicecatalog：ListSubscribers” “servicecatalog：ListTagsForResource” “ssemcatalog：DescribeServiceAction” “ssm：” ssm：“ssm：ListApplications” “ssm：” “ssm：ListAssociatedResources” “ssm：” “ssm：ListProtectionGroups” “ssm：ListTagsForResource”:” “ssm：” “ssm：GetReplicationSet” “wafv2：” “bedrock-agentcore：ListReplicationSetsDescribeAssociation” 
“bedrock-agentcore：DescribePatchBaselines” “bedrock-agentcore：GetDefaultPatchBaseline” “bedrock GetPatchBaseline GetResourcePolicies ListAssociations ListResourceDataSync ListLoggingConfigurations ListCodeInterpreters GetCodeInterpreter-agentcore：” “bedrock-agentcore：ListBrowsers” “bedrock-agentcore：” “bedrock-agentcore：GetBrowser” “bedrock-agentcore：” “bedrock-agentcore：” “bedrock-agentcore：ListAgentRuntimes” GetAgentRuntime ListAgentRuntimeEndpoints GetAgentRuntimeEndpoint  |  该政策现在支持、、Amazon Bedrock AWS Amplify、、 AWS AppSync、、、、Amazon Connect AWS CloudTrail CloudFormation、、 AWS CodeArtifact、 AWS CodePipeline、Amazon EC2、、 AWS Deadline Cloud、、Amazon IVS AWS Entity Resolution 数据匹配服务、 AWS IoT SiteWise、亚马逊、Amazon Quick、 AWS Lambda Ama EventBridge zon Redshift、Serverless、、 AWS Identity and Access Management Roles Anywhere、、亚马逊 EC2 Systems Manager AWS Secrets Manager、、、 SageMaker Amazon AWS Shield EC2 Systems Manager 和。 AWS Service Catalog AWS WAFV2  |  2025 年 10 月 1 日  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy)— 添加 “放大：” “放大：GetDomainAssociation” “放大：” “appsync：ListDomainAssociations” “appsync：ListTagsForResource” “bedrock：GetSourceApiAssociation” “bedrock：ListSourceApiAssociations” “bedrock：GetFlow” “bedrock：ListAgentCollaborators” “cloudFormation：ListFlows” “codeartifact：ListPrompts” “codeartifact：GetResourcePolicy” “codeartifact：DescribePackageGroup” “codepipeline：ListAllowedRepositoriesForGroup” “codepipeline：ListPackageGroups” “codepipeline：ListActionTypes” “connect：ListTagsForResource” “截止日期：ListWebhooks” “ec2：” “ec2：DescribeTrafficDistributionGroup” “ec2：DescribePublisherListTrafficDistributionGroupsListFarmsGetTransitGatewayRouteTablePropagationsSearchLocalGatewayRoutesSearchTransitGatewayMulticastGroups” “实体分辨率：” “实体分辨率：GetMatchingWorkflow” “iotsitewise：” “iotsitewise：ListMatchingWorkflows” “iotsitewise：” “iotsitewise：ListAssetModelCompositeModels” “iotsitewise：ListAssetModelProperties” “ivs：” “lambda：” “lambda：” “lambda：ListAssetProperties” “pipes：” “pipes：ListAssociatedAssets” “quicksight：” “quicksight：ListPublicKeys” “redshift-serverless：GetProvisionedConcurrencyConfig” “redshift：GetRuntimeManagementConfig” “redshift：ListFunctionEventInvokeConfigs” “redshift：” “redshift：ListFunctionUrlConfigs”:” “rolesanywhere：DescribePipe” “rolesanywhere：ListPipes” “sagemaker：DescribeRefreshSchedule” “sagemaker：” “sagemaker：ListRefreshSchedules” “sagemaker：” “ListSnapshotCopyConfigurationsGetResourcePolicyGetCrlListCrlsDescribeAppDescribeUserProfileListApps” “sagemaker：ListModelPackages” “sagemaker：” “securitymanager：ListUserProfiles” “securitylake：GetResourcePolicy” “servicecatalog：ListSubscribers” “servicecatalog：ListTagsForResource” “ssemcatalog：DescribeServiceAction” “ssm：” ssm：“ssm：ListApplications” “ssm：” “ssm：ListAssociatedResources” “ssm：” “ssm：ListProtectionGroups” “ssm：ListTagsForResource”:” “ssm：” “ssm：GetReplicationSet” “wafv2：” 
“bedrock-agentcore：ListReplicationSetsDescribeAssociation” “bedrock-agentcore：DescribePatchBaselines” “bedrock-agentcore：GetDefaultPatchBaseline” “bedrock GetPatchBaseline GetResourcePolicies ListAssociations ListResourceDataSync ListLoggingConfigurations ListCodeInterpreters GetCodeInterpreter-agentcore：” “bedrock-agentcore：ListBrowsers” “bedrock-agentcore：” “bedrock-agentcore：GetBrowser” “bedrock-agentcore：” “bedrock-agentcore：” “bedrock-agentcore：ListAgentRuntimes” GetAgentRuntime ListAgentRuntimeEndpoints GetAgentRuntimeEndpoint  |  该政策现在支持、、Amazon Bedrock AWS Amplify、、 AWS AppSync、、、、Amazon Connect AWS CloudTrail CloudFormation、、 AWS CodeArtifact、 AWS CodePipeline、Amazon EC2、、 AWS Deadline Cloud、、Amazon IVS AWS Entity Resolution 数据匹配服务、 AWS IoT SiteWise、亚马逊、Amazon Quick、 AWS Lambda Ama EventBridge zon Redshift、Serverless、、 AWS Identity and Access Management Roles Anywhere、、亚马逊 EC2 Systems Manager AWS Secrets Manager、、、 SageMaker Amazon AWS Shield EC2 Systems Manager 和。 AWS Service Catalog AWS WAFV2  |  2025 年 10 月 1 日  | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", "bedrock:GetModelInvocationLoggingConfiguration", "cloudtrail:GetEventConfiguration", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "deadline:GetFleet", "deadline:GetQueueFleetAssociation", "deadline:ListFleets", "deadline:ListQueueFleetAssociations", "deadline:ListTagsForResource", "dms:DescribeDataMigrations", "dms:ListMigrationProjects", "glue:GetDataCatalogEncryptionSettings", "kafkaconnect:DescribeCustomPlugin", "kafkaconnect:DescribeWorkerConfiguration", "kafkaconnect:ListCustomPlugins", "kafkaconnect:ListTagsForResource", "kafkaconnect:ListWorkerConfigurations", "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "medialive:DescribeMultiplexProgram", "medialive:ListMultiplexPrograms", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannelGroups", "rds:DescribeEngineDefaultParameters", "rolesanywhere:GetProfile", "rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles", "rolesanywhere:ListTagsForResource", "rolesanywhere:ListTrustAnchors", "s3:GetAccessGrant", "s3:ListAccessGrants", "secretsmanager:DescribeSecret", "securitylake:ListDataLakeExceptions", "securitylake:ListDataLakes", "securitylake:ListLogSources", "servicecatalog:GetAttributeGroup", "servicecatalog:ListAttributeGroups", "servicecatalog:ListServiceActions", "servicecatalog:ListServiceActionsForProvisioningArtifact", "ses:GetTrafficPolicy", "ses:ListTagsForResource", "ses:ListTrafficPolicies", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:ListResourcePolicies", and "xray:ListTagsForResource"  |  This policy now supports additional permissions for Amazon Bedrock, AWS ARC - Zonal Shift, AWS CloudTrail, AWS CodeArtifact, AWS Deadline Cloud, AWS Database Migration Service, AWS Glue, AWS Identity and Access Management, Amazon Managed Streaming, AWS Lake Formation, Amazon CloudWatch Logs, AWS Elemental MediaLive, AWS Elemental MediaPackage, Amazon Relational Database Service, Amazon Simple Storage Service, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, Amazon Simple Email Service, and AWS X-Ray.  |  July 28, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", "bedrock:GetModelInvocationLoggingConfiguration", "cloudtrail:GetEventConfiguration", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "deadline:GetFleet", "deadline:GetQueueFleetAssociation", "deadline:ListFleets", "deadline:ListQueueFleetAssociations", "deadline:ListTagsForResource", "dms:DescribeDataMigrations", "dms:ListMigrationProjects", "glue:GetDataCatalogEncryptionSettings", "iam:ListPolicies", "kafkaconnect:DescribeCustomPlugin", "kafkaconnect:DescribeWorkerConfiguration", "kafkaconnect:ListCustomPlugins", "kafkaconnect:ListTagsForResource", "kafkaconnect:ListWorkerConfigurations", "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "logs:DescribeIndexPolicies", "logs:ListTagsForResource", "medialive:DescribeMultiplexProgram", "medialive:ListMultiplexPrograms", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannelGroups", "rds:DescribeEngineDefaultParameters", "rolesanywhere:GetProfile", "rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles", "rolesanywhere:ListTagsForResource", "rolesanywhere:ListTrustAnchors", "s3:GetAccessGrant", "s3:ListAccessGrants", "secretsmanager:DescribeSecret", "securitylake:ListDataLakeExceptions", "securitylake:ListDataLakes", "securitylake:ListLogSources", "servicecatalog:GetAttributeGroup", "servicecatalog:ListAttributeGroups", "servicecatalog:ListServiceActions", "servicecatalog:ListServiceActionsForProvisioningArtifact", "ses:GetTrafficPolicy", "ses:ListTagsForResource", "ses:ListTrafficPolicies", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:ListResourcePolicies", "xray:ListTagsForResource", and the resource patterns "arn:aws:apigateway::/account", "arn:aws:apigateway::/usageplans/", "arn:aws:apigateway::/usageplans", and "arn:aws:apigateway::/usageplans/"  |  This policy now supports additional permissions for Amazon Bedrock, AWS ARC - Zonal Shift, AWS CloudTrail, AWS CodeArtifact, AWS Deadline Cloud, AWS Database Migration Service, AWS Glue, AWS Identity and Access Management, Amazon Managed Streaming, AWS Lake Formation, Amazon CloudWatch Logs, AWS Elemental MediaLive, AWS Elemental MediaPackage, Amazon Relational Database Service, Amazon Simple Storage Service, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, Amazon Simple Email Service, AWS X-Ray, and Amazon API Gateway.  |  July 28, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "backup-gateway:GetHypervisor", "backup-gateway:ListHypervisors", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetFlowAlias", "bedrock:GetFlowVersion", "bedrock:ListAgentActionGroups", "bedrock:ListAgentKnowledgeBases", "bedrock:ListDataSources", "bedrock:ListFlowAliases", "bedrock:ListFlowVersions", "cloudformation:BatchDescribeTypeConfigurations", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSet", "cloudformation:ListStackInstances", "cloudformation:ListStackSets", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:ListPublicKeys", "cloudfront:ListRealtimeLogConfigs", "entityresolution:GetIdMappingWorkflow", "entityresolution:GetSchemaMapping", "entityresolution:ListIdMappingWorkflows", "entityresolution:ListSchemaMappings", "iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteDefinitions", "iotdeviceadvisor:ListTagsForResource", "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings", "mediapackagev2:GetChannel", "mediapackagev2:ListChannels", "networkmanager:GetTransitGatewayPeering", "networkmanager:ListPeerings", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:ListDirectoryRegistrations", "pca-connector-ad:ListTagsForResource", "rds:DescribeDBShardGroups", "rds:DescribeIntegrations", "redshift:DescribeIntegrations", "s3tables:GetTableBucket", "s3tables:GetTableBucketEncryption", "s3tables:GetTableBucketMaintenanceConfiguration", "s3tables:ListTableBuckets", "ssm-quicksetup:GetConfigurationManager", and "ssm-quicksetup:ListConfigurationManagers"  |  This policy now supports additional permissions for Amazon Bedrock, AWS Backup gateway, AWS Billing and Cost Management, AWS CloudFormation, Amazon CloudFront, AWS Entity Resolution, AWS IoT Core Device Advisor, AWS Lambda, AWS Network Manager, AWS Private Certificate Authority, Amazon Redshift, Amazon S3 Tables, and AWS Systems Manager Quick Setup.  | June 18, 2025 | 
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "backup-gateway:GetHypervisor", "backup-gateway:ListHypervisors", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetFlowAlias", "bedrock:GetFlowVersion", "bedrock:ListAgentActionGroups", "bedrock:ListAgentKnowledgeBases", "bedrock:ListDataSources", "bedrock:ListFlowAliases", "bedrock:ListFlowVersions", "cloudformation:BatchDescribeTypeConfigurations", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSet", "cloudformation:ListStackInstances", "cloudformation:ListStackSets", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:ListPublicKeys", "cloudfront:ListRealtimeLogConfigs", "entityresolution:GetIdMappingWorkflow", "entityresolution:GetSchemaMapping", "entityresolution:ListIdMappingWorkflows", "entityresolution:ListSchemaMappings", "iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteDefinitions", "iotdeviceadvisor:ListTagsForResource", "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings", "mediapackagev2:GetChannel", "mediapackagev2:ListChannels", "networkmanager:GetTransitGatewayPeering", "networkmanager:ListPeerings", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:ListDirectoryRegistrations", "pca-connector-ad:ListTagsForResource", "rds:DescribeDBShardGroups", "rds:DescribeIntegrations", "redshift:DescribeIntegrations", "s3tables:GetTableBucket", "s3tables:GetTableBucketEncryption", "s3tables:GetTableBucketMaintenanceConfiguration", "s3tables:ListTableBuckets", "ssm-quicksetup:GetConfigurationManager", and "ssm-quicksetup:ListConfigurationManagers"  |  This policy now supports additional permissions for Amazon Bedrock, AWS Backup gateway, AWS Billing and Cost Management, AWS CloudFormation, Amazon CloudFront, AWS Entity Resolution, AWS IoT Core Device Advisor, AWS Lambda, AWS Network Manager, AWS Private Certificate Authority, Amazon Redshift, Amazon S3 Tables, and AWS Systems Manager Quick Setup.  | June 18, 2025 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "bedrock:GetGuardrail", "bedrock:GetInferenceProfile", "bedrock:GetKnowledgeBase", "bedrock:ListGuardrails", "bedrock:ListInferenceProfiles", "bedrock:ListKnowledgeBases", "bedrock:ListTagsForResource"   |  This policy now supports additional permissions for Amazon Bedrock.  | May 27, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "bedrock:GetGuardrail", "bedrock:GetInferenceProfile", "bedrock:GetKnowledgeBase", "bedrock:ListGuardrails", "bedrock:ListInferenceProfiles", "bedrock:ListKnowledgeBases", "bedrock:ListTagsForResource"   |  This policy now supports additional permissions for Amazon Bedrock.  | May 27, 2025 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "b2bi:GetPartnership", "b2bi:GetProfile", "b2bi:ListPartnerships", "b2bi:ListProfiles", "bedrock:ListAgents", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetMembership", "cleanrooms:GetPrivacyBudgetTemplate", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMemberships", "cleanrooms:ListPrivacyBudgetTemplates", "codeconnections:GetConnection", "codeconnections:ListConnections", "codeconnections:ListTagsForResource", "directconnect:DescribeConnections", "dms:DescribeReplicationConfigs", "logs:DescribeAccountPolicies", "logs:DescribeResourcePolicies", "macie2:ListAutomatedDiscoveryAccounts", "managedblockchain:GetAccessor", "managedblockchain:ListAccessors", "qbusiness:GetApplication", "qbusiness:ListApplications", "qbusiness:ListTagsForResource", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:ListProfileAssociations", "route53profiles:ListProfiles", "route53profiles:ListTagsForResource", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:ListAccessGrantsInstances", "s3:ListAccessGrantsLocations", "sagemaker:DescribeCluster", "sagemaker:DescribeMlflowTrackingServer", "sagemaker:DescribeStudioLifecycleConfig", "sagemaker:ListClusters", "sagemaker:ListMlflowTrackingServers", "sagemaker:ListStudioLifecycleConfigs", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:ListContactChannels", "ssm-contacts:ListContacts", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListResponsePlans", "ssm-incidents:ListTagsForResource", "ssm:DescribeInstanceInformation"   |  This policy now supports additional permissions for AWS B2B Data Interchange, Amazon Bedrock, AWS Clean Rooms, AWS CodeConnections, AWS Database Migration Service (AWS DMS), AWS Direct Connect, Amazon CloudWatch Logs, Amazon Macie, Amazon Managed Blockchain, Amazon Q Business, Route 53 Profiles, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, AWS Security Hub CSPM, AWS Systems Manager Incident Manager, AWS Systems Manager Incident Manager Contacts, and AWS Systems Manager.  | April 8, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "b2bi:GetPartnership", "b2bi:GetProfile", "b2bi:ListPartnerships", "b2bi:ListProfiles", "bedrock:ListAgents", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetMembership", "cleanrooms:GetPrivacyBudgetTemplate", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMemberships", "cleanrooms:ListPrivacyBudgetTemplates", "codeconnections:GetConnection", "codeconnections:ListConnections", "codeconnections:ListTagsForResource", "directconnect:DescribeConnections", "dms:DescribeReplicationConfigs", "logs:DescribeAccountPolicies", "logs:DescribeResourcePolicies", "macie2:ListAutomatedDiscoveryAccounts", "managedblockchain:GetAccessor", "managedblockchain:ListAccessors", "qbusiness:GetApplication", "qbusiness:ListApplications", "qbusiness:ListTagsForResource", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:ListProfileAssociations", "route53profiles:ListProfiles", "route53profiles:ListTagsForResource", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:ListAccessGrantsInstances", "s3:ListAccessGrantsLocations", "sagemaker:DescribeCluster", "sagemaker:DescribeMlflowTrackingServer", "sagemaker:DescribeStudioLifecycleConfig", "sagemaker:ListClusters", "sagemaker:ListMlflowTrackingServers", "sagemaker:ListStudioLifecycleConfigs", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:ListContactChannels", "ssm-contacts:ListContacts", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListResponsePlans", "ssm-incidents:ListTagsForResource", "ssm:DescribeInstanceInformation"   |  This policy now supports additional permissions for AWS B2B Data Interchange, Amazon Bedrock, AWS Clean Rooms, AWS CodeConnections, AWS Database Migration Service (AWS DMS), AWS Direct Connect, Amazon CloudWatch Logs, Amazon Macie, Amazon Managed Blockchain, Amazon Q Business, Route 53 Profiles, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, AWS Security Hub CSPM, AWS Systems Manager Incident Manager, AWS Systems Manager Incident Manager Contacts, and AWS Systems Manager. This policy now also supports permissions to access all Amazon API Gateway domain names by including the resource pattern "`arn:aws:apigateway:::/domainnames/`".  | April 8, 2025 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "ec2:GetAllowedImagesSettings"   |  This policy now supports additional permissions for Amazon Elastic Compute Cloud (Amazon EC2).  | March 4, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "ec2:GetAllowedImagesSettings"   |  This policy now supports additional permissions for Amazon Elastic Compute Cloud (Amazon EC2).  | March 4, 2025 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:ListTrainingDatasets", "comprehend:DescribeFlywheel", "comprehend:ListFlywheels", "comprehend:ListTagsForResource", "ec2:GetSnapshotBlockPublicAccessState", "omics:GetAnnotationStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:ListAnnotationStores", "omics:ListRunGroups", "omics:ListSequenceStores", "omics:ListTagsForResource", "omics:ListVariantStores", "s3express:GetEncryptionConfiguration", "s3express:GetLifecycleConfiguration", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", and "ses:ListDedicatedIpPools"   |  This policy now supports additional permissions for AWS Clean Rooms, Amazon Comprehend, Amazon Elastic Compute Cloud (Amazon EC2), AWS HealthOmics, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Email Service (Amazon SES).  | January 16, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:ListTrainingDatasets", "comprehend:DescribeFlywheel", "comprehend:ListFlywheels", "comprehend:ListTagsForResource", "ec2:GetSnapshotBlockPublicAccessState", "omics:GetAnnotationStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:ListAnnotationStores", "omics:ListRunGroups", "omics:ListSequenceStores", "omics:ListTagsForResource", "omics:ListVariantStores", "s3express:GetEncryptionConfiguration", "s3express:GetLifecycleConfiguration", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", and "ses:ListDedicatedIpPools"   |  This policy now supports additional permissions for AWS Clean Rooms, Amazon Comprehend, Amazon Elastic Compute Cloud (Amazon EC2), AWS HealthOmics, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Email Service (Amazon SES).  | January 16, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "organizations:ListAWSServiceAccessForOrganization"   |  This policy now supports additional permissions for AWS Organizations.  | December 18, 2024 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "app-integrations:GetApplication", "app-integrations:ListApplications", "app-integrations:ListTagsForResource", "appconfig:GetExtension", "appconfig:ListExtensions", "cloudtrail:GetInsightSelectors", "connect:DescribeQueue", "connect:DescribeRoutingProfile", "connect:DescribeSecurityProfile", "connect:ListQueueQuickConnects", "connect:ListQueues", "connect:ListRoutingProfileQueues", "connect:ListRoutingProfiles", "connect:ListSecurityProfileApplications", "connect:ListSecurityProfilePermissions", "connect:ListSecurityProfiles", "datazone:GetDomain", "datazone:ListDomains", "devops-guru:ListNotificationChannels", "glue:GetRegistry", "glue:ListRegistries", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership", "identitystore:ListGroupMemberships", "identitystore:ListGroups", "iot:DescribeThingGroup", "iot:DescribeThingType", "iot:ListThingGroups", "iot:ListThingTypes", "iotfleetwise:GetDecoderManifest", "iotfleetwise:GetFleet", "iotfleetwise:GetModelManifest", "iotfleetwise:GetSignalCatalog", "iotfleetwise:GetVehicle", "iotfleetwise:ListDecoderManifestNetworkInterfaces", "iotfleetwise:ListDecoderManifests", "iotfleetwise:ListDecoderManifestSignals", "iotfleetwise:ListFleets", "iotfleetwise:ListModelManifestNodes", "iotfleetwise:ListModelManifests", "iotfleetwise:ListSignalCatalogNodes", "iotfleetwise:ListSignalCatalogs", "iotfleetwise:ListTagsForResource", "iotfleetwise:ListVehicles", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetWirelessGateway", "iotwireless:ListDestinations", "iotwireless:ListDeviceProfiles", "iotwireless:ListWirelessGateways", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom", "ivschat:ListLoggingConfigurations", "ivschat:ListRooms", "ivschat:ListTagsForResource", "logs:GetLogAnomalyDetector", "logs:ListLogAnomalyDetectors", "oam:GetSink", "oam:GetSinkPolicy", "oam:ListSinks", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:ListAliases", "payment-cryptography:ListKeys", "payment-cryptography:ListTagsForResource", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rekognition:DescribeProjects", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:ListTagsForResource", "scheduler:GetScheduleGroup", "scheduler:ListScheduleGroups", "scheduler:ListTagsForResource", "ssm:GetServiceSetting", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListAccessLogSubscriptions", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListServices", "vpc-lattice:ListTagsForResource", "vpc-lattice:ListTargetGroups", and "vpc-lattice:ListTargets"    |  This policy now supports additional permissions for Amazon Connect, AWS AppConfig, AWS CloudTrail, Amazon DataZone, Amazon DevOps Guru, AWS Glue, Identity Store, AWS IoT, AWS IoT FleetWise, AWS IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, AWS Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, AWS Systems Manager, and Amazon VPC Lattice.  | November 7, 2024 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "app-integrations:GetApplication", "app-integrations:ListApplications", "app-integrations:ListTagsForResource", "appconfig:GetExtension", "appconfig:ListExtensions", "cloudtrail:GetInsightSelectors", "connect:DescribeQueue", "connect:DescribeRoutingProfile", "connect:DescribeSecurityProfile", "connect:ListQueueQuickConnects", "connect:ListQueues", "connect:ListRoutingProfileQueues", "connect:ListRoutingProfiles", "connect:ListSecurityProfileApplications", "connect:ListSecurityProfilePermissions", "connect:ListSecurityProfiles", "datazone:GetDomain", "datazone:ListDomains", "devops-guru:ListNotificationChannels", "glue:GetRegistry", "glue:ListRegistries", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership", "identitystore:ListGroupMemberships", "identitystore:ListGroups", "iot:DescribeThingGroup", "iot:DescribeThingType", "iot:ListThingGroups", "iot:ListThingTypes", "iotfleetwise:GetDecoderManifest", "iotfleetwise:GetFleet", "iotfleetwise:GetModelManifest", "iotfleetwise:GetSignalCatalog", "iotfleetwise:GetVehicle", "iotfleetwise:ListDecoderManifestNetworkInterfaces", "iotfleetwise:ListDecoderManifests", "iotfleetwise:ListDecoderManifestSignals", "iotfleetwise:ListFleets", "iotfleetwise:ListModelManifestNodes", "iotfleetwise:ListModelManifests", "iotfleetwise:ListSignalCatalogNodes", "iotfleetwise:ListSignalCatalogs", "iotfleetwise:ListTagsForResource", "iotfleetwise:ListVehicles", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetWirelessGateway", "iotwireless:ListDestinations", "iotwireless:ListDeviceProfiles", "iotwireless:ListWirelessGateways", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom", "ivschat:ListLoggingConfigurations", "ivschat:ListRooms", "ivschat:ListTagsForResource", "logs:GetLogAnomalyDetector", "logs:ListLogAnomalyDetectors", "oam:GetSink", "oam:GetSinkPolicy", "oam:ListSinks", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:ListAliases", "payment-cryptography:ListKeys", "payment-cryptography:ListTagsForResource", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rekognition:DescribeProjects", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:ListTagsForResource", "scheduler:GetScheduleGroup", "scheduler:ListScheduleGroups", "scheduler:ListTagsForResource", "ssm:GetServiceSetting", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListAccessLogSubscriptions", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListServices", "vpc-lattice:ListTagsForResource", "vpc-lattice:ListTargetGroups", and "vpc-lattice:ListTargets"    |  This policy now supports additional permissions for Amazon Connect, AWS AppConfig, AWS CloudTrail, Amazon DataZone, Amazon DevOps Guru, AWS Glue, Identity Store, AWS IoT, AWS IoT FleetWise, AWS IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, AWS Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, AWS Systems Manager, and Amazon VPC Lattice.  | November 7, 2024 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "aoss:BatchGetVpcEndpoint", "aoss:GetAccessPolicy", "aoss:GetSecurityConfig", "aoss:GetSecurityPolicy", "aoss:ListAccessPolicies", "aoss:ListCollections", "aoss:ListLifecyclePolicies", "aoss:ListSecurityConfigs", "aoss:ListSecurityPolicies", "aoss:ListVpcEndpoints", "appstream:DescribeAppBlockBuilders", "backup:GetRestoreTestingPlan", "backup:GetRestoreTestingSelection", "backup:ListRestoreTestingPlans", "backup:ListRestoreTestingSelections", "cloudTrail:GetChannel", "cloudTrail:ListChannels", "glue:GetTrigger", "glue:ListTriggers", "imagebuilder:GetLifecyclePolicy", "imagebuilder:ListLifecyclePolicies", "iot:DescribeBillingGroup", "iot:ListBillingGroups", "ivs:GetEncoderConfiguration", "ivs:GetPlaybackRestrictionPolicy", "ivs:GetStage", "ivs:GetStorageConfiguration", "ivs:ListEncoderConfigurations", "ivs:ListPlaybackRestrictionPolicies", "ivs:ListStages", "ivs:ListStorageConfigurations", "mediaconnect:DescribeBridge", "mediaconnect:DescribeGateway", "mediaconnect:ListBridges", "mediaconnect:ListGateways", "mediatailor:DescribeChannel", "mediatailor:DescribeLiveSource", "mediatailor:DescribeSourceLocation", "mediatailor:DescribeVodSource", "mediatailor:ListChannels", "mediatailor:ListLiveSources", "mediatailor:ListSourceLocations", "mediatailor:ListVodSources", "omics:GetWorkflow", "omics:ListWorkflows", "scheduler:GetSchedule", and "scheduler:ListSchedules"    |  This policy now supports additional permissions for Amazon OpenSearch Serverless, Amazon AppStream, AWS Backup, AWS CloudTrail, AWS Glue, EC2 Image Builder, AWS IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, AWS HealthOmics, and Amazon EventBridge Scheduler.  | September 16, 2024 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "aoss:BatchGetVpcEndpoint", "aoss:GetAccessPolicy", "aoss:GetSecurityConfig", "aoss:GetSecurityPolicy", "aoss:ListAccessPolicies", "aoss:ListCollections", "aoss:ListLifecyclePolicies", "aoss:ListSecurityConfigs", "aoss:ListSecurityPolicies", "aoss:ListVpcEndpoints", "appstream:DescribeAppBlockBuilders", "backup:GetRestoreTestingPlan", "backup:GetRestoreTestingSelection", "backup:ListRestoreTestingPlans", "backup:ListRestoreTestingSelections", "cloudTrail:GetChannel", "cloudTrail:ListChannels", "glue:GetTrigger", "glue:ListTriggers", "imagebuilder:GetLifecyclePolicy", "imagebuilder:ListLifecyclePolicies", "iot:DescribeBillingGroup", "iot:ListBillingGroups", "ivs:GetEncoderConfiguration", "ivs:GetPlaybackRestrictionPolicy", "ivs:GetStage", "ivs:GetStorageConfiguration", "ivs:ListEncoderConfigurations", "ivs:ListPlaybackRestrictionPolicies", "ivs:ListStages", "ivs:ListStorageConfigurations", "mediaconnect:DescribeBridge", "mediaconnect:DescribeGateway", "mediaconnect:ListBridges", "mediaconnect:ListGateways", "mediatailor:DescribeChannel", "mediatailor:DescribeLiveSource", "mediatailor:DescribeSourceLocation", "mediatailor:DescribeVodSource", "mediatailor:ListChannels", "mediatailor:ListLiveSources", "mediatailor:ListSourceLocations", "mediatailor:ListVodSources", "omics:GetWorkflow", "omics:ListWorkflows", "scheduler:GetSchedule", and "scheduler:ListSchedules"    |  This policy now supports additional permissions for Amazon OpenSearch Serverless, Amazon AppStream, AWS Backup, AWS CloudTrail, AWS Glue, EC2 Image Builder, AWS IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, AWS HealthOmics, and Amazon EventBridge Scheduler.  | September 16, 2024 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "elasticfilesystem:DescribeTags", "redshift:DescribeTags", and "ssm-sap:ListTagsForResource"    |  This policy now supports additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift, and AWS Systems Manager for SAP.  | June 17, 2024 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "elasticfilesystem:DescribeTags", "redshift:DescribeTags", and "ssm-sap:ListTagsForResource"    |  This policy now supports additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift, and AWS Systems Manager for SAP.  | June 17, 2024 | 
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "aps:DescribeAlertManagerDefinition", "cloudwatch:DescribeAlarmsForMetric", "cognito-identity:DescribeIdentityPool", "cognito-identity:GetPrincipalTagAttributeMap", "elasticache:DescribeCacheSecurityGroups", "elasticache:DescribeUserGroups", "elasticache:DescribeUsers", "elasticache:DescribeGlobalReplicationGroups", "fsx:DescribeDataRepositoryAssociations", "glue:GetDatabase", "glue:GetDatabases", "iam:ListUsers", "lambda:GetLayerVersion", "lambda:ListLayers", "lambda:ListLayerVersions", "ram:GetPermission", "ram:ListPermissionAssociations", "ram:ListPermissions", "ram:ListPermissionVersions", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListTagsForResource", "redshift-serverless:ListWorkgroups", "sagemaker:DescribeInferenceExperiment", "sagemaker:ListInferenceExperiments", and "sns:GetSMSSandboxAccountStatus"   |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, AWS Glue, AWS Identity and Access Management (IAM), AWS Lambda, AWS RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS).  | February 22, 2024 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "aps:DescribeAlertManagerDefinition", "cloudwatch:DescribeAlarmsForMetric", "cognito-identity:DescribeIdentityPool", "cognito-identity:GetPrincipalTagAttributeMap", "elasticache:DescribeCacheSecurityGroups", "elasticache:DescribeUserGroups", "elasticache:DescribeUsers", "elasticache:DescribeGlobalReplicationGroups", "fsx:DescribeDataRepositoryAssociations", "glue:GetDatabase", "glue:GetDatabases", "iam:ListUsers", "lambda:GetLayerVersion", "lambda:ListLayers", "lambda:ListLayerVersions", "ram:GetPermission", "ram:ListPermissionAssociations", "ram:ListPermissions", "ram:ListPermissionVersions", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:ListNamespaces", "redshift-serverless:ListTagsForResource", "redshift-serverless:ListWorkgroups", "sagemaker:DescribeInferenceExperiment", "sagemaker:ListInferenceExperiments", and "sns:GetSMSSandboxAccountStatus"   |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, AWS Glue, AWS Identity and Access Management (IAM), AWS Lambda, AWS RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS).  | February 22, 2024 | 
|  [AWSConfigUserAccess](#security-iam-awsmanpol-AWSConfigUserAccess) – AWS Config started tracking changes to this AWS managed policy  |  This policy grants permissions to use AWS Config, including searching by resource tags and reading all tags. It does not grant permissions to configure AWS Config, which require administrative privileges.  | February 22, 2024 | 
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "appconfig:GetExtensionAssociation", "appconfig:ListExtensionAssociations", "aps:DescribeLoggingConfiguration", "dms:DescribeReplicationTaskAssessmentRuns", "iam:GetOpenIDConnectProvider", "iam:ListOpenIDConnectProviders", "kafka:DescribeVpcConnection", "kafka:GetClusterPolicy", "kafka:ListVpcConnections", "logs:DescribeMetricFilters", "organizations:ListDelegatedAdministrators", "s3:GetBucketPolicyStatus", "s3express:GetBucketPolicy", and "s3express:ListAllMyDirectoryBuckets"   |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS AppConfig, AWS Database Migration Service (AWS DMS), AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, AWS Organizations, and Amazon Simple Storage Service (Amazon S3).  | December 5, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "appconfig:GetExtensionAssociation", "appconfig:ListExtensionAssociations", "aps:DescribeLoggingConfiguration", "dms:DescribeReplicationTaskAssessmentRuns", "iam:GetOpenIDConnectProvider", "iam:ListOpenIDConnectProviders", "kafka:DescribeVpcConnection", "kafka:GetClusterPolicy", "kafka:ListVpcConnections", "logs:DescribeMetricFilters", "organizations:ListDelegatedAdministrators", "s3:GetBucketPolicyStatus", "s3express:GetBucketPolicy", and "s3express:ListAllMyDirectoryBuckets"   |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS AppConfig, AWS Database Migration Service (AWS DMS), AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, AWS Organizations, and Amazon Simple Storage Service (Amazon S3).  | December 5, 2023 | 
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "backup:DescribeProtectedResource", "cognito-identity:GetIdentityPoolRoles", "cognito-identity:ListIdentityPools", "cognito-identity:ListTagsForResource", "cognito-idp:DescribeIdentityProvider", "cognito-idp:DescribeResourceServer", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolClient", "cognito-idp:DescribeUserPoolDomain", "cognito-idp:GetGroup", "cognito-idp:GetUserPoolMfaConfig", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListResourceServers", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListTagsForResource", "connect:DescribeEvaluationForm", "connect:DescribeInstanceStorageConfig", "connect:DescribePrompt", "connect:DescribeRule", "connect:DescribeUser", "connect:GetTaskTemplate", "connect:ListApprovedOrigins", "connect:ListEvaluationForms", "connect:ListInstanceStorageConfigs", "connect:ListIntegrationAssociations", "connect:ListPrompts", "connect:ListRules", "connect:ListSecurityKeys", "connect:ListTagsForResource", "connect:ListTaskTemplates", "connect:ListUsers", "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-serverless:GetApplication", "emr-serverless:ListApplications", "groundstation:GetDataflowEndpointGroup", "groundstation:ListDataflowEndpointGroups", "m2:GetEnvironment", "m2:ListEnvironments", "m2:ListTagsForResource", "memorydb:DescribeAcls", "memorydb:DescribeClusters", "memorydb:DescribeParameterGroups", "memorydb:DescribeParameters", "memorydb:DescribeSubnetGroups", "organizations:ListRoots", "quicksight:DescribeAccountSubscription", "quicksight:DescribeDataSetRefreshProperties", "rds:DescribeEngineDefaultClusterParameters", "redshift:DescribeEndpointAccess", "redshift:DescribeEndpointAuthorization", "route53:GetChange", "route53:ListCidrBlocks", "route53:ListCidrLocations", "serviceCatalog:DescribePortfolioShares", "transfer:DescribeProfile", and "transfer:ListProfiles"   |  This policy now supports additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, AWS Ground Station, AWS Mainframe Modernization, Amazon MemoryDB, AWS Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, AWS Service Catalog, and AWS Transfer Family.  | November 17, 2023 | 
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "Sid": "AWSConfigServiceRolePolicyStatementID", "Sid": "AWSConfigSLRLogStatementID", "Sid": "AWSConfigSLRLogEventStatementID", and "Sid": "AWSConfigSLRApiGatewayStatementID"   |  This policy now adds statement IDs (SIDs) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, and `AWSConfigSLRApiGatewayStatementID`.  | November 17, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "backup:DescribeProtectedResource," "cognito-identity:GetIdentityPoolRoles," "cognito-identity:ListIdentityPools," "cognito-identity:ListTagsForResource," "cognito-idp:DescribeIdentityProvider," "cognito-idp:DescribeResourceServer," "cognito-idp:DescribeUserPool," "cognito-idp:DescribeUserPoolClient," "cognito-idp:DescribeUserPoolDomain," "cognito-idp:GetGroup," "cognito-idp:GetUserPoolMfaConfig," "cognito-idp:ListGroups," "cognito-idp:ListIdentityProviders," "cognito-idp:ListResourceServers," "cognito-idp:ListUserPoolClients," "cognito-idp:ListUserPools," "cognito-idp:ListTagsForResource," "connect:DescribeEvaluationForm," "connect:DescribeInstanceStorageConfig," "connect:DescribePrompt," "connect:DescribeRule," "connect:DescribeUser," "connect:GetTaskTemplate," "connect:ListApprovedOrigins," "connect:ListEvaluationForms," "connect:ListInstanceStorageConfigs," "connect:ListIntegrationAssociations," "connect:ListPrompts," "connect:ListRules," "connect:ListSecurityKeys," "connect:ListTagsForResource," "connect:ListTaskTemplates," "connect:ListUsers," "emr-containers:DescribeVirtualCluster," "emr-containers:ListVirtualClusters," "emr-serverless:GetApplication," "emr-serverless:ListApplications," "groundstation:GetDataflowEndpointGroup," "groundstation:ListDataflowEndpointGroups," "m2:GetEnvironment," "m2:ListEnvironments," "m2:ListTagsForResource," "memorydb:DescribeAcls," "memorydb:DescribeClusters," "memorydb:DescribeParameterGroups," "memorydb:DescribeParameters," "memorydb:DescribeSubnetGroups," "organizations:ListRoots," "quicksight:DescribeAccountSubscription," "quicksight:DescribeDataSetRefreshProperties," "rds:DescribeEngineDefaultClusterParameters," "redshift:DescribeEndpointAccess," "redshift:DescribeEndpointAuthorization," "route53:GetChange," "route53:ListCidrBlocks," "route53:ListCidrLocations," "serviceCatalog:DescribePortfolioShares," "transfer:DescribeProfile," and "transfer:ListProfiles" | The policy now supports additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, AWS Ground Station, AWS Mainframe Modernization, Amazon MemoryDB, AWS Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, AWS Service Catalog, and AWS Transfer Family. | November 17, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "Sid": "AWSConfigServiceRolePolicyStatementID," "Sid": "AWSConfigSLRLogStatementID," "Sid": "AWSConfigSLRLogEventStatementID," and "Sid": "AWSConfigSLRApiGatewayStatementID" | This policy now adds security identifiers (SIDs) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, and `AWSConfigSLRApiGatewayStatementID`. | November 17, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "acm-pca:GetCertificateAuthorityCertificate," "appmesh:DescribeMesh," "appmesh:ListGatewayRoutes," "connect:DescribeInstance," "connect:DescribeQuickConnect," "connect:ListQuickConnects," "ecs:DescribeCapacityProviders," "evidently:GetSegment," "evidently:ListSegments," "grafana:DescribeWorkspace," "grafana:DescribeWorkspaceAuthentication," "grafana:DescribeWorkspaceConfiguration," "grafana:DescribeWorkspaceConfiguration," "guardduty:GetMemberDetectors," "inspector2:BatchGetAccountStatus," "inspector2:GetDelegatedAdminAccount," "inspector2:ListMembers," "iot:DescribeCACertificate," "iot:ListCACertificates," "iot:ListTagsForResource," "iottwinmaker:GetSyncJob," "iottwinmaker:ListSyncJobs," "kafka:ListTagsForResource," "kafkaconnect:DescribeConnector," "kafkaconnect:ListConnectors," "lambda:GetCodeSigningConfig," "lambda:ListCodeSigningConfigs," "lambda:ListTags," "networkmanager:GetConnectPeer," "organizations:DescribeOrganization," "organizations:ListTargetsForPolicy," "sagemaker:DescribeDataQualityJob," "sagemaker:DescribeModelExplainabilityJob," "sagemaker:ListDataQualityJob," and "sagemaker:ExplainabilityJob" | The policy now supports additional permissions for AWS Private CA, AWS App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), AWS Lambda, AWS Network Manager, AWS Organizations, and Amazon SageMaker AI. | October 4, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "acm-pca:GetCertificateAuthorityCertificate," "appmesh:DescribeMesh," "appmesh:ListGatewayRoutes," "connect:DescribeInstance," "connect:DescribeQuickConnect," "connect:ListQuickConnects," "ecs:DescribeCapacityProviders," "evidently:GetSegment," "evidently:ListSegments," "grafana:DescribeWorkspace," "grafana:DescribeWorkspaceAuthentication," "grafana:DescribeWorkspaceConfiguration," "grafana:DescribeWorkspaceConfiguration," "guardduty:GetMemberDetectors," "inspector2:BatchGetAccountStatus," "inspector2:GetDelegatedAdminAccount," "inspector2:ListMembers," "iot:DescribeCACertificate," "iot:ListCACertificates," "iot:ListTagsForResource," "iottwinmaker:GetSyncJob," "iottwinmaker:ListSyncJobs," "kafka:ListTagsForResource," "kafkaconnect:DescribeConnector," "kafkaconnect:ListConnectors," "lambda:GetCodeSigningConfig," "lambda:ListCodeSigningConfigs," "lambda:ListTags," "networkmanager:GetConnectPeer," "organizations:DescribeOrganization," "organizations:ListTargetsForPolicy," "sagemaker:DescribeDataQualityJob," "sagemaker:DescribeModelExplainabilityJob," "sagemaker:ListDataQualityJob," and "sagemaker:ExplainabilityJob" | The policy now supports additional permissions for AWS Private CA, AWS App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), AWS Lambda, AWS Network Manager, AWS Organizations, and Amazon SageMaker AI. | October 4, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Removed "ssm:GetParameter" | This policy now removes a permission for AWS Systems Manager (Systems Manager). | September 6, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "appmesh:DescribeGatewayRoute", "appstream:DescribeStacks", "aps:ListTagsForResource", "cloudfront:GetFunction", "cloudfront:GetOriginAccessControl", "cloudfront:ListFunctions", "cloudfront:ListOriginAccessControls", "codeartifact:ListPackages", "codeartifact:ListPackageVersions", "codebuild:BatchGetReportGroups", "codebuild:ListReportGroups", "connect:ListInstanceAttributes", "connect:ListInstances", "glue:GetPartition", "glue:GetPartitions", "guardduty:GetAdministratorAccount", "iam:ListInstanceProfileTags", "inspector2:ListFilters", "iot:DescribeJobTemplate", "iot:DescribeProvisioningTemplate", "iot:ListJobTemplates", "iot:ListProvisioningTemplates", "iottwinmaker:GetComponentType", "iottwinmaker:ListComponentTypes", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "kafka:ListScramSecrets", "macie2:ListTagsForResource", "mediaconnect:ListTagsForResource", "networkmanager:GetConnectPeer", "networkmanager:ListConnectPeers", "organizations:DescribeEffectivePolicy", "organizations:DescribeResourcePolicy", "resource-explorer-2:GetIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListTagsForResource", "route53:ListCidrCollections", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", and "sns:GetDataProtectionPolicy" | The policy now supports additional permissions for Amazon Connect, AWS App Mesh, AWS CloudFormation, Amazon CloudFront, AWS CodeArtifact, AWS CodeBuild, AWS Identity and Access Management (IAM), AWS Glue, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Macie, AWS Elemental MediaConnect, AWS Network Manager, AWS Organizations, AWS Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Notification Service (Amazon SNS). | July 28, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "appmesh:DescribeGatewayRoute", "appstream:DescribeStacks", "aps:ListTagsForResource", "cloudfront:GetFunction", "cloudfront:GetOriginAccessControl", "cloudfront:ListFunctions", "cloudfront:ListOriginAccessControls", "codeartifact:ListPackages", "codeartifact:ListPackageVersions", "codebuild:BatchGetReportGroups", "codebuild:ListReportGroups", "connect:ListInstanceAttributes", "connect:ListInstances", "glue:GetPartition", "glue:GetPartitions", "guardduty:GetAdministratorAccount", "iam:ListInstanceProfileTags", "inspector2:ListFilters", "iot:DescribeJobTemplate", "iot:DescribeProvisioningTemplate", "iot:ListJobTemplates", "iot:ListProvisioningTemplates", "iottwinmaker:GetComponentType", "iottwinmaker:ListComponentTypes", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "kafka:ListScramSecrets", "macie2:ListTagsForResource", "mediaconnect:ListTagsForResource", "networkmanager:GetConnectPeer", "networkmanager:ListConnectPeers", "organizations:DescribeEffectivePolicy", "organizations:DescribeResourcePolicy", "resource-explorer-2:GetIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListTagsForResource", "route53:ListCidrCollections", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "sns:GetDataProtectionPolicy", "ssm:DescribeParameters", "ssm:GetParameter", and "ssm:ListTagsForResource" | The policy now supports additional permissions for Amazon WorkSpaces Applications, AWS App Mesh, AWS CloudFormation, Amazon CloudFront, Amazon Connect, AWS CodeArtifact, AWS CodeBuild, AWS Glue, AWS Identity and Access Management (IAM), Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Macie, AWS Elemental MediaConnect, AWS Network Manager, AWS Organizations, Amazon Route 53, AWS Resource Explorer, Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), and Amazon EC2 Systems Manager (SSM). | July 28, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added "amplify:GetBranch", "amplify:ListBranches", "app-integrations:GetEventIntegration", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", "appmesh:DescribeRoute", "appmesh:ListRoutes", "aps:ListRuleGroupsNamespaces", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "batch:DescribeSchedulingPolicies", "batch:ListSchedulingPolicies", "cloudformation:ListTypes", "cloudtrail:ListTrails", "codeartifact:ListDomains", "codeguru-profiler:DescribeProfilingGroup", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:ListProfilingGroups", "ds:DescribeDomainControllers", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "ec2:DescribeTrafficMirrorFilters", "evidently:GetLaunch", "evidently:ListLaunches", "forecast:DescribeDatasetGroup", "forecast:ListDatasetGroups", "greengrass:DescribeComponent", "greengrass:GetComponent", "greengrass:ListComponents", "greengrass:ListComponentVersions", "groundstation:GetMissionProfile", "groundstation:ListMissionProfiles", "iam:ListGroups", "iam:ListRoles", "kafka:DescribeConfiguration", "kafka:DescribeConfigurationRevision", "kafka:ListConfigurations", "lightsail:GetRelationalDatabases", "logs:ListTagsLogGroup", "mediaconnect:DescribeFlow", "mediaconnect:ListFlows", "mediatailor:GetPlaybackConfiguration", "mediatailor:ListPlaybackConfigurations", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEmailTemplate", "mobiletargeting:GetEventStream", "mobiletargeting:ListTemplates", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetLinkAssociations", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", "personalize:DescribeSolution", "personalize:ListDatasetGroups", "personalize:ListDatasetImportJobs", "personalize:ListDatasets", "personalize:ListSchemas", "personalize:ListSolutions", "personalize:ListTagsForResource", "quicksight:ListTemplates", "refactor-spaces:GetEnvironment", "refactor-spaces:GetService", "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", "s3:GetAccessPointPolicyStatusForObjectLambda", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeFeatureGroup", "sagemaker:ListDeviceFleets", "sagemaker:ListFeatureGroups", "sagemaker:ListModels", and "transfer:ListTagsForResource" | The policy now supports additional permissions for AWS Amplify, Amazon Connect, AWS App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, AWS Batch, AWS CloudFormation, AWS CloudTrail, AWS CodeArtifact, Amazon CodeGuru, AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, AWS IoT Greengrass, AWS Ground Station, AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), AWS Organizations, Amazon Personalize, Amazon Quick, AWS Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, and AWS Transfer Family. | June 13, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added "amplify:GetBranch", "amplify:ListBranches", "app-integrations:GetEventIntegration", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", "appmesh:DescribeRoute", "appmesh:ListRoutes", "aps:ListRuleGroupsNamespaces", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "batch:DescribeSchedulingPolicies", "batch:ListSchedulingPolicies", "cloudformation:ListTypes", "cloudtrail:ListTrails", "codeartifact:ListDomains", "codeguru-profiler:DescribeProfilingGroup", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:ListProfilingGroups", "ds:DescribeDomainControllers", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "ec2:DescribeTrafficMirrorFilters", "evidently:GetLaunch", "evidently:ListLaunches", "forecast:DescribeDatasetGroup", "forecast:ListDatasetGroups", "greengrass:DescribeComponent", "greengrass:GetComponent", "greengrass:ListComponents", "greengrass:ListComponentVersions", "groundstation:GetMissionProfile", "groundstation:ListMissionProfiles", "iam:ListGroups", "iam:ListRoles", "kafka:DescribeConfiguration", "kafka:DescribeConfigurationRevision", "kafka:ListConfigurations", "lightsail:GetRelationalDatabases", "logs:ListTagsLogGroup", "mediaconnect:DescribeFlow", "mediaconnect:ListFlows", "mediatailor:GetPlaybackConfiguration", "mediatailor:ListPlaybackConfigurations", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEmailTemplate", "mobiletargeting:GetEventStream", "mobiletargeting:ListTemplates", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetLinkAssociations", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", "personalize:DescribeSolution", "personalize:ListDatasetGroups", "personalize:ListDatasetImportJobs", "personalize:ListDatasets", "personalize:ListSchemas", "personalize:ListSolutions", "personalize:ListTagsForResource", "quicksight:ListTemplates", "refactor-spaces:GetEnvironment", "refactor-spaces:GetService", "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", "s3:GetAccessPointPolicyStatusForObjectLambda", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeFeatureGroup", "sagemaker:ListDeviceFleets", "sagemaker:ListFeatureGroups", "sagemaker:ListModels", and "transfer:ListTagsForResource" | The policy now supports additional permissions for AWS Amplify, Amazon Connect, AWS App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, AWS Batch, AWS CloudFormation, AWS CloudTrail, AWS CodeArtifact, Amazon CodeGuru, AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, AWS IoT Greengrass, AWS Ground Station, AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), AWS Organizations, Amazon Personalize, Amazon Quick, AWS Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, and AWS Transfer Family. | June 13, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, ec2:GetInstanceTypesFromInstanceRequirement, ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations | The policy now supports additional permissions for AWS Amplify, AWS App Mesh, AWS App Runner, Amazon CloudFront, Amazon CloudWatch, AWS CodeArtifact, AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kendra, Amazon Macie, Amazon Pinpoint, AWS Migration Hub Refactor Spaces, AWS Resilience Hub, Amazon Route 53, Amazon SageMaker AI, AWS Transfer Family, and AWS WAF. | April 13, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, ec2:GetInstanceTypesFromInstanceRequirement, ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations | The policy now supports additional permissions for AWS Amplify, AWS App Mesh, AWS App Runner, Amazon CloudFront, Amazon CloudWatch, AWS CodeArtifact, AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kendra, Amazon Macie, Amazon Pinpoint, AWS Migration Hub Refactor Spaces, AWS Resilience Hub, Amazon Route 53, Amazon SageMaker AI, AWS Transfer Family, and AWS WAF. | April 13, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudfront:GetResponseHeadersPolicy, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions | The policy now supports additional permissions for Amazon AppFlow, AWS App Runner, Amazon WorkSpaces Applications, Amazon CloudFront, Amazon CloudWatch, Amazon CloudWatch Evidently, AWS CodeArtifact, AWS CodeCommit, AWS Device Farm, Amazon Forecast, AWS Ground Station, AWS Identity and Access Management (IAM), AWS IoT, Amazon MemoryDB, Amazon Pinpoint, AWS Network Manager, AWS Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI. | March 30, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudformation:ListTypes, cloudfront:GetResponseHeadersPolicy, cloudfront:ListDistributions, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, ec2:DescribeTrafficMirrorFilters, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions | The policy now supports additional permissions for Amazon AppFlow, AWS App Runner, Amazon WorkSpaces Applications, AWS CloudFormation, Amazon CloudFront, Amazon CloudWatch, Amazon CloudWatch Evidently, AWS CodeArtifact, AWS CodeCommit, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Forecast, AWS Ground Station, AWS Identity and Access Management (IAM), AWS IoT, Amazon MemoryDB, Amazon Pinpoint, AWS Network Manager, AWS Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI. | March 30, 2023 |
| [AWSConfigRulesExecutionRole](#security-iam-awsmanpol-AWSConfigRulesExecutionRole) — AWS Config started tracking changes for this AWS managed policy | This policy allows an AWS Lambda function to access the AWS Config API and the configuration snapshots that AWS Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for custom Lambda rules in AWS Config. | March 7, 2023 |
| [AWSConfigRoleForOrganizations](#security-iam-awsmanpol-AWSConfigRoleForOrganizations) — AWS Config started tracking changes for this AWS managed policy | This policy allows AWS Config to make read-only calls to AWS Organizations APIs. | March 7, 2023 |
| [AWSConfigRemediationServiceRolePolicy](#security-iam-awsmanpol-AWSConfigRemediationServiceRolePolicy) — AWS Config started tracking changes for this AWS managed policy | This policy allows AWS Config to remediate `NON_COMPLIANT` resources on your behalf. | March 7, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added auditmanager:GetAccountStatus | This policy now grants permission to return the registration status of an account in AWS Audit Manager. | March 3, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added auditmanager:GetAccountStatus | This policy now grants permission to return the registration status of an account in AWS Audit Manager. | March 3, 2023 |
| [AWSConfigMultiAccountSetupPolicy](#security-iam-awsmanpol-AWSConfigMultiAccountSetupPolicy) — AWS Config started tracking changes for this AWS managed policy | This policy allows AWS Config to call AWS services and to deploy AWS Config resources across an organization using AWS Organizations. | February 27, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | The policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon WorkSpaces Applications, AWS IoT, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. | February 1, 2023 |
| [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | The policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon WorkSpaces Applications, AWS IoT, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. | February 1, 2023 |
| [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Updated config:DescribeConfigRules | As a security best practice, this policy now removes the broad resource-level permission for `config:DescribeConfigRules`. | January 12, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource | The policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), Amazon Timestream, and AWS Transfer Family. | December 15, 2022 |
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), Amazon Lightsail, AWS Directory Service, Amazon Quick, AWS Glue, AWS IoT, Amazon Application Recovery Controller (ARC), AWS Elemental MediaPackage, AWS Network Manager, AWS Resource Access Manager, Amazon Simple Storage Service (Amazon S3), Amazon Timestream, and AWS Transfer Family.  | December 15, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added cloudformation:ListStackResources and cloudformation:ListStacks  |  This policy now allows returning descriptions of all resources in the specified AWS CloudFormation stack, and returning summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added cloudformation:ListStackResources and cloudformation:ListStacks  |  This policy now allows returning descriptions of all resources in the specified AWS CloudFormation stack, and returning summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  This policy now supports additional permissions for Apache Airflow, AWS Certificate Manager, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Amplify, AWS Glue DataBrew, AWS AppConfig, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS Fault Injection Service, Amazon Lex, Amazon Lightsail, AWS IoT, Amazon Pinpoint, AWS OpsWorks, AWS Panorama, Amazon Quick, Amazon Relational Database Service (Amazon RDS), AWS Resource Access Manager, Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service.  | October 19, 2022 | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  This policy now supports additional permissions for Apache Airflow, AWS Certificate Manager, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Amplify, AWS Glue DataBrew, AWS AppConfig, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS Fault Injection Service, Amazon Lex, Amazon Lightsail, AWS IoT, Amazon Pinpoint, AWS OpsWorks, AWS Panorama, Amazon Quick, Amazon Relational Database Service (Amazon RDS), AWS Resource Access Manager, Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service.  | October 19, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added Glue::GetTable  |  This policy now grants permission to retrieve the table definition of the specified AWS Glue table in the Data Catalog.  | September 14, 2022 | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added Glue::GetTable  |  This policy now grants permission to retrieve the table definition of the specified AWS Glue table in the Data Catalog.  | September 14, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.  | September 7, 2022 | 
|  [AWS_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.  | September 7, 2022 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – 添加 airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | 该政策现在支持Apache Airflow、Amazon Application WorkSpaces s、 AWS IoT Amazon Reviewer、Amazon Kinesis Video Streams AWS HealthLake、 CodeGuru 亚马逊应用程序恢复控制器 (ARC)、亚马逊弹性计算云 (Amazon EC2) AWS Device Farm、亚马逊 Pinpoint、IAM (IAM)、亚马逊和亚马逊日志的亚马逊托管工作流程的额外权限。 AWS Identity and Access Management GuardDuty CloudWatch  | 2023 年 2 月 1 日 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries  |  The policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.   | February 1, 2023 | 
|  [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Updated config:DescribeConfigRules  |  As a security best practice, this policy now removes the broad resource-level permission for `config:DescribeConfigRules`.  | January 12, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  The policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), Amazon Timestream, and AWS Transfer Family.  | December 15, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  The policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), Amazon Timestream, and AWS Transfer Family.  | December 15, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added cloudformation:ListStackResources and cloudformation:ListStacks  |  The policy now allows returning descriptions of all resources in the specified AWS CloudFormation stack, and returning summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added cloudformation:ListStackResources and cloudformation:ListStacks  |  The policy now allows returning descriptions of all resources in the specified AWS CloudFormation stack, and returning summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  The policy now supports additional permissions for Apache Airflow, AWS Certificate Manager, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, AWS OpsWorks, AWS Panorama, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS Resource Access Manager, AWS Resource Groups, AWS RoboMaker, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service.  | October 19, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  The policy now supports additional permissions for Apache Airflow, AWS Certificate Manager, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, AWS OpsWorks, AWS Panorama, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS Resource Access Manager, AWS Resource Groups, AWS RoboMaker, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service.  | October 19, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added Glue::GetTable  |  The policy now grants permission to retrieve the table definition of the specified AWS Glue table in the Data Catalog.  | September 14, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added Glue::GetTable  |  The policy now grants permission to retrieve the table definition of the specified AWS Glue table in the Data Catalog.  | September 14, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  The policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.  | September 7, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – 添加 appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, 
gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, 
ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, 
profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, 
ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports Amazon AppFlow, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.  | September 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists  |  This policy now allows returning a list of AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in an AWS account; listing summary information about the AWS Cloud Map namespaces in an AWS account and the services associated with one or more specified namespaces; and listing all available Amazon Simple Email Service (Amazon SES) contact lists in an AWS account.  | August 22, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists  |  This policy now allows returning a list of AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in an AWS account; listing summary information about the AWS Cloud Map namespaces in an AWS account and the services associated with one or more specified namespaces; and listing all available Amazon Simple Email Service (Amazon SES) contact lists in an AWS account.  | August 22, 2022 | 
|  [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Add cloudwatch:PutMetricData  |  This policy now grants permission to publish metric data points to Amazon CloudWatch.  | July 25, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – 添加 amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor: ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder: GetComponent, imagebuilder: ListComponentBuildVersions, imagebuilder: ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, 
imagebuilder:ListDistributionConfigurations, imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet   |  This policy now supports additional permissions for Amazon Elastic Container Registry (Amazon ECR), Amazon ElastiCache, Amazon EventBridge, Amazon Managed Service for Apache Flink, Amazon FSx, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), AWS RoboMaker, Amazon Simple Email Service (Amazon SES), AWS IAM Identity Center, AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, EC2 Image Builder, and Elastic Load Balancing.  | July 15, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – 添加 amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor: ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder: GetComponent, imagebuilder: ListComponentBuildVersions, imagebuilder: ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, 
imagebuilder:ListDistributionConfigurations, imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet  |  This policy now supports additional permissions for Amazon Elastic Container Registry (Amazon ECR), Amazon ElastiCache, Amazon EventBridge, Amazon Managed Service for Apache Flink, Amazon FSx, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), AWS RoboMaker, Amazon Simple Email Service (Amazon SES), AWS IAM Identity Center, AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, EC2 Image Builder, and Elastic Load Balancing.  | July 15, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags, glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource  |  This policy now grants permissions to: get a specified Amazon Athena data catalog, list the Athena data catalogs in an AWS account, and list the tags associated with an Athena workgroup or data catalog resource; get a list of Amazon Detective behavior graphs and list the tags of a Detective behavior graph; get resource metadata for a list of AWS Glue development endpoint names, get information about a specified development endpoint, get all development endpoints, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get the tags associated with an AWS Glue resource, get information about the workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in the AWS account, get the names of all AWS Glue `DevEndpoint` resources in the AWS account, list the names of all AWS Glue job resources in the AWS account, get details of member accounts, list the names of workflows created in the account, and list the workgroups available to the account; retrieve details of an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, list GuardDuty filters, list GuardDuty IPSets, list the tags of GuardDuty resources, and list the ThreatIntelSets of the GuardDuty service; get the current status and configuration settings of an Amazon Macie account; retrieve the resource and principal associations of AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; get information about an existing Amazon Simple Email Service (Amazon SES) configuration set, list the event destinations associated with an Amazon SES configuration set, and list all configuration sets associated with the Amazon SES account; and list the AWS IAM Identity Center directory attributes, get details of a permission set, get the IAM managed policies attached to a specified IAM Identity Center permission set, list the permission sets of an IAM Identity Center instance, and get the tags of an IAM Identity Center resource.  | May 31, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags, glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource  |  This policy now grants permissions to: get a specified Amazon Athena data catalog, list the Athena data catalogs in an AWS account, and list the tags associated with an Athena workgroup or data catalog resource; get a list of Amazon Detective behavior graphs and list the tags of a Detective behavior graph; get resource metadata for a list of AWS Glue development endpoint names, get information about a specified development endpoint, get all development endpoints, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get the tags associated with an AWS Glue resource, get information about the workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in the AWS account, get the names of all AWS Glue `DevEndpoint` resources in the AWS account, list the names of all AWS Glue job resources in the AWS account, get details of member accounts, list the names of workflows created in the account, and list the workgroups available to the account; retrieve details of an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, list GuardDuty filters, list GuardDuty IPSets, list the tags of GuardDuty resources, and list the ThreatIntelSets of the GuardDuty service; get the current status and configuration settings of an Amazon Macie account; retrieve the resource and principal associations of AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; get information about an existing Amazon Simple Email Service (Amazon SES) configuration set, list the event destinations associated with an Amazon SES configuration set, and list all configuration sets associated with the Amazon SES account; and list the AWS IAM Identity Center directory attributes, get details of a permission set, get the IAM managed policies attached to a specified IAM Identity Center permission set, list the permission sets of an IAM Identity Center instance, and get the tags of an IAM Identity Center resource.  | May 31, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies  |  This policy now grants permissions to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of DynamoDB Accelerator (DAX) parameter groups or subnet groups, get information about the AWS Database Migration Service (AWS DMS) replication tasks for your account in the Region you are currently accessing, and list all AWS Organizations policies of a specified type.  | April 7, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies  |  This policy now grants permissions to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of DynamoDB Accelerator (DAX) parameter groups or subnet groups, get information about the AWS Database Migration Service (AWS DMS) replication tasks for your account in the Region you are currently accessing, and list all AWS Organizations policies of a specified type.  | April 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces  |  This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, Amazon DynamoDB, AWS Database Migration Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAF V2, and Amazon WorkSpaces.  | March 14, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces  |  This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, Amazon DynamoDB, AWS Database Migration Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAF V2, and Amazon WorkSpaces.  | March 14, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies  |  This policy now allows getting details about Elastic Beanstalk environments and a description of the settings for a specified Elastic Beanstalk configuration set, getting a map of OpenSearch or Elasticsearch versions, describing the available Amazon RDS option groups, and getting information about a CodeDeploy deployment configuration. The policy now also grants permissions to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR Public repository policy, retrieve information about an IAM Access Analyzer archive rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of a specified child OU or account, and list the policies attached to a specified target root, OU, or account.  | February 10, 2022 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies  |  This policy now allows getting details about Elastic Beanstalk environments and a description of the settings for a specified Elastic Beanstalk configuration set, getting a map of OpenSearch or Elasticsearch versions, describing the available Amazon RDS option groups, and getting information about a CodeDeploy deployment configuration. The policy now also grants permissions to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR Public repository policy, retrieve information about an IAM Access Analyzer archive rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of a specified child OU or account, and list the policies attached to a specified target root, OU, or account.  | February 10, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent  |  This policy now grants permissions to create Amazon CloudWatch Logs log groups and log streams, and to write log events to the created log streams.  | December 15, 2021 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent  |  This policy now grants permissions to create Amazon CloudWatch Logs log groups and log streams, and to write log events to the created log streams.  | December 15, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and elasticache:DescribeSnapshots  |  This policy now grants permissions to get details about Amazon OpenSearch Service (OpenSearch Service) domains and to get the detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. The policy also grants permission to get details about Amazon ElastiCache snapshots.  | September 8, 2021 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and elasticache:DescribeSnapshots  |  This policy now grants permissions to get details about Amazon OpenSearch Service (OpenSearch Service) domains and to get the detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. The policy also grants permission to get details about Amazon ElastiCache snapshots.  | September 8, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types  |  This policy now grants permissions to list the tags of a log group, list the tags of a state machine, and list all state machines. It also grants permission to get details about a state machine. The policy now also supports Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.  | July 28, 2021 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types  |  This policy now grants permissions to list the tags of a log group, list the tags of a state machine, and list all state machines. It also grants permission to get details about a state machine. The policy now also supports Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.  | July 28, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types  |  This policy now grants permissions to view AWS Systems Manager documents and information about IAM Access Analyzer. The policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, Amazon Route 53, AWS Network Firewall, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to call the read-only APIs required to support these resource types. The policy now also supports filtering Lambda@Edge functions for the [lambda-inside-vpc](https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html) AWS Config managed rule.  | June 8, 2021 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types  |  This policy now grants permissions to view AWS Systems Manager documents and information about IAM Access Analyzer. The policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, Amazon Route 53, AWS Network Firewall, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to call the read-only APIs required to support these resource types. The policy now also supports filtering Lambda@Edge functions for the [lambda-inside-vpc](https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html) AWS Config managed rule.  | June 8, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add apigateway:GET for read-only GET calls to API Gateway, and s3:GetAccessPointPolicy and s3:GetAccessPointPolicyStatus for read-only calls to Amazon S3 APIs  |  This policy now grants AWS Config permission to make read-only GET calls to API Gateway, to support the AWS Config rules for API Gateway. The policy also adds permissions that allow AWS Config to make read-only calls to Amazon Simple Storage Service (Amazon S3) APIs, which are required to support the new `AWS::S3::AccessPoint` resource type.  | May 10, 2021 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add apigateway:GET for read-only GET calls to API Gateway, and s3:GetAccessPointPolicy and s3:GetAccessPointPolicyStatus for read-only calls to Amazon S3 APIs  |  This policy now grants AWS Config permission to make read-only GET calls to API Gateway, to support the AWS Config rules for API Gateway. The policy also adds permissions that allow AWS Config to make read-only calls to Amazon Simple Storage Service (Amazon S3) APIs, which are required to support the new `AWS::S3::AccessPoint` resource type.  | May 10, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add ssm:ListDocuments and additional permissions for AWS resource types  |  This policy now grants permission to view information about specified AWS Systems Manager documents. The policy now also supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, AWS Database Migration Service, Amazon SageMaker AI, and Amazon Route 53. These permission changes allow AWS Config to call the read-only APIs required to support these resource types.  | April 1, 2021 | 
|  [AWS\_ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add ssm:ListDocuments and additional permissions for AWS resource types  |  This policy now grants permission to view information about specified AWS Systems Manager documents. The policy now also supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, AWS Database Migration Service, Amazon SageMaker AI, and Amazon Route 53. These permission changes allow AWS Config to call the read-only APIs required to support these resource types.  | April 1, 2021 | 
|  `AWSConfigRole` deprecated  |  `AWSConfigRole` is deprecated. The replacement policy is `AWS_ConfigRole`.  | April 1, 2021 | 
|  AWS Config started tracking changes  |  AWS Config started tracking changes to its AWS managed policies.  | April 1, 2021 | 

# Permissions for the IAM role assigned to AWS Config
<a name="iamrole-permissions"></a>

An IAM role lets you define a set of permissions. AWS Config assumes the role that you assign to it to write to your S3 bucket, publish to your SNS topic, and make `Describe` or `List` API requests to get configuration details for your AWS resources. For more information about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html) in the *IAM User Guide*.

When you use the AWS Config console to create or update an IAM role, AWS Config automatically attaches the required permissions for you. For more information, see [Setting up AWS Config with the console](gs-console.md).

**Policies and compliance results**  
[IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [other policies managed in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.md) can affect whether AWS Config has permission to record configuration changes for your resources. In addition, rules evaluate a resource's configuration directly, and that evaluation does not take these policies into account. Make sure that the policies in effect are consistent with how you intend to use AWS Config.

**Contents**
+ [Creating IAM role policies](#iam-role-policies)
  + [Adding an IAM trust policy to your role](#iam-trust-policy)
  + [IAM role policy for an S3 bucket](#iam-role-policies-S3-bucket)
  + [IAM role policy for a KMS key](#iam-role-policies-S3-kms-key)
  + [IAM role policy for an Amazon SNS topic](#iam-role-policies-sns-topic)
  + [IAM role policy for getting configuration details](#iam-role-policies-describe-apis)
  + [Managing permissions for S3 bucket recording](#troubleshooting-recording-s3-bucket-policy)

## Creating IAM role policies
<a name="iam-role-policies"></a>

When you use the AWS Config console to create an IAM role, AWS Config automatically attaches the permissions that the role needs.

If you use the AWS CLI to set up AWS Config, or you are updating an existing IAM role, you must update the policy yourself so that AWS Config can access your S3 bucket, publish to your SNS topic, and get configuration details about your resources.

### Adding an IAM trust policy to your role
<a name="iam-trust-policy"></a>

You can create an IAM trust policy that allows AWS Config to assume a role and use it to track your resources. For more information about trust policies, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) in the *IAM User Guide*.

The following is an example trust policy for an AWS Config role:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": { 
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}
```

------

The `AWS:SourceAccount` condition in the trust relationship above restricts the Config service principal to assuming the IAM role only when it is acting on behalf of the specified account. Without it, any AWS account that can point a configuration recorder at your role ARN could have the Config service principal assume the role (the cross-service confused deputy problem).

AWS Config also supports the `AWS:SourceArn` condition, which restricts the Config service principal to assuming the IAM role only when it is acting on behalf of the owning account. When the AWS Config service principal assumes a role, the `AWS:SourceArn` property is always set to `arn:aws:config:sourceRegion:sourceAccountID:*`, where `sourceRegion` is the Region of the customer managed configuration recorder and `sourceAccountID` is the ID of the account that contains that configuration recorder.

For example, adding the following condition restricts the Config service principal to assuming the IAM role only on behalf of a customer managed configuration recorder in the `us-east-1` Region of account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.
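The `AWS:SourceAccount` and `AWS:SourceArn` conditions are easy to drop when a trust policy or the delivery-bucket policy (see the security best practice in the "Permissions for the Amazon S3 bucket" section) is copied between accounts, and a copied policy can also carry the wrong account ID. The following added example (it is not code from the AWS documentation) lints policy documents for exactly that: it finds every `Allow` statement whose principal is `config.amazonaws.com` and reports any that has no `aws:SourceAccount`/`aws:SourceArn` condition, or whose condition names a different account than the one you pass in. The sample policies are constructed for the example; the `999999999999` account ID is a deliberate stale value, and comparisons are done in lower case because IAM matches condition keys case-insensitively.

```python
"""Lint trust and bucket policies for the AWS Config confused-deputy guard.

Added example, not code from the AWS documentation. Sample policies below
are constructed; 999999999999 is a deliberately stale account ID."""
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"
# IAM treats condition keys case-insensitively, so AWS:SourceAccount and
# aws:SourceAccount are the same key; everything is compared in lower case.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_config_principal(statement):
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return False  # "*" or an account principal is a different concern
    return CONFIG_PRINCIPAL in _as_list(principal.get("Service", []))


def _scoping_conditions(statement):
    """{lower-cased key: [values]} from positive String*/Arn* operators.
    Negated (*Not*) and *IfExists operators do not pin the caller."""
    found = {}
    for operator, pairs in (statement.get("Condition") or {}).items():
        op = operator.lower()
        if "not" in op or "ifexists" in op:
            continue
        if not (op.startswith("string") or op.startswith("arn")):
            continue
        for key, values in pairs.items():
            if key.lower() in SCOPING_KEYS:
                found.setdefault(key.lower(), []).extend(_as_list(values))
    return found


def lint_config_principal_statements(policy_doc, expected_account):
    """Return [(sid, reason)] for Allow statements that grant
    config.amazonaws.com without pinning it to expected_account.
    Accepts a dict or the JSON string returned by `aws iam get-role`."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _allows_config_principal(stmt):
            continue
        sid = stmt.get("Sid") or f"statement[{index}]"
        scoping = _scoping_conditions(stmt)
        if not scoping:
            findings.append((sid, "no aws:SourceAccount/aws:SourceArn condition"))
            continue
        for value in scoping.get("aws:sourceaccount", []):
            if value != expected_account:
                findings.append((sid, f"aws:SourceAccount is {value}, expected {expected_account}"))
        for value in scoping.get("aws:sourcearn", []):
            # Config sets SourceArn to arn:aws:config:<region>:<account>:*
            if f":{expected_account}:" not in value:
                findings.append((sid, f"aws:SourceArn {value} is not scoped to {expected_account}"))
    return findings


# Constructed: a trust policy before any condition was added.
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "sts:AssumeRole"}]})

# Constructed: the same trust pinned to one account and one Region's recorder.
HARDENED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                   "ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}}}]}

# Constructed delivery-bucket policy: one correct, one stale, one unconditioned statement.
DELIVERY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow",
     "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
    {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow",
     "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "999999999999"}}},
    {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",
     "Principal": {"Service": CONFIG_PRINCIPAL}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/Config/*"}]}

if __name__ == "__main__":
    for name, doc in [("trust (weak)", WEAK_TRUST_POLICY),
                      ("trust (hardened)", HARDENED_TRUST_POLICY),
                      ("bucket", DELIVERY_BUCKET_POLICY)]:
        for sid, reason in lint_config_principal_statements(doc, "123456789012"):
            print(f"{name}: {sid}: {reason}")
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) and `aws s3api get-bucket-policy` for every account whose recorder delivers to the bucket; a multi-account delivery bucket legitimately has one statement per source account, so pass each account in turn and expect the other accounts' statements to be reported.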

### IAM role policy for an S3 bucket
<a name="iam-role-policies-S3-bucket"></a>

The following example policy grants AWS Config permission to write to your S3 bucket. Delivery is scoped to the `AWSLogs/myAccountID/` prefix, and the `s3:x-amz-acl` condition requires every delivered object to carry the `bucket-owner-full-control` ACL so that the bucket owner keeps control of objects written by the role:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource":[
        "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/myAccountID/*"
      ],
      "Condition":{
        "StringLike":{
          "s3:x-amz-acl":"bucket-owner-full-control"
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetBucketAcl"
      ],
      "Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
    }
  ]
}
```

------

### IAM role policy for a KMS key
<a name="iam-role-policies-S3-kms-key"></a>

The following example policy grants AWS Config permission to use KMS-based encryption for new objects delivered to the S3 bucket. `kms:GenerateDataKey` is what S3 needs to encrypt each delivered object under the key; scope the `Resource` to the single key that the bucket uses rather than `*`:

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
        }
    ]
}
```

------

### IAM role policy for an Amazon SNS topic
<a name="iam-role-policies-sns-topic"></a>

The following example policy grants AWS Config permission to publish to your SNS topic:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",
  "Statement": 
   [
     {
      "Effect":"Allow",
      "Action":"sns:Publish",
      "Resource":"arn:aws:sns:us-east-1:123456789012:MyTopic"
     }
    ]
}
```

------

If your SNS topic is encrypted, see [Configure AWS KMS permissions](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sns-what-permissions-for-sse) in the *Amazon Simple Notification Service Developer Guide* for the additional setup that the topic's KMS key requires.

### IAM role policy for getting configuration details
<a name="iam-role-policies-describe-apis"></a>

We recommend using the AWS Config service-linked role, `AWSServiceRoleForConfig`. The service-linked role is predefined and includes all the permissions that AWS Config needs to call other AWS services on your behalf. A service-linked role is required for service-linked configuration recorders. For more information, see [Using service-linked roles for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html).

If you use the console to create or update a customer managed role, AWS Config attaches the required read-only permissions for you.

If you use the AWS CLI, use the `attach-role-policy` command and specify the Amazon Resource Name (ARN) of the **AWS\_ConfigRole** managed policy (the replacement for the deprecated `AWSConfigRole`, as listed in the policy updates table above). Note that `AWSServiceRoleForConfig` is the name of the service-linked role, not a policy; it is created with its own `AWSConfigServiceRolePolicy` and cannot be attached to a customer managed role.

```
$ aws iam attach-role-policy --role-name myConfigRole --policy-arn arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```

### Managing permissions for S3 bucket recording
<a name="troubleshooting-recording-s3-bucket-policy"></a>

AWS Config records S3 buckets and sends notifications when a bucket is created, updated, or deleted.

We recommend using the AWS Config service-linked role, `AWSServiceRoleForConfig`, for this. The service-linked role is predefined and includes all the permissions that AWS Config needs to call other AWS services on your behalf, including the Amazon S3 read-only APIs used to record bucket configuration. A service-linked role is required for service-linked configuration recorders. For more information, see [Using service-linked roles for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html).

# Updating the IAM role for a customer managed configuration recorder
<a name="update-iam-role"></a>

You can update the IAM role that a customer managed configuration recorder uses. Before you update the IAM role, make sure that you have created a new role to replace the old one. You must attach policies to the new role that grant AWS Config permission to record configurations and deliver them to your delivery channel; a recorder that is switched to a role without those policies stops delivering until the policies are fixed.

For information about creating an IAM role and attaching the required policies to it, see [Step 3: Create an IAM role](gs-cli-prereq.md#gs-cli-create-iamrole).

**Note**  
To find the ARN of an existing IAM role, open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). In the navigation pane, choose **Roles**. Then choose the name of the role you want, and find its ARN at the top of the **Summary** page.

## Updating the IAM role
<a name="update-iam-role-console"></a>

You can update your IAM role using the AWS Management Console or the AWS CLI.

------
#### [ To update the IAM role (Console) ]

1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).

1. In the navigation pane, choose **Settings**.

1. On the **Customer managed recorder** tab of the Settings page, choose **Edit**.

1. In the **Data governance** section, choose an IAM role for AWS Config:
   + **Use an existing AWS Config service-linked role**: AWS Config creates a role with the required permissions.
   + **Choose a role from your account**: For **Existing role**, choose an IAM role from your account.

1. Choose **Save**.

------
#### [ To update the IAM role (AWS CLI) ]

Use the [put-configuration-recorder](https://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command and specify the Amazon Resource Name (ARN) of the new role:

```
$ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole
```

------

# Permissions for the Amazon S3 bucket for the AWS Config delivery channel
<a name="s3-bucket-policy"></a>

**Important**  
This page is about setting up an Amazon S3 bucket for the AWS Config delivery channel. It is not about the `AWS::S3::Bucket` resource type that the AWS Config configuration recorder can record.

By default, all Amazon S3 buckets and objects are private. Only the AWS account that created the bucket (the resource owner) has access to it. The resource owner can grant access to other resources and users by creating an access policy.

When AWS Config creates the S3 bucket for you automatically, it adds the required permissions. However, if you specify an existing S3 bucket, you must add those permissions yourself.

**Topics**
+ [When using an IAM role](#required-permissions-in-another-account)
+ [When using a service-linked role](#required-permissions-using-servicelinkedrole)
+ [Granting AWS Config access](#granting-access-in-another-account)
+ [Cross-account delivery](#required-permissions-cross-account)

## Required permissions for the Amazon S3 bucket when using an IAM role
<a name="required-permissions-in-another-account"></a>

AWS Config uses the IAM role that you assign to the configuration recorder to deliver configuration history and snapshots to the S3 bucket in your account. For cross-account delivery, AWS Config first tries to use the assigned IAM role. If the bucket policy does not grant `WRITE` access to that IAM role, AWS Config falls back to the `config.amazonaws.com` service principal, so the bucket policy must grant `WRITE` access to `config.amazonaws.com` for delivery to succeed. After a successful delivery, AWS Config retains ownership of every object it delivers to the cross-account S3 bucket.

AWS Config also uses the IAM role that you assign to the configuration recorder to call the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RESTBucketHEAD.html) API, which confirms that the S3 bucket exists and determines its location. If the role lacks the permission for that check, you will see an `AccessDenied` error for AWS Config in your AWS CloudTrail logs. However, AWS Config can still deliver configuration history and snapshots even without the permission to confirm the bucket's existence and location.

**Least privilege**  
The Amazon S3 `HeadBucket` API requires the `s3:ListBucket` action on the bucket ARN.

## 使用服务相关角色时 Amazon S3 Bucket 存储桶的必需权限
<a name="required-permissions-using-servicelinkedrole"></a>

 AWS Config 服务相关角色无权将对象放入 Amazon S3 存储桶。如果您 AWS Config 使用服务相关角色进行设置，则 AWS Config 将使用`config.amazonaws.com`服务主体来提供配置历史记录和快照。您的账户或跨账户目标中的 S3 存储桶策略必须包括 AWS Config 服务委托人写入对象的权限。

## Granting AWS Config access to the Amazon S3 bucket
<a name="granting-access-in-another-account"></a>

Complete the following steps to let AWS Config deliver configuration history and snapshots to an Amazon S3 bucket.

1. Sign in to the AWS Management Console with the account that owns the S3 bucket.

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose the bucket that AWS Config will deliver configuration items to, and then choose **Properties**.

1. Choose **Permissions**.

1. Choose **Edit Bucket Policy**.

1. Copy the following policy into the **Bucket Policy Editor** window:
**Security best practice**  
We strongly recommend that you restrict access in the bucket policy with the `AWS:SourceAccount` condition. This ensures that AWS Config is granted access only when it acts on behalf of the accounts you intend.

------
#### [ JSON ]


   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AWSConfigBucketPermissionsCheck",
         "Effect": "Allow",
         "Principal": {
           "Service": "config.amazonaws.com"
         },
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
         "Condition": { 
           "StringEquals": {
             "AWS:SourceAccount": "sourceAccountID"
           }
         }
       },
       {
         "Sid": "AWSConfigBucketExistenceCheck",
         "Effect": "Allow",
         "Principal": {
           "Service": "config.amazonaws.com"
         },
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
         "Condition": { 
           "StringEquals": {
             "AWS:SourceAccount": "sourceAccountID"
           }
         }
       },
       {
         "Sid": "AWSConfigBucketDelivery",
         "Effect": "Allow",
         "Principal": {
           "Service": "config.amazonaws.com"
         },
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
         "Condition": { 
           "StringEquals": { 
             "s3:x-amz-acl": "bucket-owner-full-control",
             "AWS:SourceAccount": "sourceAccountID"
           }
         }
       }
     ]
   }
   ```

------

1. Replace the following values in the bucket policy:
   + *amzn-s3-demo-bucket*: the name of the Amazon S3 bucket that AWS Config delivers configuration history and snapshots to.
   + *[optional] prefix*: an optional addition to the Amazon S3 object key that creates a folder-like organization in the bucket.
   + *sourceAccountID*: the ID of the account for which AWS Config delivers configuration history and snapshots.

1. Choose **Save**, and then choose **Close**.

The `AWS:SourceAccount` condition restricts AWS Config actions to the specified AWS account. For multi-account setups in which several accounts of an organization deliver to a single S3 bucket, use an IAM role together with AWS Organizations condition keys such as `AWS:PrincipalOrgID` rather than the service-linked role. For more information, see [Managing access permissions for your AWS organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html) in the *AWS Organizations User Guide*.

The `AWS:SourceArn` condition restricts AWS Config actions to the specified delivery channel. `AWS:SourceArn` has the format `arn:aws:config:sourceRegion:sourceAccountID:*`.

For example, to restrict access to the S3 bucket to the delivery channel in the US East (N. Virginia) Region of account 123456789012, add the following condition:

```
"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}
```
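The following Python script is an added example, not code from the AWS Config documentation. It generates the bucket policy that the procedure above has you paste in, with every grant to `config.amazonaws.com` scoped by both `AWS:SourceAccount` and `AWS:SourceArn`, and it goes beyond the single-account policy shown above: it accepts several source accounts and emits one `s3:PutObject` statement per account, so each account's delivery channel can only write under its own `AWSLogs/<account>/Config/` key prefix. The function names, the `recorder_role_arns` parameter (the cross-account `s3:ListBucket` grant for the recorder's IAM role) and the sample account IDs are this example's own assumptions.

```python
"""Generate the Amazon S3 bucket policy for AWS Config delivery.

Added example (not from the AWS Config documentation). Function and parameter
names, and the hypothetical account IDs in __main__, are this example's own.
"""
import json
import re

CONFIG_PRINCIPAL = {"Service": "config.amazonaws.com"}
ACCOUNT_ID = re.compile(r"^\d{12}$")


def _delivery_scope(accounts, region):
    # AWS Config sets AWS:SourceArn to arn:aws:config:<region>:<account>:*, so an
    # ArnLike on that shape pins a grant to each account's delivery channel in
    # one Region; AWS:SourceAccount pins it to the account as well.
    return {
        "StringEquals": {"AWS:SourceAccount": list(accounts)},
        "ArnLike": {"AWS:SourceArn": [f"arn:aws:config:{region}:{a}:*" for a in accounts]},
    }


def _object_arn(bucket, prefix, account):
    # Delivered objects land under [prefix/]AWSLogs/<account>/Config/.
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account}/Config/*"


def build_config_bucket_policy(bucket, source_accounts, region, prefix=None, recorder_role_arns=()):
    """Return the bucket policy as a dict ready for json.dumps()."""
    accounts = list(source_accounts)
    if not accounts:
        raise ValueError("at least one source account ID is required")
    bad = [a for a in accounts if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    bucket_arn = f"arn:aws:s3:::{bucket}"

    # Bucket-level checks (GetBucketAcl, ListBucket) can be shared by all accounts.
    statements = [
        {"Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": CONFIG_PRINCIPAL,
         "Action": "s3:GetBucketAcl", "Resource": bucket_arn,
         "Condition": _delivery_scope(accounts, region)},
        {"Sid": "AWSConfigBucketExistenceCheck", "Effect": "Allow", "Principal": CONFIG_PRINCIPAL,
         "Action": "s3:ListBucket", "Resource": bucket_arn,
         "Condition": _delivery_scope(accounts, region)},
    ]
    # One PutObject statement per account: the SourceAccount/SourceArn pair is
    # tied to that account's own key prefix, so account A cannot write into B's path.
    for a in accounts:
        statements.append({
            "Sid": f"AWSConfigBucketDelivery{a}",
            "Effect": "Allow",
            "Principal": CONFIG_PRINCIPAL,
            "Action": "s3:PutObject",
            "Resource": _object_arn(bucket, prefix, a),
            "Condition": {
                "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                 "AWS:SourceAccount": a},
                "ArnLike": {"AWS:SourceArn": f"arn:aws:config:{region}:{a}:*"},
            },
        })
    if recorder_role_arns:
        # Cross-account delivery: the recorder's IAM role calls HeadBucket, which
        # needs s3:ListBucket on the bucket itself (not on the objects).
        statements.append({
            "Sid": "AWSConfigRecorderRoleExistenceCheck",
            "Effect": "Allow",
            "Principal": {"AWS": list(recorder_role_arns)},
            "Action": "s3:ListBucket",
            "Resource": bucket_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def render(policy):
    """Serialize for `aws s3api put-bucket-policy --bucket ... --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(build_config_bucket_policy(
        "amzn-s3-demo-bucket", ["111111111111", "222222222222"], "us-east-1",
        prefix="config",
        recorder_role_arns=["arn:aws:iam::111111111111:role/myConfigRole"])))
```

Splitting the `s3:PutObject` grant per account is the design point: a single statement listing all accounts in `AWS:SourceAccount` and all key prefixes in `Resource` would let any listed account's delivery channel write into any listed prefix, because IAM does not pair individual condition values with individual resources.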

## Required permissions for the Amazon S3 bucket for cross-account delivery
<a name="required-permissions-cross-account"></a>

When AWS Config is configured to deliver configuration history and snapshots to an Amazon S3 bucket in a different account (a cross-account setup), that is, when the configuration recorder and the S3 bucket specified for the delivery channel are in different AWS accounts, the following permissions are required:
+ The IAM role that you assign to the configuration recorder needs explicit permission for the `s3:ListBucket` action, because AWS Config uses this IAM role to call the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RESTBucketHEAD.html) API to determine the bucket's location.
+ The S3 bucket policy must grant permissions to the IAM role assigned to the configuration recorder.

The following example shows a bucket policy that grants the recorder's IAM role this check. Replace the principal with the ARN of the IAM role assigned to your configuration recorder:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678912:role/myConfigRole"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
    }
  ]
}
```

# Permissions for the KMS key for the AWS Config delivery channel
<a name="s3-kms-key-policy"></a>

Use the information in this topic if you want to write a policy for the AWS KMS key of your S3 bucket so that the objects AWS Config delivers to the S3 bucket can be encrypted with KMS-based encryption.

**Contents**
+ [Required permissions for the KMS key when using an IAM role (S3 bucket delivery)](#required-permissions-s3-kms-key-using-iam-role)
+ [Required permissions for the AWS KMS key when using a service-linked role (S3 bucket delivery)](#required-permissions-s3-kms-key-using-servicelinkedrole)
+ [Granting AWS Config access to the AWS KMS key](#granting-access-s3-kms-key)

## Required permissions for the KMS key when using an IAM role (S3 bucket delivery)
<a name="required-permissions-s3-kms-key-using-iam-role"></a>

If you set up AWS Config with an IAM role, you can attach the following permissions policy to the KMS key. Naming an account ID as the principal delegates use of the key to that account; the IAM role assigned to the configuration recorder in that account must also allow `kms:GenerateDataKey` and `kms:Decrypt` on the key in its own permissions policy.

```
{
    "Version": "2012-10-17",
    "Id": "Policy_ID",
    "Statement": [
        {
            "Sid": "AWSConfigKMSPolicy",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Resource": "myKMSKeyARN",
            "Principal": {
                "AWS": [
                    "account-id1",
                    "account-id2",
                    "account-id3"
                ]
            }
        }
    ]
}
```

**Note**  
If the IAM role, the Amazon S3 bucket policy, or the AWS KMS key does not give AWS Config the appropriate access, the attempt to deliver configuration information to the Amazon S3 bucket fails. AWS Config then retries the delivery, this time as the AWS Config service principal. In that case you must attach the permissions policy described below to the AWS KMS key to grant AWS Config permission to use the key when delivering information to the Amazon S3 bucket.

## Required permissions for the AWS KMS key when using a service-linked role (S3 bucket delivery)
<a name="required-permissions-s3-kms-key-using-servicelinkedrole"></a>

The AWS Config service-linked role does not have access to the AWS KMS key. If you set up AWS Config with the service-linked role, AWS Config instead delivers the information as the AWS Config service principal. You must attach an access policy to the AWS KMS key (described below) to grant AWS Config permission to use the key when delivering information to the Amazon S3 bucket.

## Granting AWS Config access to the AWS KMS key
<a name="granting-access-s3-kms-key"></a>

This policy allows AWS Config to use the AWS KMS key when delivering information to the Amazon S3 bucket:

```
{
    "Version": "2012-10-17",
    "Id": "Policy_ID",
    "Statement": [
        {
            "Sid": "AWSConfigKMSPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "myKMSKeyARN",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "sourceAccountID"
                }
            }
        }
    ]
}
```

Replace the following values in the key policy:
+ *myKMSKeyARN*: the ARN of the AWS KMS key that encrypts the data in the Amazon S3 bucket that AWS Config delivers configuration items to.
+ *sourceAccountID*: the ID of the account for which AWS Config delivers configuration items.

You can use the `AWS:SourceAccount` condition in the AWS KMS key policy above to restrict the AWS Config service principal to using the key only when acting on behalf of a specific account.

AWS Config also supports the `AWS:SourceArn` condition, which restricts the AWS Config service principal to using the AWS KMS key only when acting on behalf of a specific AWS Config delivery channel. When AWS Config acts as its service principal, `AWS:SourceArn` is always set to `arn:aws:config:sourceRegion:sourceAccountID:*`, where `sourceRegion` is the Region of the delivery channel and `sourceAccountID` is the ID of the account that contains the delivery channel. For more information about AWS Config delivery channels, see [Managing the delivery channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html). For example, add the following condition to restrict the AWS Config service principal to the delivery channel in the `us-east-1` Region of account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.

# Permissions for the Amazon SNS topic
<a name="sns-topic-policy"></a>

**Encrypted Amazon SNS topics are not supported**  
AWS Config does not support encrypted Amazon SNS topics.

This topic describes how to configure AWS Config to deliver notifications to an Amazon SNS topic owned by another account. AWS Config must have the permissions required to send notifications to the Amazon SNS topic.

When the AWS Config console creates a new Amazon SNS topic for you, it grants the required permissions. If you choose an existing Amazon SNS topic, make sure that the topic has the required permissions and follows the security best practices.

**Cross-Region Amazon SNS topics are not supported**  
AWS Config currently supports access only within the same AWS Region, both within one account and across accounts.

**Contents**
+ [Required permissions for the Amazon SNS topic when using an IAM role](#required-permissions-snstopic-in-another-account)
+ [Required permissions for the Amazon SNS topic when using a service-linked role](#required-permissions-snstopic-using-servicelinkedrole)
+ [Granting AWS Config access to the Amazon SNS topic](#granting-access-snstopic)
+ [Troubleshooting the Amazon SNS topic](#troubleshooting-for-snstopic-using-servicelinkedrole)

## Required permissions for the Amazon SNS topic when using an IAM role
<a name="required-permissions-snstopic-in-another-account"></a>

You can attach a permissions policy to an Amazon SNS topic owned by a different account. If you want to use an Amazon SNS topic in another account, make sure that the following policy is attached to the existing Amazon SNS topic.

```
{
  "Version": "2012-10-17",
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy",
      "Action": [
        "sns:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3"
        ]
      }
    }
  ]
}
```

In the `Resource` key, *account-id* is the AWS account number of the topic owner. For *account-id1*, *account-id2*, and *account-id3*, use the AWS accounts that send data to the Amazon SNS topic. Replace *region* and *myTopic* with the appropriate values.

When AWS Config sends a notification to an Amazon SNS topic, it first tries to use the IAM role; if that role or the AWS account does not have permission to publish to the topic, the attempt fails. AWS Config then sends the notification again, this time as the AWS Config service principal name (SPN). For that publish to succeed, the topic's access policy must grant `sns:Publish` to the `config.amazonaws.com` principal. So if the IAM role does not have permission to publish to the Amazon SNS topic, attach an access policy to the topic, as described in the next section, to grant AWS Config access to it.

## Required permissions for the Amazon SNS topic when using a service-linked role
<a name="required-permissions-snstopic-using-servicelinkedrole"></a>

The AWS Config service-linked role does not have access to the Amazon SNS topic. If you set up AWS Config with the service-linked role (SLR), AWS Config instead sends the information as the AWS Config service principal. You must attach an access policy to the Amazon SNS topic (described below) to grant AWS Config permission to send information to the topic.

In a same-account setup, where the Amazon SNS topic and the SLR are in the same account and the Amazon SNS policy grants `sns:Publish` to the SLR, you do not need to use the AWS Config SPN. The following permissions policy and security best practice recommendations apply to cross-account setups.

## Granting AWS Config access to the Amazon SNS topic
<a name="granting-access-snstopic"></a>

This policy allows AWS Config to send notifications to the Amazon SNS topic. To grant AWS Config access to an Amazon SNS topic from another account, attach the following permissions policy.

**Note**  
As a security best practice, we strongly recommend restricting access to the accounts listed in the `AWS:SourceAccount` condition, so that AWS Config accesses the resource only on behalf of the intended accounts.

```
{
  "Version": "2012-10-17",
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": [
            "account-id1",
            "account-id2",
            "account-id3"
          ]
        }
      }
    }
  ]
}
```

In the `Resource` key, *account-id* is the AWS account number of the topic owner. For *account-id1*, *account-id2*, and *account-id3*, use the AWS accounts that send data to the Amazon SNS topic. Replace *region* and *myTopic* with the appropriate values.

You can use the `AWS:SourceAccount` condition in the Amazon SNS topic policy above to restrict the AWS Config service principal name (SPN) to interacting with the Amazon SNS topic only when acting on behalf of specific accounts.

AWS Config also supports the `AWS:SourceArn` condition, which restricts the AWS Config SPN to interacting with the Amazon SNS topic only when acting on behalf of a specific AWS Config delivery channel. When AWS Config acts as its SPN, `AWS:SourceArn` is always set to `arn:aws:config:sourceRegion:sourceAccountID:*`, where `sourceRegion` is the Region of the delivery channel and `sourceAccountID` is the ID of the account that contains the delivery channel. For more information about AWS Config delivery channels, see [Managing the delivery channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html). For example, add the following condition to restrict the AWS Config SPN to the delivery channel in the `us-east-1` Region of account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.

## Troubleshooting the Amazon SNS topic
<a name="troubleshooting-for-snstopic-using-servicelinkedrole"></a>

AWS Config must have permission to send notifications to the Amazon SNS topic. If the Amazon SNS topic does not receive notifications, verify that the IAM role that AWS Config assumes has the required `sns:Publish` permission.

# Troubleshooting AWS Config identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS Config and IAM.

**Topics**
+ [I am not authorized to perform an action in AWS Config](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my AWS Config resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in AWS Config
<a name="security_iam_troubleshoot-no-permissions"></a>

If you receive an error that you are not authorized to perform an action, your policies must be updated to allow you to perform the action.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but does not have the fictional `config:GetWidget` permission.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: config:GetWidget on resource: my-example-widget
```

In this case, Mateo's policy must be updated to allow him to access the `my-example-widget` resource using the `config:GetWidget` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you are not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to AWS Config.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permission to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in AWS Config. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permission to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action. When you grant it, scope the statement to the ARN of the AWS Config role and add the `iam:PassedToService` condition with the value `config.amazonaws.com`, so that the user can pass that role to AWS Config but not to other services.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
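The Python below is an added example, not code from the AWS Config documentation or the IAM User Guide. It shows the least-privilege fix for Mary's error: an identity policy that allows `iam:PassRole` for one role and only when that role is passed to `config.amazonaws.com`, together with a deliberately small evaluator for the PassRole decision (an explicit Deny wins over an Allow, `Resource` patterns use IAM's `*` and `?` wildcards, and `iam:PassedToService` is enforced). The evaluator handles only `Action`, `Resource` and that one condition key, so it illustrates the decision rather than replacing the IAM policy simulator; the function names and the role ARN are this example's assumptions.

```python
"""Least-privilege iam:PassRole for AWS Config, with a local evaluator.

Added example (not from the AWS Config or IAM documentation). The role ARN,
the function names and the sample policies are this example's own.
"""
from fnmatch import fnmatchcase

CONFIG_SERVICE = "config.amazonaws.com"


def build_passrole_policy(role_arn):
    """Allow passing exactly one role, and only to AWS Config."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PassOnlyTheConfigRoleToConfig",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": CONFIG_SERVICE}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM Action/Resource patterns use only * and ?, which fnmatchcase supports.
    return fnmatchcase(value, pattern)


def _passed_to_service_ok(stmt, passed_to_service):
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
    if wanted is None:
        return True  # no PassedToService condition: the role may go to any service
    return passed_to_service in _as_list(wanted)


def passrole_allowed(policy, role_arn, passed_to_service):
    """Evaluate iam:PassRole for role_arn being passed to passed_to_service.

    Mirrors the IAM decision order for the parts modeled here: a matching
    Deny wins immediately, otherwise at least one matching Allow is needed.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_matches(a, "iam:PassRole") for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, role_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _passed_to_service_ok(stmt, passed_to_service):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/myConfigRole"
    scoped = build_passrole_policy(role)
    # Mary's situation: no PassRole grant at all.
    print(passrole_allowed({"Statement": []}, role, CONFIG_SERVICE))          # False
    print(passrole_allowed(scoped, role, CONFIG_SERVICE))                     # True
    print(passrole_allowed(scoped, role, "lambda.amazonaws.com"))             # False
    print(passrole_allowed(scoped, "arn:aws:iam::123456789012:role/Admin", CONFIG_SERVICE))  # False
```

The contrast worth noting is with the common fix of `"Action": "iam:PassRole", "Resource": "*"`: that grant lets the user hand any role in the account, including administrative ones, to any service that accepts roles, which is a privilege-escalation path rather than a fix for the error message.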

## I want to allow people outside of my AWS account to access my AWS Config resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether AWS Config supports these features, see [How AWS Config works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Using service-linked roles for AWS Config
<a name="using-service-linked-roles"></a>

AWS Config uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Config. Service-linked roles are predefined by AWS Config and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up AWS Config easier because you do not have to add the necessary permissions manually. AWS Config defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Config can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Config
<a name="slr-permissions"></a>

AWS Config uses the service-linked role named **AwsServiceRoleForConfig**. AWS Config uses this service-linked role to call other AWS services on your behalf. For the latest updates, see [AWS Config updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

The **AwsServiceRoleForConfig** service-linked role trusts the `config.amazonaws.com` service to assume the role.

The permissions policy of the `AwsServiceRoleForConfig` role contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. To view the managed policy for **AwsServiceRoleForConfig**, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSConfigServiceRolePolicy).

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

To use a service-linked role with AWS Config, you must configure permissions on the Amazon S3 bucket and the Amazon SNS topic. For more information, see [Required permissions for the Amazon S3 bucket when using a service-linked role](s3-bucket-policy.md#required-permissions-using-servicelinkedrole), [Required permissions for the AWS KMS key when using a service-linked role (S3 bucket delivery)](s3-kms-key-policy.md#required-permissions-s3-kms-key-using-servicelinkedrole), and [Required permissions for the Amazon SNS topic when using a service-linked role](sns-topic-policy.md#required-permissions-snstopic-using-servicelinkedrole).

## Creating a service-linked role for AWS Config
<a name="create-slr"></a>

In the IAM CLI or the IAM API, create a service-linked role with the `config.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use the same process to create the role again.

## Editing a service-linked role for AWS Config
<a name="edit-slr"></a>

AWS Config does not allow you to edit the **AwsServiceRoleForConfig** service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Config
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you do not have an unused entity that is not actively monitored or maintained. However, you must clean up the resources of the service-linked role before you can delete it manually.

**Note**  
If the AWS Config service is using the role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and try the operation again.

**To delete AWS Config resources used by AwsServiceRoleForConfig**

Make sure you have no `ConfigurationRecorders` that use the service-linked role. You can use the AWS Config console to stop the configuration recorder. To stop recording, choose **Turn off** under **Recording is on**.

You can delete the `ConfigurationRecorder` with the AWS Config API. To delete it, use the `delete-configuration-recorder` command.

```
$ aws configservice delete-configuration-recorder --configuration-recorder-name default
```

**To manually delete the service-linked role using IAM**

Use the IAM console, the IAM CLI, or the IAM API to delete the AwsServiceRoleForConfig service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

# Incident response in AWS Config
<a name="incident-response"></a>

Security is the highest priority at AWS. As part of the AWS Cloud [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model), AWS manages a data center, network, and software architecture that meets the requirements of the most security-sensitive organizations. AWS is responsible for any incident response with regard to the AWS Config service itself. Also, as an AWS customer, you share a responsibility for maintaining security in the cloud. This means that you control the security you choose to implement from the AWS tools and features you have access to, and you are responsible for incident response on your side of the shared responsibility model.

By establishing a security baseline that meets the objectives for your applications running in the cloud, you can detect deviations that you can respond to. Because security incident response can be a complex topic, we encourage you to review the following resources so that you are better able to understand the impact that incident response (IR) and your choices have on your corporate goals: the [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html), the [AWS Security Best Practices](https://aws.amazon.com/architecture/security-identity-compliance/?cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc) whitepaper, and the [Security Perspective of the AWS Cloud Adoption Framework (CAF)](https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf) whitepaper.

# Compliance validation for AWS Config
<a name="config-compliance"></a>

Third-party auditors assess the security and compliance of AWS Config as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see the [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in AWS Config
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in AWS Config
<a name="infrastructure-security"></a>

As a managed service, AWS Config is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in the *Security Pillar AWS Well-Architected Framework*.

You use AWS published API calls to access AWS Config through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

## Configuration and vulnerability analysis
<a name="vulnerability-analysis-and-management"></a>

For AWS Config, AWS handles basic security tasks such as guest operating system (OS) and database patching, firewall configuration, and disaster recovery.

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that does not have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account.

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Config gives another service to the resource. Use `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use.

The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. If you do not know the full ARN of the resource, or if you are specifying multiple resources, use the `aws:SourceArn` global condition context key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:servicename:*:123456789012:*`.

If the `aws:SourceArn` value does not contain the account ID, such as an Amazon S3 bucket ARN, you must use both global condition context keys to limit permissions.

The following example shows how you can use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in AWS Config to prevent the confused deputy problem: [Granting AWS Config access to the Amazon S3 bucket](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html).
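The following Python script is an added example, not code from the AWS Config documentation. It turns the recommendation in this section, and the `AWS:SourceAccount`/`AWS:SourceArn` conditions shown in the S3 bucket, AWS KMS key and Amazon SNS topic policies earlier on this page, into a check you can run over a resource policy before you attach it: it reports every `Allow` statement for the `config.amazonaws.com` service principal that lacks both keys, any `aws:SourceArn` that is not in the `arn:aws:config:<region>:<account>:*` form AWS Config sets, and any `aws:SourceArn` without an account ID that is not backed by `aws:SourceAccount`. The function names, the sample policies and their account IDs are constructed for this example.

```python
"""Audit a resource policy for confused-deputy scoping of AWS Config grants.

Added example (not from the AWS Config documentation). Function names and the
sample policies, including their account IDs, are this example's own.
"""
import re

CONFIG_SPN = "config.amazonaws.com"
ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_to_config_spn(stmt):
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and CONFIG_SPN in _as_list(principal.get("Service", []))


def _conditions(stmt):
    # IAM condition keys are case-insensitive, so AWS:SourceArn and aws:SourceArn
    # are the same key; collect values per lower-cased key across all operators.
    found = {}
    for operator_block in stmt.get("Condition", {}).values():
        for key, values in operator_block.items():
            found.setdefault(key.lower(), []).extend(_as_list(values))
    return found


def _source_arn_problem(arn):
    parts = arn.split(":")  # expected: arn:aws:config:<region>:<account>:*
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "config"] or parts[5] != "*":
        return "malformed"
    return None if ACCOUNT_ID.match(parts[4]) else "no-account"


def audit_config_grants(policy):
    """Return a list of findings; an empty list means every grant is scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_to_config_spn(stmt):
            continue  # Deny statements and grants to IAM principals are out of scope
        sid = stmt.get("Sid", "<no Sid>")
        conds = _conditions(stmt)
        accounts = conds.get("aws:sourceaccount", [])
        arns = conds.get("aws:sourcearn", [])
        if not accounts and not arns:
            findings.append(f"{sid}: grant to {CONFIG_SPN} has neither aws:SourceAccount nor aws:SourceArn")
            continue
        for acct in accounts:
            if not ACCOUNT_ID.match(acct):
                findings.append(f"{sid}: aws:SourceAccount value {acct!r} is not a 12-digit account ID")
        for arn in arns:
            problem = _source_arn_problem(arn)
            if problem == "malformed":
                findings.append(f"{sid}: aws:SourceArn {arn!r} is not of the form arn:aws:config:<region>:<account>:*")
            elif problem == "no-account" and not accounts:
                findings.append(f"{sid}: aws:SourceArn {arn!r} carries no account ID, so aws:SourceAccount is also required")
    return findings


# Constructed sample policies (hypothetical account IDs and names).
SCOPED_SNS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSConfigSNSPolicy", "Effect": "Allow",
    "Principal": {"Service": CONFIG_SPN}, "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:myTopic",
    "Condition": {
        "StringEquals": {"AWS:SourceAccount": ["111111111111", "222222222222"]},
        "ArnLike": {"AWS:SourceArn": ["arn:aws:config:us-east-1:111111111111:*",
                                      "arn:aws:config:us-east-1:222222222222:*"]}}}]}

UNSCOPED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RecorderRoleListBucket", "Effect": "Allow",  # IAM-role grant: not audited
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/myConfigRole"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
    {"Sid": "AWSConfigBucketDelivery", "Effect": "Allow",  # SPN grant with no scoping
     "Principal": {"Service": CONFIG_SPN}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/111111111111/Config/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

HALF_SCOPED_KMS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSConfigKMSPolicy", "Effect": "Allow",
    "Principal": {"Service": CONFIG_SPN}, "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",  # Region-wide SourceArn, no account ID, no SourceAccount
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:config:us-east-1:*:*"}}}]}

if __name__ == "__main__":
    for name, policy in [("sns", SCOPED_SNS_POLICY), ("s3", UNSCOPED_BUCKET_POLICY),
                         ("kms", HALF_SCOPED_KMS_POLICY)]:
        print(name, audit_config_grants(policy) or ["ok"])
```

Grants to IAM-role principals (such as the recorder's role in a cross-account bucket policy) are deliberately skipped: the confused-deputy keys apply to service principals, and a role grant is already bound to a specific principal.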

# Security best practices for AWS Config
<a name="security-best-practices"></a>

AWS Config provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and do not represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.
+ Use tags with AWS Config, which makes it easier to manage, search for, and filter resources.
+ Verify that your [delivery channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html) is set up correctly, and once it is, verify that AWS Config is [recording correctly](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html).

For more information, see the [AWS Config Best Practices](https://aws.amazon.com/blogs/mt/aws-config-best-practices/) blog post.