AWS Organizations 的基于资源的策略示例
以下代码示例说明如何使用基于资源的委托策略。有关更多信息,请参阅 AWS Organizations 的委托管理员。
示例:查看组织、OU、账户和策略
在委托策略管理之前,必须委托浏览组织结构并查看组织单元(OU)、账户及其附加策略的权限。
此示例说明如何将这些权限包含在成员账户 AccountId 的基于资源的委托策略中。
重要
建议您仅包含对所需最低操作的权限,如示例所示,但可以使用此策略委托任何 Organizations 只读操作。
此示例委托策略授予以编程方式通过 AWS API 或 AWS CLI 完成此操作的必要权限。要使用此委托策略,请将 AccountId 的 AWS 占位符文本替换为您自己的信息。然后,按照 AWS Organizations 的委托管理员 中的说明进行操作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DelegatingNecessaryDescribeListActions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AccountId:root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribePolicy", "organizations:DescribeEffectivePolicy", "organizations:ListRoots", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListChildren", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy", "organizations:ListTagsForResource" ], "Resource": "*" } ] }
示例:创建、读取、更新和删除策略
您可以创建基于资源的委派策略,允许管理账户委派任何策略类型的 create、read、update 和 delete 操作。此示例展示了如何将服务控制策略的这些操作委派给成员账户 MemberAccountId。示例中展示的两个资源分别授予对客户自主管理型和 AWS 托管式服务控制策略的访问权限。
重要
此策略允许委派管理员对组织中任何账户(包括管理账户)创建的策略执行指定操作。
此策略不允许委派管理员附加或分离策略,因为未包含执行 organizations:AttachPolicy 和 organizations:DetachPolicy 操作所需的权限。
此示例委托策略授予以编程方式通过 AWS API 或 AWS CLI 完成此操作的必要权限。请用您自己的信息替换 MemberAccountId、ManagementAccountId 和 OrganizationId 的 AWS 占位符文本。然后,按照 AWS Organizations 的委托管理员 中的说明进行操作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DelegatingNecessaryDescribeListActions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribePolicy", "organizations:DescribeEffectivePolicy", "organizations:ListRoots", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListChildren", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy", "organizations:ListTagsForResource" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "organizations:PolicyType": "SERVICE_CONTROL_POLICY" } } }, { "Sid": "DelegatingMinimalActionsForSCPs", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:CreatePolicy", "organizations:DescribePolicy", "organizations:UpdatePolicy", "organizations:DeletePolicy" ], "Resource": [ "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/service_control_policy/*", "arn:aws:organizations::aws:policy/service_control_policy/*" ] } ] }
示例:标记和取消标记策略
此示例展示了如何创建基于资源的委派策略,以允许委派管理员标记或取消标记备份策略。此策略会授予通过 AWS API 或 AWS CLI 以编程方式完成此操作所需的权限。
要使用此委派策略,请用您自己的信息替换 MemberAccountId、ManagementAccountId 和 OrganizationId 的 AWS 占位符文本。然后,按照 AWS Organizations 的委托管理员 中的说明进行操作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DelegatingNecessaryDescribeListActions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribePolicy", "organizations:DescribeEffectivePolicy", "organizations:ListRoots", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListChildren", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy", "organizations:ListTagsForResource" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "organizations:PolicyType": "BACKUP_POLICY" } } }, { "Sid": "DelegatingTaggingBackupPolicies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:TagResource", "organizations:UntagResource" ], "Resource": "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*" } ] }
示例:将策略附加到单个 OU 或账户
此示例展示了如何创建基于资源的委派策略,以允许来自指定组织单位(OU)或指定账户的委派管理员 attach 或 detach Organizations 策略。在委派这些操作之前,必须委派浏览组织结构并查看组织结构下账户的权限。有关详细信息,请参阅 示例:查看组织、OU、账户和策略
重要
-
虽然此策略允许将策略附加到指定 OU 或账户或将其分离,但未包含子 OU 和子 OU 下的账户。
-
此策略允许委托管理员对组织中任何账户(包括管理账户)创建的策略执行指定操作。
此示例委托策略授予以编程方式通过 AWS API 或 AWS CLI 完成此操作的必要权限。要使用此委派策略,请用您自己的信息替换 MemberAccountId、ManagementAccountId、OrganizationId 和 TargetAccountId 的 AWS 占位符文本。然后,按照 AWS Organizations 的委托管理员 中的说明进行操作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DelegatingNecessaryDescribeListActions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribePolicy", "organizations:DescribeEffectivePolicy", "organizations:ListRoots", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListChildren", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy", "organizations:ListTagsForResource" ], "Resource": "*" }, { "Sid": "AttachDetachPoliciesSpecifiedAccountOU", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:AttachPolicy", "organizations:DetachPolicy" ], "Resource": [ "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/ou-OUId", "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/TargetAccountId", "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*" ] } ] }
要将附加和分离策略的责任委派给组织中的任何 OU 或账户,请将上一个示例中的资源替换为以下资源:
"Resource": [ "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/*", "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/*", "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*" ]
示例:管理组织备份策略所需的合并权限
此示例说明如何创建基于资源的委托策略,该策略允许管理账户委托管理组织内部备份策略所需的全部权限,包括 create、read、update 和 delete 操作以及 attach 和 detach 策略操作。
重要
此策略允许委托管理员对组织中任何账户(包括管理账户)创建的策略执行指定操作。
此示例委托策略授予以编程方式通过 AWS API 或 AWS CLI 完成此操作的必要权限。要使用此委托策略,请用您自己的信息替换 MemberAccountId、ManagementAccountId、OrganizationId 和 RootId 的 AWS 占位符文本。然后,按照 AWS Organizations 的委托管理员 中的说明进行操作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DelegatingNecessaryDescribeListActions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:ListRoots", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListChildren", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListTagsForResource" ], "Resource": "*" }, { "Sid": "DelegatingNecessaryDescribeListActionsForSpecificPolicyType", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:DescribePolicy", "organizations:DescribeEffectivePolicy", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "organizations:ListTargetsForPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "organizations:PolicyType": "BACKUP_POLICY" } } }, { "Sid": "DelegatingAllActionsForBackupPolicies", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MemberAccountId:root" }, "Action": [ "organizations:CreatePolicy", "organizations:UpdatePolicy", "organizations:DeletePolicy", "organizations:AttachPolicy", "organizations:DetachPolicy", "organizations:EnablePolicyType", "organizations:DisablePolicyType" ], "Resource": [ "arn:aws:organizations::ManagementAccountId:root/o-OrganizationId/r-RootId", "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/*", "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/*", "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*" ], "Condition": { "StringLikeIfExists": { "organizations:PolicyType": "BACKUP_POLICY" } } } ] }
