本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
IAMAmazon 的政策示例 QuickSight
本节提供了您可以在 Amazon 上使用的IAM政策示例 QuickSight。
IAM亚马逊基于身份的政策 QuickSight
本部分显示了适用于Amazon的基于身份的政策的示例。 QuickSight
主题
- IAM用于控制台管理的基于身份的 QuickSight IAM策略
- IAMAma QuickSight zon 基于身份的政策:控制面板
- IAMAma QuickSight zon 基于身份的政策:命名空间
- IAMAmazon 基于身份的政策 QuickSight:自定义权限
- IAMAmazon 基于身份的政策 QuickSight:自定义电子邮件报告模板
- IAM亚马逊基于身份的政策 QuickSight:创建用户
- IAMAmazon 基于身份的政策 QuickSight:创建和管理群组
- IAMAmazon 基于身份的政策 QuickSight:标准版的所有访问权限
- IAM亚马逊基于身份的政策 QuickSight:带IAM身份中心的企业版的所有访问权限(专业版角色)
- IAMAmazon 基于身份的政策 QuickSight:带IAM身份中心的企业版的所有访问权限
- IAM亚马逊基于身份的政策 QuickSight:带活动目录的企业版的所有访问权限
- IAM亚马逊基于身份的政策 QuickSight:活动目录组
- IAMAmazon 基于身份的政策 QuickSight:使用管理员资产管理控制台
- IAMAmazon 基于身份的政策 QuickSight:使用管理员密钥管理控制台
- AWS 资源 Amazon QuickSight:企业版中的范围界定政策
IAM用于控制台管理的基于身份的 QuickSight IAM策略
以下示例显示了 QuickSight IAM控制台管理操作所需的IAM权限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": [ "quicksight:*", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:DeleteRole", "iam:CreateRole", "iam:GetRole", "iam:ListRoles", "iam:CreatePolicy", "iam:ListEntitiesForPolicy", "iam:listPolicies", "s3:ListAllMyBuckets", "athena:ListDataCatalogs", "athena:GetDataCatalog" ], "Resource": [ "*" ] } ] }
IAMAma QuickSight zon 基于身份的政策:控制面板
以下示例显示了允许共享和嵌入特定仪表板的仪表板的IAM策略。
{ "Version": "2012-10-17", "Statement": [ { "Action": "quicksight:RegisterUser", "Resource": "*", "Effect": "Allow" }, { "Action": "quicksight:GetDashboardEmbedUrl", "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89", "Effect": "Allow" } ] }
IAMAma QuickSight zon 基于身份的政策:命名空间
以下示例显示了允许 QuickSight 管理员创建或删除命名空间的IAM策略。
创建命名空间
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ds:AuthorizeApplication", "ds:UnauthorizeApplication", "ds:DeleteDirectory", "ds:CreateIdentityPoolDirectory", "ds:DescribeDirectories", "quicksight:CreateNamespace" ], "Resource": "*" } ] }
删除命名空间
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ds:UnauthorizeApplication", "ds:DeleteDirectory", "ds:DescribeDirectories", "quicksight:DeleteNamespace" ], "Resource": "*" } ] }
IAMAmazon 基于身份的政策 QuickSight:自定义权限
以下示例显示了一个允许 QuickSight 管理员或开发人员管理自定义权限的IAM策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "quicksight:*CustomPermissions" ], "Resource": "*" } ] }
以下示例显示了另一种授予与上一个示例中所示相同权限的方法。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "quicksight:CreateCustomPermissions", "quicksight:DescribeCustomPermissions", "quicksight:ListCustomPermissions", "quicksight:UpdateCustomPermissions", "quicksight:DeleteCustomPermissions" ], "Resource": "*" } ] }
IAMAmazon 基于身份的政策 QuickSight:自定义电子邮件报告模板
以下示例显示了一项策略,该策略允许在中查看、更新和创建电子邮件报告模板 QuickSight,以及获取 Amazon Simple Email Service 身份的验证属性。此策略允许 QuickSight 管理员创建和更新自定义电子邮件报告模板,并确认他们想要发送电子邮件报告的任何自定义电子邮件地址均为经过验证的身份SES。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "quicksight: DescribeAccountCustomization", "quicksight: CreateAccountCustomization", "quicksight: UpdateAccountCustomization", "quicksight: DescribeEmailCustomizationTemplate", "quicksight: CreateEmailCustomizationTemplate", "quicksight: UpdateEmailCustomizationTemplate", "ses: GetIdentityVerificationAttributes" ], "Resource": "*" } ] }
IAM亚马逊基于身份的政策 QuickSight:创建用户
以下示例显示了仅允许创建 Amazon QuickSight 用户的策略。对于 quicksight:CreateReader、quicksight:CreateUser 和 quicksight:CreateAdmin,您可以限制 "Resource":
"arn:aws:quicksight:: 权限。有关本指南中所述的所有其他权限,请使用 <YOUR_AWS_ACCOUNTID>:user/${aws:userid}""Resource":
"*"。您指定的资源将权限范围限制为指定的资源。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "quicksight:CreateUser" ], "Effect": "Allow", "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}" } ] }
IAMAmazon 基于身份的政策 QuickSight:创建和管理群组
以下示例显示了一个允许 QuickSight 管理员和开发人员创建和管理群组的策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "quicksight:ListGroups", "quicksight:CreateGroup", "quicksight:SearchGroups", "quicksight:ListGroupMemberships", "quicksight:CreateGroupMembership", "quicksight:DeleteGroupMembership", "quicksight:DescribeGroupMembership", "quicksight:ListUsers" ], "Resource": "*" } ] }
IAMAmazon 基于身份的政策 QuickSight:标准版的所有访问权限
以下 Amazon QuickSight 标准版示例显示了允许订阅和创建作者和读者的策略。此示例明确拒绝亚马逊 QuickSight取消订阅的权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ds:AuthorizeApplication", "ds:UnauthorizeApplication", "ds:CheckAlias", "ds:CreateAlias", "ds:DescribeDirectories", "ds:DescribeTrusts", "ds:DeleteDirectory", "ds:CreateIdentityPoolDirectory", "iam:ListAccountAliases", "quicksight:CreateUser", "quicksight:DescribeAccountSubscription", "quicksight:Subscribe" ], "Resource": "*" }, { "Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*" } ] }
IAM亚马逊基于身份的政策 QuickSight:带IAM身份中心的企业版的所有访问权限(专业版角色)
以下 Amazon E QuickSight nterprise 版示例显示了一项策略,该策略允许 QuickSight 用户使用与 IAM Identity Center 集成的 QuickSight 账户订阅 QuickSight、创建用户和管理 Active Directory。
该政策还允许用户订阅 QuickSight 专业版角色,这些角色授予对 QuickSight 生成式商业智能功能中的 Amazon Q 的访问权限。有关 Amazon 专业角色的更多信息 QuickSight,请参阅开始使用生成式 BI。
此示例明确拒绝亚马逊 QuickSight取消订阅的权限。
{ "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": [ "quicksight:*", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:DeleteRole", "iam:CreateRole", "iam:GetRole", "iam:ListRoles", "iam:CreatePolicy", "iam:ListEntitiesForPolicy", "iam:listPolicies", "iam:CreateServiceLinkedRole", "s3:ListAllMyBuckets", "athena:ListDataCatalogs", "athena:GetDataCatalog", "sso:DescribeApplication", "sso:DescribeInstance", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:DeleteApplication", "sso:DescribeGroup", "sso:SearchGroups", "sso:GetProfile", "sso:CreateApplicationAssignment", "sso:DeleteApplicationAssignment", "sso:ListInstances", "sso:DescribeRegisteredRegions", "organizations:DescribeOrganization", "user-subscriptions:CreateClaim", "user-subscriptions:UpdateClaim" ], "Resource": [ "*" ] } ] }
IAMAmazon 基于身份的政策 QuickSight:带IAM身份中心的企业版的所有访问权限
以下 Amazon E QuickSight nterprise 版示例显示了一项策略,该策略允许在与 Identity Center 集成的 QuickSight 账户中订阅、创建用户和管理 Active Director IAM y。
此政策不授予在中创建 Pro 角色的权限 QuickSight。要创建授予订阅 Pro 角色权限的策略 QuickSight,请参阅IAM亚马逊基于身份的政策 QuickSight:带IAM身份中心的企业版的所有访问权限(专业版角色)。
此示例明确拒绝亚马逊 QuickSight取消订阅的权限。
{ "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": [ "quicksight:*", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:DeleteRole", "iam:CreateRole", "iam:GetRole", "iam:ListRoles", "iam:CreatePolicy", "iam:ListEntitiesForPolicy", "iam:listPolicies", "s3:ListAllMyBuckets", "athena:ListDataCatalogs", "athena:GetDataCatalog", "sso:DescribeApplication", "sso:DescribeInstance", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:DeleteApplication", "sso:DescribeGroup", "sso:SearchGroups", "sso:GetProfile", "sso:CreateApplicationAssignment", "sso:DeleteApplicationAssignment", "sso:ListInstances", "sso:DescribeRegisteredRegions", "organizations:DescribeOrganization" ], "Resource": [ "*" ] } ] }
IAM亚马逊基于身份的政策 QuickSight:带活动目录的企业版的所有访问权限
以下 Amazon E QuickSight nterprise 版示例显示了一项策略,该策略允许在使用 Active Directory 进行身份管理的 QuickSight 账户中订阅、创建用户和管理 Active Directory。此示例明确拒绝亚马逊 QuickSight取消订阅的权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ds:AuthorizeApplication", "ds:UnauthorizeApplication", "ds:CheckAlias", "ds:CreateAlias", "ds:DescribeDirectories", "ds:DescribeTrusts", "ds:DeleteDirectory", "ds:CreateIdentityPoolDirectory", "iam:ListAccountAliases", "quicksight:CreateAdmin", "quicksight:Subscribe", "quicksight:GetGroupMapping", "quicksight:SearchDirectoryGroups", "quicksight:SetGroupMapping" ], "Resource": "*" }, { "Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*" } ] }
IAM亚马逊基于身份的政策 QuickSight:活动目录组
以下示例显示了允许对亚马逊 QuickSight 企业版账户进行 Active Directory 群组管理的IAM策略。
{ "Statement": [ { "Action": [ "ds:DescribeTrusts", "quicksight:GetGroupMapping", "quicksight:SearchDirectoryGroups", "quicksight:SetGroupMapping" ], "Effect": "Allow", "Resource": "*" } ], "Version": "2012-10-17" }
IAMAmazon 基于身份的政策 QuickSight:使用管理员资产管理控制台
以下示例显示了允许访问管理员资产管理控制台的IAM策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "quicksight:SearchGroups", "quicksight:SearchUsers", "quicksight:ListNamespaces", "quicksight:DescribeAnalysisPermissions", "quicksight:DescribeDashboardPermissions", "quicksight:DescribeDataSetPermissions", "quicksight:DescribeDataSourcePermissions", "quicksight:DescribeFolderPermissions", "quicksight:ListAnalyses", "quicksight:ListDashboards", "quicksight:ListDataSets", "quicksight:ListDataSources", "quicksight:ListFolders", "quicksight:SearchAnalyses", "quicksight:SearchDashboards", "quicksight:SearchFolders", "quicksight:SearchDatasets", "quicksight:SearchDatasources", "quicksight:UpdateAnalysisPermissions", "quicksight:UpdateDashboardPermissions", "quicksight:UpdateDataSetPermissions", "quicksight:UpdateDataSourcePermissions", "quicksight:UpdateFolderPermissions" ], "Resource": "*" } ] }
IAMAmazon 基于身份的政策 QuickSight:使用管理员密钥管理控制台
以下示例显示了允许访问管理员密钥管理控制台的IAM策略。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "quicksight:DescribeKeyRegistration", "quicksight:UpdateKeyRegistration", "quicksight:ListKMSKeysForUser", "kms:CreateGrant", "kms:ListGrants", "kms:ListAliases" ], "Resource":"*" } ] }
需要"quicksight:ListKMSKeysForUser"和"kms:ListAliases"权限才能从 QuickSight 控制台访问客户托管的密钥。 "quicksight:ListKMSKeysForUser""kms:ListAliases"并且不需要使用 QuickSight 密钥管理APIs。
要指定您希望用户能够访问哪些密钥,请使用UpdateKeyRegistration条件键将您希望用户访问的密钥添加到quicksight:KmsKeyArns条件中。ARNs用户只能访问中指定的密钥UpdateKeyRegistration。有关支持的条件键的更多信息 QuickSight,请参阅 Amazon 的条件键 QuickSight。
以下示例为所有CMKs注册到账户的Describe用户授予权限,为注册到UpdateCMKs该 QuickSight 账户的特定用户授予权限。 QuickSight
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "quicksight:DescribeKeyRegistration" ], "Resource":"arn:aws:quicksight:us-west-2:123456789012:*" }, { "Effect":"Allow", "Action":[ "quicksight:UpdateKeyRegistration" ], "Resource":"arn:aws:quicksight:us-west-2:123456789012:*", "Condition":{ "ForAllValues:StringEquals":{ "quicksight:KmsKeyArns":[ "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1", "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2", "..." ] } } }, { "Effect":"Allow", "Action":[ "kms:CreateGrant", "kms:ListGrants" ], "Resource":"arn:aws:kms:us-west-2:123456789012:key/*" } ] }
AWS 资源 Amazon QuickSight:企业版中的范围界定政策
以下 Amazon E QuickSight nterprise 版示例显示了一个策略,该策略允许设置 AWS 资源默认访问权限和 AWS 资源权限范围策略。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "quicksight:*IAMPolicyAssignment*", "quicksight:AccountConfigurations" ], "Effect": "Allow", "Resource": "*" } ] }
