本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# AWS SAM策略模板
AWS Serverless Application Model (AWS SAM) 允许您从策略模板列表中进行选择,将 Lambda 函数和 AWS Step Functions 状态机的权限范围限定为应用程序使用的资源。
AWS SAM 中使用策略模板 AWS Serverless Application Repository 的应用程序不需要任何特殊的客户确认即可从中部署应用程序。 AWS Serverless Application Repository
如果要请求添加新的策略模板,请执行以下操作:
1. 针对项目分支中的 policy\$1templates.json 源文件提交拉取请求。`develop` AWS SAM GitHub 你可以在网站上的 p [olicy\$1templates.](https://github.com/aws/serverless-application-model/blob/develop/samtranslator/policy_templates_data/policy_templates.json) json 中找到源文件。 GitHub
1. 在 AWS SAM GitHub 项目中提交一个问题,其中包含您的拉取请求的原因和请求链接。使用此链接提交新问题:[AWS Serverless Application Model:问题](https://github.com/aws/serverless-application-model/issues/new)。
## 语法
对于您在模板文件中指定的每个策略 AWS SAM 模板,必须始终指定一个包含策略模板占位符值的对象。如果策略模板不需要任何占位符值,则必须指定一个空对象。
### YAML
```
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- PolicyTemplateName1: # Policy template with placeholder value
Key1: Value1
- PolicyTemplateName2: {} # Policy template with no placeholder value
```
**注意**
若您已设置常规 IAM 策略或通过 Lambda 管理策略,则无需使用空对象即可设置策略模板。
## 示例
### 示例 1:具有占位符值的策略模板
以下示例显示 [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) 策略模板期待 `QueueName` 作为资源。 AWS SAM 模板检索 “`MyQueue`” Amazon SQS 队列的名称,您可以在同一个应用程序中创建该队列,也可以将其作为应用程序的参数进行请求。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - SQSPollerPolicy:
9. QueueName:
10. !GetAtt MyQueue.QueueName
```
### 示例 2:不具有占位符值的策略模板
以下示例包含 [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) 策略模板,该模板没有占位符值。
**注意**
即使没有占位符值,也必须指定一个空对象,否则会导致错误。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - CloudWatchPutMetricPolicy: {}
```
### 示例 3:包含占位符值和常规 IAM 策略的策略模板
以下示例包含 Amazon A SQSFull cess 策略和[DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy)策略模板。Amazon A SQSFull ccess AWS SAM 策略是一项 IAM 策略而不是策略,因此您不必指定空对象,因为该策略将直接传递给 CloudFormation。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - AmazonSQSFullAccess // IAM policy could be set without passing an empty object
9. - DynamoDBCrudPolicy: // SAM specific policy, has a defined structure
10. TableName:
11. !Ref SampleTable
```
## 策略模板表
下表列出了可用的策略模板。
****
| 策略模板 | 说明 |
| --- | --- |
| [AcmGetCertificatePolicy](serverless-policy-template-list.md#acm-get-certificate-policy) | 授予读取证书的权限 AWS Certificate Manager。 |
| [AMIDescribePolicy](serverless-policy-template-list.md#ami-describe-policy) | 授予描述 Amazon 机器映像的权限 (AMIs)。 |
| [AthenaQueryPolicy](serverless-policy-template-list.md#athena-query-policy) | 授予执行 Athena 查询的权限。 |
| [AWSSecretsManagerGetSecretValuePolicy](serverless-policy-template-list.md#secrets-manager-get-secret-value-policy) | 授予获取指定 AWS Secrets Manager 密钥的密钥值的权限。 |
| [AWSSecretsManagerRotationPolicy](serverless-policy-template-list.md#secrets-manager-rotation-policy) | 授予在 AWS Secrets Manager中轮换密钥的权限。 |
| [CloudFormationDescribeStacksPolicy](serverless-policy-template-list.md#cloud-formation-describe-stacks-policy) | 授予描述 CloudFormation 堆栈的权限。 |
| [CloudWatchDashboardPolicy](serverless-policy-template-list.md#cloudwatch-dashboard-policy) | 授予在 CloudWatch 仪表板上放置要操作的指标的权限。 |
| [CloudWatchDescribeAlarmHistoryPolicy](serverless-policy-template-list.md#cloudwatch-describe-alarm-history-policy) | 授予描述 CloudWatch 警报历史记录的权限。 |
| [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) | 授予向发送指标的权限 CloudWatch。 |
| [CodeCommitCrudPolicy](serverless-policy-template-list.md#codecommit-crud-policy) | 为特定 CodeCommit存储库中的create/read/update/delete对象授予权限。 |
| [CodeCommitReadPolicy](serverless-policy-template-list.md#codecommit-read-policy) | 授予读取特定 CodeCommit 存储库中对象的权限。 |
| [CodePipelineLambdaExecutionPolicy](serverless-policy-template-list.md#code-pipeline-lambda-execution-policy) | 允许调用的 Lambda 函数报告任务状态。 CodePipeline |
| [CodePipelineReadOnlyPolicy](serverless-policy-template-list.md#code-pipeline-readonly-policy) | 授予读取权限以获取有关 CodePipeline 管道的详细信息。 |
| [ComprehendBasicAccessPolicy](serverless-policy-template-list.md#comprehend-basic-access-policy) | 授予检测实体、关键短语、语言和情绪的权限。 |
| [CostExplorerReadOnlyPolicy](serverless-policy-template-list.md#cost-explorer-readonly-policy) | 向只读的 Cost Explorer 授予账单历史记录 APIs 的只读权限。 |
| [DynamoDBBackupFullAccessPolicy](serverless-policy-template-list.md#ddb-back-full-policy) | 授予对表进行 DynamoDB 按需备份的读和写权限。 |
| [DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy) | 授予对 Amazon DynamoDB 表的创建、读取、更新和删除权限。 |
| [DynamoDBReadPolicy](serverless-policy-template-list.md#dynamo-db-read-policy) | 授予对 DynamoDB 表的只读权限。 |
| [DynamoDBReconfigurePolicy](serverless-policy-template-list.md#dynamo-db-reconfigure-policy) | 授予重新配置 DynamoDB 表的权限。 |
| [DynamoDBRestoreFromBackupPolicy](serverless-policy-template-list.md#ddb-restore-from-backup-policy) | 授予从备份还原 DynamoDB 表的权限。 |
| [DynamoDBStreamReadPolicy](serverless-policy-template-list.md#dynamo-db-stream-read-policy) | 授予描述和读取 DynamoDB 流和记录的权限。 |
| [DynamoDBWritePolicy](serverless-policy-template-list.md#dynamo-db-write-policy) | 授予对 DynamoDB 表的只写权限。 |
| [EC2CopyImagePolicy](serverless-policy-template-list.md#ec2-copy-image-policy) | 授予复制 Amazon EC2 映像的权限。 |
| [EC2DescribePolicy](serverless-policy-template-list.md#ec2-describe-policy) | 授予描述 Amazon Elastic Compute Cloud (Amazon EC2) 实例的权限。 |
| [EcsRunTaskPolicy](serverless-policy-template-list.md#ecs-run-task-policy) | 授予根据任务定义启动新任务的权限。 |
| [EFSWriteAccessPolicy](serverless-policy-template-list.md#efs-write-access-policy) | 授予挂载具有写入访问权限的 Amazon EFS 文件系统的权限。 |
| [EKSDescribePolicy](serverless-policy-template-list.md#eks-describe-policy) | 授予描述或列出 Amazon EKS 集群的权限。 |
| [ElasticMapReduceAddJobFlowStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-add-job-flows-policy) | 授予将新步骤添加到运行的集群中的权限。 |
| [ElasticMapReduceCancelStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-cancel-steps-policy) | 授予取消正在运行中的集群中的一个或多个待处理步骤的权限。 |
| [ElasticMapReduceModifyInstanceFleetPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-fleet-policy) | 授予列出集群内实例集的详细信息和修改这些实例集的容量的权限。 |
| [ElasticMapReduceModifyInstanceGroupsPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-groups-policy) | 授予列出集群内实例组的详细信息和修改这些实例组的设置的权限。 |
| [ElasticMapReduceSetTerminationProtectionPolicy](serverless-policy-template-list.md#elastic-map-reduce-set-termination-protection-policy) | 授予为集群设置终止保护的权限。 |
| [ElasticMapReduceTerminateJobFlowsPolicy](serverless-policy-template-list.md#elastic-map-reduce-terminate-job-flows-policy) | 授予关闭集群的权限。 |
| [ElasticsearchHttpPostPolicy](serverless-policy-template-list.md#elastic-search-http-post-policy) | 向 Amazon OpenSearch 服务授予 POST 权限。 |
| [EventBridgePutEventsPolicy](serverless-policy-template-list.md#eventbridge-put-events-policy) | 授予向发送事件的权限 EventBridge。 |
| [FilterLogEventsPolicy](serverless-policy-template-list.md#filter-log-events-policy) | 授予筛选指定 CloudWatch 日志组中的日志事件的权限。 |
| [FirehoseCrudPolicy](serverless-policy-template-list.md#firehose-crud-policy) | 授予创建、写入、更新和删除 Firehose 传输流的权限。 |
| [FirehoseWritePolicy](serverless-policy-template-list.md#firehose-write-policy) | 授予写入 Firehose 传输流的权限。 |
| [KinesisCrudPolicy](serverless-policy-template-list.md#kinesis-crud-policy) | 授予创建、发布和删除 Amazon Kinesis 流的权限。 |
| [KinesisStreamReadPolicy](serverless-policy-template-list.md#kinesis-stream-read-policy) | 授予列出和读取 Amazon Kinesis 流的权限。 |
| [KMSDecryptPolicy](serverless-policy-template-list.md#kms-decrypt-policy) | 授予使用 AWS Key Management Service (AWS KMS) 密钥解密的权限。 |
| [KMSEncryptPolicy](serverless-policy-template-list.md#kms-encrypt-policy) | 允许使用 AWS Key Management Service (AWS KMS) 密钥进行加密。 |
| [LambdaInvokePolicy](serverless-policy-template-list.md#lambda-invoke-policy) | 授予调用 AWS Lambda 函数、别名或版本的权限。 |
| [MobileAnalyticsWriteOnlyAccessPolicy](serverless-policy-template-list.md#mobile-analytics-write-only-access-policy) | 授予对所有应用程序资源放置事件数据的只写权限。 |
| [OrganizationsListAccountsPolicy](serverless-policy-template-list.md#organizations-list-accounts-policy) | 授予列出子女账户名称的只读权限,以及 IDs. |
| [PinpointEndpointAccessPolicy](serverless-policy-template-list.md#pinpoint-endpoint-access-policy) | 授予为 Amazon Pinpoint 应用程序获取并更新端点的权限。 |
| [PollyFullAccessPolicy](serverless-policy-template-list.md#polly-full-access-policy) | 授予对 Amazon Polly 词典资源的完全访问权限。 |
| [RekognitionDetectOnlyPolicy](serverless-policy-template-list.md#rekognition-detect-only-policy) | 授予检测人脸、标签和文本的权限。 |
| [RekognitionFacesManagementPolicy](serverless-policy-template-list.md#rekognition-face-management-policy) | 授予在 Amazon Rekognition 集合中添加、删除和搜索人脸的权限。 |
| [RekognitionFacesPolicy](serverless-policy-template-list.md#rekognition-faces-policy) | 授予比较并检测面部和标签的权限。 |
| [RekognitionLabelsPolicy](serverless-policy-template-list.md#rekognition-labels-policy) | 授予检测对象和审核标签的权限。 |
| [RekognitionNoDataAccessPolicy](serverless-policy-template-list.md#rekognition-no-data-access-policy) | 授予比较并检测面部和标签的权限。 |
| [RekognitionReadPolicy](serverless-policy-template-list.md#rekognition-read-policy) | 授予列出和搜索人脸的权限。 |
| [RekognitionWriteOnlyAccessPolicy](serverless-policy-template-list.md#rekognition-write-only-access-policy) | 授予创建集合和为人脸编制索引的权限。 |
| [Route53ChangeResourceRecordSetsPolicy](serverless-policy-template-list.md#route53-change-resource-record-sets-policy) | 授予更改 Route 53 中的资源记录集的权限。 |
| [S3CrudPolicy](serverless-policy-template-list.md#s3-crud-policy) | 授予创建、读取、更新和删除权限,以便对 Amazon S3 存储桶中的对象执行操作。 |
| [S3FullAccessPolicy](serverless-policy-template-list.md#s3-full-access-policy) | 授予完全访问权限,以便对 Amazon S3 存储桶中的对象执行操作。 |
| [S3ReadPolicy](serverless-policy-template-list.md#s3-read-policy) | 授予读取 Amazon Simple Storage Service (Amazon S3) 存储桶中的对象的只读权限。 |
| [S3WritePolicy](serverless-policy-template-list.md#s3-write-policy) | 授予将对象写入到 Amazon S3 存储桶的写入权限。 |
| [SageMakerCreateEndpointConfigPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-config-policy) | 授予在 SageMaker AI 中创建终端节点配置的权限。 |
| [SageMakerCreateEndpointPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-policy) | 授予在 SageMaker AI 中创建终端节点的权限。 |
| [ServerlessRepoReadWriteAccessPolicy](serverless-policy-template-list.md#serverlessrepo-read-write-access-policy) | 授予在 AWS Serverless Application Repository 服务中创建和列出应用程序的权限。 |
| [SESBulkTemplatedCrudPolicy](serverless-policy-template-list.md#ses-bulk-templated-crud-policy) | 授予发送电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。 |
| [SESBulkTemplatedCrudPolicy\$1v2](serverless-policy-template-list.md#ses-bulk-templated-crud-policy-v2) | 授予发送 Amazon SES 电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。 |
| [SESCrudPolicy](serverless-policy-template-list.md#ses-crud-policy) | 授予发送电子邮件和验证身份的权限。 |
| [SESEmailTemplateCrudPolicy](serverless-policy-template-list.md#ses-email-template-crud-policy) | 授予创建、获取、列出、更新和删除 Amazon SES 电子邮件模板的权限。 |
| [SESSendBouncePolicy](serverless-policy-template-list.md#ses-send-bounce-policy) | SendBounce 授予亚马逊简单电子邮件服务 (Amazon SES) Service 身份的权限。 |
| [SNSCrudPolicy](serverless-policy-template-list.md#sns-crud-policy) | 授予创建、发布和订阅 Amazon SNS 主题的权限。 |
| [SNSPublishMessagePolicy](serverless-policy-template-list.md#sqs-publish-message-policy) | 授予将消息发布到 Amazon Simple Notification Service (Amazon SNS)主题的权限。 |
| [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) | 授予轮询 Amazon Simple Queue Service (Amazon SQS) 队列的权限。 |
| [SQSSendMessagePolicy](serverless-policy-template-list.md#sqs-send-message-policy) | 授予向 Amazon SQS 队列发送消息的权限。 |
| [SSMParameterReadPolicy](serverless-policy-template-list.md#ssm-parameter-read-policy) | 授予访问来自 Amazon EC2 Systems Manager (SSM) Parameter Store 的参数的权限,以便在此账户中加载密钥。在参数名称不包含斜杠前缀时使用。 |
| [SSMParameterWithSlashPrefixReadPolicy](serverless-policy-template-list.md#ssm-parameter-slash-read-policy) | 授予访问来自 Amazon EC2 Systems Manager (SSM) Parameter Store 的参数的权限,以便在此账户中加载密钥。在参数名称包含斜杠前缀时使用。 |
| [StepFunctionsExecutionPolicy](serverless-policy-template-list.md#stepfunctions-execution-policy) | 授予开始执行 Step Functions 状态机的权限。 |
| [TextractDetectAnalyzePolicy](serverless-policy-template-list.md#textract-detect-analyze-policy) | 授予使用 Amazon Textract 检测和分析文档的权限。 |
| [TextractGetResultPolicy](serverless-policy-template-list.md#textract-get-result-policy) | 授予从 Amazon Textract 中获取检测到和分析过的文档的权限。 |
| [TextractPolicy](serverless-policy-template-list.md#textract-policy) | 授予对 Amazon Textract 的完全访问权限。 |
| [VPCAccessPolicy](serverless-policy-template-list.md#vpc-access-policy) | 授予访问权限以创建、删除、描述和分离弹性网络接口。 |
## 问题排查
### SAM CLI 错误:“必须为策略模板'< policy-template-name >'指定有效的参数值”
执行 `sam build` 时,您会看到以下错误:
```
"Must specify valid parameter values for policy template ''"
```
这意味着您在声明没有任何占位符值的策略模板时没有传递空对象。
要解决此问题,请如以下示例所示声明策略:[CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy)。
```
1. MyFunction:
2. Policies:
3. - CloudWatchPutMetricPolicy: {}
```
# AWS SAM 策略模板列表
以下是可用的策略模板以及应用于每个模板的权限。 AWS Serverless Application Model (AWS SAM) 会自动使用相应信息填充占位符项目(例如 AWS 区域和账户 ID)。
**Topics**
+ [AcmGetCertificatePolicy](#acm-get-certificate-policy)
+ [AMIDescribePolicy](#ami-describe-policy)
+ [AthenaQueryPolicy](#athena-query-policy)
+ [AWSSecretsManagerGetSecretValuePolicy](#secrets-manager-get-secret-value-policy)
+ [AWSSecretsManagerRotationPolicy](#secrets-manager-rotation-policy)
+ [CloudFormationDescribeStacksPolicy](#cloud-formation-describe-stacks-policy)
+ [CloudWatchDashboardPolicy](#cloudwatch-dashboard-policy)
+ [CloudWatchDescribeAlarmHistoryPolicy](#cloudwatch-describe-alarm-history-policy)
+ [CloudWatchPutMetricPolicy](#cloudwatch-put-metric-policy)
+ [CodePipelineLambdaExecutionPolicy](#code-pipeline-lambda-execution-policy)
+ [CodePipelineReadOnlyPolicy](#code-pipeline-readonly-policy)
+ [CodeCommitCrudPolicy](#codecommit-crud-policy)
+ [CodeCommitReadPolicy](#codecommit-read-policy)
+ [ComprehendBasicAccessPolicy](#comprehend-basic-access-policy)
+ [CostExplorerReadOnlyPolicy](#cost-explorer-readonly-policy)
+ [DynamoDBBackupFullAccessPolicy](#ddb-back-full-policy)
+ [DynamoDBCrudPolicy](#dynamo-db-crud-policy)
+ [DynamoDBReadPolicy](#dynamo-db-read-policy)
+ [DynamoDBReconfigurePolicy](#dynamo-db-reconfigure-policy)
+ [DynamoDBRestoreFromBackupPolicy](#ddb-restore-from-backup-policy)
+ [DynamoDBStreamReadPolicy](#dynamo-db-stream-read-policy)
+ [DynamoDBWritePolicy](#dynamo-db-write-policy)
+ [EC2CopyImagePolicy](#ec2-copy-image-policy)
+ [EC2DescribePolicy](#ec2-describe-policy)
+ [EcsRunTaskPolicy](#ecs-run-task-policy)
+ [EFSWriteAccessPolicy](#efs-write-access-policy)
+ [EKSDescribePolicy](#eks-describe-policy)
+ [ElasticMapReduceAddJobFlowStepsPolicy](#elastic-map-reduce-add-job-flows-policy)
+ [ElasticMapReduceCancelStepsPolicy](#elastic-map-reduce-cancel-steps-policy)
+ [ElasticMapReduceModifyInstanceFleetPolicy](#elastic-map-reduce-modify-instance-fleet-policy)
+ [ElasticMapReduceModifyInstanceGroupsPolicy](#elastic-map-reduce-modify-instance-groups-policy)
+ [ElasticMapReduceSetTerminationProtectionPolicy](#elastic-map-reduce-set-termination-protection-policy)
+ [ElasticMapReduceTerminateJobFlowsPolicy](#elastic-map-reduce-terminate-job-flows-policy)
+ [ElasticsearchHttpPostPolicy](#elastic-search-http-post-policy)
+ [EventBridgePutEventsPolicy](#eventbridge-put-events-policy)
+ [FilterLogEventsPolicy](#filter-log-events-policy)
+ [FirehoseCrudPolicy](#firehose-crud-policy)
+ [FirehoseWritePolicy](#firehose-write-policy)
+ [KinesisCrudPolicy](#kinesis-crud-policy)
+ [KinesisStreamReadPolicy](#kinesis-stream-read-policy)
+ [KMSDecryptPolicy](#kms-decrypt-policy)
+ [KMSEncryptPolicy](#kms-encrypt-policy)
+ [LambdaInvokePolicy](#lambda-invoke-policy)
+ [MobileAnalyticsWriteOnlyAccessPolicy](#mobile-analytics-write-only-access-policy)
+ [OrganizationsListAccountsPolicy](#organizations-list-accounts-policy)
+ [PinpointEndpointAccessPolicy](#pinpoint-endpoint-access-policy)
+ [PollyFullAccessPolicy](#polly-full-access-policy)
+ [RekognitionDetectOnlyPolicy](#rekognition-detect-only-policy)
+ [RekognitionFacesManagementPolicy](#rekognition-face-management-policy)
+ [RekognitionFacesPolicy](#rekognition-faces-policy)
+ [RekognitionLabelsPolicy](#rekognition-labels-policy)
+ [RekognitionNoDataAccessPolicy](#rekognition-no-data-access-policy)
+ [RekognitionReadPolicy](#rekognition-read-policy)
+ [RekognitionWriteOnlyAccessPolicy](#rekognition-write-only-access-policy)
+ [Route53ChangeResourceRecordSetsPolicy](#route53-change-resource-record-sets-policy)
+ [S3CrudPolicy](#s3-crud-policy)
+ [S3FullAccessPolicy](#s3-full-access-policy)
+ [S3ReadPolicy](#s3-read-policy)
+ [S3WritePolicy](#s3-write-policy)
+ [SageMakerCreateEndpointConfigPolicy](#sagemaker-create-endpoint-config-policy)
+ [SageMakerCreateEndpointPolicy](#sagemaker-create-endpoint-policy)
+ [ServerlessRepoReadWriteAccessPolicy](#serverlessrepo-read-write-access-policy)
+ [SESBulkTemplatedCrudPolicy](#ses-bulk-templated-crud-policy)
+ [SESBulkTemplatedCrudPolicy\$1v2](#ses-bulk-templated-crud-policy-v2)
+ [SESCrudPolicy](#ses-crud-policy)
+ [SESEmailTemplateCrudPolicy](#ses-email-template-crud-policy)
+ [SESSendBouncePolicy](#ses-send-bounce-policy)
+ [SNSCrudPolicy](#sns-crud-policy)
+ [SNSPublishMessagePolicy](#sqs-publish-message-policy)
+ [SQSPollerPolicy](#sqs-poller-policy)
+ [SQSSendMessagePolicy](#sqs-send-message-policy)
+ [SSMParameterReadPolicy](#ssm-parameter-read-policy)
+ [SSMParameterWithSlashPrefixReadPolicy](#ssm-parameter-slash-read-policy)
+ [StepFunctionsExecutionPolicy](#stepfunctions-execution-policy)
+ [TextractDetectAnalyzePolicy](#textract-detect-analyze-policy)
+ [TextractGetResultPolicy](#textract-get-result-policy)
+ [TextractPolicy](#textract-policy)
+ [VPCAccessPolicy](#vpc-access-policy)
## AcmGetCertificatePolicy
授予读取证书的权限 AWS Certificate Manager。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:GetCertificate"
],
"Resource": {
"Fn::Sub": [
"${certificateArn}",
{
"certificateArn": {
"Ref": "CertificateArn"
}
}
]
}
}
]
```
## AMIDescribePolicy
授予描述 Amazon 机器映像的权限 (AMIs)。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages"
],
"Resource": "*"
}
]
```
## AthenaQueryPolicy
授予执行 Athena 查询的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"athena:ListWorkGroups",
"athena:GetExecutionEngine",
"athena:GetExecutionEngines",
"athena:GetNamespace",
"athena:GetCatalogs",
"athena:GetNamespaces",
"athena:GetTables",
"athena:GetTable"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:DeleteNamedQuery",
"athena:GetNamedQuery",
"athena:ListQueryExecutions",
"athena:StopQueryExecution",
"athena:GetQueryResultsStream",
"athena:ListNamedQueries",
"athena:CreateNamedQuery",
"athena:GetQueryExecution",
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution",
"athena:GetWorkGroup"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
{
"workgroupName": {
"Ref": "WorkGroupName"
}
}
]
}
}
]
```
## AWSSecretsManagerGetSecretValuePolicy
授予获取指定 AWS Secrets Manager 密钥的密钥值的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": {
"Fn::Sub": [
"${secretArn}",
{
"secretArn": {
"Ref": "SecretArn"
}
}
]
}
}
]
```
## AWSSecretsManagerRotationPolicy
授予在 AWS Secrets Manager中轮换密钥的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
},
"Condition": {
"StringEquals": {
"secretsmanager:resource/AllowRotationLambdaArn": {
"Fn::Sub": [
"arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
{
"functionName": {
"Ref": "FunctionName"
}
}
]
}
}
}
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword"
],
"Resource": "*"
}
]
```
## CloudFormationDescribeStacksPolicy
授予描述 CloudFormation 堆栈的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
}
}
]
```
## CloudWatchDashboardPolicy
授予在 CloudWatch 仪表板上放置要操作的指标的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:PutDashboard",
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
```
## CloudWatchDescribeAlarmHistoryPolicy
授予描述亚马逊 CloudWatch 警报历史记录的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarmHistory"
],
"Resource": "*"
}
]
```
## CloudWatchPutMetricPolicy
授予向发送指标的权限 CloudWatch。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
}
]
```
## CodePipelineLambdaExecutionPolicy
允许调用的 Lambda 函数报告任务状态。 AWS CodePipeline
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:PutJobSuccessResult",
"codepipeline:PutJobFailureResult"
],
"Resource": "*"
}
]
```
## CodePipelineReadOnlyPolicy
授予读取权限以获取有关 CodePipeline 管道的详细信息。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:ListPipelineExecutions"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}",
{
"pipelinename": {
"Ref": "PipelineName"
}
}
]
}
}
]
```
## CodeCommitCrudPolicy
授予在特定 CodeCommit存储库中创建、读取、更新和删除对象的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GitPush",
"codecommit:CreateBranch",
"codecommit:DeleteBranch",
"codecommit:GetBranch",
"codecommit:ListBranches",
"codecommit:MergeBranchesByFastForward",
"codecommit:MergeBranchesBySquash",
"codecommit:MergeBranchesByThreeWay",
"codecommit:UpdateDefaultBranch",
"codecommit:BatchDescribeMergeConflicts",
"codecommit:CreateUnreferencedMergeCommit",
"codecommit:DescribeMergeConflicts",
"codecommit:GetMergeCommit",
"codecommit:GetMergeOptions",
"codecommit:BatchGetPullRequests",
"codecommit:CreatePullRequest",
"codecommit:DescribePullRequestEvents",
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommitsFromMergeBase",
"codecommit:GetMergeConflicts",
"codecommit:GetPullRequest",
"codecommit:ListPullRequests",
"codecommit:MergePullRequestByFastForward",
"codecommit:MergePullRequestBySquash",
"codecommit:MergePullRequestByThreeWay",
"codecommit:PostCommentForPullRequest",
"codecommit:UpdatePullRequestDescription",
"codecommit:UpdatePullRequestStatus",
"codecommit:UpdatePullRequestTitle",
"codecommit:DeleteFile",
"codecommit:GetBlob",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:PutFile",
"codecommit:DeleteCommentContent",
"codecommit:GetComment",
"codecommit:GetCommentsForComparedCommit",
"codecommit:PostCommentForComparedCommit",
"codecommit:PostCommentReply",
"codecommit:UpdateComment",
"codecommit:BatchGetCommits",
"codecommit:CreateCommit",
"codecommit:GetCommit",
"codecommit:GetCommitHistory",
"codecommit:GetDifferences",
"codecommit:GetObjectIdentifier",
"codecommit:GetReferences",
"codecommit:GetTree",
"codecommit:GetRepository",
"codecommit:UpdateRepositoryDescription",
"codecommit:ListTagsForResource",
"codecommit:TagResource",
"codecommit:UntagResource",
"codecommit:GetRepositoryTriggers",
"codecommit:PutRepositoryTriggers",
"codecommit:TestRepositoryTriggers",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:UploadArchive",
"codecommit:GetUploadArchiveStatus",
"codecommit:CancelUploadArchive"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
{
"repositoryName": {
"Ref": "RepositoryName"
}
}
]
}
}
]
```
## CodeCommitReadPolicy
授予读取特定 CodeCommit 存储库中对象的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GetBranch",
"codecommit:ListBranches",
"codecommit:BatchDescribeMergeConflicts",
"codecommit:DescribeMergeConflicts",
"codecommit:GetMergeCommit",
"codecommit:GetMergeOptions",
"codecommit:BatchGetPullRequests",
"codecommit:DescribePullRequestEvents",
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommitsFromMergeBase",
"codecommit:GetMergeConflicts",
"codecommit:GetPullRequest",
"codecommit:ListPullRequests",
"codecommit:GetBlob",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:GetComment",
"codecommit:GetCommentsForComparedCommit",
"codecommit:BatchGetCommits",
"codecommit:GetCommit",
"codecommit:GetCommitHistory",
"codecommit:GetDifferences",
"codecommit:GetObjectIdentifier",
"codecommit:GetReferences",
"codecommit:GetTree",
"codecommit:GetRepository",
"codecommit:ListTagsForResource",
"codecommit:GetRepositoryTriggers",
"codecommit:TestRepositoryTriggers",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
{
"repositoryName": {
"Ref": "RepositoryName"
}
}
]
}
}
]
```
## ComprehendBasicAccessPolicy
授予检测实体、关键短语、语言和情绪的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"comprehend:BatchDetectKeyPhrases",
"comprehend:DetectDominantLanguage",
"comprehend:DetectEntities",
"comprehend:BatchDetectEntities",
"comprehend:DetectKeyPhrases",
"comprehend:DetectSentiment",
"comprehend:BatchDetectDominantLanguage",
"comprehend:BatchDetectSentiment"
],
"Resource": "*"
}
]
```
## CostExplorerReadOnlyPolicy
向只读 AWS Cost Explorer (Cost Explorer)授予账单历史记录 APIs 的只读权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetTags"
],
"Resource": "*"
}
]
```
## DynamoDBBackupFullAccessPolicy
授予对表进行 DynamoDB 按需备份的读和写权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:CreateBackup",
"dynamodb:DescribeContinuousBackups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteBackup",
"dynamodb:DescribeBackup",
"dynamodb:ListBackups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBCrudPolicy
授予对 Amazon DynamoDB 表的创建、读取、更新和删除权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ConditionCheckItem"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## DynamoDBReadPolicy
授予对 DynamoDB 表的只读权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## DynamoDBReconfigurePolicy
授予重新配置 DynamoDB 表的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateTable"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBRestoreFromBackupPolicy
授予从备份还原 DynamoDB 表的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:RestoreTableFromBackup"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBStreamReadPolicy
授予描述和读取 DynamoDB 流和记录的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}",
{
"tableName": {
"Ref": "TableName"
},
"streamName": {
"Ref": "StreamName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:ListStreams"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBWritePolicy
授予对 DynamoDB 表的只写权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## EC2CopyImagePolicy
允许复制 Amazon EC2 图片。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CopyImage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
{
"imageId": {
"Ref": "ImageId"
}
}
]
}
}
]
```
## EC2DescribePolicy
允许描述亚马逊弹性计算云 (Amazon EC2) 实例。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeInstances"
],
"Resource": "*"
}
]
```
## EcsRunTaskPolicy
授予根据任务定义启动新任务的权限。
```
"Statement": [
{
"Action": [
"ecs:RunTask"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}",
{
"taskDefinition": {
"Ref": "TaskDefinition"
}
}
]
},
"Effect": "Allow"
}
]
```
## EFSWriteAccessPolicy
授予挂载具有写入访问权限的 Amazon EFS 文件系统的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientWrite"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}",
{
"FileSystem": {
"Ref": "FileSystem"
}
}
]
},
"Condition": {
"StringEquals": {
"elasticfilesystem:AccessPointArn": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}",
{
"AccessPoint": {
"Ref": "AccessPoint"
}
}
]
}
}
}
}
]
```
## EKSDescribePolicy
授予描述或列出 Amazon Elastic Kubernetes Service (Amazon EKS) 集群的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
```
## ElasticMapReduceAddJobFlowStepsPolicy
授予将新步骤添加到运行的集群中的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:AddJobFlowSteps",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceCancelStepsPolicy
授予取消正在运行中的集群中的一个或多个待处理步骤的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:CancelSteps",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceModifyInstanceFleetPolicy
授予列出集群内实例集的详细信息和修改这些实例集的容量的权限。
```
"Statement": [
{
"Action": [
"elasticmapreduce:ModifyInstanceFleet",
"elasticmapreduce:ListInstanceFleets"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceModifyInstanceGroupsPolicy
授予列出集群内实例组的详细信息和修改这些实例组的设置的权限。
```
"Statement": [
{
"Action": [
"elasticmapreduce:ModifyInstanceGroups",
"elasticmapreduce:ListInstanceGroups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceSetTerminationProtectionPolicy
授予为集群设置终止保护的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:SetTerminationProtection",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceTerminateJobFlowsPolicy
授予关闭集群的权限。
```
"Statement": [
{
"Action": "elasticmapreduce:TerminateJobFlows",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticsearchHttpPostPolicy
向 Amazon OpenSearch 服务授予 POST 和 PUT 权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*",
{
"domainName": {
"Ref": "DomainName"
}
}
]
}
}
]
```
## EventBridgePutEventsPolicy
授予向 Amazon 发送事件的权限 EventBridge。
```
"Statement": [
{
"Effect": "Allow",
"Action": "events:PutEvents",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}",
{
"eventBusName": {
"Ref": "EventBusName"
}
}
]
}
}
]
```
## FilterLogEventsPolicy
授予筛选指定 CloudWatch 日志组中的日志事件的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:FilterLogEvents"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*",
{
"logGroupName": {
"Ref": "LogGroupName"
}
}
]
}
}
]
```
## FirehoseCrudPolicy
授予创建、写入、更新和删除 Firehose 传输流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"firehose:CreateDeliveryStream",
"firehose:DeleteDeliveryStream",
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
"firehose:UpdateDestination"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
{
"deliveryStreamName": {
"Ref": "DeliveryStreamName"
}
}
]
}
}
]
```
## FirehoseWritePolicy
授予写入 Firehose 传输流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
{
"deliveryStreamName": {
"Ref": "DeliveryStreamName"
}
}
]
}
}
]
```
## KinesisCrudPolicy
授予创建、发布和删除 Amazon Kinesis 流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:AddTagsToStream",
"kinesis:CreateStream",
"kinesis:DecreaseStreamRetentionPeriod",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetShardIterator",
"kinesis:IncreaseStreamRetentionPeriod",
"kinesis:ListTagsForStream",
"kinesis:MergeShards",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:SplitShard",
"kinesis:RemoveTagsFromStream"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
{
"streamName": {
"Ref": "StreamName"
}
}
]
}
}
]
```
## KinesisStreamReadPolicy
授予列出和读取 Amazon Kinesis 流的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:DescribeLimits"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
}
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
{
"streamName": {
"Ref": "StreamName"
}
}
]
}
}
]
```
## KMSDecryptPolicy
授予使用 AWS Key Management Service (AWS KMS) 密钥解密的权限。请注意,`keyId`必须是 AWS KMS 密钥 ID,而不是密钥别名。
```
"Statement": [
{
"Action": "kms:Decrypt",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
```
## KMSEncryptPolicy
允许使用密 AWS KMS 钥进行加密。请注意,keyID 必须是 AWS KMS 密钥 ID,而不是密钥别名。
```
"Statement": [
{
"Action": "kms:Encrypt",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
```
## LambdaInvokePolicy
授予调用 AWS Lambda 函数、别名或版本的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
{
"functionName": {
"Ref": "FunctionName"
}
}
]
}
}
]
```
## MobileAnalyticsWriteOnlyAccessPolicy
授予对所有应用程序资源放置事件数据的只写权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents"
],
"Resource": "*"
}
]
```
## OrganizationsListAccountsPolicy
授予列出子女账户名称的只读权限,以及 IDs.
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": "*"
}
]
```
## PinpointEndpointAccessPolicy
授予为 Amazon Pinpoint 应用程序获取并更新端点的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobiletargeting:GetEndpoint",
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:UpdateEndpointsBatch"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
{
"pinpointApplicationId": {
"Ref": "PinpointApplicationId"
}
}
]
}
}
]
```
## PollyFullAccessPolicy
授予对 Amazon Polly 词典资源的完全访问权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"polly:GetLexicon",
"polly:DeleteLexicon"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
{
"lexiconName": {
"Ref": "LexiconName"
}
}
]
}
]
},
{
"Effect": "Allow",
"Action": [
"polly:DescribeVoices",
"polly:ListLexicons",
"polly:PutLexicon",
"polly:SynthesizeSpeech"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
}
]
}
]
```
## RekognitionDetectOnlyPolicy
授予检测人脸、标签和文本的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels",
"rekognition:DetectText"
],
"Resource": "*"
}
]
```
## RekognitionFacesManagementPolicy
授予在 Amazon Rekognition 集合中添加、删除和搜索人脸的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:IndexFaces",
"rekognition:DeleteFaces",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage",
"rekognition:ListFaces"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionFacesPolicy
授予比较并检测面部和标签的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CompareFaces",
"rekognition:DetectFaces"
],
"Resource": "*"
}
]
```
## RekognitionLabelsPolicy
授予检测对象和审核标签的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels"
],
"Resource": "*"
}
]
```
## RekognitionNoDataAccessPolicy
授予比较并检测面部和标签的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CompareFaces",
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionReadPolicy
授予列出和搜索人脸的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:ListCollections",
"rekognition:ListFaces",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionWriteOnlyAccessPolicy
授予创建集合和为人脸编制索引的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CreateCollection",
"rekognition:IndexFaces"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## Route53ChangeResourceRecordSetsPolicy
授予更改 Route 53 中的资源记录集的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}",
{
"HostedZoneId": {
"Ref": "HostedZoneId"
}
}
]
}
}
]
```
## S3CrudPolicy
授予创建、读取、更新和删除权限,以便对 Amazon S3 存储桶中的对象执行操作。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:DeleteObject"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3FullAccessPolicy
授予完全访问权限,以便对 Amazon S3 存储桶中的对象执行操作。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetObjectTagging",
"s3:GetObjectVersionTagging",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3ReadPolicy
授予读取 Amazon Simple Storage Service (Amazon S3) 存储桶中的对象的只读权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:GetLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3WritePolicy
授予将对象写入到 Amazon S3 存储桶的写入权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## SageMakerCreateEndpointConfigPolicy
授予在 SageMaker AI 中创建终端节点配置的权限。
```
"Statement": [
{
"Action": [
"sagemaker:CreateEndpointConfig"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}",
{
"endpointConfigName": {
"Ref": "EndpointConfigName"
}
}
]
},
"Effect": "Allow"
}
]
```
## SageMakerCreateEndpointPolicy
授予在 SageMaker AI 中创建终端节点的权限。
```
"Statement": [
{
"Action": [
"sagemaker:CreateEndpoint"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}",
{
"endpointName": {
"Ref": "EndpointName"
}
}
]
},
"Effect": "Allow"
}
]
```
## ServerlessRepoReadWriteAccessPolicy
授予在 AWS Serverless Application Repository (AWS SAM) 服务中创建和列出应用程序的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"serverlessrepo:CreateApplication",
"serverlessrepo:CreateApplicationVersion",
"serverlessrepo:GetApplication",
"serverlessrepo:ListApplications",
"serverlessrepo:ListApplicationVersions"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
}
]
}
]
```
## SESBulkTemplatedCrudPolicy
授予发送 Amazon SES 电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。
**注意**
`ses:SendTemplatedEmail` 操作需要模板 ARN。请改用 `SESBulkTemplatedCrudPolicy_v2`。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:SendEmail",
"ses:SendRawEmail",
"ses:SendTemplatedEmail",
"ses:SendBulkTemplatedEmail",
"ses:VerifyEmailIdentity"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SESBulkTemplatedCrudPolicy\$1v2
授予发送 Amazon SES 电子邮件、模板化电子邮件和模板化批量电子邮件以及验证身份的权限。
```
"Statement": [
{
"Action": [
"ses:SendEmail",
"ses:SendRawEmail",
"ses:SendTemplatedEmail",
"ses:SendBulkTemplatedEmail"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:template/${templateName}",
{
"templateName": {
"Ref": "TemplateName"
}
}
]
}
]
},
{
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:VerifyEmailIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
```
## SESCrudPolicy
授予发送电子邮件和验证身份的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:SendEmail",
"ses:SendRawEmail",
"ses:VerifyEmailIdentity"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SESEmailTemplateCrudPolicy
授予创建、获取、列出、更新和删除 Amazon SES 电子邮件模板的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:CreateTemplate",
"ses:GetTemplate",
"ses:ListTemplates",
"ses:UpdateTemplate",
"ses:DeleteTemplate",
"ses:TestRenderTemplate"
],
"Resource": "*"
}
]
```
## SESSendBouncePolicy
SendBounce 授予亚马逊简单电子邮件服务 (Amazon SES) Service 身份的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendBounce"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SNSCrudPolicy
授予创建、发布和订阅 Amazon SNS 主题的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:ListSubscriptionsByTopic",
"sns:CreateTopic",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Publish"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
{
"topicName": {
"Ref": "TopicName"
}
}
]
}
}
]
```
## SNSPublishMessagePolicy
授予将消息发布到 Amazon Simple Notification Service (Amazon SNS)主题的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
{
"topicName": {
"Ref": "TopicName"
}
}
]
}
}
]
```
## SQSPollerPolicy
授予轮询 Amazon Simple Queue Service (Amazon SQS) 队列的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
{
"queueName": {
"Ref": "QueueName"
}
}
]
}
}
]
```
## SQSSendMessagePolicy
授予向 Amazon SQS 队列发送消息的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:SendMessage*"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
{
"queueName": {
"Ref": "QueueName"
}
}
]
}
}
]
```
## SSMParameterReadPolicy
授予访问来自 Amazon S EC2 ystems Manager (SSM) 参数存储库的参数的权限,以便在此账户中加载密钥。在参数名称不包含斜杠前缀时使用。
**注意**
如果没有使用默认密钥,则还需要 `KMSDecryptPolicy` 策略。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
}
]
```
## SSMParameterWithSlashPrefixReadPolicy
授予访问来自 Amazon S EC2 ystems Manager (SSM) 参数存储库的参数的权限,以便在此账户中加载密钥。在参数名称包含斜杠前缀时使用。
**注意**
如果没有使用默认密钥,则还需要 `KMSDecryptPolicy` 策略。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
}
]
```
## StepFunctionsExecutionPolicy
授予开始执行 Step Functions 状态机的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
{
"stateMachineName": {
"Ref": "StateMachineName"
}
}
]
}
}
]
```
## TextractDetectAnalyzePolicy
授予使用 Amazon Textract 检测和分析文档的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:DetectDocumentText",
"textract:StartDocumentTextDetection",
"textract:StartDocumentAnalysis",
"textract:AnalyzeDocument"
],
"Resource": "*"
}
]
```
## TextractGetResultPolicy
授予从 Amazon Textract 中获取检测到和分析过的文档的权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:GetDocumentTextDetection",
"textract:GetDocumentAnalysis"
],
"Resource": "*"
}
]
```
## TextractPolicy
授予对 Amazon Textract 的完全访问权限。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:*"
],
"Resource": "*"
}
]
```
## VPCAccessPolicy
授予访问权限以创建、删除、描述和分离弹性网络接口。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface"
],
"Resource": "*"
}
]
```