IAM Identity Center identity-based policy examples - AWS IAM Identity Center

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

IAM Identity Center identity-based policy examples

This topic provides examples of IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.

Important

We recommend that you first read the introductory topics that explain the basic concepts and the options available for managing access to your IAM Identity Center resources. For more information, see Overview of managing access permissions to your IAM Identity Center resources.


Custom policy examples

This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies, so they do not specify a Principal element: with an identity-based policy you do not name the principal that receives the permissions; instead, you attach the policy to a principal. When you attach an identity-based permissions policy to an IAM role, the principal identified in the role's trust policy receives the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.

Note

Use these examples as a starting point for the policies in your environment, and make sure you test both positive ("grant access") and negative ("deny access") test cases before deploying them to production. For more information about testing IAM policies, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.

Example 1: Allow a user to view IAM Identity Center

The following permissions policy grants read-only permissions so that the user can view all of the settings and directory information configured in IAM Identity Center.

Note

This policy is provided for reference only. In a production environment, we recommend that you use the ViewOnlyAccess AWS managed policy for IAM Identity Center.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "iam:ListPolicies",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:GetInlinePolicyForPermissionSet",
        "sso-directory:DescribeDirectory",
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center

The following permissions policy grants permissions that allow a user to create, manage, and deploy permission sets for your AWS accounts. Note that the IAM role permissions it grants are scoped to roles under the aws-reserved/sso.amazonaws.com/ path, which is where IAM Identity Center provisions the roles that back permission sets, so the user cannot use them to modify other roles in the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:CreatePermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:ProvisionPermissionSet",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:UpdatePermissionSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMListPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AccessToSSOProvisionedRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetSAMLProvider"
      ],
      "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
    }
  ]
}

Note

The additional permissions listed under "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisionedRoles" are required only so that the user can create assignments in the AWS Organizations management account. In some cases, you might also need to add iam:UpdateSAMLProvider to those sections.
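The positive and negative test cases that the note near the top of this page asks for can be checked offline before a policy reaches the IAM policy simulator. The following Python script is an added example, not code from AWS or from this page: it holds a minimal evaluator that applies the core IAM evaluation rules (everything implicitly denied until a statement allows it, an explicit Deny overriding any Allow, '*' and '?' wildcards with case-insensitive action names and case-sensitive resource ARNs) and runs constructed cases against Example 2 above. The account ID, instance ID, role name and SAML provider name in the cases are made-up values. Condition, NotAction, NotResource, SCPs and permission boundaries are not modelled, so the policy simulator remains the authoritative check.

```python
"""Offline allow/deny tester for IAM identity-based policies (added example).

Implements only the core of the IAM evaluation logic: everything is implicitly
denied until a statement allows it, an explicit Deny in any matching statement
overrides every Allow, and Action/Resource use '*' and '?' wildcards (actions
compare case-insensitively, resource ARNs case-sensitively). Condition,
NotAction, NotResource, SCPs and permission boundaries are not modelled.
"""
import fnmatch

# Example 2 from this page, transcribed as a Python dict.
EXAMPLE_2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "sso:AttachManagedPolicyToPermissionSet", "sso:CreateAccountAssignment",
            "sso:CreatePermissionSet", "sso:DeleteAccountAssignment",
            "sso:DeleteInlinePolicyFromPermissionSet", "sso:DeletePermissionSet",
            "sso:DetachManagedPolicyFromPermissionSet", "sso:ProvisionPermissionSet",
            "sso:PutInlinePolicyToPermissionSet", "sso:UpdatePermissionSet"]},
        {"Sid": "IAMListPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListRoles", "iam:ListPolicies"]},
        {"Sid": "AccessToSSOProvisionedRoles", "Effect": "Allow",
         "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*",
         "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
                    "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRole",
                    "iam:ListAttachedRolePolicies", "iam:ListRolePolicies",
                    "iam:PutRolePolicy", "iam:UpdateRole", "iam:UpdateRoleDescription"]},
        {"Effect": "Allow", "Action": ["iam:GetSAMLProvider"],
         "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"},
    ],
}


def _wild(pattern, value):
    """IAM-style wildcard match: only '*' and '?' are special, never '['."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        unsupported = {"Condition", "NotAction", "NotResource"} & set(stmt)
        if unsupported:
            raise NotImplementedError("not modelled: %s" % sorted(unsupported))
        action_hit = any(_wild(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
        resource_hit = any(_wild(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny wins regardless of other statements
            decision = "Allow"
    return decision


# Constructed cases (action, resource, expected). Account ID, instance ID and
# role/provider names are made-up values, not taken from the page.
SSO_ROLE = ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
            "AWSReservedSSO_Admin_0123456789abcdef")
SAML = "arn:aws:iam::123456789012:saml-provider/AWSSSO_0123456789abcdef_DO_NOT_DELETE"
CASES = [
    ("sso:CreatePermissionSet", "arn:aws:sso:::instance/ssoins-0123456789abcdef", "Allow"),
    ("iam:CreateRole", SSO_ROLE, "Allow"),                                       # SSO path
    ("iam:CreateRole", "arn:aws:iam::123456789012:role/Admin", "ImplicitDeny"),  # any other role
    ("iam:PassRole", SSO_ROLE, "ImplicitDeny"),                                  # never granted
    ("iam:GetSAMLProvider", SAML, "Allow"),
    ("iam:UpdateSAMLProvider", SAML, "ImplicitDeny"),   # the note says to add it only when needed
    ("sso-directory:CreateUser", "*", "ImplicitDeny"),  # belongs to Example 4, not to this policy
]


def run_cases(policy, cases=CASES):
    """Return every (action, resource, expected, actual) whose decision differs."""
    failures = []
    for action, resource, expected in cases:
        actual = evaluate(policy, action, resource)
        if actual != expected:
            failures.append((action, resource, expected, actual))
    return failures


def with_explicit_deny(policy, action):
    """Copy of policy plus an explicit Deny on one action (shows Deny precedence)."""
    extra = {"Effect": "Deny", "Action": action, "Resource": "*"}
    return {"Version": policy["Version"], "Statement": _as_list(policy["Statement"]) + [extra]}


if __name__ == "__main__":
    print("failures:", run_cases(EXAMPLE_2_POLICY))
    denied = with_explicit_deny(EXAMPLE_2_POLICY, "sso:DeletePermissionSet")
    print(evaluate(denied, "sso:DeletePermissionSet", "*"))
```

The two iam:CreateRole cases are the point of the exercise: the same action is allowed on a role under the aws-reserved/sso.amazonaws.com/ path and implicitly denied on any other role, and iam:UpdateSAMLProvider is shown to be absent until you deliberately add it, as the note above describes. The with_explicit_deny helper shows that once a Deny statement matches, no Allow elsewhere in the policy can rescue the request.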

Example 3: Allow a user to manage applications in IAM Identity Center

The following permissions policy grants permissions that allow a user to view and configure applications in IAM Identity Center, including the pre-integrated SaaS applications in the IAM Identity Center catalog.

Note

The sso:AssociateProfile action used in the following policy example is required to manage user and group assignments for applications. It also allows the user to assign users and groups to AWS accounts using existing permission sets. If the user must manage AWS account access in IAM Identity Center and needs the permissions required to manage permission sets, see Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center.

As of October 2020, many of these actions are available only through the AWS console. This example policy includes "read" actions such as List, Get, and Search that are needed for error-free operation of the console in this example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:CreateApplicationInstance",
        "sso:ImportApplicationInstanceServiceProviderMetadata",
        "sso:DeleteApplicationInstance",
        "sso:DeleteProfile",
        "sso:DisassociateProfile",
        "sso:GetApplicationTemplate",
        "sso:UpdateApplicationInstanceServiceProviderConfiguration",
        "sso:UpdateApplicationInstanceDisplayData",
        "sso:DeleteManagedApplicationInstance",
        "sso:UpdateApplicationInstanceStatus",
        "sso:GetManagedApplicationInstance",
        "sso:UpdateManagedApplicationInstanceStatus",
        "sso:CreateManagedApplicationInstance",
        "sso:UpdateApplicationInstanceSecurityConfiguration",
        "sso:UpdateApplicationInstanceResponseConfiguration",
        "sso:GetApplicationInstance",
        "sso:CreateApplicationInstanceCertificate",
        "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
        "sso:UpdateApplicationInstanceActiveCertificate",
        "sso:DeleteApplicationInstanceCertificate",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationTemplates",
        "sso:ListApplications",
        "sso:ListApplicationInstances",
        "sso:ListDirectoryAssociations",
        "sso:ListProfiles",
        "sso:ListProfileAssociations",
        "sso:ListInstances",
        "sso:GetProfile",
        "sso:GetSSOStatus",
        "sso:GetSsoConfiguration",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeUsers",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}

Example 4: Allow a user to manage users and groups in your Identity Center directory

The following permissions policy grants permissions that allow a user to create, view, modify, and delete users and groups in IAM Identity Center.

In some cases, direct modification of users and groups in IAM Identity Center is restricted, for example when Active Directory, or an external identity provider with automatic provisioning enabled, is selected as the identity source.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:ListGroupsForUser",
        "sso-directory:DisableUser",
        "sso-directory:EnableUser",
        "sso-directory:SearchGroups",
        "sso-directory:DeleteGroup",
        "sso-directory:AddMemberToGroup",
        "sso-directory:DescribeDirectory",
        "sso-directory:UpdateUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:CreateUser",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchUsers",
        "sso:ListDirectoryAssociations",
        "sso-directory:RemoveMemberFromGroup",
        "sso-directory:DeleteUser",
        "sso-directory:DescribeUsers",
        "sso-directory:UpdateGroup",
        "sso-directory:CreateGroup"
      ],
      "Resource": "*"
    }
  ]
}

Permissions required to use the IAM Identity Center console

For a user to work with the IAM Identity Center console without errors, additional permissions are required. If you create an IAM policy that is more restrictive than this minimum, the console will not function as intended for users who have that policy. The following example lists the set of permissions that may be required to ensure error-free operation in the IAM Identity Center console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeAccountAssignmentCreationStatus",
        "sso:DescribeAccountAssignmentDeletionStatus",
        "sso:DescribePermissionSet",
        "sso:DescribePermissionSetProvisioningStatus",
        "sso:DescribePermissionsPolicies",
        "sso:DescribeRegisteredRegions",
        "sso:GetApplicationInstance",
        "sso:GetApplicationTemplate",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:GetManagedApplicationInstance",
        "sso:GetMfaDeviceManagementForDirectory",
        "sso:GetPermissionSet",
        "sso:GetPermissionsPolicy",
        "sso:GetProfile",
        "sso:GetSharedSsoConfiguration",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus",
        "sso:GetTrust",
        "sso:ListAccountAssignmentCreationStatus",
        "sso:ListAccountAssignmentDeletionStatus",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationInstances",
        "sso:ListApplications",
        "sso:ListApplicationTemplates",
        "sso:ListDirectoryAssociations",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetProvisioningStatus",
        "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListProfileAssociations",
        "sso:ListProfiles",
        "sso:ListTagsForResource",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeGroups",
        "sso-directory:DescribeUsers",
        "sso-directory:ListGroupsForUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}
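The paragraph above warns that a policy tighter than this minimum breaks the console. The following Python script, an added example rather than AWS code, turns that into a check: given the Action patterns a candidate policy grants, it lists which of the console actions above are not covered, using IAM Action wildcard semantics ('*' and '?', case-insensitive names). It is run here against the actions of Example 4, whose user-and-group policy covers only the sso-directory read actions and sso:ListDirectoryAssociations from this list. Only Action names are compared; a narrowed Resource or a Condition that blocks the console would not be detected.

```python
"""Console least-privilege gap check (added example, not AWS code).

Lists which of the console's required read actions a candidate policy does
not grant, using IAM Action wildcard semantics ('*' and '?', case-insensitive).
Only Action names are compared; a narrowed Resource or a Condition that
blocks the console would not be detected here.
"""
import fnmatch

# The "permissions required to use the IAM Identity Center console" list from this page.
CONSOLE_ACTIONS = """
sso:DescribeAccountAssignmentCreationStatus sso:DescribeAccountAssignmentDeletionStatus
sso:DescribePermissionSet sso:DescribePermissionSetProvisioningStatus
sso:DescribePermissionsPolicies sso:DescribeRegisteredRegions
sso:GetApplicationInstance sso:GetApplicationTemplate sso:GetInlinePolicyForPermissionSet
sso:GetManagedApplicationInstance sso:GetMfaDeviceManagementForDirectory sso:GetPermissionSet
sso:GetPermissionsPolicy sso:GetProfile sso:GetSharedSsoConfiguration sso:GetSsoConfiguration
sso:GetSSOStatus sso:GetTrust sso:ListAccountAssignmentCreationStatus
sso:ListAccountAssignmentDeletionStatus sso:ListAccountAssignments
sso:ListAccountsForProvisionedPermissionSet sso:ListApplicationInstanceCertificates
sso:ListApplicationInstances sso:ListApplications sso:ListApplicationTemplates
sso:ListDirectoryAssociations sso:ListInstances sso:ListManagedPoliciesInPermissionSet
sso:ListPermissionSetProvisioningStatus sso:ListPermissionSets
sso:ListPermissionSetsProvisionedToAccount sso:ListProfileAssociations sso:ListProfiles
sso:ListTagsForResource sso-directory:DescribeDirectory sso-directory:DescribeGroups
sso-directory:DescribeUsers sso-directory:ListGroupsForUser sso-directory:ListMembersInGroup
sso-directory:SearchGroups sso-directory:SearchUsers
""".split()

# Actions granted by Example 4 (manage users and groups) on this page.
EXAMPLE_4_ACTIONS = """
sso-directory:ListGroupsForUser sso-directory:DisableUser sso-directory:EnableUser
sso-directory:SearchGroups sso-directory:DeleteGroup sso-directory:AddMemberToGroup
sso-directory:DescribeDirectory sso-directory:UpdateUser sso-directory:ListMembersInGroup
sso-directory:CreateUser sso-directory:DescribeGroups sso-directory:SearchUsers
sso:ListDirectoryAssociations sso-directory:RemoveMemberFromGroup sso-directory:DeleteUser
sso-directory:DescribeUsers sso-directory:UpdateGroup sso-directory:CreateGroup
""".split()


def _action_matches(pattern, action):
    """IAM Action matching: case-insensitive, '*' and '?' wildcards, '[' literal."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower().replace("[", "[[]"))


def missing_actions(granted, required=CONSOLE_ACTIONS):
    """Required actions that no granted Action pattern covers, in list order."""
    return [a for a in required if not any(_action_matches(p, a) for p in granted)]


def extra_statement(granted, required=CONSOLE_ACTIONS):
    """An Allow statement adding only the missing actions, or None if nothing is missing.

    Resource is '*' because the page's console list is account-wide read access.
    """
    missing = missing_actions(granted, required)
    if not missing:
        return None
    return {"Effect": "Allow", "Action": missing, "Resource": "*"}


if __name__ == "__main__":
    gap = missing_actions(EXAMPLE_4_ACTIONS)
    print("%d of %d console actions not granted by Example 4" % (len(gap), len(CONSOLE_ACTIONS)))
    print(extra_statement(EXAMPLE_4_ACTIONS))
```

Running it shows that Example 4 on its own leaves 34 of the 42 console actions ungranted, so a directory administrator with only that policy would hit console errors; extra_statement produces the smallest Allow statement that closes the gap without widening the existing grants.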