本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWSQuickSetupSSMDeploymentRolePolicy
描述:此政策授予管理權限,允許 Quick Setup 建立在 Systems Manager 加入程序期間使用的資源。
AWSQuickSetupSSMDeploymentRolePolicy
是 AWS 受管政策。
使用此政策
您可以將 AWSQuickSetupSSMDeploymentRolePolicy
連接至您的使用者、群組和角色。
政策詳細資訊
-
類型: AWS 受管政策
-
建立時間:2024 年 11 月 15 日 22:53 UTC
-
編輯時間:2024 年 11 月 20 日 12:43 UTC
-
ARN:
arn:aws:iam::aws:policy/AWSQuickSetupSSMDeploymentRolePolicy
政策版本
政策版本:v2 (預設值)
政策的預設版本是定義政策許可的版本。當具有此政策的使用者或角色提出存取 AWS 資源的請求時,AWS 會檢查政策的預設版本,以決定是否允許該請求。
JSON 政策文件
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListStacks"
],
"Resource" : [
"*"
]
},
{
"Effect" : "Allow",
"Action" : [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackResourceDrifts",
"cloudformation:DetectStackDrift",
"cloudformation:DetectStackResourceDrift",
"cloudformation:DescribeStackEvents"
],
"Resource" : [
"arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-SSM-*"
]
},
{
"Effect" : "Allow",
"Action" : [
"lambda:CreateFunction",
"lambda:TagResource"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
},
"StringEquals" : {
"aws:ResourceAccount" : [
"${aws:PrincipalAccount}"
],
"aws:ResourceTag/QuickSetupDocument" : [
"AWSQuickSetupType-SSM"
],
"aws:RequestTag/QuickSetupDocument" : [
"AWSQuickSetupType-SSM"
]
},
"ForAnyValue:StringLike" : {
"aws:TagKeys" : [
"QuickSetup*"
]
}
},
"Resource" : [
"arn:aws:lambda:*:*:function:aws-quicksetup-lifecycle*"
]
},
{
"Effect" : "Allow",
"Action" : [
"lambda:InvokeFunction",
"lambda:DeleteFunction",
"lambda:UpdateFunction*"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
},
"StringEquals" : {
"aws:ResourceAccount" : [
"${aws:PrincipalAccount}"
],
"aws:ResourceTag/QuickSetupDocument" : [
"AWSQuickSetupType-SSM"
]
}
},
"Resource" : [
"arn:aws:lambda:*:*:function:aws-quicksetup-lifecycle*"
]
},
{
"Effect" : "Allow",
"Action" : [
"lambda:GetFunction"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : "cloudformation.amazonaws.com"
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
},
"Resource" : "arn:aws:lambda:*:*:function:aws-quicksetup-lifecycle*"
},
{
"Effect" : "Allow",
"Action" : [
"ssm:CreateAssociation",
"ssm:UpdateAssociation",
"ssm:DeleteAssociation",
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:DescribeDocument"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:ssm:*::document/AWSQuickSetupType-EnableAREX",
"arn:aws:ssm:*::document/AWSQuickSetupType-EnableDHMC",
"arn:aws:ssm:*::document/AWSQuickSetupType-ManageInstanceProfile",
"arn:aws:ssm:*::document/AWS-EnableExplorer",
"arn:aws:ssm:*::document/AWS-GatherSoftwareInventory",
"arn:aws:ssm:*::document/AWS-UpdateSSMAgent",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:managed-instance/*",
"arn:aws:ssm:*:*:association/*"
]
},
{
"Sid" : "SSMSLRCreate",
"Effect" : "Allow",
"Action" : [
"iam:CreateServiceLinkedRole"
],
"Resource" : [
"arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
],
"Condition" : {
"StringEquals" : {
"iam:AWSServiceName" : "ssm.amazonaws.com"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:CreateRole",
"iam:TagRole"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
},
"ForAnyValue:StringLike" : {
"aws:TagKeys" : [
"QuickSetup*"
]
},
"StringEquals" : {
"aws:ResourceTag/QuickSetupDocument" : [
"AWSQuickSetupType-SSM"
],
"aws:RequestTag/QuickSetupDocument" : [
"AWSQuickSetupType-SSM"
]
}
},
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-SSM-*",
"arn:aws:iam::*:role/AWS-SSM-Remediation*",
"arn:aws:iam::*:role/AWS-SSM-Diagnosis*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:GetRole",
"iam:UpdateRole",
"iam:DeleteRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoleTags"
],
"Condition" : {
"ForAnyValue:StringEquals" : {
"aws:CalledVia" : [
"cloudformation.amazonaws.com"
]
}
},
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-SSM-*",
"arn:aws:iam::*:role/AWS-SSM-Remediation*",
"arn:aws:iam::*:role/AWS-SSM-Diagnosis*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Condition" : {
"ArnEquals" : {
"iam:PolicyARN" : [
"arn:aws:iam::aws:policy/AWSQuickSetupSSMLifecycleManagementExecutionPolicy"
]
}
},
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-SSM-LifecycleManagement-*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Condition" : {
"ArnEquals" : {
"iam:PolicyARN" : "arn:aws:iam::aws:policy/AWSQuickSetupSSMManageResourcesExecutionPolicy"
}
},
"Resource" : "arn:aws:iam::*:role/AWS-QuickSetup-SSM-ManageResources-*"
},
{
"Effect" : "Allow",
"Action" : [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Condition" : {
"ArnEquals" : {
"iam:PolicyARN" : [
"arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-AdministrationRolePolicy",
"arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-ExecutionRolePolicy",
"arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy",
"arn:aws:iam::aws:policy/AWS-SSM-Automation-DiagnosisBucketPolicy",
"arn:aws:iam::aws:policy/AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy",
"arn:aws:iam::aws:policy/AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy"
]
}
},
"Resource" : [
"arn:aws:iam::*:role/AWS-SSM-Remediation*",
"arn:aws:iam::*:role/AWS-SSM-Diagnosis*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "ssm.amazonaws.com",
"iam:ResourceTag/QuickSetupDocument" : "AWSQuickSetupType-SSM"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:aws:iam::*:role/AWS-QuickSetup-SSM-LifecycleManagement*"
],
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : "lambda.amazonaws.com",
"iam:ResourceTag/QuickSetupDocument" : "AWSQuickSetupType-SSM"
}
}
}
]
}