使用主控台大量移轉原則 - AWS 帳單
必要條件確認您的移轉

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用主控台大量移轉原則

注意

如下所示 AWS Identity and Access Management (IAM) 行動已於 2023 年 7 月達到標準支援結束:

  • aws-portal 命名空間

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

如果您正在使用 AWS Organizations,您可以使用大量政策移轉程式指令碼或大量政策移轉工具,從付款人帳戶更新政策。您還可以使用舊的到細微的操作映射引用來驗證需要添加的IAM操作。

如果您有 AWS 帳戶,或者是 AWS Organizations 在 2023 年 3 月 6 日上午 11:00 (PDT) 或之後建立,細微的動作已在您的組織中生效。

本節介紹如何使用 AWS Billing and Cost Management 控制台,用於將您的舊政策從 Organizations 帳戶或標準帳戶遷移到批量的細微操作。您可以透過兩種方式使用主控台完成舊版政策的遷移:

使用AWS建議的移轉程序

這是一個簡化的單一操作過程,您可以將舊操作遷移到映射的細微操作 AWS。 如需詳細資訊,請參閱使用建議的動作大量移轉舊版原則

使用自訂的移轉程序

此程序可讓您檢閱及變更建議的動作 AWS 在進行大量移轉之前,以及自訂要移轉組織中的哪些帳戶。如需詳細資訊,請參閱自訂動作以大量移轉舊版原則

使用主控台大量移轉的必要條件

這兩種移轉選項都需要您在主控台中同意,以便 AWS 可以為您指派的舊版動作建議精細的IAM動作。要做到這一點,你將需要登錄到 AWS 帳號作為IAM主參與者,可IAM執行下列動作以繼續策略更新。

Management account
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced",
"aws-portal:UpdateConsoleActionSetEnforced",
"purchase-orders:UpdateConsoleActionSetEnforced",
"iam:GetAccountAuthorizationDetails",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"scheduler:GetSchedule", 
"scheduler:DeleteSchedule",
"scheduler:CreateSchedule",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackSets",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:ListStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:CreateStack",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:DescribeStacks",
"ec2:DescribeRegions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"sts:AssumeRole",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:GetInlinePolicyForPermissionSet",
"sso:DescribePermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ProvisionPermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
Member account or standard account
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced", // Not needed for member account
"aws-portal:UpdateConsoleActionSetEnforced", // Not needed for member account
"purchase-orders:UpdateConsoleActionSetEnforced", // Not needed for member account
"iam:GetAccountAuthorizationDetails",
"ec2:DescribeRegions",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl", 
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
主題

確認您的移轉

你可以看看是否有 AWS Organizations 仍需使用移轉工具移轉的帳戶。

確認是否所有帳戶都已移轉

  1. 登入 AWS Management Console.

  2. 在頁面頂端的搜尋列中輸入Bulk Policy Migrator

  3. 在 [管理新IAM動作] 頁面上,選擇 [移轉帳戶] 索引標籤。

如果表格未顯示任何剩餘帳戶,則所有帳戶都已成功遷移。