This page is a machine translation of the English version; where the two differ, the English version is authoritative.

AWS managed policies for AWS Trusted Advisor

Trusted Advisor has the following AWS managed policies.
AWS managed policy: AWSTrustedAdvisorPriorityFullAccess

The AWSTrustedAdvisorPriorityFullAccess policy grants full access to Trusted Advisor Priority. A principal with this policy can view and update the risks that Trusted Advisor Priority identifies, manage the email notification configuration, and enable Trusted Advisor to use AWS Organizations, including registering a delegated administrator for Trusted Advisor Priority.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

- Describe your account and organization.
- Describe the risks identified in Trusted Advisor Priority. The permissions allow you to download risks and update their status.
- Describe the configuration of Trusted Advisor Priority email notifications. The permissions allow you to update the notification configuration and to delete it for a delegated administrator.
- Set up organization access so that Trusted Advisor can use AWS Organizations for your account.

In the second statement, the policy includes the following permissions for organizations:

- Describe your account and organization.
- List the AWS services that you have enabled to use Organizations.

In the third statement, the policy includes the following permissions for organizations:

- List the delegated administrators for Trusted Advisor Priority.
- Enable and disable trusted access for Trusted Advisor reporting in Organizations.

In the fourth statement, the policy includes the following permission for iam:

- Create the AWSServiceRoleForTrustedAdvisorReporting service-linked role.

In the fifth statement, the policy includes the following permissions for organizations:

- Register and deregister delegated administrators for Trusted Advisor Priority.

Note that the Organizations actions in the third and fifth statements carry a condition that organizations:ServicePrincipal equals reporting.trustedadvisor.amazonaws.com, and the iam:CreateServiceLinkedRole permission in the fourth statement is limited both by iam:AWSServiceName and by the role ARN. A principal with this policy can therefore enable trusted access, register a delegated administrator, or create a service-linked role only for Trusted Advisor reporting, not for any other AWS service.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityFullAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus",
        "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowRegisterDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess

The AWSTrustedAdvisorPriorityReadOnlyAccess policy grants read-only access to Trusted Advisor Priority. A principal with this policy can view and download identified risks and view the notification configuration, but cannot change risk status, notification settings, organization access, or delegated administrators.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

- Describe your account and organization.
- Describe the risks identified in Trusted Advisor Priority, and download them.
- Describe the configuration of Trusted Advisor Priority email notifications.

In the second and third statements, the policy includes the following permissions for organizations:

- Describe your organization in Organizations.
- List the AWS services that you have enabled to use Organizations.
- List the delegated administrators for Trusted Advisor Priority. As in the full-access policy, this action is conditioned on organizations:ServicePrincipal being reporting.trustedadvisor.amazonaws.com.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
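The two Trusted Advisor Priority policies above differ in exactly the way a reviewer should be able to verify mechanically: the read-only policy contains no mutating action, and every Organizations write action in the full-access policy is pinned to the Trusted Advisor reporting service principal. The following script is an added example (not AWS code or part of this page) that performs both checks offline. FULL_ACCESS and READ_ONLY are copies of the policy documents shown on this page; the read-only verb prefixes are an assumed heuristic that happens to be exact for these two policies, and weakened_policy() is a constructed variant with the condition removed, to show what the condition prevents.

```python
"""Static checks on the Trusted Advisor Priority managed policies (added example, not AWS code)."""
import copy

TA_REPORTING = "reporting.trustedadvisor.amazonaws.com"
# Assumed heuristic: API verbs with these prefixes do not change state. It is exact for the
# actions on this page; a production audit should keep an explicit allowlist instead.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Download")

# Copy of AWSTrustedAdvisorPriorityFullAccess as shown on this page.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSTrustedAdvisorPriorityFullAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
                "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
                "trustedadvisor:UpdateRiskStatus", "trustedadvisor:DescribeNotificationConfigurations",
                "trustedadvisor:UpdateNotificationConfigurations",
                "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
                "trustedadvisor:SetOrganizationAccess"]},
    {"Sid": "AllowAccessForOrganization", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:DescribeAccount", "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization"]},
    {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:ListDelegatedAdministrators", "organizations:EnableAWSServiceAccess",
                "organizations:DisableAWSServiceAccess"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_REPORTING]}}},
    {"Sid": "AllowCreateServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/" + TA_REPORTING
                 + "/AWSServiceRoleForTrustedAdvisorReporting",
     "Condition": {"StringLike": {"iam:AWSServiceName": TA_REPORTING}}},
    {"Sid": "AllowRegisterDelegatedAdministrators", "Effect": "Allow", "Resource": "arn:aws:organizations::*:*",
     "Action": ["organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_REPORTING]}}},
]}

# Copy of AWSTrustedAdvisorPriorityReadOnlyAccess as shown on this page.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
                "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
                "trustedadvisor:DescribeNotificationConfigurations"]},
    {"Sid": "AllowAccessForOrganization", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:DescribeOrganization", "organizations:ListAWSServiceAccessForOrganization"]},
    {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:ListDelegatedAdministrators"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_REPORTING]}}},
]}


def allowed_actions(policy):
    """Yield (action, statement) for every action in an Allow statement; Action may be str or list."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            yield action, stmt


def mutating_actions(policy):
    """Allowed actions whose API verb does not start with a read-only prefix."""
    return {a for a, _ in allowed_actions(policy)
            if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS)}


def unscoped_org_writes(policy, principal=TA_REPORTING):
    """organizations:* write actions that are not pinned to exactly one service principal.

    Without the organizations:ServicePrincipal condition, EnableAWSServiceAccess and
    RegisterDelegatedAdministrator would apply to any service, not just Trusted Advisor reporting.
    """
    writes = mutating_actions(policy)
    unscoped = set()
    for action, stmt in allowed_actions(policy):
        if not action.startswith("organizations:") or action not in writes:
            continue
        allowed = stmt.get("Condition", {}).get("StringEquals", {}).get("organizations:ServicePrincipal", [])
        allowed = [allowed] if isinstance(allowed, str) else list(allowed)
        if allowed != [principal]:
            unscoped.add(action)
    return unscoped


def weakened_policy():
    """Constructed variant of FULL_ACCESS with the condition dropped from the trusted-access statement."""
    weak = copy.deepcopy(FULL_ACCESS)
    del weak["Statement"][2]["Condition"]
    return weak


if __name__ == "__main__":
    for name, pol in (("FullAccess", FULL_ACCESS), ("ReadOnly", READ_ONLY), ("Weakened", weakened_policy())):
        print(name, "mutating:", sorted(mutating_actions(pol)))
        print(name, "unscoped Organizations writes:", sorted(unscoped_org_writes(pol)))
```

Running the script reports no mutating actions for the read-only policy, nine for the full-access policy (the four trustedadvisor Update/Delete/Set actions, the Organizations enable/disable/register/deregister actions, and iam:CreateServiceLinkedRole), and no unscoped Organizations writes for either; the constructed weakened variant is flagged for organizations:EnableAWSServiceAccess and organizations:DisableAWSServiceAccess, which is the finding you would want from a policy review if the condition were ever dropped from a custom copy of this policy.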
AWS managed policy: AWSTrustedAdvisorServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role. It allows the service-linked role to perform actions on your behalf. You can't attach AWSTrustedAdvisorServiceRolePolicy to your AWS Identity and Access Management (IAM) entities.

This policy grants the permissions that allow the service-linked role to access AWS services so that the Trusted Advisor checks can evaluate your account. Every action in it is a Describe, List, or Get call, apart from iam:GenerateCredentialReport, which generates a report but changes no configuration.

Permissions details

This policy includes the following permissions.

- accessanalyzer – Describes AWS Identity and Access Management Access Analyzer resources
- autoscaling – Describes Amazon EC2 Auto Scaling account quotas and resources
- cloudformation – Describes AWS CloudFormation (CloudFormation) account quotas and stacks
- cloudfront – Describes Amazon CloudFront distributions
- cloudtrail – Describes AWS CloudTrail (CloudTrail) trails
- dynamodb – Describes Amazon DynamoDB account quotas and resources
- dynamodbaccelerator – Describes DynamoDB Accelerator (DAX) resources
- ec2 – Describes Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources
- elasticloadbalancing – Describes Elastic Load Balancing (ELB) account quotas and resources
- iam – Gets IAM resources, such as credentials, password policies, and certificates
- networkfirewall – Describes AWS Network Firewall resources
- kinesis – Describes Amazon Kinesis (Kinesis) account quotas
- rds – Describes Amazon Relational Database Service (Amazon RDS) resources
- redshift – Describes Amazon Redshift resources
- route53 – Describes Amazon Route 53 account quotas and resources
- s3 – Describes Amazon Simple Storage Service (Amazon S3) resources
- ses – Gets Amazon Simple Email Service (Amazon SES) sending quotas
- sqs – Lists Amazon Simple Queue Service (Amazon SQS) queues and gets queue attributes
- cloudwatch – Gets Amazon CloudWatch metric statistics and lists metrics
- ce – Gets AWS Cost Explorer Service (Cost Explorer) recommendations
- route53resolver – Lists Amazon Route 53 Resolver endpoints and their IP addresses
- kafka – Gets Amazon Managed Streaming for Apache Kafka resources
- ecs – Gets Amazon ECS task definitions
- outposts – Gets AWS Outposts resources
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "cloudformation:DescribeAccountLimits",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:GetTrail",
        "cloudtrail:ListTrails",
        "cloudtrail:GetEventSelectors",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dax:DescribeClusters",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeNatGateways",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:GetManagedPrefixListEntries",
        "ecs:DescribeTaskDefinition",
        "ecs:ListTaskDefinitions",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "iam:ListSAMLProviders",
        "kinesis:DescribeLimits",
        "kafka:DescribeClusterV2",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "network-firewall:ListFirewalls",
        "network-firewall:DescribeFirewall",
        "outposts:GetOutpost",
        "outposts:ListAssets",
        "outposts:ListOutposts",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEvents",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "redshift:DescribeReservedNodeOfferings",
        "redshift:DescribeReservedNodes",
        "route53:GetAccountLimit",
        "route53:GetHealthCheck",
        "route53:GetHostedZone",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53resolver:ListResolverEndpoints",
        "route53resolver:ListResolverEndpointIpAddresses",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetLifecycleConfiguration",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "ses:GetSendQuota",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}
AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach AWSTrustedAdvisorReportingServiceRolePolicy to your IAM entities.

This policy grants the permissions that allow the service-linked role to perform AWS Organizations actions. All of them are Describe and List calls; the role cannot modify your organization.

Permissions details

This policy includes the following permissions.

- organizations – Describes your organization, and lists service access, accounts, parents, children, and organizational units
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Trusted Advisor updates to AWS managed policies

View details about updates to AWS managed policies for Trusted Advisor since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

| Change | Description | Date |
|---|---|---|
| AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy | Trusted Advisor added actions to grant | June 11, 2024 |
| AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy | Trusted Advisor added new actions to | January 18, 2024 |
| AWSTrustedAdvisorPriorityFullAccess – Update to an existing policy | Trusted Advisor updated the managed | December 6, 2023 |
| AWSTrustedAdvisorPriorityReadOnlyAccess – Update to an existing policy | Trusted Advisor updated the managed | December 6, 2023 |
| AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy | Trusted Advisor added new actions to grant | November 9, 2023 |
| AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy | Trusted Advisor added new IAM actions | September 14, 2023 |
| AWSTrustedAdvisorReportingServiceRolePolicy attached to Trusted Advisor | Trusted Advisor | February 28, 2023 |
| AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess – New AWS managed policies for Trusted Advisor | Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority. | August 17, 2022 |
| AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy | Trusted Advisor added new actions to grant the permissions required for the Auto Scaling group health check and for the Amazon Simple Storage Service (Amazon S3) bucket permissions check. | August 10, 2021 |
| Trusted Advisor started tracking changes | Trusted Advisor started tracking changes to its AWS managed policies. | August 10, 2021 |