AWS managed policies for AWS Clean Rooms - AWS Clean Rooms

This page is a translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.

AWS managed policies for AWS Clean Rooms

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use case, because they are available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSCleanRoomsReadOnlyAccess

You can attach AWSCleanRoomsReadOnlyAccess to your IAM principals.

The AWSCleanRoomsReadOnlyAccess policy grants read-only permissions to the resources and metadata in a collaboration.

Permissions details

This policy includes the following permissions:

  • CleanRoomsRead – Allows principals read-only access to the service.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • ConsoleLogSummaryQueryLogs – Allows principals to view query logs.

  • ConsoleLogSummaryObtainLogs – Allows principals to retrieve the log results.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsRead",
      "Effect": "Allow",
      "Action": [ "cleanrooms:BatchGet*", "cleanrooms:Get*", "cleanrooms:List*" ],
      "Resource": "*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:GetSchema", "glue:GetSchemaVersion", "glue:BatchGetPartition" ],
      "Resource": "*"
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": [ "logs:StartQuery" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": [ "logs:GetQueryResults" ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSCleanRoomsFullAccess

You can attach AWSCleanRoomsFullAccess to your IAM principals.

This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata in an AWS Clean Rooms collaboration. This policy includes access to perform queries.

Permissions details

This policy includes the following permissions:

  • CleanRoomsAccess – Grants full access to all actions on all AWS Clean Rooms resources.

  • PassServiceRole – Grants access to pass a service role to the service (PassedToService condition) that has "cleanrooms" in its name.

  • ListRolesToPickServiceRole – Allows principals to list all their roles so that they can pick a service role when using AWS Clean Rooms.

  • GetRoleAndListRolePoliciesToInspectServiceRole – Allows principals to see the service role and the corresponding policy in IAM.

  • ListPoliciesToInspectServiceRolePolicy – Allows principals to see the service role and the corresponding policy in IAM.

  • GetPolicyToInspectServiceRolePolicy – Allows principals to see the service role and the corresponding policy in IAM.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • ConsolePickQueryResultsBucketListAll – Allows principals to pick an Amazon S3 bucket, from a list of all available S3 buckets, to which the query results are written.

  • SetQueryResultsBucket – Allows principals to pick an S3 bucket to which query results are written.

  • ConsoleDisplayQueryResults – Allows principals to show the query results to the customer, read from the S3 bucket.

  • WriteQueryResults – Allows principals to write query results to a customer-owned S3 bucket.

  • EstablishLogDeliveries – Allows principals to deliver query logs to the customer's Amazon CloudWatch Logs log group.

  • SetupLogGroupsDescribe – Allows principals to use the Amazon CloudWatch Logs log group creation process.

  • SetupLogGroupsCreate – Allows principals to create an Amazon CloudWatch Logs log group.

  • SetupLogGroupsResourcePolicy – Allows principals to set up a resource policy on the Amazon CloudWatch Logs log group.

  • ConsoleLogSummaryQueryLogs – Allows principals to view query logs.

  • ConsoleLogSummaryObtainLogs – Allows principals to retrieve the log results.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsAccess",
      "Effect": "Allow",
      "Action": [ "cleanrooms:*" ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
      "Condition": { "StringEquals": { "iam:PassedToService": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:ListRoles" ],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:GetRole", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies" ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*"
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [ "iam:ListPolicies" ],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [ "iam:GetPolicy", "iam:GetPolicyVersion" ],
      "Resource": "arn:aws:iam::*:policy/*cleanrooms*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:GetSchema", "glue:GetSchemaVersion", "glue:BatchGetPartition" ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickQueryResultsBucketListAll",
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets" ],
      "Resource": "*"
    },
    {
      "Sid": "SetQueryResultsBucket",
      "Effect": "Allow",
      "Action": [ "s3:GetBucketLocation", "s3:ListBucketVersions" ],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*"
    },
    {
      "Sid": "WriteQueryResults",
      "Effect": "Allow",
      "Action": [ "s3:ListBucket", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "ConsoleDisplayQueryResults",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*"
    },
    {
      "Sid": "EstablishLogDeliveries",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "SetupLogGroupsDescribe",
      "Effect": "Allow",
      "Action": [ "logs:DescribeLogGroups" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "SetupLogGroupsCreate",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "SetupLogGroupsResourcePolicy",
      "Effect": "Allow",
      "Action": [ "logs:DescribeResourcePolicies", "logs:PutResourcePolicy" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": [ "logs:StartQuery" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": [ "logs:GetQueryResults" ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSCleanRoomsFullAccessNoQuerying

You can attach AWSCleanRoomsFullAccessNoQuerying to your IAM principals.

This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata in an AWS Clean Rooms collaboration. This policy excludes access to perform queries.

Permissions details

This policy includes the following permissions:

  • CleanRoomsAccess – Grants full access to all actions on all AWS Clean Rooms resources, except for querying in collaborations.

  • CleanRoomsNoQuerying – Explicitly denies StartProtectedQuery and UpdateProtectedQuery to prevent querying.

  • PassServiceRole – Grants access to pass a service role to the service (PassedToService condition) that has "cleanrooms" in its name.

  • ListRolesToPickServiceRole – Allows principals to list all their roles so that they can pick a service role when using AWS Clean Rooms.

  • GetRoleAndListRolePoliciesToInspectServiceRole – Allows principals to see the service role and the corresponding policy in IAM.

  • ListPoliciesToInspectServiceRolePolicy – Allows principals to see the service role and the corresponding policy in IAM.

  • GetPolicyToInspectServiceRolePolicy – Allows principals to see the service role and the corresponding policy in IAM.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • EstablishLogDeliveries – Allows principals to deliver query logs to the customer's Amazon CloudWatch Logs log group.

  • SetupLogGroupsDescribe – Allows principals to use the Amazon CloudWatch Logs log group creation process.

  • SetupLogGroupsCreate – Allows principals to create an Amazon CloudWatch Logs log group.

  • SetupLogGroupsResourcePolicy – Allows principals to set up a resource policy on the Amazon CloudWatch Logs log group.

  • ConsoleLogSummaryQueryLogs – Allows principals to view query logs.

  • ConsoleLogSummaryObtainLogs – Allows principals to retrieve the log results.

By service, the policy grants the following:

  • cleanrooms – Manage AWS Clean Rooms collaborations, analysis templates, configured tables, memberships, and associated resources within the service. Perform operations such as creating, updating, deleting, listing, and retrieving information about these resources.

  • iam – Pass service roles whose names contain "cleanrooms" to the AWS Clean Rooms service. List roles and policies, and inspect the service roles and policies related to the AWS Clean Rooms service.

  • glue – Retrieve information about databases, tables, partitions, and schemas from AWS Glue. This is required for the AWS Clean Rooms service to display and interact with the underlying data sources.

  • logs – Manage CloudWatch Logs log deliveries, log groups, and resource policies. Query and retrieve logs related to the AWS Clean Rooms service. These permissions are necessary for monitoring, auditing, and troubleshooting within the service.

The policy also explicitly denies the actions cleanrooms:UpdateProtectedQuery and cleanrooms:StartProtectedQuery, which prevents users from directly running or updating protected queries; those operations should be performed through the mechanisms controlled by AWS Clean Rooms.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsAccess",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:BatchGetCollaborationAnalysisTemplate", "cleanrooms:BatchGetSchema", "cleanrooms:BatchGetSchemaAnalysisRule",
        "cleanrooms:CreateAnalysisTemplate", "cleanrooms:CreateCollaboration", "cleanrooms:CreateConfiguredTable",
        "cleanrooms:CreateConfiguredTableAnalysisRule", "cleanrooms:CreateConfiguredTableAssociation", "cleanrooms:CreateMembership",
        "cleanrooms:DeleteAnalysisTemplate", "cleanrooms:DeleteCollaboration", "cleanrooms:DeleteConfiguredTable",
        "cleanrooms:DeleteConfiguredTableAnalysisRule", "cleanrooms:DeleteConfiguredTableAssociation", "cleanrooms:DeleteMember",
        "cleanrooms:DeleteMembership", "cleanrooms:GetAnalysisTemplate", "cleanrooms:GetCollaboration",
        "cleanrooms:GetCollaborationAnalysisTemplate", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule",
        "cleanrooms:GetConfiguredTableAssociation", "cleanrooms:GetMembership", "cleanrooms:GetProtectedQuery",
        "cleanrooms:GetSchema", "cleanrooms:GetSchemaAnalysisRule", "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates", "cleanrooms:ListCollaborations", "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables", "cleanrooms:ListMembers", "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries", "cleanrooms:ListSchemas", "cleanrooms:UpdateAnalysisTemplate",
        "cleanrooms:UpdateCollaboration", "cleanrooms:UpdateConfiguredTable", "cleanrooms:UpdateConfiguredTableAnalysisRule",
        "cleanrooms:UpdateConfiguredTableAssociation", "cleanrooms:UpdateMembership", "cleanrooms:ListTagsForResource",
        "cleanrooms:UntagResource", "cleanrooms:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CleanRoomsNoQuerying",
      "Effect": "Deny",
      "Action": [ "cleanrooms:StartProtectedQuery", "cleanrooms:UpdateProtectedQuery" ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
      "Condition": { "StringEquals": { "iam:PassedToService": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:ListRoles" ],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:GetRole", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies" ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*"
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [ "iam:ListPolicies" ],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [ "iam:GetPolicy", "iam:GetPolicyVersion" ],
      "Resource": "arn:aws:iam::*:policy/*cleanrooms*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:GetSchema", "glue:GetSchemaVersion", "glue:BatchGetPartition" ],
      "Resource": "*"
    },
    {
      "Sid": "EstablishLogDeliveries",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "SetupLogGroupsDescribe",
      "Effect": "Allow",
      "Action": [ "logs:DescribeLogGroups" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "SetupLogGroupsCreate",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "SetupLogGroupsResourcePolicy",
      "Effect": "Allow",
      "Action": [ "logs:DescribeResourcePolicies", "logs:PutResourcePolicy" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "cleanrooms.amazonaws.com" } }
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": [ "logs:StartQuery" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": [ "logs:GetQueryResults" ],
      "Resource": "*"
    }
  ]
}
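The following added example (not code from the AWS documentation, and only a simplified model of IAM's evaluation logic) shows why the explicit Deny in CleanRoomsNoQuerying matters: when AWSCleanRoomsFullAccess and AWSCleanRoomsFullAccessNoQuerying are attached to the same principal, the Deny overrides the cleanrooms:* Allow, and the aws:CalledVia condition on WriteQueryResults only matches when the request context actually carries that key. The policy excerpts are constructed from the documents on this page.

```python
# Added example, not code from the AWS documentation: a deliberately simplified
# IAM-style evaluator (Action/Resource wildcards, StringEquals and
# ForAnyValue:StringEquals only) showing how these managed policies combine.
import fnmatch
# Statement excerpts constructed from the policy documents on this page.
FULL_ACCESS = {"Statement": [
    {"Sid": "CleanRoomsAccess", "Effect": "Allow",
     "Action": ["cleanrooms:*"], "Resource": "*"},
    {"Sid": "WriteQueryResults", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:PutObject"],
     "Resource": "arn:aws:s3:::cleanrooms-queryresults*",
     "Condition": {"ForAnyValue:StringEquals":
                   {"aws:CalledVia": "cleanrooms.amazonaws.com"}}},
]}
NO_QUERYING = {"Statement": [
    {"Sid": "CleanRoomsNoQuerying", "Effect": "Deny",
     "Action": ["cleanrooms:StartProtectedQuery",
                "cleanrooms:UpdateProtectedQuery"], "Resource": "*"},
]}
# A condition key absent from the request context never matches, which is why
# the aws:CalledVia-guarded statements only apply to calls made via the service.
OPERATORS = {
    "StringEquals": lambda have, want: len(have) == 1 and have[0] in want,
    "ForAnyValue:StringEquals": lambda have, want: any(h in want for h in have),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    # Action names match case-insensitively; resource ARNs do not.
    norm = str.lower if fold_case else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def _condition_ok(condition, context):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = _as_list(context.get(key, []))
            if not OPERATORS[operator](have, _as_list(wanted)):
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Decide one request across all attached policies; any explicit Deny wins."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if (_matches(st["Action"], action, fold_case=True)
                    and _matches(st["Resource"], resource)
                    and _condition_ok(st.get("Condition", {}), context or {})):
                if st["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

The result values mirror IAM's three outcomes: an explicit Deny, an Allow, or the implicit deny that applies when no statement matches.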

AWS managed policy: AWSCleanRoomsMLReadOnlyAccess

You can attach AWSCleanRoomsMLReadOnlyAccess to your IAM principals.

The AWSCleanRoomsMLReadOnlyAccess policy grants read-only permissions to the resources and metadata in a collaboration.

This policy includes the following permissions:

  • CleanRoomsConsoleNavigation – Grants access to view the AWS Clean Rooms console screens.

  • CleanRoomsMLRead – Allows principals read-only access to the Clean Rooms ML service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsConsoleNavigation",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:GetCollaboration", "cleanrooms:GetConfiguredAudienceModelAssociation", "cleanrooms:GetMembership",
        "cleanrooms:ListAnalysisTemplates", "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations", "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships", "cleanrooms:ListProtectedQueries", "cleanrooms:ListSchemas", "cleanrooms:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CleanRoomsMLRead",
      "Effect": "Allow",
      "Action": [ "cleanrooms-ml:Get*", "cleanrooms-ml:List*" ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSCleanRoomsMLFullAccess

You can attach AWSCleanRoomsMLFullAccess to your IAM principals. This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata required by Clean Rooms ML.

Permissions details

This policy includes the following permissions:

  • CleanRoomsMLFullAccess – Grants access to all Clean Rooms ML actions.

  • PassServiceRole – Grants access to pass a service role to the service (PassedToService condition) that has "cleanrooms-ml" in its name.

  • CleanRoomsConsoleNavigation – Grants access to view the AWS Clean Rooms console screens.

  • CollaborationMembershipCheck – When you start an audience generation (lookalike segment) job within a collaboration, the Clean Rooms ML service calls ListMembers to check that the collaboration is valid, that the caller is an active member, and that the configured audience model owner is an active member. This permission is always required; the console navigation SID is only required for console users.

  • AssociateModels – Allows principals to associate a Clean Rooms ML model with a collaboration.

  • TagAssociations – Allows principals to add tags to the association between a lookalike model and a collaboration.

  • ListRolesToPickServiceRole – Allows principals to list all their roles so that they can pick a service role when using AWS Clean Rooms.

  • GetRoleAndListRolePoliciesToInspectServiceRole – Allows principals to see the service role and the corresponding policy in IAM.

  • ListPoliciesToInspectServiceRolePolicy – Allows principals to see the service role and the corresponding policy in IAM.

  • GetPolicyToInspectServiceRolePolicy – Allows principals to see the service role and the corresponding policy in IAM.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • ConsolePickOutputBucket – Allows principals to pick an Amazon S3 bucket for the configured audience model output.

  • ConsolePickS3Location – Allows principals to pick the location within the bucket for the configured audience model output.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsMLFullAccess",
      "Effect": "Allow",
      "Action": [ "cleanrooms-ml:*" ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::*:role/cleanrooms-ml*" ],
      "Condition": { "StringEquals": { "iam:PassedToService": "cleanrooms-ml.amazonaws.com" } }
    },
    {
      "Sid": "CleanRoomsConsoleNavigation",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:GetCollaboration", "cleanrooms:GetConfiguredAudienceModelAssociation", "cleanrooms:GetMembership",
        "cleanrooms:ListAnalysisTemplates", "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations", "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships", "cleanrooms:ListProtectedQueries", "cleanrooms:ListSchemas", "cleanrooms:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CollaborationMembershipCheck",
      "Effect": "Allow",
      "Action": [ "cleanrooms:ListMembers" ],
      "Resource": "*",
      "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "cleanrooms-ml.amazonaws.com" ] } }
    },
    {
      "Sid": "AssociateModels",
      "Effect": "Allow",
      "Action": [ "cleanrooms:CreateConfiguredAudienceModelAssociation" ],
      "Resource": "*"
    },
    {
      "Sid": "TagAssociations",
      "Effect": "Allow",
      "Action": [ "cleanrooms:TagResource" ],
      "Resource": "arn:aws:cleanrooms:*:*:membership/*/configuredaudiencemodelassociation/*"
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:ListRoles" ],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [ "iam:GetRole", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies" ],
      "Resource": [ "arn:aws:iam::*:role/service-role/cleanrooms-ml*", "arn:aws:iam::*:role/role/cleanrooms-ml*" ]
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [ "iam:ListPolicies" ],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": [ "iam:GetPolicy", "iam:GetPolicyVersion" ],
      "Resource": "arn:aws:iam::*:policy/*cleanroomsml*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:GetSchema", "glue:GetSchemaVersion", "glue:BatchGetPartition" ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickOutputBucket",
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets" ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickS3Location",
      "Effect": "Allow",
      "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
      "Resource": "arn:aws:s3:::*cleanrooms-ml*"
    }
  ]
}

AWS Clean Rooms updates to AWS managed policies

View details about updates to AWS managed policies for AWS Clean Rooms since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Clean Rooms Document history page.

| Change | Description | Date |
| --- | --- | --- |
| AWSCleanRoomsFullAccessNoQuerying – Update to an existing policy | Added cleanrooms:BatchGetSchemaAnalysisRule to CleanRoomsAccess. | May 13, 2024 |
| AWSCleanRoomsFullAccess – Update to an existing policy | Updated the statement ID in AWSCleanRoomsFullAccess from ConsolePickQueryResultsBucket to SetQueryResultsBucket to better represent the permission, because the permission is required to set the query results bucket with or without the console. | March 21, 2024 |
| AWSCleanRoomsMLReadOnlyAccess – New policy; AWSCleanRoomsMLFullAccess – New policy | Added AWSCleanRoomsMLReadOnlyAccess and AWSCleanRoomsMLFullAccess to support AWS Clean Rooms ML. | November 29, 2023 |
| AWSCleanRoomsFullAccessNoQuerying – Update to an existing policy | Added cleanrooms:CreateAnalysisTemplate, cleanrooms:GetAnalysisTemplate, cleanrooms:UpdateAnalysisTemplate, cleanrooms:DeleteAnalysisTemplate, cleanrooms:ListAnalysisTemplates, cleanrooms:GetCollaborationAnalysisTemplate, cleanrooms:BatchGetCollaborationAnalysisTemplate, and cleanrooms:ListCollaborationAnalysisTemplates to CleanRoomsAccess to enable the new analysis templates feature. | July 31, 2023 |
| AWSCleanRoomsFullAccessNoQuerying – Update to an existing policy | Added cleanrooms:ListTagsForResource, cleanrooms:UntagResource, and cleanrooms:TagResource to CleanRoomsAccess to enable resource tagging. | March 21, 2023 |
| AWS Clean Rooms started tracking changes | AWS Clean Rooms started tracking changes for its AWS managed policies. | January 12, 2023 |