This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.
When you create an index, a data source, or an FAQ, Amazon Kendra needs access to the AWS resources required to create that Amazon Kendra resource. You must create an AWS Identity and Access Management (IAM) policy before you create the Amazon Kendra resource. When you call the operation, you provide the Amazon Resource Name (ARN) of a role that has the policy attached. For example, if you call the BatchPutDocument API to add documents from an Amazon S3 bucket, you provide Amazon Kendra with a role whose policy grants access to that bucket.
You can create a new IAM role in the Amazon Kendra console, or choose an existing IAM role to use. The console lists roles whose name contains the string "kendra" or "Kendra".
The following topics provide details of the required policies. If you create the IAM role using the Amazon Kendra console, these policies are created for you.
Topics
IAM roles for indexes
When you create an index, you must provide an IAM role with permission to write to Amazon CloudWatch. You must also provide a trust policy that allows Amazon Kendra to assume the role. The following policies must be provided.
A role policy that allows Amazon Kendra to access CloudWatch Logs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "cloudwatch:PutMetricData",
"Resource": "*",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "AWS/Kendra"
}
}
},
{
"Effect": "Allow",
"Action": "logs:DescribeLogGroups",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
}
]
}
A role policy that allows Amazon Kendra to access AWS Secrets Manager. If you use user context with Secrets Manager as the key location, you can use the following policy.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":"cloudwatch:PutMetricData",
"Resource":"*",
"Condition":{
"StringEquals":{
"cloudwatch:namespace":"AWS/Kendra"
}
}
},
{
"Effect":"Allow",
"Action":"logs:DescribeLogGroups",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"logs:CreateLogGroup",
"Resource":"arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
},
{
"Effect":"Allow",
"Action":[
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource":"arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
},
{
"Effect":"Allow",
"Action":[
"secretsmanager:GetSecretValue"
],
"Resource":[
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect":"Allow",
"Action":[
"kms:Decrypt"
],
"Resource":[
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition":{
"StringLike":{
"kms:ViaService":[
"secretsmanager.your-region.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for the BatchPutDocument API
Warning
Amazon Kendra does not use bucket policies that grant permissions to an Amazon Kendra principal to interact with an S3 bucket; it uses IAM roles instead. Make sure that Amazon Kendra is not listed as a trusted member in your bucket policy, to avoid the data security problems that arise from accidentally granting permissions to arbitrary principals. You can, however, add a bucket policy to use an Amazon S3 bucket across different accounts. For more information, see Policies for using Amazon S3 across accounts. For information about IAM roles for the S3 data source, see IAM roles.
When you use the BatchPutDocument API to index documents in an Amazon S3 bucket, you must provide Amazon Kendra with an IAM role that has access to the bucket. You must also provide a trust policy that allows Amazon Kendra to assume that role. If the documents in the bucket are encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt them.
A required role policy that allows Amazon Kendra to access the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
We recommend that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that the aws:sourceAccount and aws:sourceArn match those provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from accessing your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index/*"
}
}
}
]
}
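The Python script below is an added example; it is not part of the Amazon Kendra documentation or of any AWS tooling. It builds the guarded trust policy shown above from an account ID and Region, and checks an arbitrary trust policy for the aws:SourceAccount and aws:SourceArn guard recommended here, so a role can be reviewed before it is handed to Amazon Kendra. The account ID 123456789012, the Region us-east-1, and the standard aws partition are constructed sample values.

```python
"""Check a Kendra trust policy for the aws:SourceAccount / aws:SourceArn guard."""

# Constructed sample values (not from the page); substitute your own.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"


def _as_list(value):
    # IAM lets most fields be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _condition_value(condition, key):
    # Look the key up under every operator; IAM condition keys are case-insensitive,
    # so aws:sourceArn (as written in the text) and aws:SourceArn are the same key.
    for values in condition.values():
        for k, v in values.items():
            if k.lower() == key.lower():
                return v
    return None


def guarded_trust_policy(account_id, region):
    """The trust policy shown above, with the two source conditions filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": ["kendra.amazonaws.com"]},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "StringLike": {
                        "aws:SourceArn": f"arn:aws:kendra:{region}:{account_id}:index/*"
                    },
                },
            }
        ],
    }


# The minimal trust policy shown earlier on the page: valid, but with no source guard.
UNGUARDED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "kendra.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def confused_deputy_findings(trust_policy, account_id):
    """Findings for each statement that lets kendra.amazonaws.com assume the role.

    An empty list means every such statement is pinned to Kendra indexes in
    `account_id` (assumes the standard "aws" partition).
    """
    findings = []
    for i, st in enumerate(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "kendra.amazonaws.com" not in services:
            continue
        condition = st.get("Condition", {})
        source_account = _condition_value(condition, "aws:SourceAccount")
        source_arns = _as_list(_condition_value(condition, "aws:SourceArn") or [])
        if source_account is None:
            findings.append(f"statement {i}: no aws:SourceAccount condition")
        elif account_id not in _as_list(source_account):
            findings.append(f"statement {i}: aws:SourceAccount does not name account {account_id}")
        if not source_arns:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        elif not all(
            arn.startswith("arn:aws:kendra:") and f":{account_id}:index/" in arn
            for arn in source_arns
        ):
            findings.append(f"statement {i}: aws:SourceArn is not limited to this account's indexes")
    return findings


if __name__ == "__main__":
    print("guarded:", confused_deputy_findings(guarded_trust_policy(ACCOUNT_ID, REGION), ACCOUNT_ID))
    print("unguarded:", confused_deputy_findings(UNGUARDED_TRUST_POLICY, ACCOUNT_ID))
```

Run against the unguarded trust policy from earlier on this page, the checker reports the two missing conditions; against the guarded policy it reports nothing. A trust policy whose conditions name a different account is flagged as well, which catches a policy copied between accounts without updating the IDs.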
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
IAM roles for data sources
When you use the CreateDataSource API, you must provide Amazon Kendra with an IAM role that has permission to access the resources. The specific permissions required depend on the data source.
When you use Adobe Experience Manager, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to Adobe Experience Manager.
- Permission to call the public APIs required by the Adobe Experience Manager connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Adobe Experience Manager data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
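The data-source role policies on this page (Adobe Experience Manager above and the connectors that follow) share the same statements and the same {{your-region}} and [[secret-id]] style placeholders, and the two failure modes a reviewer meets most often are placeholders left unfilled and a grant that is broader than the template. The Python script below is an added example, not part of the Amazon Kendra documentation or of any AWS tooling: it fills the placeholders in the Adobe Experience Manager template and then lints the result, reporting placeholders that were left in, kms:Decrypt grants that lack the kms:ViaService restriction, and kendra, KMS or Secrets Manager actions allowed on Resource "*". The Region, account ID, secret, key and index IDs in VALUES are constructed sample values.

```python
"""Fill and lint a Kendra data-source role policy template."""
import json
import re

# The placeholder styles used in the policy templates on this page.
PLACEHOLDER_RE = re.compile(r"\{\{[^{}]*\}\}|\[\[[^\[\]]*\]\]|\$[A-Za-z][\w-]*")

# The Adobe Experience Manager role policy above, as a template string.
AEM_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": ["arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": ["arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"],
     "Condition": {"StringLike": {"kms:ViaService": ["secretsmanager.{{your-region}}.amazonaws.com"]}}},
    {"Effect": "Allow",
     "Action": ["kendra:PutPrincipalMapping", "kendra:DeletePrincipalMapping",
                "kendra:ListGroupsOlderThanOrderingId", "kendra:DescribePrincipalMapping"],
     "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
                  "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]},
    {"Effect": "Allow", "Action": ["kendra:BatchPutDocument", "kendra:BatchDeleteDocument"],
     "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"}
  ]
}"""

# Constructed sample values (not from the page); substitute your own.
VALUES = {
    "your-region": "us-east-1",
    "your-account-id": "123456789012",
    "secret-id": "kendra-aem-credentials-AbCdEf",
    "key-id": "11111111-2222-3333-4444-555555555555",
    "index-id": "0123abcd-4567-89ef-example-index",
}

# A deliberately weak policy (constructed), to show what the linter reports.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kendra:BatchPutDocument"], "Resource": "*"},
    ],
}


def render_template(template_text, values):
    """Replace {{name}}, [[name]] and $name placeholders; unknown names are left as-is."""
    def substitute(match):
        name = match.group(0).strip("{}[]$")
        return values.get(name, match.group(0))
    return PLACEHOLDER_RE.sub(substitute, template_text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_value(condition, key):
    # IAM condition keys are case-insensitive; search every operator block.
    for values in condition.values():
        for k, v in values.items():
            if k.lower() == key.lower():
                return v
    return None


def lint_kendra_role_policy(policy):
    """Return review findings for a Kendra role policy; an empty list means none."""
    findings = []
    leftovers = sorted({m.group(0) for m in PLACEHOLDER_RE.finditer(json.dumps(policy))})
    findings.extend(f"unfilled placeholder {token}" for token in leftovers)
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        condition = st.get("Condition", {})
        if any(a in ("kms:Decrypt", "kms:*") for a in actions) and \
                _condition_value(condition, "kms:ViaService") is None:
            findings.append(f"statement {i}: kms:Decrypt is not restricted with kms:ViaService")
        for a in actions:
            if a.startswith(("kendra:", "kms:", "secretsmanager:")) and "*" in resources:
                findings.append(f"statement {i}: {a} is allowed on Resource \"*\"")
    return findings


def rendered_policy():
    return json.loads(render_template(AEM_TEMPLATE, VALUES))


def template_policy():
    # The template parsed as-is: placeholders are still inside the JSON strings.
    return json.loads(AEM_TEMPLATE)


if __name__ == "__main__":
    print("rendered:", lint_kendra_role_policy(rendered_policy()))
    print("template:", lint_kendra_role_policy(template_policy()))
    print("weak:", lint_kendra_role_policy(WEAK_POLICY))
```

The kms:ViaService check reports a review item rather than a hard failure: the optional AWS KMS policies for Amazon S3 documents further down this page grant kms:Decrypt on the key without that condition. The linter applies unchanged to the Alfresco, Aurora, Amazon RDS, Box and Dropbox policies below, since they use the same statement shapes and placeholders.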
When you use Alfresco, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to Alfresco.
- Permission to call the public APIs required by the Alfresco connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Alfresco data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Aurora (MySQL), you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to Aurora (MySQL).
- Permission to call the public APIs required by the Aurora (MySQL) connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Aurora (MySQL) data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Aurora (PostgreSQL), you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to Aurora (PostgreSQL).
- Permission to call the public APIs required by the Aurora (PostgreSQL) connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Aurora (PostgreSQL) data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Amazon FSx, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to the Amazon FSx file system.
- Permission to access the Amazon Virtual Private Cloud (VPC) in which your Amazon FSx file system resides.
- Permission to get the Active Directory domain name of your Amazon FSx file system.
- Permission to call the public APIs required by the Amazon FSx connector.
- Permission to call the BatchPutDocument and BatchDeleteDocument APIs to update the index.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:{{secret-id}}"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/{{key-id}}"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action":[
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "kendra.*.amazonaws.com"
},
"ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
}
}
},
{
"Sid": "AllowsKendraToGetDomainNameOfActiveDirectory",
"Effect": "Allow",
"Action": "ds:DescribeDirectories",
"Resource": "*"
},
{
"Sid": "AllowsKendraToCallRequiredFsxAPIs",
"Effect": "Allow",
"Action": [
"fsx:DescribeFileSystems"
],
"Resource": "*"
},
{
"Sid": "iamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"kendra.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a database as a data source, you provide Amazon Kendra with a role that has the permissions required to connect to it. These include:
- Permission to access the AWS Secrets Manager secret that contains the user name and password for the site. For more information about the contents of the secret, see the data source.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
- Permission to access the Amazon S3 bucket that contains the SSL certificate used to communicate with the site.
Note
You can connect your database data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
There are two optional policies that you can use with the data source.
If you have encrypted the Amazon S3 bucket that contains the SSL certificate used to communicate with the site, provide a policy that grants Amazon Kendra access to the key.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
If you are using a VPC, provide a policy that allows Amazon Kendra to access the required resources. See IAM roles for data sources (VPC) for the required policies.
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (Microsoft SQL Server) data source connector, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to the Amazon RDS (Microsoft SQL Server) data source instance.
- Permission to call the public APIs required by the Amazon RDS (Microsoft SQL Server) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (Microsoft SQL Server) data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (MySQL) data source connector, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to the Amazon RDS (MySQL) data source instance.
- Permission to call the public APIs required by the Amazon RDS (MySQL) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (MySQL) data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (Oracle) data source connector, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to the Amazon RDS (Oracle) data source instance.
- Permission to call the public APIs required by the Amazon RDS (Oracle) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (Oracle) data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (PostgreSQL) data source connector, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to the Amazon RDS (PostgreSQL) data source instance.
- Permission to call the public APIs required by the Amazon RDS (PostgreSQL) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (PostgreSQL) data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
Warning
Amazon Kendra does not use bucket policies that grant permissions to an Amazon Kendra principal to interact with an S3 bucket; it uses IAM roles instead. Make sure that Amazon Kendra is not listed as a trusted member in your bucket policy, to avoid the data security problems that arise from accidentally granting permissions to arbitrary principals. You can, however, add a bucket policy to use an Amazon S3 bucket across different accounts. For more information, see Policies for using Amazon S3 across accounts (further down this page).
When you use an Amazon S3 bucket as a data source, you provide a role that has permission to access the bucket and to use the BatchPutDocument and BatchDeleteDocument operations. If the documents in the Amazon S3 bucket are encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt them.
The role policy below must be accompanied by a trust policy that allows Amazon Kendra to assume the role; that trust policy is shown further down.
A required role policy that allows Amazon Kendra to use the Amazon S3 bucket as a data source.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
An optional role policy that allows Amazon Kendra to access the Amazon S3 bucket when using Amazon VPC, without enabling AWS KMS or sharing AWS KMS permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]",
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:security-group/[[security-group]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_{{your-account-id}}_{{index-id}}_{{data-source-id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "kendra.amazonaws.com"
},
"ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": [
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}
]
}
An optional role policy that allows Amazon Kendra to access the Amazon S3 bucket when using Amazon VPC, with AWS KMS permissions enabled.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/{{key-id}}"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"s3.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]",
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:security-group/[[security-group]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_{{your-account-id}}_{{index-id}}_{{data-source-id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "kendra.amazonaws.com"
},
"ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": [
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
Policies for using Amazon S3 across accounts
If your Amazon S3 bucket is in a different account from the one you use for your Amazon Kendra index, you can create policies to use it across accounts.
A role policy for using the bucket as a data source when the Amazon S3 bucket is in a different account from your Amazon Kendra index. Note that s3:PutObject and s3:PutObjectAcl are optional; use them if you want to include a configuration file for access control lists.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::$bucket-in-other-account/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::$bucket-in-other-account"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:$your-region:$your-account-id:index/$index-id"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::$bucket-in-other-account/*"
}
]
}
An Amazon S3 bucket policy that allows the Amazon S3 data source role to access the bucket across accounts. Note that s3:PutObject and s3:PutObjectAcl are optional; use them if you want to include a configuration file for access control lists.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "$kendra-s3-connector-role-arn"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::$bucket-in-other-account/*"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": "$kendra-s3-connector-role-arn"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::$bucket-in-other-account"
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
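Cross-account access to the bucket works only when both sides agree: the data source role's own policy must allow the S3 actions, and the bucket policy in the other account must grant the same actions to that role. The Python script below is an added example, not part of the Amazon Kendra documentation or of any AWS tooling. It encodes the role policy and bucket policy above with the placeholders filled in (the bucket name, role ARN and index ARN are constructed sample values) and reports any S3 grant in the role policy that the bucket policy does not also extend to the role, as well as any statement that opens the bucket to an arbitrary principal, which the warning earlier on this page advises against.

```python
"""Check that a cross-account S3 role policy and bucket policy agree."""
import fnmatch

# Constructed sample values (not from the page); substitute your own.
BUCKET_ARN = "arn:aws:s3:::docs-bucket-in-other-account"
ROLE_ARN = "arn:aws:iam::123456789012:role/kendra-s3-connector-role"
INDEX_ARN = "arn:aws:kendra:us-east-1:123456789012:index/0123abcd-example-index"

# Identity-based policy on the Kendra data source role (the role policy above, filled in).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [f"{BUCKET_ARN}/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
        {"Effect": "Allow", "Action": ["kendra:BatchPutDocument", "kendra:BatchDeleteDocument"],
         "Resource": [INDEX_ARN]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"{BUCKET_ARN}/*"},
    ],
}

# Resource-based policy on the bucket in the other account (the bucket policy above, filled in).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": [f"{BUCKET_ARN}/*"]},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    ],
}

# The same bucket policy with the ListBucket statement forgotten: a common misconfiguration.
INCOMPLETE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": BUCKET_POLICY["Statement"][:1]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    # Principal may be "*", {"AWS": "..."} or {"AWS": [...]}; return the AWS principals as a list.
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)


def _s3_grants(policy, principal=None):
    """(action, resource) pairs the policy allows; for a bucket policy, only those granted to `principal`."""
    grants = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if principal is not None and principal not in _principals(st):
            continue
        for action in _as_list(st.get("Action", [])):
            if action.startswith("s3:"):
                for resource in _as_list(st.get("Resource", [])):
                    grants.add((action, resource))
    return grants


def _covered(grant, granted):
    # A role-side grant is covered if some bucket-side grant matches it, honouring '*' wildcards.
    action, resource = grant
    return any(fnmatch.fnmatchcase(action, a) and fnmatch.fnmatchcase(resource, r)
               for a, r in granted)


def cross_account_gaps(role_policy, bucket_policy, role_arn):
    """S3 grants in the role policy that the bucket policy does not also extend to role_arn.

    Cross-account S3 access needs both the identity-based and the resource-based
    allow; anything returned here is denied at request time.
    """
    granted = _s3_grants(bucket_policy, principal=role_arn)
    return sorted(g for g in _s3_grants(role_policy) if not _covered(g, granted))


def open_principals(bucket_policy):
    """Indexes of Allow statements whose principal is '*', i.e. open to arbitrary principals."""
    return [i for i, st in enumerate(bucket_policy.get("Statement", []))
            if st.get("Effect") == "Allow" and "*" in _principals(st)]


if __name__ == "__main__":
    print("complete pair:", cross_account_gaps(ROLE_POLICY, BUCKET_POLICY, ROLE_ARN))
    print("missing ListBucket:", cross_account_gaps(ROLE_POLICY, INCOMPLETE_BUCKET_POLICY, ROLE_ARN))
    print("open principals:", open_principals(BUCKET_POLICY))
```

With the complete pair the gap list is empty; with the ListBucket statement dropped from the bucket policy the checker names the exact (action, resource) pair that the data source role would be denied, which is the symptom that otherwise surfaces only as a failed sync. Note that s3:ListBucket is checked against the bucket ARN itself, while the object actions are checked against the bucket ARN followed by /*.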
When you use Amazon Kendra Web Crawler, you provide the role with the following policies:
- Permission to access the AWS Secrets Manager secret that contains the credentials for connecting to websites or a web proxy server protected by basic authentication. For more information about the contents of the secret, see Using a web crawler data source.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
- If you use an Amazon S3 bucket to store the list of seed URLs or sitemaps, permission to access that Amazon S3 bucket.
Note
You can connect your Amazon Kendra Web Crawler data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
If you store your seed URLs or sitemaps in an Amazon S3 bucket, you must add this statement to the Statement array of the role policy.
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Box, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret used to authenticate to Slack.
- Permission to call the public APIs required by the Box connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Box data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Confluence server as a data source, you provide the role with the following policies:
- Permission to access the AWS Secrets Manager secret that contains the credentials required to connect to Confluence. For more information about the contents of the secret, see Confluence data sources.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
Note
You can connect your Confluence data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
If you are using a VPC, provide a policy that allows Amazon Kendra to access the required resources. See IAM roles for data sources (VPC) for the required policies.
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
For a Confluence connector v2.0 data source, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret that contains the Confluence authentication credentials. For more information about the contents of the secret, see Confluence data sources.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by AWS Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
You must also attach a trust policy that allows Amazon Kendra to assume the role.
Note
You can connect your Confluence data source to Amazon Kendra through Amazon VPC. If you use Amazon VPC, you need to add additional permissions.
A role policy that allows Amazon Kendra to connect to Confluence.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id",
"arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/*"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}
]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
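The two Confluence policies above (the server data source and the connector v2.0 data source) follow the pattern that recurs for every connector on this page: a fully qualified Secrets Manager ARN, a kms:Decrypt grant conditioned on kms:ViaService, the index ARN for the BatchPutDocument and BatchDeleteDocument APIs, and for v2.0 the principal mapping APIs scoped to the index and its data sources. The following Python script is an added example, not code from the AWS documentation or from the Kendra service: it renders that role policy and trust policy from parameters and audits the result for the mistakes that most often creep in (placeholders left unreplaced, wildcard resources, a kms:Decrypt grant without a kms:ViaService condition, a trust policy whose principal is anything other than kendra.amazonaws.com). All function names and the sample region, account, secret, key and index identifiers are constructed for the example.

```python
import json
import re

# Constructed sample values for a fictitious account; they stand in for the
# your-region / your-account-id / secret-id / key-id / index-id placeholders.
SAMPLE = {
    "region": "us-east-1",
    "account_id": "111122223333",
    "secret_id": "AmazonKendra-Confluence-creds-AbCdEf",
    "key_id": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "index_id": "0123abcd-4567-89ef-0123-456789abcdef",
}

PRINCIPAL_MAPPING_ACTIONS = [
    "kendra:PutPrincipalMapping",
    "kendra:DeletePrincipalMapping",
    "kendra:ListGroupsOlderThanOrderingId",
    "kendra:DescribePrincipalMapping",
]


def data_source_role_policy(region, account_id, secret_id, key_id, index_id,
                            principal_mapping=True):
    """Render the data source role policy with every ARN fully qualified."""
    index_arn = f"arn:aws:kendra:{region}:{account_id}:index/{index_id}"
    statements = [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_id}"],
        },
        {
            # Decrypt only when the call is made on behalf of Secrets Manager.
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [f"arn:aws:kms:{region}:{account_id}:key/{key_id}"],
            "Condition": {"StringLike": {"kms:ViaService": [f"secretsmanager.{region}.amazonaws.com"]}},
        },
    ]
    if principal_mapping:  # connector v2.0 style: user/group mapping APIs
        statements.append({
            "Effect": "Allow",
            "Action": PRINCIPAL_MAPPING_ACTIONS,
            "Resource": [index_arn, f"{index_arn}/data-source/*"],
        })
    statements.append({
        "Effect": "Allow",
        "Action": ["kendra:BatchPutDocument", "kendra:BatchDeleteDocument"],
        "Resource": index_arn,
    })
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy():
    """The trust policy shown on this page: only the Kendra service may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "kendra.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


# Placeholder spellings used on this page; any of them left in an ARN means the
# policy was copied without being filled in.
PLACEHOLDER = re.compile(r"\{\{|\[\[|your-region|your-account-id|\bsecret-id\b|\bkey-id\b|\bindex-id\b")


def audit_role_policy(policy):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions = _as_list(st["Action"])
        for arn in _as_list(st["Resource"]):
            if arn == "*":
                findings.append(f"statement {i}: wildcard resource for {actions}")
            elif PLACEHOLDER.search(arn):
                findings.append(f"statement {i}: unreplaced placeholder in {arn}")
        if "kms:Decrypt" in actions:
            via = st.get("Condition", {}).get("StringLike", {}).get("kms:ViaService")
            if not via:
                findings.append(f"statement {i}: kms:Decrypt not restricted with kms:ViaService")
    return findings


def audit_trust_policy(policy):
    """Flag any trust statement that lets something other than Kendra assume the role."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Principal") != {"Service": "kendra.amazonaws.com"}:
            findings.append(f"statement {i}: principal is not kendra.amazonaws.com")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: action is not sts:AssumeRole")
    return findings


if __name__ == "__main__":
    policy = data_source_role_policy(**SAMPLE)
    print(json.dumps(policy, indent=2))
    print("role policy findings:", audit_role_policy(policy))
    print("trust policy findings:", audit_trust_policy(trust_policy()))
```

Run the audit against a policy rendered with the page's literal placeholders and every ARN is reported, which is the point: the JSON on this page is a template, and a role created from it unmodified grants nothing usable while still looking well-formed. Pass principal_mapping=False to render the three-statement shape used by the server data source.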
When you use Dropbox, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Dropbox.
- Permission to call the required public APIs for the Dropbox connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Dropbox data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {"StringLike": {"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Drupal, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Drupal.
- Permission to call the required public APIs for the Drupal connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DescribePrincipalMapping, DeletePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Drupal data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use GitHub, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your GitHub.
- Permission to call the required public APIs for the GitHub connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DescribePrincipalMapping, DeletePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your GitHub data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Gmail, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Gmail.
- Permission to call the required public APIs for the Gmail connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DescribePrincipalMapping, DeletePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Gmail data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {"StringLike": {"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Google Workspace Drive data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
- Permission to get and decrypt the AWS Secrets Manager secret that contains the client account email, admin account email, and private key required to connect to the Google Drive site. For more information about the contents of the secret, see Google Drive data source.
- Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect your Google Drive data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the IBM DB2 data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your IBM DB2 data source instance.
- Permission to call the required public APIs for the IBM DB2 data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DescribePrincipalMapping, DeletePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your IBM DB2 data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Jira, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Jira.
- Permission to call the required public APIs for the Jira connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DescribePrincipalMapping, DeletePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Jira data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft Exchange data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
- Permission to get and decrypt the AWS Secrets Manager secret that contains the application ID and secret key required to connect to the Microsoft Exchange site. For more information about the contents of the secret, see Microsoft Exchange data source.
- Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect your Microsoft Exchange data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
If you store the list of users to index in an Amazon S3 bucket, you must also provide permission to use the S3 GetObject operation. The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/[[key-ids]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com",
"s3.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft OneDrive data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
- Permission to get and decrypt the AWS Secrets Manager secret that contains the application ID and secret key required to connect to the OneDrive site. For more information about the contents of the secret, see Microsoft OneDrive data source.
- Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect your Microsoft OneDrive data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
If you store the list of users to index in an Amazon S3 bucket, you must also provide permission to use the S3 GetObject operation. The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/[[key-ids]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com",
"s3.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
For Microsoft SharePoint connector v1.0 data sources, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret that contains the user name and password for the SharePoint site. For more information about the contents of the secret, see Microsoft SharePoint data source.
- Permission to use your AWS KMS customer master key (CMK) to decrypt the user name and password secret stored in AWS Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
- Permission to access the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site.
You must also attach a trust policy that allows Amazon Kendra to assume the role.
Note
You can connect your Microsoft SharePoint data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"kendra.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
If you encrypted the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site, provide a policy that grants Amazon Kendra access to the key.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
For Microsoft SharePoint connector v2.0 data sources, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret that contains the authentication credentials for the SharePoint site. For more information about the contents of the secret, see Microsoft SharePoint data source.
- Permission to use your AWS KMS customer master key (CMK) to decrypt the user name and password secret stored in AWS Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
- Permission to access the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site.
You must also attach a trust policy that allows Amazon Kendra to assume the role.
Note
You can connect your Microsoft SharePoint data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id",
"arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/*"
]
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/key-name"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:your-region:your-account-id:subnet/subnet-ids",
"arn:aws:ec2:your-region:your-account-id:security-group/security-group"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_your-account-id_index-id_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/AWS_KENDRA": "kendra_your-account-id_index-id_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
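The EC2 statements in the SharePoint v2.0 policy above are the VPC permissions the note refers to, and they are deliberately narrow: the role may create a network interface only when the request tags it AWS_KENDRA=kendra_your-account-id_index-id_*, may tag an interface only as part of the same CreateNetworkInterface call, and may grant interface permissions only on interfaces that already carry that tag, so one index's role cannot reuse or re-permission another index's interfaces. The following Python script is an added example, not part of the AWS documentation: it models how IAM evaluates those three tag conditions (StringLike, where * matches any run of characters and ? a single character) against sample requests, so you can see which calls the policy admits and which fall through to the default deny. The function names and the sample account and index identifiers are constructed for the example.

```python
import re

# Constructed sample identifiers (not real account data).
ACCOUNT_ID = "111122223333"
INDEX_ID = "0123abcd-4567-89ef-0123-456789abcdef"


def string_like(pattern, value):
    """IAM StringLike: case-sensitive match where * is any run and ? one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def kendra_eni_tag_pattern(account_id, index_id):
    """The AWS_KENDRA tag value pattern the policy expects on Kendra-owned interfaces."""
    return f"kendra_{account_id}_{index_id}_*"


def eni_statement_allows(action, account_id, index_id, request_tags=None,
                         resource_tags=None, create_action=None):
    """Evaluate the three tag-scoped EC2 statements for a network-interface/* resource.

    request_tags  - tags supplied on the API call (aws:RequestTag/...)
    resource_tags - tags already on the interface (aws:ResourceTag/...)
    create_action - the ec2:CreateAction context key, set by EC2 when tags are
                    applied as part of a create call
    Returns True only when one of the statements would allow the call; IAM's
    default is deny, so every other case returns False.
    """
    request_tags = request_tags or {}
    resource_tags = resource_tags or {}
    pattern = kendra_eni_tag_pattern(account_id, index_id)

    if action == "ec2:CreateNetworkInterface":
        # Statement with StringLike on aws:RequestTag/AWS_KENDRA.
        tag = request_tags.get("AWS_KENDRA")
        return tag is not None and string_like(pattern, tag)
    if action == "ec2:CreateTags":
        # Statement with StringEquals on ec2:CreateAction.
        return create_action == "CreateNetworkInterface"
    if action == "ec2:CreateNetworkInterfacePermission":
        # Statement with StringLike on aws:ResourceTag/AWS_KENDRA.
        tag = resource_tags.get("AWS_KENDRA")
        return tag is not None and string_like(pattern, tag)
    return False  # no statement covers this action on network-interface/*


if __name__ == "__main__":
    own_tag = f"kendra_{ACCOUNT_ID}_{INDEX_ID}_0"
    foreign_tag = f"kendra_999999999999_{INDEX_ID}_0"
    print("create, correctly tagged:", eni_statement_allows(
        "ec2:CreateNetworkInterface", ACCOUNT_ID, INDEX_ID, request_tags={"AWS_KENDRA": own_tag}))
    print("create, tagged for another account:", eni_statement_allows(
        "ec2:CreateNetworkInterface", ACCOUNT_ID, INDEX_ID, request_tags={"AWS_KENDRA": foreign_tag}))
    print("permission on untagged interface:", eni_statement_allows(
        "ec2:CreateNetworkInterfacePermission", ACCOUNT_ID, INDEX_ID, resource_tags={}))
```

The subnet and security-group statement that precedes these in the policy has no condition and is not modelled here; it is what lets the create call name a subnet at all, while the tag conditions decide whether the resulting interface may be created, tagged and shared.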
If you encrypted the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site, provide a policy that grants Amazon Kendra access to the key.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Microsoft SQL Server, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Microsoft SQL Server instance.
- Permission to call the required public APIs for the Microsoft SQL Server connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DescribePrincipalMapping, DeletePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Microsoft SQL Server data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft Teams data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
- Permission to get and decrypt the AWS Secrets Manager secret that contains the client ID and client secret required to connect to Microsoft Teams. For more information about the contents of the secret, see Microsoft Teams data source.
Note
You can connect your Microsoft Teams data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft Yammer data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
- Permission to get and decrypt the AWS Secrets Manager secret that contains the application ID and secret key required to connect to the Microsoft Yammer site. For more information about the contents of the secret, see Microsoft Yammer data source.
- Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect your Microsoft Yammer data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
If you store the list of users to index in an Amazon S3 bucket, you must also provide permission to use the S3 GetObject operation. The following IAM policy provides the required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/[[key-ids]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com",
"s3.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the MySQL data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your MySQL data source instance.
- Permission to call the required public APIs for the MySQL data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your MySQL data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Oracle data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Oracle data source instance.
- Permission to call the required public APIs for the Oracle data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Oracle data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the PostgreSQL data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your PostgreSQL data source instance.
- Permission to call the required public APIs for the PostgreSQL data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your PostgreSQL data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Quip, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Quip.
- Permission to call the required public APIs for the Quip connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Quip data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Salesforce as a data source, you provide the role with the following policies:
- Permission to access the AWS Secrets Manager secret that contains the user name and password for the Salesforce site. For more information about the contents of the secret, see Salesforce data source.
- Permission to use your AWS KMS customer master key (CMK) to decrypt the user name and password secret stored in Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
Note
You can connect your Salesforce data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use ServiceNow as a data source, you provide the role with the following policies:
- Permission to access the Secrets Manager secret that contains the user name and password for the ServiceNow site. For more information about the contents of the secret, see ServiceNow data source.
- Permission to use your AWS KMS customer master key (CMK) to decrypt the user name and password secret stored in Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
Note
You can connect your ServiceNow data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy to allow Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Slack, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate your Slack.
- Permission to call the required public APIs for the Slack connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Slack data source to Amazon Kendra through Amazon VPC. If you are using an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Zendesk, you provide the role with the following policies.
- Permission to access the AWS Secrets Manager secret to authenticate your Zendesk suite.
- Permission to call the public APIs required by the Zendesk connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect a Zendesk data source to Amazon Kendra through Amazon VPC. If you are using Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for virtual private clouds (VPCs)
If you use a virtual private cloud (VPC) to connect to a data source, you must provide the following additional permissions.
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
"arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_{{account_id}}_{{index_id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/AWS_KENDRA": "kendra_{{account_id}}_{{index_id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for frequently asked questions (FAQs)
When you use the CreateFaq API to load questions and answers into an index, you must provide Amazon Kendra with an IAM role that has access to the Amazon S3 bucket that contains the source files. If the source files are encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt the files.
A required role policy that allows Amazon Kendra to access the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name
/*"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt files in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region
:your-account-id
:key/key-id
"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"kendra.your-region
.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for query suggestions
When you use an Amazon S3 file as a query suggestions block list, you provide a role that has permission to access the Amazon S3 file and the Amazon S3 bucket. If the block list text file (the Amazon S3 file) in the Amazon S3 bucket is encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt the document.
A required role policy that allows Amazon Kendra to use an Amazon S3 file as a query suggestions block list.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name
/*"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region
:your-account-id
:key/key-id
"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for user and group principal mapping
When you use the PutPrincipalMapping API to map users to their groups so that search results are filtered by user context, you need to provide a list of the users or sub groups that belong to a group. If your list is more than 1000 users or groups, you need to provide a role that has permission to access the Amazon S3 file of the list and the Amazon S3 bucket. If the text file of the list (the Amazon S3 file) in the Amazon S3 bucket is encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt the document.
A required role policy that allows Amazon Kendra to use an Amazon S3 file as the list of users and sub groups that belong to a group.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name
/*"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region
:your-account-id
:key/key-id
"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
We recommend that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from getting access to your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id
"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region
:your-account-id
:index-id
/*"
}
}
}
]
}
IAM roles for AWS IAM Identity Center
When you use the UserGroupResolutionConfiguration object to fetch the access levels of groups and users from an AWS IAM Identity Center identity source, you need to provide a role that has permission to access IAM Identity Center.
A required role policy that allows Amazon Kendra to access IAM Identity Center.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sso-directory:SearchUsers",
"sso-directory:ListGroupsForUser",
"sso-directory:DescribeGroups",
"sso:ListDirectoryAssociations"
],
"Resource": [
"*"
]
},
{
"Sid": "iamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"kendra.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for Amazon Kendra experiences
When you use the CreateExperience or UpdateExperience APIs to create or update a search application, you must provide a role that has permission to access the required operations and IAM Identity Center.
A required role policy that allows Amazon Kendra to access the Query operation, the QuerySuggestions operation, the SubmitFeedback operation, and IAM Identity Center, which stores your user and group information.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowsKendraSearchAppToCallKendraApi",
"Effect": "Allow",
"Action": [
"kendra:GetQuerySuggestions",
"kendra:Query",
"kendra:DescribeIndex",
"kendra:ListFaqs",
"kendra:DescribeDataSource",
"kendra:ListDataSources",
"kendra:DescribeFaq",
"kendra:SubmitFeedback"
],
"Resource": [
"arn:aws:kendra:your-region
:your-account-id
:index/index-id
"
]
},
{
"Sid": "AllowKendraSearchAppToDescribeDataSourcesAndFaq",
"Effect": "Allow",
"Action": [
"kendra:DescribeDataSource",
"kendra:DescribeFaq"
],
"Resource": [
"arn:aws:kendra:your-region
:your-account-id
:index/index-id
/data-source/data-source-id
",
"arn:aws:kendra:your-region
:your-account-id
:index/index-id
/faq/faq-id
"
]
},
{
"Sid": "AllowKendraSearchAppToCallSSODescribeUsersAndGroups",
"Effect": "Allow",
"Action": [
"sso-directory:ListGroupsForUser",
"sso-directory:SearchGroups",
"sso-directory:SearchUsers",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"sso-directory:DescribeGroups",
"sso-directory:DescribeUsers",
"sso:ListDirectoryAssociations"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"kendra.your-region
.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
We recommend that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from getting access to your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id
"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region
:your-account-id
:index-id
/*"
}
}
}
]
}
IAM roles for custom document enrichment
When you use the CustomDocumentEnrichmentConfiguration object to apply advanced alterations to your document metadata and content, you must provide a role that has the permissions required to run PreExtractionHookConfiguration and/or PostExtractionHookConfiguration. You configure a Lambda function for PreExtractionHookConfiguration and/or PostExtractionHookConfiguration to apply advanced alterations to your document metadata and content during the ingestion process. If you choose to enable server-side encryption for your Amazon S3 bucket, you must provide permission to use the AWS KMS customer master key (CMK) to encrypt and decrypt the objects stored in your Amazon S3 bucket.
A required role policy that allows Amazon Kendra to run PreExtractionHookConfiguration and PostExtractionHookConfiguration with encryption for your Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name
/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name
"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:your-region
:your-account-id
:key/key-id
"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:your-region
:your-account-id
:function:lambda-function
"
}]
}
An optional role policy that allows Amazon Kendra to run PreExtractionHookConfiguration and PostExtractionHookConfiguration without encryption for your Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name
/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name
"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:your-region
:your-account-id
:function:lambda-function
"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
We recommend that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from getting access to your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id
"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region
:your-account-id
:index-id
/*"
}
}
}
]
}
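The confused deputy recommendation repeated above for each trust policy on this page can be checked mechanically. The following Python is an added example, not part of the Amazon Kendra documentation: it builds the hardened trust policy from an account ID and Region and audits a trust policy for the aws:SourceAccount and aws:SourceArn conditions. The sample account ID and Region used with it are constructed placeholders.

```python
import json

KENDRA_SERVICE = "kendra.amazonaws.com"

# Constructed sample: the plain trust policy shown on this page, which has
# no aws:SourceAccount / aws:SourceArn conditions.
PLAIN_TRUST_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "kendra.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
)


def hardened_trust_policy(account_id: str, region: str) -> dict:
    """Build the trust policy this page recommends: Kendra may assume the role
    only on behalf of an index in the given account and Region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [KENDRA_SERVICE]},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "StringLike": {"aws:SourceArn": f"arn:aws:kendra:{region}:{account_id}:index-id/*"},
            },
        }],
    }


def _as_list(value) -> list:
    # IAM accepts either a single string or a list for Action and Service.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return one finding per Allow sts:AssumeRole statement for Kendra that
    lacks aws:SourceAccount or aws:SourceArn. An empty list means hardened."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or KENDRA_SERVICE not in services
                or "sts:AssumeRole" not in _as_list(stmt.get("Action", []))):
            continue
        # Condition keys are case-insensitive; collect them across all operators.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for key in ("aws:SourceAccount", "aws:SourceArn"):
            if key.lower() not in keys:
                findings.append(f"statement {i}: missing {key} condition")
    return findings
```

Run audit_trust_policy over the trust policy attached to each Kendra role before deploying it; any finding means the role can still be assumed on behalf of an index in another account.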