

This document is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

# IAM policy examples for Quick
<a name="iam-policy-examples"></a>

This section provides examples of IAM policies that you can use with Quick.

## IAM identity-based policies for Quick
<a name="security_iam_id-based-policy-examples"></a>

This section shows examples of identity-based policies for use with Quick.

**Topics**
+ [IAM identity-based policies for Amazon Quick IAM console administration](#security_iam_conosole-administration)

### IAM identity-based policies for Amazon Quick IAM console administration
<a name="security_iam_conosole-administration"></a>

The following example shows the IAM permissions required for Amazon Quick IAM console administration actions.

```
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Action": [
               "quicksight:*",
               "iam:ListAttachedRolePolicies",
               "iam:GetPolicy",
               "iam:CreatePolicyVersion",
               "iam:DeletePolicyVersion",
               "iam:GetPolicyVersion",
               "iam:ListPolicyVersions",
               "iam:DeleteRole",
               "iam:CreateRole",
               "iam:GetRole",
               "iam:ListRoles",
               "iam:CreatePolicy",
               "iam:ListEntitiesForPolicy",
               "iam:listPolicies",
               "s3:ListAllMyBuckets",
               "athena:ListDataCatalogs",
               "athena:GetDataCatalog"
           ],
           "Resource": [
               "*"
           ]
       }
    ]
}
```

## IAM identity-based policies for Quick: dashboards
<a name="security_iam_id-based-policy-examples-dashboards"></a>

The following example shows an IAM policy that allows dashboard sharing and embedding for a specific dashboard.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
            "Effect": "Allow"
        }
    ]
}
```

## IAM identity-based policies for Quick: namespaces
<a name="security_iam_id-based-policy-examples-namespaces"></a>

The following examples show IAM policies that allow Amazon Quick administrators to create or delete namespaces.

**Creating a namespace**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "ds:DescribeDirectories",
                "quicksight:CreateNamespace"
            ],
            "Resource": "*"
        }
    ]
}
```

**Deleting a namespace**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:DescribeDirectories",
                "quicksight:DeleteNamespace"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: custom permissions
<a name="security_iam_id-based-policy-examples-custom-permissions"></a>

The following example shows an IAM policy that allows Amazon Quick administrators or developers to manage custom permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:*CustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

The following example shows an alternative way to grant the same permissions as the previous example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:CreateCustomPermissions",
                "quicksight:DescribeCustomPermissions",
                "quicksight:ListCustomPermissions",
                "quicksight:UpdateCustomPermissions",
                "quicksight:DeleteCustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: custom email report templates
<a name="security_iam_id-based-policy-examples-email-customizations"></a>

The following example shows a policy that allows viewing, updating, and creating email report templates in Amazon Quick, and getting the verification attributes of Amazon Simple Email Service identities. This policy lets Amazon Quick administrators create and update custom email report templates and confirm that any custom email address they want to send email reports from is a verified identity in SES.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:DescribeAccountCustomization",
                "quicksight:CreateAccountCustomization",
                "quicksight:UpdateAccountCustomization",
                "quicksight:DescribeEmailCustomizationTemplate",
                "quicksight:CreateEmailCustomizationTemplate",
                "quicksight:UpdateEmailCustomizationTemplate",
                "ses:GetIdentityVerificationAttributes"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: creating an Enterprise account with Amazon Quick managed users
<a name="security_iam_id-based-policy-examples-create-enterprise-account-managed-users"></a>

The following example shows a policy that allows Amazon Quick administrators to create an Enterprise Edition Amazon Quick account with Amazon Quick managed users.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: creating users
<a name="security_iam_id-based-policy-examples-create-users"></a>

The following example shows a policy that allows only the creation of Amazon Quick users. For `quicksight:CreateReader`, `quicksight:CreateUser`, and `quicksight:CreateAdmin`, you can restrict the permissions to `"Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"`. For all other permissions described in this guide, use `"Resource": "*"`. The resource that you specify limits the scope of the permissions to that specific resource.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
        }
    ]
}
```

## IAM identity-based policies for Quick: creating and managing groups
<a name="security_iam_id-based-policy-examples-create-groups"></a>

The following example shows a policy that allows Amazon Quick administrators and developers to create and manage groups.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:ListGroups",
                "quicksight:CreateGroup",
                "quicksight:SearchGroups",
                "quicksight:ListGroupMemberships",
                "quicksight:CreateGroupMembership",
                "quicksight:DeleteGroupMembership",
                "quicksight:DescribeGroupMembership",
                "quicksight:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: all access for Standard Edition
<a name="security_iam_id-based-policy-examples-all-access-standard-edition"></a>

The following Amazon Quick Standard Edition example shows a policy that allows subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:DescribeAccountSubscription",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
```

## IAM identity-based policies for Quick: all access for Enterprise Edition with IAM Identity Center (Pro role)
<a name="security_iam_id-based-policy-examples-all-access-enterprise-edition-sso-pro"></a>

The following Amazon Quick Enterprise Edition example shows a policy that allows an Amazon Quick user to subscribe to Amazon Quick, create users, and manage Active Directory in an Amazon Quick account that is integrated with IAM Identity Center.

This policy also allows users to subscribe to the Amazon Quick Pro role, which grants access to Amazon Q in Quick Generative BI features. For more information about the Pro role in Amazon Quick, see [Getting started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html).

This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "iam:CreateServiceLinkedRole",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization",
                "user-subscriptions:CreateClaim",
                "user-subscriptions:UpdateClaim",
                "sso-directory:DescribeUser",
                "sso:ListApplicationAssignments",
                "sso-directory:DescribeGroup",
                "organizations:ListAWSServiceAccessForOrganization",
                "identitystore:DescribeUser",
                "identitystore:DescribeGroup"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: all access for Enterprise Edition with IAM Identity Center
<a name="security_iam_id-based-policy-examples-all-access-enterprise-edition-sso"></a>

The following Amazon Quick Enterprise Edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick account that is integrated with IAM Identity Center.

This policy does not grant permission to create the Pro role in Amazon Quick. To create a policy that grants permission to subscribe to the Pro role in Amazon Quick, see [IAM identity-based policies for Amazon Quick: all access for Enterprise Edition with IAM Identity Center (Pro role)](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-all-access-enterprise-edition-sso-pro).

This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization" 
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: all access for Enterprise Edition with Active Directory
<a name="security_iam_id-based-policy-examples-all-access-enterprise-edition"></a>

The following Amazon Quick Enterprise Edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "iam:ListAccountAliases",
                "quicksight:CreateAdmin",
                "quicksight:Subscribe",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: Active Directory groups
<a name="security_iam_id-based-policy-examples-active-directory-groups"></a>

The following example shows an IAM policy that allows Active Directory group management for an Amazon Quick Enterprise Edition account.

```
{
    "Statement": [
        {
            "Action": [
                "ds:DescribeTrusts",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
```

## IAM identity-based policies for Quick: using the admin asset management console
<a name="security_iam_id-based-policy-examples-asset-management-console"></a>

The following example shows an IAM policy that allows access to the admin asset management console.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [          
                "quicksight:SearchGroups",
                "quicksight:SearchUsers",              
                "quicksight:ListNamespaces",            
                "quicksight:DescribeAnalysisPermissions",
                "quicksight:DescribeDashboardPermissions",
                "quicksight:DescribeDataSetPermissions",
                "quicksight:DescribeDataSourcePermissions",
                "quicksight:DescribeFolderPermissions",
                "quicksight:ListAnalyses",
                "quicksight:ListDashboards",
                "quicksight:ListDataSets",
                "quicksight:ListDataSources",
                "quicksight:ListFolders",
                "quicksight:SearchAnalyses",
                "quicksight:SearchDashboards",
                "quicksight:SearchFolders",
                "quicksight:SearchDatasets",
                "quicksight:SearchDatasources",               
                "quicksight:UpdateAnalysisPermissions",
                "quicksight:UpdateDashboardPermissions",
                "quicksight:UpdateDataSetPermissions",
                "quicksight:UpdateDataSourcePermissions",
                "quicksight:UpdateFolderPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: using the admin key management console
<a name="security_iam_id-based-policy-examples-admin-key-management-console"></a>

The following example shows an IAM policy that allows access to the admin key management console.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:DescribeKeyRegistration",
            "quicksight:UpdateKeyRegistration",
            "quicksight:ListKMSKeysForUser",
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:ListAliases"
         ],
         "Resource":"*"
      }
   ]
}
```

Accessing customer managed keys from the Amazon Quick console requires the `"quicksight:ListKMSKeysForUser"` and `"kms:ListAliases"` permissions. `"quicksight:ListKMSKeysForUser"` and `"kms:ListAliases"` are not required when you use the Amazon Quick key management APIs.

To specify which keys you want a user to be able to access, add the ARNs of those keys to a condition on `UpdateKeyRegistration` using the `quicksight:KmsKeyArns` condition key. The user can then access only the keys specified in the `UpdateKeyRegistration` condition. For more information about the condition keys that Amazon Quick supports, see [Condition keys for Amazon Quick](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-policy-keys).

The following example grants `Describe` permissions for all CMKs registered to the Amazon Quick account, and `Update` permissions for specific CMKs registered to the Amazon Quick account.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:DescribeKeyRegistration"
         ],
         "Resource":"arn:aws:quicksight:us-west-2:123456789012:*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:UpdateKeyRegistration"
         ],
         "Resource":"arn:aws:quicksight:us-west-2:123456789012:*",
         "Condition":{
            "ForAllValues:StringEquals":{
               "quicksight:KmsKeyArns":[
                  "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
                  "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
                  "..."
               ]
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":[
            "kms:CreateGrant",
            "kms:ListGrants"
         ],
         "Resource":"arn:aws:kms:us-west-2:123456789012:key/*"
      }
   ]
}
```
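As an added example (not from this page or from AWS), the following Python mini-evaluator models the policy rules that the examples on this page rely on: the `${aws:userid}` resource scoping from the user-creation example, the `quicksight:*CustomPermissions` action wildcard, the explicit Deny on `quicksight:Unsubscribe`, and the `ForAllValues:StringEquals` condition on `quicksight:KmsKeyArns` shown above. The policies, account ID, and resource strings inside it are constructed; it is not the AWS policy engine and supports only the condition operator used on this page.

```python
import fnmatch

# Hypothetical mini-evaluator (added example, not the AWS policy engine). It models
# the rules this page's policies rely on: explicit Deny beats Allow, "*" in Action
# matches case-insensitively, "${aws:userid}" is substituted into Resource, and
# ForAllValues:StringEquals needs every request value to be in the policy's list.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        if op != "ForAllValues:StringEquals":
            raise NotImplementedError(op)   # only the operator used on this page
        for key, allowed in pairs.items():
            # IAM caveat: a request with no value for the key satisfies ForAllValues.
            if not all(v in allowed for v in ctx.get(key, [])):
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r.replace("${aws:userid}", ctx.get("aws:userid", "")))
                   for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"                    # an explicit deny ends evaluation
        verdict = "Allow"
    return verdict

# Constructed policies mirroring the shapes on this page (account ID is a sample).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["quicksight:UpdateKeyRegistration"],
    "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
    "Condition": {"ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [
        "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1"]}}}]}
STANDARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:Subscribe", "quicksight:Unsubscribe"], "Resource": "*"},
    {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"}]}
CUSTOM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:*CustomPermissions"], "Resource": "*"}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["quicksight:CreateUser"],
    "Resource": "arn:aws:quicksight::123456789012:user/${aws:userid}"}]}
```

The `ForAllValues` case with an empty request set returning `Allow` is the behaviour to watch for when reviewing key-scoping policies: pair it with a `Null` check or a `ForAnyValue` requirement if the key must be present.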

## IAM identity-based policies for Quick: scoping policies for AWS resources in Enterprise Edition
<a name="security_iam_id-based-policy-examples-scoping-policies"></a>

The following Amazon Quick Enterprise Edition example shows a policy that allows setting default access to AWS resources and scoping permissions for AWS resources.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:*IAMPolicyAssignment*",
                "quicksight:AccountConfigurations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```