
This page is a machine translation of the English original; where the two differ, the English version governs.

IAM policy examples for Amazon QuickSight

This section provides examples of IAM policies that you can use with Amazon QuickSight.

IAM identity-based policies for Amazon QuickSight

This section describes examples of identity-based policies that you can use with Amazon QuickSight.

IAM identity-based policy for QuickSight IAM console administration

The following example shows the IAM permissions required to perform QuickSight IAM console administration actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog"
      ],
      "Resource": ["*"]
    }
  ]
}
```
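Before attaching a policy from this page to a role or user, it helps to run a quick structural check over it. The following is an added example, not AWS code and not part of this guide: a small Python linter that flags a missing or pre-2012 "Version" (policy variables such as ${aws:userid} only resolve under "2012-10-17"), action names containing whitespace (an action string such as "quicksight: DescribeX" is not a valid action name and will not grant the intended permission), and wildcard actions granted on "Resource": "*", as the quicksight:* grant above does. The sample policy it checks is constructed for the example and deliberately contains two of those defects.

```python
import json
import re

# Constructed sample policy in the shape used on this page.  Two defects are
# present on purpose so that the checks below have something to report: no
# "Version" key, and a space inside one action name.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "quicksight: DescribeEmailCustomizationTemplate",
                "iam:CreateRole",
            ],
            "Resource": "*",
        }
    ]
})

# service prefix, colon, action name; '*' may appear anywhere in the name.
# Action names are matched case-insensitively by IAM, so "iam:listPolicies"
# is accepted here as well.
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list[str]:
    """Return a list of human-readable findings for an IAM policy JSON document."""
    findings = []
    policy = json.loads(document)

    if policy.get("Version") != "2012-10-17":
        findings.append(
            'missing or outdated "Version": use "2012-10-17" (required for '
            'policy variables such as ${aws:userid})'
        )

    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        label = stmt.get("Sid") or f"Statement[{idx}]"
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(
                    f"{label}: malformed action name {action!r} "
                    "(whitespace or invalid characters)"
                )

        # Wildcard actions on every resource are the broadest grant possible;
        # flag them so the reviewer decides whether ARNs or a Condition can
        # narrow the statement.
        if stmt.get("Effect") == "Allow" and "*" in resources:
            for action in actions:
                if "*" in action:
                    findings.append(
                        f"{label}: wildcard action {action!r} granted on "
                        '"Resource": "*"; scope to ARNs or add a Condition '
                        "where the API supports it"
                    )
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("-", finding)
```

lint_policy returns findings rather than printing them so that the same check can run in a CI step over every policy document in a repository. A policy that passes all three checks returns an empty list.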

IAM identity-based policies for Amazon QuickSight: dashboards

The following example shows an IAM policy that allows enabling dashboard sharing and embedding for a specific dashboard.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quicksight:GetDashboardEmbedUrl",
      "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
      "Effect": "Allow"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: namespaces

The following examples show IAM policies that allow a QuickSight administrator to create or delete namespaces.

Creating a namespace

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "ds:DescribeDirectories",
        "quicksight:CreateNamespace"
      ],
      "Resource": "*"
    }
  ]
}
```

Deleting a namespace

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "quicksight:DeleteNamespace"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: custom permissions

The following example shows an IAM policy that allows a QuickSight administrator or developer to manage custom permissions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:*CustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}
```

The following example shows another way to grant the same permissions as the previous example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:CreateCustomPermissions",
        "quicksight:DescribeCustomPermissions",
        "quicksight:ListCustomPermissions",
        "quicksight:UpdateCustomPermissions",
        "quicksight:DeleteCustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: custom email report templates

The following example shows a policy that allows viewing, updating, and creating email report templates in QuickSight, and getting the verification attributes of Amazon Simple Email Service identities. This policy lets a QuickSight administrator create and update custom email report templates and confirm that any custom email address they want to send email reports from is a verified identity in SES.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeAccountCustomization",
        "quicksight:CreateAccountCustomization",
        "quicksight:UpdateAccountCustomization",
        "quicksight:DescribeEmailCustomizationTemplate",
        "quicksight:CreateEmailCustomizationTemplate",
        "quicksight:UpdateEmailCustomizationTemplate",
        "ses:GetIdentityVerificationAttributes"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: creating an Enterprise account with QuickSight-managed users

The following example shows a policy that allows a QuickSight administrator to create an Enterprise Edition QuickSight account that uses QuickSight-managed users.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory"
      ],
      "Resource": ["*"]
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: creating users

The following example shows a policy that allows only the creation of Amazon QuickSight users. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can restrict the permission to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the scope of the permission to that specific resource.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:CreateUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: creating and managing groups

The following example shows a policy that allows a QuickSight administrator or developer to create and manage groups.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:ListGroups",
        "quicksight:CreateGroup",
        "quicksight:SearchGroups",
        "quicksight:ListGroupMemberships",
        "quicksight:CreateGroupMembership",
        "quicksight:DeleteGroupMembership",
        "quicksight:DescribeGroupMembership",
        "quicksight:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: all access for Standard Edition

The following example for Amazon QuickSight Standard Edition shows a policy that allows subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon QuickSight.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:DescribeAccountSubscription",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: all access for Enterprise Edition with IAM Identity Center (Pro role)

The following Amazon QuickSight Enterprise Edition example shows a policy that allows QuickSight users to subscribe to QuickSight, create users, and manage Active Directory in a QuickSight account that is integrated with IAM Identity Center.

This policy also allows users to subscribe to the QuickSight Pro role, which grants access to the Generative BI features of QuickSight. For more information about the Pro role in Amazon QuickSight, see Getting started with Generative BI.

This example explicitly denies permission to unsubscribe from Amazon QuickSight.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "iam:CreateServiceLinkedRole",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "sso:ListApplications",
        "sso:GetSharedSsoConfiguration",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:PutApplicationAccessScope",
        "sso:GetSSOStatus",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:UpdateClaim",
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:DeleteClaim",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeGroup",
        "sso-directory:DescribeUser",
        "sso-directory:DescribeDirectory",
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole",
        "q:CreateAssignment",
        "q:DeleteAssignment"
      ],
      "Resource": ["*"]
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: all access for Enterprise Edition with IAM Identity Center

The following Amazon QuickSight Enterprise Edition example shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that is integrated with IAM Identity Center.

This policy does not grant permission to create Pro roles in QuickSight. To create a policy that grants permission to subscribe to the Pro role in QuickSight, see IAM identity-based policies for Amazon QuickSight: all access for Enterprise Edition with IAM Identity Center (Pro role).

This example explicitly denies permission to unsubscribe from Amazon QuickSight.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: all access for Enterprise Edition with Active Directory

The following Amazon QuickSight Enterprise Edition example shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon QuickSight.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateAdmin",
        "quicksight:Subscribe",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: Active Directory groups

The following example shows an IAM policy that allows an Amazon QuickSight Enterprise Edition account to manage Active Directory groups.

```json
{
  "Statement": [
    {
      "Action": [
        "ds:DescribeTrusts",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```

IAM identity-based policies for Amazon QuickSight: using the admin asset management console

The following example shows an IAM policy that allows access to the admin asset management console.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:SearchGroups",
        "quicksight:SearchUsers",
        "quicksight:ListNamespaces",
        "quicksight:DescribeAnalysisPermissions",
        "quicksight:DescribeDashboardPermissions",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:DescribeFolderPermissions",
        "quicksight:ListAnalyses",
        "quicksight:ListDashboards",
        "quicksight:ListDataSets",
        "quicksight:ListDataSources",
        "quicksight:ListFolders",
        "quicksight:SearchAnalyses",
        "quicksight:SearchDashboards",
        "quicksight:SearchFolders",
        "quicksight:SearchDatasets",
        "quicksight:SearchDatasources",
        "quicksight:UpdateAnalysisPermissions",
        "quicksight:UpdateDashboardPermissions",
        "quicksight:UpdateDataSetPermissions",
        "quicksight:UpdateDataSourcePermissions",
        "quicksight:UpdateFolderPermissions"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM identity-based policies for Amazon QuickSight: using the admin key management console

The following example shows an IAM policy that allows access to the admin key management console.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeKeyRegistration",
        "quicksight:UpdateKeyRegistration",
        "quicksight:ListKMSKeysForUser",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
```

The "quicksight:ListKMSKeysForUser" and "kms:ListAliases" permissions are required when accessing customer managed keys from the QuickSight console. They are not required in order to use the QuickSight key management APIs.

To specify which keys a user is allowed to access, add the ARNs of the keys that the user may pass to UpdateKeyRegistration to the quicksight:KmsKeyArns condition key. The user can then only access the keys specified in that UpdateKeyRegistration condition. For more information about the condition keys that QuickSight supports, see Condition keys for Amazon QuickSight.

The following example grants Describe permission for all CMKs registered to the QuickSight account, and Update permission for specific CMKs registered to the QuickSight account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeKeyRegistration"
      ],
      "Resource": "arn:aws:quicksight:us-west-2:123456789012:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:UpdateKeyRegistration"
      ],
      "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "quicksight:KmsKeyArns": [
            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
            "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
            "..."
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants"
      ],
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/*"
    }
  ]
}
```
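Three of the policies on this page rely on evaluation rules that are easy to get wrong when reading them by eye: the user-creation policy scopes its resource with the ${aws:userid} policy variable, the Standard Edition policy pairs a broad Allow with an explicit Deny on quicksight:Unsubscribe, and the key-management policy above gates UpdateKeyRegistration with a ForAllValues:StringEquals condition on quicksight:KmsKeyArns. The following is an added example, not AWS code and not part of this guide: a minimal Python evaluator for identity-based policies that implements those three rules and runs constructed variants of the page's policies through them. The account id 111122223333, the user ids, the key ids and the placeholder QuickSight resource ARN are all constructed values. One point it makes explicit is the set-operator edge case: ForAllValues:StringEquals evaluates to true when the request carries no quicksight:KmsKeyArns value at all, so a policy that must insist on the key being present needs a separate presence check (for example a Null condition), which this evaluator intentionally does not add.

```python
import fnmatch

# Minimal IAM identity-policy evaluator written for this example.  It models
# Action/Resource wildcards, ${...} policy variables, explicit-deny precedence
# and the StringEquals / ForAllValues:StringEquals operators.  It does not
# model NotAction, NotResource, Principal or any other condition operator.


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    """Resolve policy variables such as ${aws:userid} from the request context."""
    for key, val in ctx.items():
        if isinstance(val, str):
            pattern = pattern.replace("${" + key + "}", val)
    return pattern


def _matches(patterns, value, ctx):
    # IAM supports '*' and '?' in Action and Resource; fnmatch covers both.
    return any(fnmatch.fnmatchcase(value, _substitute(p, ctx)) for p in patterns)


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = {str(a) for a in _as_list(allowed)}
            if operator == "StringEquals":
                if key not in ctx or str(ctx[key]) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every request value must be in the allowed set.  An absent or
                # empty request key passes, because the set operator is true on
                # the empty set; presence needs its own check (e.g. "Null").
                if any(str(v) not in allowed for v in _as_list(ctx.get(key, []))):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against one identity policy.
    No matching Allow is an implicit deny; a matching explicit Deny always wins."""
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # case-insensitive
        if not _matches(actions, action.lower(), ctx):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource, ctx):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed policies in the shape of the page's examples (placeholder account,
# region and key ids).
ACCOUNT = "111122223333"
CREATE_USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["quicksight:CreateUser"],
    "Resource": f"arn:aws:quicksight::{ACCOUNT}:user/${{aws:userid}}"}]}
SUBSCRIBE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"}]}
KEY1 = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/key-id-of-key1"
KEY2 = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/key-id-of-key2"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:DescribeKeyRegistration"],
     "Resource": f"arn:aws:quicksight:us-west-2:{ACCOUNT}:*"},
    {"Effect": "Allow", "Action": ["quicksight:UpdateKeyRegistration"],
     "Resource": f"arn:aws:quicksight:us-west-2:{ACCOUNT}:*",
     "Condition": {"ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [KEY1, KEY2]}}}]}
# Placeholder resource ARN inside the account/region that KEY_POLICY is scoped to.
QS_RESOURCE = f"arn:aws:quicksight:us-west-2:{ACCOUNT}:placeholder-resource"


def create_user(target_user_id, caller_user_id):
    """Caller with aws:userid=caller_user_id tries to create user target_user_id."""
    return evaluate(CREATE_USER_POLICY, "quicksight:CreateUser",
                    f"arn:aws:quicksight::{ACCOUNT}:user/{target_user_id}",
                    {"aws:userid": caller_user_id})


def subscription_action(action):
    return evaluate(SUBSCRIBE_POLICY, action, "*", {})


def update_key_registration(key_arns):
    return evaluate(KEY_POLICY, "quicksight:UpdateKeyRegistration", QS_RESOURCE,
                    {"quicksight:KmsKeyArns": key_arns})


if __name__ == "__main__":
    print(create_user("AIDAEXAMPLE1", "AIDAEXAMPLE1"))       # Allow: own user record
    print(create_user("AIDAEXAMPLE2", "AIDAEXAMPLE1"))       # Deny: someone else's
    print(subscription_action("quicksight:Subscribe"))       # Allow
    print(subscription_action("quicksight:Unsubscribe"))     # Deny: explicit Deny wins
    print(update_key_registration([KEY1, KEY2]))             # Allow: all keys listed
    print(update_key_registration([KEY1, KEY1 + "-other"]))  # Deny: unlisted key
    print(update_key_registration([]))                       # Allow: empty set passes
```

The last call is the one to remember when writing the condition block above: restricting UpdateKeyRegistration to listed keys via ForAllValues does not by itself require that any key be supplied.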

AWS resource scope policies in Amazon QuickSight Enterprise Edition

The following Amazon QuickSight Enterprise Edition example shows a policy that allows setting default access to AWS resources and scope-down policies for permissions on AWS resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:*IAMPolicyAssignment*",
        "quicksight:AccountConfigurations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```