本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS Security Lake 的 受管政策
AWS 受管政策是由 AWS AWS .managed 政策建立和管理的獨立政策旨在為許多常見使用案例提供許可,以便您可以開始將許可指派給使用者、群組和角色。
請記住, AWS 受管政策可能不會授予特定使用案例的最低權限許可,因為這些許可可供所有 AWS 客戶使用。我們建議您定義使用案例專屬的客戶管理政策,以便進一步減少許可。
您無法變更 AWS 受管政策中定義的許可。如果 AWS 更新受管政策中 AWS 定義的許可,則更新會影響政策連接的所有主體身分 (使用者、群組和角色)。當新的 AWS 服務 啟動或新的API操作可用於現有 服務時, AWS 很有可能更新受 AWS 管政策。
如需詳細資訊,請參閱 IAM 使用者指南 中的 AWS 受管政策。
AWS 受管政策: AmazonSecurityLakeMetastoreManager
Amazon Security Lake 使用 AWS Lambda 函數來管理資料湖中的中繼資料。透過使用此功能,Security Lake 可以將包含您的資料和資料檔案的 Amazon Simple Storage Service (Amazon S3) 分割區索引至 AWS Glue Data Catalog 資料表。此受管政策包含 Lambda 函數將 S3 分割區和資料檔案索引至 AWS Glue 資料表的所有許可。
許可詳細資訊
此政策包含以下許可:
logs– 允許主體將 Lambda 函數的輸出記錄到 Amazon CloudWatch Logs。glue– 允許主體執行 AWS Glue 資料目錄資料表的特定寫入動作。這也允許 AWS Glue 爬蟲程式識別資料中的分割區。sqs– 允許主體執行特定讀取和寫入動作,以便在資料湖中新增或更新物件時傳送事件通知的 Amazon SQS佇列。s3– 允許委託人為包含您資料的 Amazon S3 儲存貯體執行特定的讀取和寫入動作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowWriteLambdaLogs", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowGlueManage", "Effect": "Allow", "Action": [ "glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetTable", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:catalog" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowToReadFromSqs", "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataReadWrite", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataCleanup", "Effect": "Allow", "Action": [ "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS 受管政策: AmazonSecurityLakePermissionsBoundary
Amazon Security Lake 會為第三方自訂來源建立IAM角色,以將資料寫入資料湖,以及為第三方自訂訂閱者建立角色以取用來自資料湖的資料,並在建立這些角色時使用此政策來定義其許可的界限。您不需要採取動作即可使用此政策。如果資料湖使用客戶受管 AWS KMS 金鑰加密,kms:Decrypt並新增kms:GenerateDataKey許可。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsForSecurityLake", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsForSecurityLake", "Effect": "Deny", "NotAction": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsNotOnSecurityLakeBucket", "Effect": "Deny", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation" ], "NotResource": [ "arn:aws:s3:::aws-security-data-lake*" ] }, { "Sid": "DenyActionsNotOnSecurityLakeSQS", "Effect": "Deny", "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*" }, { "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringNotLike": { "kms:ViaService": [ "s3.*.amazonaws.com", "sqs.*.amazonaws.com" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:s3:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:s3:arn": [ "arn:aws:s3:::aws-security-data-lake*" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:sqs:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:sqs:arn": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ] } } } ] }
AWS 受管政策: AmazonSecurityLakeAdministrator
您可以在主體為其帳戶啟用 Amazon Security Lake 之前,將AmazonSecurityLakeAdministrator政策連接至主體。此政策授予管理許可,允許主體完整存取所有 Security Lake 動作。然後委託人可以加入 Security Lake,然後在 Security Lake 中設定來源和訂閱者。
此政策包含 Security Lake 管理員可以透過 Security Lake 在其他 服務上執行 AWS 的動作。
此AmazonSecurityLakeAdministrator政策不支援建立 Security Lake 所需的公用程式角色,以管理 Amazon S3 跨區域複寫、在 中註冊新資料分割區 AWS Glue、對新增至自訂來源的資料執行 Glue 爬蟲程式,或通知HTTPS端點訂閱者新資料。您可以如 中所述提前建立這些角色Amazon Security Lake 入門。
除了 AmazonSecurityLakeAdministrator 受管政策之外,Security Lake 需要加入和組態函數的lakeformation:PutDataLakeSettings許可。 PutDataLakeSettings 允許 將IAM主體設定為帳戶中所有區域 Lake Formation 資源的管理員。此角色必須連接 iam:CreateRole permission以及 AmazonSecurityLakeAdministrator政策。
Lake Formation 管理員可以完整存取 Lake Formation 主控台,並控制初始資料組態和存取許可。Security Lake 會將啟用 Security Lake 和AmazonSecurityLakeMetaStoreManager角色 (或其他指定角色) 的主體指派為 Lake Formation 管理員,以便他們可以建立資料表、更新資料表結構描述、註冊新的分割區,以及在資料表上設定許可。您必須在 Security Lake 管理員使用者或角色的政策中包含下列許可:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutLakeFormationSettings", "Effect": "Allow", "Action": "lakeformation:PutDatalakeSettings", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } } ] }
許可詳細資訊
此政策包含以下許可。
-
securitylake– 允許主體完整存取所有 Security Lake 動作。 -
organizations– 允許委託人從 AWS Organizations 擷取有關組織中帳戶的資訊。如果帳戶屬於組織,則這些許可允許 Security Lake 主控台顯示帳戶名稱和帳戶號碼。 -
iam– 允許主體為 Security Lake、 AWS Lake Formation和 建立服務連結角色 Amazon EventBridge,作為啟用這些服務的必要步驟。也允許建立和編輯訂閱者和自訂來源角色的政策,這些角色的許可僅限於AmazonSecurityLakePermissionsBoundary政策允許的許可。 -
ram– 允許委託人設定 Lake Formation型查詢,由訂閱者存取 Security Lake 來源。 -
s3– 允許主體建立和管理 Security Lake 儲存貯體,並讀取這些儲存貯體的內容。 -
lambda– 允許主體管理 Lambda 用於在 AWS 來源交付和跨區域複寫之後更新 AWS Glue 資料表分割區的 。 -
glue– 允許主體建立和管理 Security Lake 資料庫和資料表。 -
lakeformation– 允許主體管理 Security Lake 資料表的 Lake Formation 許可。 -
events– 允許主體管理用來通知訂閱者 Security Lake 來源中新資料的規則。 -
sqs– 允許主體建立和管理用於通知訂閱者 Security Lake 來源中新資料的 Amazon SQS 佇列。 -
kms– 允許主體授予 Security Lake 使用客戶受管金鑰寫入資料的存取權。 -
secretsmanager– 允許主體管理用來透過HTTPS端點通知訂閱者 Security Lake 來源中新資料的秘密。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsWithAnyResource", "Effect": "Allow", "Action": [ "securitylake:*", "organizations:DescribeOrganization", "organizations:ListDelegatedServicesForAccount", "organizations:ListAccounts", "iam:ListRoles", "ram:GetResourceShareAssociations" ], "Resource": "*" }, { "Sid": "AllowActionsWithAnyResourceViaSecurityLake", "Effect": "Allow", "Action": [ "glue:CreateCrawler", "glue:StopCrawlerSchedule", "lambda:CreateEventSourceMapping", "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:RegisterResource", "lakeformation:RevokePermissions", "lakeformation:GetDatalakeSettings", "events:ListConnections", "events:ListApiDestinations", "iam:GetRole", "iam:ListAttachedRolePolicies", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowManagingSecurityLakeS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketNotification", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutBucketVersioning", "s3:PutReplicationConfiguration", "s3:PutLifecycleConfiguration", "s3:ListBucket", "s3:PutObject", "s3:GetBucketNotification" ], "Resource": "arn:aws:s3:::aws-security-data-lake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaCreateFunction", "Effect": "Allow", "Action": [ "lambda:CreateFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaAddPermission", "Effect": "Allow", "Action": [ "lambda:AddPermission" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringEquals": { "lambda:Principal": "securitylake.amazonaws.com" } } }, { "Sid": "AllowGlueActions", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase", "glue:CreateTable", "glue:GetTable" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowEventBridgeActions", "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule", "events:CreateApiDestination", "events:CreateConnection", "events:UpdateConnection", "events:UpdateApiDestination", "events:DeleteConnection", "events:DeleteApiDestination", "events:ListTargetsByRule", "events:RemoveTargets", "events:DeleteRule" ], "Resource": [ "arn:aws:events:*:*:rule/AmazonSecurityLake*", "arn:aws:events:*:*:rule/SecurityLake*", "arn:aws:events:*:*:api-destination/AmazonSecurityLake*", "arn:aws:events:*:*:connection/AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowSQSActions", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:GetQueueURL", "sqs:AddPermission", "sqs:GetQueueAttributes", "sqs:DeleteQueue" ], "Resource": [ "arn:aws:sqs:*:*:SecurityLake*", "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowKmsCmkGrantForSecurityLake", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringLike": { "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::aws-security-data-lake*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "GenerateDataKey", "RetireGrant", "Decrypt" ] } } }, { "Sid": "AllowEnablingQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:CreateResourceShare", "ram:AssociateResourceShare" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "ram:ResourceArn": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:UpdateResourceShare", "ram:GetResourceShares", "ram:DisassociateResourceShare", "ram:DeleteResourceShare" ], "Resource": "*", "Condition": { "StringLike": { "ram:ResourceShareName": "LakeFormation*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringCredentialsForSubscriberNotification", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/AmazonSecurityLake-*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsLambdaArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationS3Arn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:s3:::aws-security-data-lake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerGlueArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:subscriber/*" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationEventsArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:events:*:*:rule/AmazonSecurityLake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowOnboardingToSecurityLakeDependencies", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": [ "arn:aws:iam::*:role/aws-service-role/securitylake.amazonaws.com/AWSServiceRoleForSecurityLake", "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "arn:aws:iam::*:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations" ], "Condition": { "StringLike": { "iam:AWSServiceName": [ "securitylake.amazonaws.com", "lakeformation.amazonaws.com", "apidestinations.events.amazonaws.com" ] } } }, { "Sid": "AllowRolePolicyActionsforSubscibersandSources", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "StringEquals": { "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonSecurityLakePermissionsBoundary" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowRegisterS3LocationInLakeFormation", "Effect": "Allow", "Action": [ "iam:PutRolePolicy", "iam:GetRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowIAMActionsByResource", "Effect": "Allow", "Action": [ "iam:ListRolePolicies", "iam:DeleteRole" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "S3ReadAccessToSecurityLakes", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::aws-security-data-lake-*" }, { "Sid": "S3ReadAccessToSecurityLakeMetastoreObject", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::security-lake-meta-store-manager-*" }, { "Sid": "S3ResourcelessReadOnly", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:ListAccessPoints", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }
AWS 受管政策: SecurityLakeServiceLinkedRole
您無法將SecurityLakeServiceLinkedRole受管政策連接至IAM實體。此政策會連接至服務連結角色,允許 Security Lake 代表您執行動作。如需詳細資訊,請參閱Security Lake 的服務連結角色。
AWS 受管政策: AWS GlueServiceRole
AWS GlueServiceRole 受管政策會叫用 AWS Glue 爬蟲程式,並允許 AWS Glue 爬取自訂來源資料並識別分割區中繼資料。在資料目錄中建立和更新資料表時,需要此中繼資料。
如需詳細資訊,請參閱從 Security Lake 中的自訂來源收集資料。
AWS 受管政策的安全湖更新
檢視自此服務開始追蹤這些變更以來,Security Lake 受 AWS 管政策更新的詳細資訊。如需此頁面變更的自動提醒,請訂閱 Security Lake 文件歷史記錄頁面上的RSS摘要。
| 變更 | 描述 | 日期 |
|---|---|---|
|
Amazon Security Lake 的服務連結角色 – 更新至現有的服務連結角色許可 |
我們已將 AWS WAF 動作新增至政策的 AWS 受管 |
2024 年 5 月 22 日 |
|
Security Lake 已將SID動作新增至政策。 |
2024 年 5 月 13 日 |
|
|
AmazonSecurityLakeMetastoreManager – 更新現有政策 |
Security Lake 已更新政策以新增中繼資料清除動作,可讓您刪除資料湖中的中繼資料。 |
2024 年 3 月 27 日 |
|
AmazonSecurityLakeAdministrator – 更新現有政策 |
Security Lake 已更新政策,以允許 新 |
2024 年 2 月 23 日 |
|
Security Lake 新增了新的受管政策,授予 Security Lake 管理資料湖中中繼資料的許可。 |
2024 年 1 月 23 日 |
|
|
Security Lake 新增了新的受管政策,授予主體對所有 Security Lake 動作的完整存取權。 |
2023 年 5 月 30 日 |
|
|
Security Lake 開始追蹤變更 |
Security Lake 開始追蹤其 AWS 受管政策的變更。 |
2022 年 11 月 29 日 |
