本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS Amazon 安全湖的受管政策
受 AWS 管理的策略是由建立和管理的獨立策略 AWS。 AWS 受管理的策略旨在為許多常見使用案例提供權限,以便您可以開始將權限指派給使用者、群組和角色。
請記住, AWS 受管理的政策可能不會為您的特定使用案例授與最低權限權限,因為這些權限可供所有 AWS 客戶使用。我們建議您定義使用案例專屬的客戶管理政策,以便進一步減少許可。
您無法變更受 AWS 管理策略中定義的權限。如果 AWS 更新 AWS 受管理原則中定義的權限,則此更新會影響附加原則的所有主體識別 (使用者、群組和角色)。 AWS 當新的啟動或新 AWS 服務 的 API 操作可用於現有服務時,最有可能更新 AWS 受管理策略。
如需詳細資訊,請參閱《IAM 使用者指南》中的 AWS 受管政策。
AWS 受管理的策略: AmazonSecurityLakeMetastoreManager
Amazon 安全湖使用 AWS Lambda 函數來管理資料湖中的中繼資料。透過使用此功能,Security Lake 可以將包含您的資料和資料檔案的 Amazon 簡單儲存服務 (Amazon S3) 分區編入資 AWS Glue 料目錄表格的索引。此受管政策包含 Lambda 函數的所有許可,可將 S3 分割區和資料檔案索引到資料 AWS Glue 表中。
許可詳細資訊
此政策包含以下許可:
logs
— 允許校長將 Lambda 函數的輸出記錄到 Amazon CloudWatch 日誌。glue
— 允許主參與者對「 AWS Glue 資料目錄」表格執行特定寫入動作。這也可讓 AWS Glue 搜尋器識別資料中的分割區。sqs
— 允許主體對 Amazon SQS 佇列執行特定的讀取和寫入動作,這些佇列會在物件新增至資料湖或更新物件時傳送事件通知。s3
— 允許主體對包含您資料的 Amazon S3 儲存貯體執行特定的讀取和寫入動作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowWriteLambdaLogs", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowGlueManage", "Effect": "Allow", "Action": [ "glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetTable", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:catalog" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowToReadFromSqs", "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataReadWrite", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataCleanup", "Effect": "Allow", "Action": [ "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS 受管理的策略: AmazonSecurityLakePermissionsBoundary
Amazon Security Lake 會為第三方自訂來源建立 IAM 角色,以將資料寫入資料湖,並讓第三方自訂訂閱者使用資料湖中的資料,並在建立這些角色時使用此政策來定義其許可的界限。您不需要採取行動即可使用此原則。如果使用客戶管理的 AWS KMS 金鑰加密資料湖,kms:Decrypt
並新增kms:GenerateDataKey
權限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsForSecurityLake", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsForSecurityLake", "Effect": "Deny", "NotAction": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsNotOnSecurityLakeBucket", "Effect": "Deny", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation" ], "NotResource": [ "arn:aws:s3:::aws-security-data-lake*" ] }, { "Sid": "DenyActionsNotOnSecurityLakeSQS", "Effect": "Deny", "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*" }, { "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringNotLike": { "kms:ViaService": [ "s3.*.amazonaws.com", "sqs.*.amazonaws.com" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:s3:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:s3:arn": [ "arn:aws:s3:::aws-security-data-lake*" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:sqs:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:sqs:arn": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ] } } } ] }
AWS 受管理的策略: AmazonSecurityLakeAdministrator
您可以將AmazonSecurityLakeAdministrator
政策附加到主體,然後才能為其帳戶啟用 Amazon 安全湖。此原則會授與允許主體完整存取所有 Security Lake 動作的管理權限。然後,主體可以上線到安全湖,然後在安全湖中設定來源和訂閱者。
此原則包括 Security Lake 系統管理員可透過安全性湖泊在其他 AWS 服務上執行的動作。
該AmazonSecurityLakeAdministrator
政策不支援建立 Security Lake 管理 Amazon S3 跨區域複寫、在 AWS Glue中註冊新資料分區、對新增至自訂來源的資料執行 Glue 爬蟲程式,或通知 HTTPS 端點訂閱者有關新資料的公用程式角色。您可以提前建立這些角色,如中所述開始使用 Amazon 安全湖。
除了AmazonSecurityLakeAdministrator
受管理的原則之外,Security Lake 還需要上線和設定功能的lakeformation:PutDataLakeSettings
權限。 PutDataLakeSettings
允許將 IAM 主體設定為帳戶中所有區域 Lake Formation 資源的管理員。此角色必須iam:CreateRole permission
具有附加AmazonSecurityLakeAdministrator
原則。
Lake Form 管理員擁有對 Lake Formation 控制台的完全訪問權限,並控制初始數據配置和訪問權限。Security Lake 會將啟用 Security Lake 和AmazonSecurityLakeMetaStoreManager
角色 (或其他指定角色) 的主體指派為 Lake Formation 管理員,以便他們可以建立資料表、更新資料表結構描述、註冊新分割區,以及設定資料表的權限。您必須在 Security Lake 系統管理員使用者或角色的原則中包含下列權限:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutLakeFormationSettings", "Effect": "Allow", "Action": "lakeformation:PutDatalakeSettings", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } } ] }
許可詳細資訊
此政策包含以下許可。
-
securitylake
— 允許主參與者完整存取所有安全湖動作。 -
organizations
— 允許主參與者從「組 Organ AWS izations」擷取有關組織中帳號的資訊。如果帳戶屬於某個組織,則這些權限允許 Security Lake 主控台顯示帳戶名稱和帳號。 -
iam
— 允許主參與者建立 Security Lake、和的服務連結角色 AWS Lake Formation Amazon EventBridge,作為啟用這些服務時的必要步驟。此外,還允許建立和編輯訂戶和自訂來源角色的原則,而這些角色的權限僅限於AmazonSecurityLakePermissionsBoundary
原則所允許的內容。 -
ram
— 允許主參與者設定訂閱者對 Security Lake 來源的 Lake Formation基礎查詢存取。 -
s3
— 允許主參與者建立和管理 Security Lake 值區,以及讀取這些值區的內容。 -
lambda
— 可讓主參與者管理在 AWS 來源傳遞和跨區域複寫之後 Lambda 用來更新 AWS Glue 表格分割區的項目。 -
glue
— 可讓主參與者建立及管理 Security Lake 資料庫與表格。 -
lakeformation
— 允許主參與者管理「安全性湖泊」表格的 Lake Formation 權限。 -
events
— 可讓主參與者管理用來通知訂閱者 Security Lake 來源中新資料的規則。 -
sqs
— 允許主參與者建立和管理 Amazon SQS 佇列,該佇列可用來通知訂閱者 Security Lake 來源中的新資料。 -
kms
— 允許主體授與 Security Lake 使用客戶管理的金鑰寫入資料的存取權。 -
secretsmanager
— 允許主體透過 HTTPS 端點管理用來通知訂閱者安全湖來源中新資料的密碼。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsWithAnyResource", "Effect": "Allow", "Action": [ "securitylake:*", "organizations:DescribeOrganization", "organizations:ListDelegatedServicesForAccount", "organizations:ListAccounts", "iam:ListRoles", "ram:GetResourceShareAssociations" ], "Resource": "*" }, { "Sid": "AllowActionsWithAnyResourceViaSecurityLake", "Effect": "Allow", "Action": [ "glue:CreateCrawler", "glue:StopCrawlerSchedule", "lambda:CreateEventSourceMapping", "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:RegisterResource", "lakeformation:RevokePermissions", "lakeformation:GetDatalakeSettings", "events:ListConnections", "events:ListApiDestinations", "iam:GetRole", "iam:ListAttachedRolePolicies", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowManagingSecurityLakeS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketNotification", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutBucketVersioning", "s3:PutReplicationConfiguration", "s3:PutLifecycleConfiguration", "s3:ListBucket", "s3:PutObject", "s3:GetBucketNotification" ], "Resource": "arn:aws:s3:::aws-security-data-lake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaCreateFunction", "Effect": "Allow", "Action": [ "lambda:CreateFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaAddPermission", "Effect": "Allow", "Action": [ "lambda:AddPermission" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringEquals": { "lambda:Principal": "securitylake.amazonaws.com" } } }, { "Sid": "AllowGlueActions", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase", "glue:CreateTable", "glue:GetTable" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowEventBridgeActions", "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule", "events:CreateApiDestination", "events:CreateConnection", "events:UpdateConnection", "events:UpdateApiDestination", "events:DeleteConnection", "events:DeleteApiDestination", "events:ListTargetsByRule", "events:RemoveTargets", "events:DeleteRule" ], "Resource": [ "arn:aws:events:*:*:rule/AmazonSecurityLake*", "arn:aws:events:*:*:rule/SecurityLake*", "arn:aws:events:*:*:api-destination/AmazonSecurityLake*", "arn:aws:events:*:*:connection/AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowSQSActions", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:GetQueueURL", "sqs:AddPermission", "sqs:GetQueueAttributes", "sqs:DeleteQueue" ], "Resource": [ "arn:aws:sqs:*:*:SecurityLake*", "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowKmsCmkGrantForSecurityLake", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringLike": { "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::aws-security-data-lake*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "GenerateDataKey", "RetireGrant", "Decrypt" ] } } }, { "Sid": "AllowEnablingQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:CreateResourceShare", "ram:AssociateResourceShare" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "ram:ResourceArn": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:UpdateResourceShare", "ram:GetResourceShares", "ram:DisassociateResourceShare", "ram:DeleteResourceShare" ], "Resource": "*", "Condition": { "StringLike": { "ram:ResourceShareName": "LakeFormation*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringCredentialsForSubscriberNotification", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/AmazonSecurityLake-*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsLambdaArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationS3Arn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:s3:::aws-security-data-lake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerGlueArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:subscriber/*" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationEventsArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:events:*:*:rule/AmazonSecurityLake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowOnboardingToSecurityLakeDependencies", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": [ "arn:aws:iam::*:role/aws-service-role/securitylake.amazonaws.com/AWSServiceRoleForSecurityLake", "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "arn:aws:iam::*:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations" ], "Condition": { "StringLike": { "iam:AWSServiceName": [ "securitylake.amazonaws.com", "lakeformation.amazonaws.com", "apidestinations.events.amazonaws.com" ] } } }, { "Sid": "AllowRolePolicyActionsforSubscibersandSources", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "StringEquals": { "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonSecurityLakePermissionsBoundary" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowRegisterS3LocationInLakeFormation", "Effect": "Allow", "Action": [ "iam:PutRolePolicy", "iam:GetRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowIAMActionsByResource", "Effect": "Allow", "Action": [ "iam:ListRolePolicies", "iam:DeleteRole" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "S3ReadAccessToSecurityLakes", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::aws-security-data-lake-*" }, { "Sid": "S3ReadAccessToSecurityLakeMetastoreObject", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::security-lake-meta-store-manager-*" }, { "Sid": "S3ResourcelessReadOnly", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:ListAccessPoints", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }
AWS 受管理的策略: SecurityLakeServiceLinkedRole
您無法將受SecurityLakeServiceLinkedRole
管政策附加到 IAM 實體。此原則附加至服務連結角色,可讓 Security Lake 代表您執行動作。如需詳細資訊,請參閱 Amazon 安全湖的服務連結角色。
AWS 受管理的策略: AWS GlueService角色
AWS GlueServiceRole
受管理的原則會叫用爬行 AWS Glue 者程式,並允許 AWS Glue 編目自訂來源資料並識別分割區中繼資料。此中繼資料對於在「資料目錄」中建立和更新表格是必要的。
如需詳細資訊,請參閱 從自訂來源收集資料。
AWS 受管理原則的安全性湖泊更新
檢視有關 Security Lake AWS 受管理原則更新的詳細資料,因為此服務開始追蹤這些變更。如需有關此頁面變更的自動警示,請訂閱安全湖文件歷史記錄頁面上的 RSS 摘要。
變更 | 描述 | 日期 |
---|---|---|
Amazon 安全湖的服務連結角色 — 更新為現有服務連結角色許可 |
我們已將 AWS WAF 動作新增至原則的 AWS 受管理 |
2024年5月22 日 |
安全湖將 SID 動作新增至原則。 |
2024年5月13日 |
|
AmazonSecurityLakeMetastoreManager – 更新現有政策 |
Security Lake 已更新原則,以新增中繼資料清理動作,可讓您刪除資料湖中的中繼資料。 |
2024年3月27日 |
AmazonSecurityLakeAdministrator – 更新現有政策 |
Security Lake 已更新原則以允許使 |
2024年2月23 日 |
Security Lake 新增了一項新的受管理政策,授予 Security Lake 管理資料湖中繼資料的權限。 |
2024 年 1 月 23 日 |
|
Security Lake 新增了一項新的受管理政策,可授與主體對所有 Security Lake 動作的完整存取權。 |
2023 年 5 月 30 日 |
|
安全湖開始跟踪更改 |
安全湖開始追蹤其 AWS 受管理原則的變更。 |
2022 年 11 月 29 日 |