本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS Amazon 安全湖的受管政策
受 AWS 管理的策略是由建立和管理的獨立策略 AWS。 AWS 受管理的策略旨在為許多常見使用案例提供權限,以便您可以開始將權限指派給使用者、群組和角色。
請記住, AWS 受管理的政策可能不會為您的特定使用案例授與最低權限權限,因為這些權限可供所有 AWS 客戶使用。我們建議您定義使用案例專屬的客戶管理政策,以便進一步減少許可。
您無法變更受 AWS 管理策略中定義的權限。如果 AWS 更新 AWS 受管理原則中定義的權限,則此更新會影響附加原則的所有主體識別 (使用者、群組和角色)。 AWS 當新的啟動或新 AWS 服務 的 API 操作可用於現有服務時,最有可能更新 AWS 受管理策略。
如需詳細資訊,請參閱《IAM 使用者指南》中的 AWS 受管政策。
AWS 受管理的策略: AmazonSecurityLakeMetastoreManager
Amazon 安全湖使用 AWS Lambda 函數來管理資料湖中的中繼資料。透過使用此功能,Security Lake 可以將包含您的資料和資料檔案的 Amazon 簡單儲存服務 (Amazon S3) 分區編入資 AWS Glue 料目錄表格的索引。此受管政策包含 Lambda 函數的所有許可,可將 S3 分割區和資料檔案索引到資料 AWS Glue 表中。
許可詳細資訊
此政策包含以下許可:
logs— 允許校長將 Lambda 函數的輸出記錄到 Amazon CloudWatch 日誌。glue— 允許主參與者對「 AWS Glue 資料目錄」表格執行特定寫入動作。這也可讓 AWS Glue 搜尋器識別資料中的分割區。sqs— 允許主體對 Amazon SQS 佇列執行特定的讀取和寫入動作,這些佇列會在物件新增至資料湖或更新物件時傳送事件通知。s3— 允許主體對包含您資料的 Amazon S3 儲存貯體執行特定的讀取和寫入動作。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowWriteLambdaLogs", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowGlueManage", "Effect": "Allow", "Action": [ "glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetTable", "glue:UpdateTable" ], "Resource": [ "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:catalog" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowToReadFromSqs", "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes" ], "Resource": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataReadWrite", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowMetaDataCleanup", "Effect": "Allow", "Action": [ "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AWS 受管理的策略: AmazonSecurityLakePermissionsBoundary
Amazon Security Lake 會為第三方自訂來源建立 IAM 角色,以將資料寫入資料湖,並讓第三方自訂訂閱者使用資料湖中的資料,並在建立這些角色時使用此政策來定義其許可的界限。您不需要採取行動即可使用此原則。如果使用客戶管理的 AWS KMS 金鑰加密資料湖,kms:Decrypt並新增kms:GenerateDataKey權限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsForSecurityLake", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsForSecurityLake", "Effect": "Deny", "NotAction": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation", "kms:Decrypt", "kms:GenerateDataKey", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" }, { "Sid": "DenyActionsNotOnSecurityLakeBucket", "Effect": "Deny", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutObject", "s3:GetBucketLocation" ], "NotResource": [ "arn:aws:s3:::aws-security-data-lake*" ] }, { "Sid": "DenyActionsNotOnSecurityLakeSQS", "Effect": "Deny", "Action": [ "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*" }, { "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringNotLike": { "kms:ViaService": [ "s3.*.amazonaws.com", "sqs.*.amazonaws.com" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:s3:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:s3:arn": [ "arn:aws:s3:::aws-security-data-lake*" ] } } }, { "Sid": "DenyActionsNotOnSecurityLakeKMSForS3SQS", "Effect": "Deny", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:sqs:arn": "false" }, "StringNotLikeIfExists": { "kms:EncryptionContext:aws:sqs:arn": [ "arn:aws:sqs:*:*:AmazonSecurityLake*" ] } } } ] }
AWS 受管理的策略: AmazonSecurityLakeAdministrator
您可以將AmazonSecurityLakeAdministrator政策附加到主體,然後才能為其帳戶啟用 Amazon 安全湖。此原則會授與允許主體完整存取所有 Security Lake 動作的管理權限。然後,主體可以上線到安全湖,然後在安全湖中設定來源和訂閱者。
此原則包括 Security Lake 系統管理員可透過安全性湖泊在其他 AWS 服務上執行的動作。
該AmazonSecurityLakeAdministrator政策不支援建立 Security Lake 管理 Amazon S3 跨區域複寫、在 AWS Glue中註冊新資料分區、對新增至自訂來源的資料執行 Glue 爬蟲程式,或通知 HTTPS 端點訂閱者有關新資料的公用程式角色。您可以提前建立這些角色,如中所述開始使用 Amazon 安全湖。
除了AmazonSecurityLakeAdministrator受管理的原則之外,Security Lake 還需要上線和設定功能的lakeformation:PutDataLakeSettings權限。 PutDataLakeSettings允許將 IAM 主體設定為帳戶中所有區域 Lake Formation 資源的管理員。此角色必須iam:CreateRole permission具有附加AmazonSecurityLakeAdministrator原則。
Lake Form 管理員擁有對 Lake Formation 控制台的完全訪問權限,並控制初始數據配置和訪問權限。Security Lake 會將啟用 Security Lake 和AmazonSecurityLakeMetaStoreManager角色 (或其他指定角色) 的主體指派為 Lake Formation 管理員,以便他們可以建立資料表、更新資料表結構描述、註冊新分割區,以及設定資料表的權限。您必須在 Security Lake 系統管理員使用者或角色的原則中包含下列權限:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutLakeFormationSettings", "Effect": "Allow", "Action": "lakeformation:PutDatalakeSettings", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } } ] }
許可詳細資訊
此政策包含以下許可。
-
securitylake— 允許主參與者完整存取所有安全湖動作。 -
organizations— 允許主參與者從「組 Organ AWS izations」擷取有關組織中帳號的資訊。如果帳戶屬於某個組織,則這些權限允許 Security Lake 主控台顯示帳戶名稱和帳號。 -
iam— 允許主參與者建立 Security Lake、和的服務連結角色 AWS Lake Formation Amazon EventBridge,作為啟用這些服務時的必要步驟。此外,還允許建立和編輯訂戶和自訂來源角色的原則,而這些角色的權限僅限於AmazonSecurityLakePermissionsBoundary原則所允許的內容。 -
ram— 允許主參與者設定訂閱者對 Security Lake 來源的 Lake Formation基礎查詢存取。 -
s3— 允許主參與者建立和管理 Security Lake 值區,以及讀取這些值區的內容。 -
lambda— 可讓主參與者管理在 AWS 來源傳遞和跨區域複寫之後 Lambda 用來更新 AWS Glue 表格分割區的項目。 -
glue— 可讓主參與者建立及管理 Security Lake 資料庫與表格。 -
lakeformation— 允許主參與者管理「安全性湖泊」表格的 Lake Formation 權限。 -
events— 可讓主參與者管理用來通知訂閱者 Security Lake 來源中新資料的規則。 -
sqs— 允許主參與者建立和管理 Amazon SQS 佇列,該佇列可用來通知訂閱者 Security Lake 來源中的新資料。 -
kms— 允許主體授與 Security Lake 使用客戶管理的金鑰寫入資料的存取權。 -
secretsmanager— 允許主體透過 HTTPS 端點管理用來通知訂閱者安全湖來源中新資料的密碼。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowActionsWithAnyResource", "Effect": "Allow", "Action": [ "securitylake:*", "organizations:DescribeOrganization", "organizations:ListDelegatedServicesForAccount", "organizations:ListAccounts", "iam:ListRoles", "ram:GetResourceShareAssociations" ], "Resource": "*" }, { "Sid": "AllowActionsWithAnyResourceViaSecurityLake", "Effect": "Allow", "Action": [ "glue:CreateCrawler", "glue:StopCrawlerSchedule", "lambda:CreateEventSourceMapping", "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:RegisterResource", "lakeformation:RevokePermissions", "lakeformation:GetDatalakeSettings", "events:ListConnections", "events:ListApiDestinations", "iam:GetRole", "iam:ListAttachedRolePolicies", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowManagingSecurityLakeS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketNotification", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutBucketVersioning", "s3:PutReplicationConfiguration", "s3:PutLifecycleConfiguration", "s3:ListBucket", "s3:PutObject", "s3:GetBucketNotification" ], "Resource": "arn:aws:s3:::aws-security-data-lake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaCreateFunction", "Effect": "Allow", "Action": [ "lambda:CreateFunction" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowLambdaAddPermission", "Effect": "Allow", "Action": [ "lambda:AddPermission" ], "Resource": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringEquals": { "lambda:Principal": "securitylake.amazonaws.com" } } }, { "Sid": "AllowGlueActions", "Effect": "Allow", "Action": [ "glue:CreateDatabase", "glue:GetDatabase", "glue:CreateTable", "glue:GetTable" ], "Resource": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowEventBridgeActions", "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule", "events:CreateApiDestination", "events:CreateConnection", "events:UpdateConnection", "events:UpdateApiDestination", "events:DeleteConnection", "events:DeleteApiDestination", "events:ListTargetsByRule", "events:RemoveTargets", "events:DeleteRule" ], "Resource": [ "arn:aws:events:*:*:rule/AmazonSecurityLake*", "arn:aws:events:*:*:rule/SecurityLake*", "arn:aws:events:*:*:api-destination/AmazonSecurityLake*", "arn:aws:events:*:*:connection/AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowSQSActions", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:GetQueueURL", "sqs:AddPermission", "sqs:GetQueueAttributes", "sqs:DeleteQueue" ], "Resource": [ "arn:aws:sqs:*:*:SecurityLake*", "arn:aws:sqs:*:*:AmazonSecurityLake*" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowKmsCmkGrantForSecurityLake", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" }, "StringLike": { "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::aws-security-data-lake*" }, "ForAllValues:StringEquals": { "kms:GrantOperations": [ "GenerateDataKey", "RetireGrant", "Decrypt" ] } } }, { "Sid": "AllowEnablingQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:CreateResourceShare", "ram:AssociateResourceShare" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "ram:ResourceArn": [ "arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringQueryBasedSubscribers", "Effect": "Allow", "Action": [ "ram:UpdateResourceShare", "ram:GetResourceShares", "ram:DisassociateResourceShare", "ram:DeleteResourceShare" ], "Resource": "*", "Condition": { "StringLike": { "ram:ResourceShareName": "LakeFormation*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowConfiguringCredentialsForSubscriberNotification", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/AmazonSecurityLake-*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForUpdatingGluePartitionsLambdaArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManager", "arn:aws:iam::*:role/service-role/AmazonSecurityLakeMetaStoreManagerV2" ], "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", "arn:aws:lambda:*:*:function:AmazonSecurityLake*" ] }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCrossRegionReplicationS3Arn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeS3ReplicationRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:s3:::aws-security-data-lake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:data-lake/default" } } }, { "Sid": "AllowPassRoleForCustomSourceCrawlerGlueArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeCustomDataGlueCrawler*", "Condition": { "StringEquals": { "iam:PassedToService": "glue.amazonaws.com" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationSecLakeArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:securitylake:*:*:subscriber/*" } } }, { "Sid": "AllowPassRoleForSubscriberNotificationEventsArn", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/service-role/AmazonSecurityLakeSubscriberEventBridge", "Condition": { "StringEquals": { "iam:PassedToService": "events.amazonaws.com" }, "StringLike": { "iam:AssociatedResourceARN": "arn:aws:events:*:*:rule/AmazonSecurityLake*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowOnboardingToSecurityLakeDependencies", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": [ "arn:aws:iam::*:role/aws-service-role/securitylake.amazonaws.com/AWSServiceRoleForSecurityLake", "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "arn:aws:iam::*:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations" ], "Condition": { "StringLike": { "iam:AWSServiceName": [ "securitylake.amazonaws.com", "lakeformation.amazonaws.com", "apidestinations.events.amazonaws.com" ] } } }, { "Sid": "AllowRolePolicyActionsforSubscibersandSources", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "StringEquals": { "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AmazonSecurityLakePermissionsBoundary" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowRegisterS3LocationInLakeFormation", "Effect": "Allow", "Action": [ "iam:PutRolePolicy", "iam:GetRolePolicy" ], "Resource": "arn:aws:iam::*:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "AllowIAMActionsByResource", "Effect": "Allow", "Action": [ "iam:ListRolePolicies", "iam:DeleteRole" ], "Resource": "arn:aws:iam::*:role/AmazonSecurityLake*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "securitylake.amazonaws.com" } } }, { "Sid": "S3ReadAccessToSecurityLakes", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::aws-security-data-lake-*" }, { "Sid": "S3ReadAccessToSecurityLakeMetastoreObject", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::security-lake-meta-store-manager-*" }, { "Sid": "S3ResourcelessReadOnly", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:ListAccessPoints", "s3:ListAllMyBuckets" ], "Resource": "*" } ] }
AWS 受管理的策略: SecurityLakeServiceLinkedRole
您無法將受SecurityLakeServiceLinkedRole管政策附加到 IAM 實體。此原則附加至服務連結角色,可讓 Security Lake 代表您執行動作。如需詳細資訊,請參閱 Amazon 安全湖的服務連結角色。
AWS 受管理的策略: AWS GlueService角色
AWS GlueServiceRole受管理的原則會叫用爬行 AWS Glue 者程式,並允許 AWS Glue 編目自訂來源資料並識別分割區中繼資料。此中繼資料對於在「資料目錄」中建立和更新表格是必要的。
如需詳細資訊,請參閱 從自訂來源收集資料。
AWS 受管理原則的安全性湖泊更新
檢視有關 Security Lake AWS 受管理原則更新的詳細資料,因為此服務開始追蹤這些變更。如需有關此頁面變更的自動警示,請訂閱安全湖文件歷史記錄頁面上的 RSS 摘要。
| 變更 | 描述 | 日期 |
|---|---|---|
|
Amazon 安全湖的服務連結角色 — 更新為現有服務連結角色許可 |
我們已將 AWS WAF 動作新增至原則的 AWS 受管理 |
2024年5月22 日 |
|
安全湖將 SID 動作新增至原則。 |
2024年5月13日 |
|
|
AmazonSecurityLakeMetastoreManager – 更新現有政策 |
Security Lake 已更新原則,以新增中繼資料清理動作,可讓您刪除資料湖中的中繼資料。 |
2024年3月27日 |
|
AmazonSecurityLakeAdministrator – 更新現有政策 |
Security Lake 已更新原則以允許使 |
2024年2月23 日 |
|
Security Lake 新增了一項新的受管理政策,授予 Security Lake 管理資料湖中繼資料的權限。 |
2024 年 1 月 23 日 |
|
|
Security Lake 新增了一項新的受管理政策,可授與主體對所有 Security Lake 動作的完整存取權。 |
2023 年 5 月 30 日 |
|
|
安全湖開始跟踪更改 |
安全湖開始追蹤其 AWS 受管理原則的變更。 |
2022 年 11 月 29 日 |
