本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
策略範本清單
以下是可用的原則範本,以及套用至每個原則範本的權限。 AWS Serverless Application Model (AWS SAM) 將適當的資訊自動填入預留位置項目 (例如「 AWS 區域」和「帳戶 ID」)。
主題
- AcmGetCertificatePolicy
- AMIDescribePolicy
- AthenaQueryPolicy
- AWSSecretsManagerGetSecretValuePolicy
- AWSSecretsManagerRotationPolicy
- CloudFormationDescribeStacksPolicy
- CloudWatchDashboardPolicy
- CloudWatchDescribeAlarmHistoryPolicy
- CloudWatchPutMetricPolicy
- CodePipelineLambdaExecutionPolicy
- CodePipelineReadOnlyPolicy
- CodeCommitCrudPolicy
- CodeCommitReadPolicy
- ComprehendBasicAccessPolicy
- CostExplorerReadOnlyPolicy
- DynamoDBBackupFullAccessPolicy
- DynamoDBCrudPolicy
- DynamoDBReadPolicy
- DynamoDBReconfigurePolicy
- DynamoDBRestoreFromBackupPolicy
- DynamoDBStreamReadPolicy
- DynamoDBWritePolicy
- EC2CopyImagePolicy
- EC2DescribePolicy
- EcsRunTaskPolicy
- EFSWriteAccessPolicy
- EKSDescribePolicy
- ElasticMapReduceAddJobFlowStepsPolicy
- ElasticMapReduceCancelStepsPolicy
- ElasticMapReduceModifyInstanceFleetPolicy
- ElasticMapReduceModifyInstanceGroupsPolicy
- ElasticMapReduceSetTerminationProtectionPolicy
- ElasticMapReduceTerminateJobFlowsPolicy
- ElasticsearchHttpPostPolicy
- EventBridgePutEventsPolicy
- FilterLogEventsPolicy
- FirehoseCrudPolicy
- FirehoseWritePolicy
- KinesisCrudPolicy
- KinesisStreamReadPolicy
- KMSDecryptPolicy
- KMSEncryptPolicy
- LambdaInvokePolicy
- MobileAnalyticsWriteOnlyAccessPolicy
- OrganizationsListAccountsPolicy
- PinpointEndpointAccessPolicy
- PollyFullAccessPolicy
- RekognitionDetectOnlyPolicy
- RekognitionFacesManagementPolicy
- RekognitionFacesPolicy
- RekognitionLabelsPolicy
- RekognitionNoDataAccessPolicy
- RekognitionReadPolicy
- RekognitionWriteOnlyAccessPolicy
- Route53ChangeResourceRecordSetsPolicy
- S3CrudPolicy
- S3FullAccessPolicy
- S3ReadPolicy
- S3WritePolicy
- SageMakerCreateEndpointConfigPolicy
- SageMakerCreateEndpointPolicy
- ServerlessRepoReadWriteAccessPolicy
- SESBulkTemplatedCrudPolicy
- SESBulkTemplatedCrudPolicy_v2
- SESCrudPolicy
- SESEmailTemplateCrudPolicy
- SESSendBouncePolicy
- SNSCrudPolicy
- SNSPublishMessagePolicy
- SQSPollerPolicy
- SQSSendMessagePolicy
- SSMParameterReadPolicy
- SSMParameterWithSlashPrefixReadPolicy
- StepFunctionsExecutionPolicy
- TextractDetectAnalyzePolicy
- TextractGetResultPolicy
- TextractPolicy
- VPCAccessPolicy
AcmGetCertificatePolicy
授與讀取憑證的權限 AWS Certificate Manager。
"Statement": [ { "Effect": "Allow", "Action": [ "acm:GetCertificate" ], "Resource": { "Fn::Sub": [ "${certificateArn}", { "certificateArn": { "Ref": "CertificateArn" } } ] } } ]
AMIDescribePolicy
授予描述 Amazon 機器映像(AMI)的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": "*" } ]
AthenaQueryPolicy
授與執行 Athena 查詢的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:GetExecutionEngine", "athena:GetExecutionEngines", "athena:GetNamespace", "athena:GetCatalogs", "athena:GetNamespaces", "athena:GetTables", "athena:GetTable" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryResults", "athena:DeleteNamedQuery", "athena:GetNamedQuery", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResultsStream", "athena:ListNamedQueries", "athena:CreateNamedQuery", "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", { "workgroupName": { "Ref": "WorkGroupName" } } ] } } ]
AWSSecretsManagerGetSecretValuePolicy
授予取得指定密碼之密碼密 AWS Secrets Manager 碼值的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ]
AWSSecretsManagerRotationPolicy
授予旋轉密碼的權限 AWS Secrets Manager。
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]
CloudFormationDescribeStacksPolicy
授予描述 AWS CloudFormation 堆棧的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ]
CloudWatchDashboardPolicy
授予將指標放置在 CloudWatch 儀表板上操作的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ]
CloudWatchDescribeAlarmHistoryPolicy
授予描述 Amazon CloudWatch 警報歷史記錄的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmHistory" ], "Resource": "*" } ]
CloudWatchPutMetricPolicy
授予將指標傳送至的權限 CloudWatch。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ]
CodePipelineLambdaExecutionPolicy
授與叫用的 Lambda 函數的權限, AWS CodePipeline 以報告工作狀態。
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ]
CodePipelineReadOnlyPolicy
授予讀取權限以取得 CodePipeline 管線的詳細資料。
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:ListPipelineExecutions" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": { "Ref": "PipelineName" } } ] } } ]
CodeCommitCrudPolicy
授與在特定 CodeCommit存放庫中建立、讀取、更新和刪除物件的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush", "codecommit:CreateBranch", "codecommit:DeleteBranch", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash", "codecommit:MergeBranchesByThreeWay", "codecommit:UpdateDefaultBranch", "codecommit:BatchDescribeMergeConflicts", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:CreatePullRequest", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:MergePullRequestByFastForward", "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay", "codecommit:PostCommentForPullRequest", "codecommit:UpdatePullRequestDescription", "codecommit:UpdatePullRequestStatus", "codecommit:UpdatePullRequestTitle", "codecommit:DeleteFile", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:PutFile", "codecommit:DeleteCommentContent", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:PostCommentForComparedCommit", "codecommit:PostCommentReply", "codecommit:UpdateComment", "codecommit:BatchGetCommits", "codecommit:CreateCommit", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:UpdateRepositoryDescription", "codecommit:ListTagsForResource", "codecommit:TagResource", "codecommit:UntagResource", "codecommit:GetRepositoryTriggers", "codecommit:PutRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
CodeCommitReadPolicy
授與讀取特定 CodeCommit 存放庫中物件的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:BatchDescribeMergeConflicts", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:BatchGetCommits", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:ListTagsForResource", "codecommit:GetRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
ComprehendBasicAccessPolicy
授予偵測實體、關鍵片語、語言和情緒的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ]
CostExplorerReadOnlyPolicy
將帳單歷史記錄的唯讀 AWS Cost Explorer (Cost Explorer) API 授與唯讀權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "ce:GetTags" ], "Resource": "*" } ]
DynamoDBBackupFullAccessPolicy
為表格授與 DynamoDB 隨需備份的讀取和寫入權限。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBCrudPolicy
將建立、讀取、更新和刪除權限授予 Amazon DynamoDB 表格。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReadPolicy
為 DynamoDB 資料表提供唯讀權限。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReconfigurePolicy
授與重新設定 DynamoDB 表格的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:UpdateTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBRestoreFromBackupPolicy
授與從備份還原 DynamoDB 資料表的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBStreamReadPolicy
授予描述和讀取 DynamoDB 串流和記錄的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBWritePolicy
將唯寫權限授與 DynamoDB 表格。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
EC2CopyImagePolicy
授予複製 Amazon EC2 映像的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ]
EC2DescribePolicy
授予描述亞馬遜彈性運算雲 (Amazon EC2) 執行個體的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ]
EcsRunTaskPolicy
授與啟動任務定義新任務的權限。
"Statement": [ { "Action": [ "ecs:RunTask" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}", { "taskDefinition": { "Ref": "TaskDefinition" } } ] }, "Effect": "Allow" } ]
EFSWriteAccessPolicy
授與使用寫入存取權來掛接 Amazon EFS 檔案系統的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}", { "FileSystem": { "Ref": "FileSystem" } } ] }, "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}", { "AccessPoint": { "Ref": "AccessPoint" } } ] } } } } ]
EKSDescribePolicy
授予描述或列出 Amazon Elastic Kubernetes Service (Amazon EKS) 叢集的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ]
ElasticMapReduceAddJobFlowStepsPolicy
授與將新步驟新增至執行中叢集的權限。
"Statement": [ { "Action": "elasticmapreduce:AddJobFlowSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceCancelStepsPolicy
授與取消擱置中步驟或執行中叢集中步驟的權限。
"Statement": [ { "Action": "elasticmapreduce:CancelSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceModifyInstanceFleetPolicy
授與列出叢集中執行個體叢集的詳細資料和修改容量的權限。
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceFleet", "elasticmapreduce:ListInstanceFleets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceModifyInstanceGroupsPolicy
授與列出叢集中執行個體群組的詳細資料和修改設定的權限。
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:ListInstanceGroups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceSetTerminationProtectionPolicy
授與設定叢集終止保護的權限。
"Statement": [ { "Action": "elasticmapreduce:SetTerminationProtection", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceTerminateJobFlowsPolicy
授與關閉叢集的權限。
"Statement": [ { "Action": "elasticmapreduce:TerminateJobFlows", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticsearchHttpPostPolicy
給 POST 和 PUT 權限 Amazon OpenSearch 服務。
"Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost", "es:ESHttpPut" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": { "Ref": "DomainName" } } ] } } ]
EventBridgePutEventsPolicy
授予將事件發送到 Amazon 的許可 EventBridge。
"Statement": [ { "Effect": "Allow", "Action": "events:PutEvents", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}", { "eventBusName": { "Ref": "EventBusName" } } ] } } ]
FilterLogEventsPolicy
授與從指定 CloudWatch 記錄群組篩選記錄事件的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "logs:FilterLogEvents" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": { "Ref": "LogGroupName" } } ] } } ]
FirehoseCrudPolicy
授予建立、寫入、更新和刪除 Firehose 傳送串流的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
FirehoseWritePolicy
授予寫入 Firehose 交付串流的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
KinesisCrudPolicy
授予建立、發佈和刪除 Amazon Kinesis 串流的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
KinesisStreamReadPolicy
授予列出和讀取 Amazon Kinesis 串流的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
KMSDecryptPolicy
授予使用 AWS Key Management Service (AWS KMS) 金鑰進行解密的權限。請注意,keyId必須是 AWS KMS 金鑰 ID,而不是金鑰別名。
"Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
KMSEncryptPolicy
授予使用密 AWS KMS 鑰進行加密的權限。請注意,keyID 必須是 AWS KMS 金鑰 ID,而不是金鑰別名。
"Statement": [ { "Action": "kms:Encrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
LambdaInvokePolicy
授與叫用 AWS Lambda 函數、別名或版本的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ]
MobileAnalyticsWriteOnlyAccessPolicy
提供唯寫權限,以便為所有應用程式資源放置事件資料。
"Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ]
OrganizationsListAccountsPolicy
授與列出子帳號名稱和 ID 的唯讀權限。
"Statement": [ { "Effect": "Allow", "Action": [ "organizations:ListAccounts" ], "Resource": "*" } ]
PinpointEndpointAccessPolicy
授予取得和更新 Amazon 精確應用程式端點的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ]
PollyFullAccessPolicy
授予對 Amazon Polly 詞典資源的完全訪問權限。
"Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ]
RekognitionDetectOnlyPolicy
授予檢測臉部,標籤和文本的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ]
RekognitionFacesManagementPolicy
授予在 Amazon Rekognition 集合中新增、刪除和搜尋臉孔的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:IndexFaces", "rekognition:DeleteFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage", "rekognition:ListFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionFacesPolicy
授予比較和檢測臉部和標籤的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": "*" } ]
RekognitionLabelsPolicy
授予檢測對象和協調標籤的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ]
RekognitionNoDataAccessPolicy
授予比較和檢測臉部和標籤的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionReadPolicy
授予列出和搜索面孔的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionWriteOnlyAccessPolicy
授予建立集合和索引臉孔的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
Route53ChangeResourceRecordSetsPolicy
授予在 Route 53 中變更資源記錄集的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}", { "HostedZoneId": { "Ref": "HostedZoneId" } } ] } } ]
S3CrudPolicy
授予建立、讀取、更新和刪除權限,以便對 Amazon S3 儲存貯體中的物件執行動作。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3FullAccessPolicy
授予對 Amazon S3 儲存貯體中物件執行動作的完整存取權限。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3ReadPolicy
授予讀取 Amazon Simple Storage Service (Amazon S3) 儲存貯體中物件的唯讀權限。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3WritePolicy
授予將物件寫入 Amazon S3 儲存貯體的寫入權限。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
SageMakerCreateEndpointConfigPolicy
授與在中建立端點組態的權限 SageMaker。
"Statement": [ { "Action": [ "sagemaker:CreateEndpointConfig" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}", { "endpointConfigName": { "Ref": "EndpointConfigName" } } ] }, "Effect": "Allow" } ]
SageMakerCreateEndpointPolicy
授與在中建立端點的權限 SageMaker。
"Statement": [ { "Action": [ "sagemaker:CreateEndpoint" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}", { "endpointName": { "Ref": "EndpointName" } } ] }, "Effect": "Allow" } ]
ServerlessRepoReadWriteAccessPolicy
授予在 AWS Serverless Application Repository (AWS SAM) 服務中建立及列出應用程式的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ]
SESBulkTemplatedCrudPolicy
授予傳送 Amazon SES 電子郵件、範本化電子郵件和範本化大量電子郵件的權限,以及驗證身分。
注意
此動ses:SendTemplatedEmail作需要範本 ARN。請改用 SESBulkTemplatedCrudPolicy_v2。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SESBulkTemplatedCrudPolicy_v2
授予傳送 Amazon SES 電子郵件、範本化電子郵件和範本化大量電子郵件的權限,以及驗證身分。
"Statement": [ { "Action": [ "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail" ], "Effect": "Allow", "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:template/${templateName}", { "templateName": { "Ref": "TemplateName" } } ] } ] }, { "Action": [ "ses:GetIdentityVerificationAttributes", "ses:VerifyEmailIdentity" ], "Effect": "Allow", "Resource": "*" } ]
SESCrudPolicy
授予發送電子郵件和驗證身份的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SESEmailTemplateCrudPolicy
授予建立、取得、列出、更新和刪除 Amazon SES 電子郵件範本的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:CreateTemplate", "ses:GetTemplate", "ses:ListTemplates", "ses:UpdateTemplate", "ses:DeleteTemplate", "ses:TestRenderTemplate" ], "Resource": "*" } ]
SESSendBouncePolicy
SendBounce 授予亞馬遜簡易電子郵件服務 (Amazon SES) 身分識別的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SNSCrudPolicy
授予建立、發佈和訂閱 Amazon SNS 主題的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ]
SNSPublishMessagePolicy
授予將訊息發佈至亞馬遜簡單通知服務 (Amazon SNS) 主題的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ]
SQSPollerPolicy
授予輪詢 Amazon Simple Queue Service (Amazon SQS) 佇列的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
SQSSendMessagePolicy
授予將訊息傳送至 Amazon SQS 佇列的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
SSMParameterReadPolicy
授予從 Amazon EC2 Systems Manager (SSM) 參數存放區存取參數的權限,以便在此帳戶中載入機密。當參數名稱沒有斜線前綴時使用。
注意
如果您不使用預設金鑰,您也需要原KMSDecryptPolicy則。
"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]
SSMParameterWithSlashPrefixReadPolicy
授予從 Amazon EC2 Systems Manager (SSM) 參數存放區存取參數的權限,以便在此帳戶中載入機密。當參數名稱具有斜線前綴時使用。
注意
如果您不使用預設金鑰,您也需要原KMSDecryptPolicy則。
"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]
StepFunctionsExecutionPolicy
授予啟動 Step Functions 狀態機器執行的權限。
"Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": { "Ref": "StateMachineName" } } ] } } ]
TextractDetectAnalyzePolicy
允許訪問以檢測和分析使用亞馬遜文本提取的文檔。
"Statement": [ { "Effect": "Allow", "Action": [ "textract:DetectDocumentText", "textract:StartDocumentTextDetection", "textract:StartDocumentAnalysis", "textract:AnalyzeDocument" ], "Resource": "*" } ]
TextractGetResultPolicy
允許從 Amazon Textract 獲取檢測到和分析的文檔的訪問權限。
"Statement": [ { "Effect": "Allow", "Action": [ "textract:GetDocumentTextDetection", "textract:GetDocumentAnalysis" ], "Resource": "*" } ]
TextractPolicy
可以完全訪問 Amazon Textract。
"Statement": [ { "Effect": "Allow", "Action": [ "textract:*" ], "Resource": "*" } ]
VPCAccessPolicy
提供建立、刪除、描述和卸離彈性網路介面的存取權。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ]
