

This page is a machine translation of the English version. If the content is ambiguous or inconsistent in any way, the English version takes precedence.

# AWS SAM policy templates
<a name="serverless-policy-templates"></a>

AWS Serverless Application Model (AWS SAM) lets you choose from a list of policy templates to scope the permissions of your Lambda functions and AWS Step Functions state machines to the resources that your application uses.

Applications in AWS SAM that use AWS Serverless Application Repository policy templates don't require any special customer acknowledgment to deploy the application from the AWS Serverless Application Repository.

If you want to request a new policy template to be added, do the following:

1. Submit a pull request against the policy_templates.json source file in the `develop` branch of the AWS SAM GitHub project. You can find the source file at [policy_templates.json](https://github.com/aws/serverless-application-model/blob/develop/samtranslator/policy_templates_data/policy_templates.json) on the GitHub website.

1. Submit an issue in the AWS SAM GitHub project that includes the reasons for the pull request and a link to the request. Use this link to submit a new issue: [AWS Serverless Application Model: Issues](https://github.com/aws/serverless-application-model/issues/new).

## Syntax
<a name="serverless-policy-template-syntax"></a>

For each policy template that you specify in your AWS SAM template file, you must always specify an object that contains the placeholder values for the policy template. If a policy template doesn't require any placeholder values, you must specify an empty object.

### YAML
<a name="serverless-policy-template-syntax.yaml"></a>

```
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Policies:
      - PolicyTemplateName1:        # Policy template with placeholder value
          Key1: Value1
      - PolicyTemplateName2: {}     # Policy template with no placeholder value
```

**Note**  
If you have a general IAM policy set up or have a managed policy through Lambda, you can set the policy template without using an empty object.

## Examples
<a name="serverless-policy-template-examples"></a>

### Example 1: Policy template with placeholder values
<a name="policy-template-example-1"></a>

The following example shows that the [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) policy template expects a `QueueName` as a resource. The AWS SAM template retrieves the name of the "`MyQueue`" Amazon SQS queue, which you can create in the same application or request as a parameter to the application.

```
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName:
            !GetAtt MyQueue.QueueName
```

### Example 2: Policy template with no placeholder values
<a name="policy-template-example-2"></a>

The following example contains the [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) policy template, which has no placeholder values.

**Note**  
Even though there are no placeholder values, you must still specify an empty object; otherwise an error is produced.

```
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - CloudWatchPutMetricPolicy: {}
```

### Example 3: Policy template with placeholder values and a general IAM policy
<a name="policy-template-example-3"></a>

The following example contains the AmazonSQSFullAccess policy and the [DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy) policy template. The AmazonSQSFullAccess policy is an IAM policy, not an AWS SAM policy template, so you don't need to specify an empty object, because the policy is passed directly to CloudFormation.

```
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - AmazonSQSFullAccess        # IAM policy: can be set without passing an empty object
      - DynamoDBCrudPolicy:        # SAM-specific policy template: has a defined structure
          TableName:
            !Ref SampleTable
```

## Policy template table
<a name="serverless-policy-template-table"></a>

The following is a table of the available policy templates.



| Policy template | Description | 
| --- | --- | 
| [AcmGetCertificatePolicy](serverless-policy-template-list.md#acm-get-certificate-policy) | Gives permission to read certificates from AWS Certificate Manager. | 
| [AMIDescribePolicy](serverless-policy-template-list.md#ami-describe-policy) | Gives permission to describe Amazon Machine Images (AMIs). | 
| [AthenaQueryPolicy](serverless-policy-template-list.md#athena-query-policy) | Gives permission to execute Athena queries. | 
| [AWSSecretsManagerGetSecretValuePolicy](serverless-policy-template-list.md#secrets-manager-get-secret-value-policy) | Gives permission to get the secret value for the specified AWS Secrets Manager secret. | 
| [AWSSecretsManagerRotationPolicy](serverless-policy-template-list.md#secrets-manager-rotation-policy) | Gives permission to rotate a secret in AWS Secrets Manager. | 
| [CloudFormationDescribeStacksPolicy](serverless-policy-template-list.md#cloud-formation-describe-stacks-policy) | Gives permission to describe CloudFormation stacks. | 
| [CloudWatchDashboardPolicy](serverless-policy-template-list.md#cloudwatch-dashboard-policy) | Gives permission to operate on metrics in CloudWatch dashboards. | 
| [CloudWatchDescribeAlarmHistoryPolicy](serverless-policy-template-list.md#cloudwatch-describe-alarm-history-policy) | Gives permission to describe CloudWatch alarm history. | 
| [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) | Gives permission to send metrics to CloudWatch. | 
| [CodeCommitCrudPolicy](serverless-policy-template-list.md#codecommit-crud-policy) | Gives permission to create, read, update, and delete objects in a specific CodeCommit repository. | 
| [CodeCommitReadPolicy](serverless-policy-template-list.md#codecommit-read-policy) | Gives permission to read objects in a specific CodeCommit repository. | 
| [CodePipelineLambdaExecutionPolicy](serverless-policy-template-list.md#code-pipeline-lambda-execution-policy) | Gives permission for CodePipeline to invoke a Lambda function to report the status of a job. | 
| [CodePipelineReadOnlyPolicy](serverless-policy-template-list.md#code-pipeline-readonly-policy) | Gives read permission to get details about a CodePipeline pipeline. | 
| [ComprehendBasicAccessPolicy](serverless-policy-template-list.md#comprehend-basic-access-policy) | Gives permission to detect entities, key phrases, languages, and sentiments. | 
| [CostExplorerReadOnlyPolicy](serverless-policy-template-list.md#cost-explorer-readonly-policy) | Gives read-only permission to the read-only Cost Explorer APIs for billing history. | 
| [DynamoDBBackupFullAccessPolicy](serverless-policy-template-list.md#ddb-back-full-policy) | Gives read and write permission to DynamoDB on-demand backups for a table. | 
| [DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy) | Gives create, read, update, and delete permissions to an Amazon DynamoDB table. | 
| [DynamoDBReadPolicy](serverless-policy-template-list.md#dynamo-db-read-policy) | Gives read-only permission to a DynamoDB table. | 
| [DynamoDBReconfigurePolicy](serverless-policy-template-list.md#dynamo-db-reconfigure-policy) | Gives permission to reconfigure a DynamoDB table. | 
| [DynamoDBRestoreFromBackupPolicy](serverless-policy-template-list.md#ddb-restore-from-backup-policy) | Gives permission to restore a DynamoDB table from a backup. | 
| [DynamoDBStreamReadPolicy](serverless-policy-template-list.md#dynamo-db-stream-read-policy) | Gives permission to describe and read a DynamoDB stream and its records. | 
| [DynamoDBWritePolicy](serverless-policy-template-list.md#dynamo-db-write-policy) | Gives write-only permission to a DynamoDB table. | 
| [EC2CopyImagePolicy](serverless-policy-template-list.md#ec2-copy-image-policy) | Gives permission to copy Amazon EC2 images. | 
| [EC2DescribePolicy](serverless-policy-template-list.md#ec2-describe-policy) | Gives permission to describe Amazon Elastic Compute Cloud (Amazon EC2) instances. | 
| [EcsRunTaskPolicy](serverless-policy-template-list.md#ecs-run-task-policy) | Gives permission to start a new task for a task definition. | 
| [EFSWriteAccessPolicy](serverless-policy-template-list.md#efs-write-access-policy) | Gives permission to mount an Amazon EFS file system with write access. | 
| [EKSDescribePolicy](serverless-policy-template-list.md#eks-describe-policy) | Gives permission to describe or list Amazon EKS clusters. | 
| [ElasticMapReduceAddJobFlowStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-add-job-flows-policy) | Gives permission to add new steps to a running cluster. | 
| [ElasticMapReduceCancelStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-cancel-steps-policy) | Gives permission to cancel pending steps in a running cluster. | 
| [ElasticMapReduceModifyInstanceFleetPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-fleet-policy) | Gives permission to list details and modify capacity for instance fleets within a cluster. | 
| [ElasticMapReduceModifyInstanceGroupsPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-groups-policy) | Gives permission to list details and modify settings for instance groups within a cluster. | 
| [ElasticMapReduceSetTerminationProtectionPolicy](serverless-policy-template-list.md#elastic-map-reduce-set-termination-protection-policy) | Gives permission to set termination protection for a cluster. | 
| [ElasticMapReduceTerminateJobFlowsPolicy](serverless-policy-template-list.md#elastic-map-reduce-terminate-job-flows-policy) | Gives permission to shut down a cluster. | 
| [ElasticsearchHttpPostPolicy](serverless-policy-template-list.md#elastic-search-http-post-policy) | Gives POST permission to Amazon OpenSearch Service. | 
| [EventBridgePutEventsPolicy](serverless-policy-template-list.md#eventbridge-put-events-policy) | Gives permission to send events to EventBridge. | 
| [FilterLogEventsPolicy](serverless-policy-template-list.md#filter-log-events-policy) | Gives permission to filter CloudWatch Logs events from a specified log group. | 
| [FirehoseCrudPolicy](serverless-policy-template-list.md#firehose-crud-policy) | Gives permission to create, write to, update, and delete a Firehose delivery stream. | 
| [FirehoseWritePolicy](serverless-policy-template-list.md#firehose-write-policy) | Gives permission to write to a Firehose delivery stream. | 
| [KinesisCrudPolicy](serverless-policy-template-list.md#kinesis-crud-policy) | Gives permission to create, publish to, and delete an Amazon Kinesis stream. | 
| [KinesisStreamReadPolicy](serverless-policy-template-list.md#kinesis-stream-read-policy) | Gives permission to list and read an Amazon Kinesis stream. | 
| [KMSDecryptPolicy](serverless-policy-template-list.md#kms-decrypt-policy) | Gives permission to decrypt with an AWS Key Management Service (AWS KMS) key. | 
| [KMSEncryptPolicy](serverless-policy-template-list.md#kms-encrypt-policy) | Gives permission to encrypt with an AWS Key Management Service (AWS KMS) key. | 
| [LambdaInvokePolicy](serverless-policy-template-list.md#lambda-invoke-policy) | Gives permission to invoke an AWS Lambda function, alias, or version. | 
| [MobileAnalyticsWriteOnlyAccessPolicy](serverless-policy-template-list.md#mobile-analytics-write-only-access-policy) | Gives write-only permission to put event data for all application resources. | 
| [OrganizationsListAccountsPolicy](serverless-policy-template-list.md#organizations-list-accounts-policy) | Gives read-only permission to list child account names and IDs. | 
| [PinpointEndpointAccessPolicy](serverless-policy-template-list.md#pinpoint-endpoint-access-policy) | Gives permission to get and update endpoints for an Amazon Pinpoint application. | 
| [PollyFullAccessPolicy](serverless-policy-template-list.md#polly-full-access-policy) | Gives full access permission to Amazon Polly lexicon resources. | 
| [RekognitionDetectOnlyPolicy](serverless-policy-template-list.md#rekognition-detect-only-policy) | Gives permission to detect faces, labels, and text. | 
| [RekognitionFacesManagementPolicy](serverless-policy-template-list.md#rekognition-face-management-policy) | Gives permission to add, delete, and search faces in an Amazon Rekognition collection. | 
| [RekognitionFacesPolicy](serverless-policy-template-list.md#rekognition-faces-policy) | Gives permission to compare and detect faces and labels. | 
| [RekognitionLabelsPolicy](serverless-policy-template-list.md#rekognition-labels-policy) | Gives permission to detect objects and moderation labels. | 
| [RekognitionNoDataAccessPolicy](serverless-policy-template-list.md#rekognition-no-data-access-policy) | Gives permission to compare and detect faces and labels. | 
| [RekognitionReadPolicy](serverless-policy-template-list.md#rekognition-read-policy) | Gives permission to list and search faces. | 
| [RekognitionWriteOnlyAccessPolicy](serverless-policy-template-list.md#rekognition-write-only-access-policy) | Gives permission to create collections and index faces. | 
| [Route53ChangeResourceRecordSetsPolicy](serverless-policy-template-list.md#route53-change-resource-record-sets-policy) | Gives permission to change resource record sets in Route 53. | 
| [S3CrudPolicy](serverless-policy-template-list.md#s3-crud-policy) | Gives create, read, update, and delete permission to act on the objects in an Amazon S3 bucket. | 
| [S3FullAccessPolicy](serverless-policy-template-list.md#s3-full-access-policy) | Gives full access permission to act on the objects in an Amazon S3 bucket. | 
| [S3ReadPolicy](serverless-policy-template-list.md#s3-read-policy) | Gives read-only permission to read the objects in an Amazon Simple Storage Service (Amazon S3) bucket. | 
| [S3WritePolicy](serverless-policy-template-list.md#s3-write-policy) | Gives write permission to write objects to an Amazon S3 bucket. | 
| [SageMakerCreateEndpointConfigPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-config-policy) | Gives permission to create an endpoint configuration in SageMaker AI. | 
| [SageMakerCreateEndpointPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-policy) | Gives permission to create an endpoint in SageMaker AI. | 
| [ServerlessRepoReadWriteAccessPolicy](serverless-policy-template-list.md#serverlessrepo-read-write-access-policy) | Gives permission to create and list applications in the AWS Serverless Application Repository service. | 
| [SESBulkTemplatedCrudPolicy](serverless-policy-template-list.md#ses-bulk-templated-crud-policy) | Gives permission to send email, templated email, and templated bulk email, and to verify identity. | 
| [SESBulkTemplatedCrudPolicy_v2](serverless-policy-template-list.md#ses-bulk-templated-crud-policy-v2) | Gives permission to send Amazon SES email, templated email, and templated bulk email, and to verify identity. | 
| [SESCrudPolicy](serverless-policy-template-list.md#ses-crud-policy) | Gives permission to send email and verify identity. | 
| [SESEmailTemplateCrudPolicy](serverless-policy-template-list.md#ses-email-template-crud-policy) | Gives permission to create, get, list, update, and delete Amazon SES email templates. | 
| [SESSendBouncePolicy](serverless-policy-template-list.md#ses-send-bounce-policy) | Gives SendBounce permission to an Amazon Simple Email Service (Amazon SES) identity. | 
| [SNSCrudPolicy](serverless-policy-template-list.md#sns-crud-policy) | Gives permission to create, publish to, and subscribe to Amazon SNS topics. | 
| [SNSPublishMessagePolicy](serverless-policy-template-list.md#sqs-publish-message-policy) | Gives permission to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. | 
| [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) | Gives permission to poll an Amazon Simple Queue Service (Amazon SQS) queue. | 
| [SQSSendMessagePolicy](serverless-policy-template-list.md#sqs-send-message-policy) | Gives permission to send a message to an Amazon SQS queue. | 
| [SSMParameterReadPolicy](serverless-policy-template-list.md#ssm-parameter-read-policy) | Gives permission to access a parameter from the Amazon EC2 Systems Manager (SSM) Parameter Store to load secrets in this account. Use this when the parameter name doesn't have a slash prefix. | 
| [SSMParameterWithSlashPrefixReadPolicy](serverless-policy-template-list.md#ssm-parameter-slash-read-policy) | Gives permission to access a parameter from the Amazon EC2 Systems Manager (SSM) Parameter Store to load secrets in this account. Use this when the parameter name has a slash prefix. | 
| [StepFunctionsExecutionPolicy](serverless-policy-template-list.md#stepfunctions-execution-policy) | Gives permission to start a Step Functions state machine execution. | 
| [TextractDetectAnalyzePolicy](serverless-policy-template-list.md#textract-detect-analyze-policy) | Gives access to detect and analyze documents with Amazon Textract. | 
| [TextractGetResultPolicy](serverless-policy-template-list.md#textract-get-result-policy) | Gives access to get detected and analyzed documents from Amazon Textract. | 
| [TextractPolicy](serverless-policy-template-list.md#textract-policy) | Gives full access to Amazon Textract. | 
| [VPCAccessPolicy](serverless-policy-template-list.md#vpc-access-policy) | Gives access to create, delete, describe, and detach elastic network interfaces. | 

## Troubleshooting
<a name="serverless-policy-template-troubleshooting"></a>

### SAM CLI error: "Must specify valid parameter values for policy template '<policy-template-name>'"
<a name="serverless-policy-template-troubleshooting-"></a>

When you run `sam build`, you see the following error:

```
"Must specify valid parameter values for policy template '<policy-template-name>'"
```

This means that you didn't pass an empty object when you declared a policy template that doesn't have any placeholder values.

To fix this issue, declare the policy as shown in the following [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) example.

```
MyFunction:
  Policies:
    - CloudWatchPutMetricPolicy: {}
```
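The rule from the Syntax section (every policy template entry carries a mapping of placeholder values, an empty one when the template has none) can be checked before `sam build` ever runs. The following Python lint is an added example, not code from the AWS SAM project. It works on a template that has already been parsed into Python objects (so no YAML library is required), and it knows only the subset of templates whose placeholder names appear in the statements on this page; the parsed examples and the broken list at the bottom are constructed for illustration.

```python
"""Lint the Policies list of an AWS::Serverless::Function before running sam build.

Added example, not code from the AWS SAM project. It applies the rule from the
Syntax section: every policy template entry must carry a mapping of placeholder
values, an empty one when the template has no placeholders. It works on a
template already parsed into Python objects, so no YAML library is needed.
TEMPLATE_PLACEHOLDERS is the subset of templates whose placeholder names appear
in the statements on this page; it is not the full list.
"""
from typing import Any, Dict, List

# Template name -> placeholder keys it requires (subset, taken from this page).
TEMPLATE_PLACEHOLDERS: Dict[str, List[str]] = {
    "AcmGetCertificatePolicy": ["CertificateArn"],
    "AthenaQueryPolicy": ["WorkGroupName"],
    "AWSSecretsManagerGetSecretValuePolicy": ["SecretArn"],
    "AWSSecretsManagerRotationPolicy": ["FunctionName"],
    "CloudWatchPutMetricPolicy": [],
    "CodeCommitCrudPolicy": ["RepositoryName"],
    "CodeCommitReadPolicy": ["RepositoryName"],
    "CodePipelineReadOnlyPolicy": ["PipelineName"],
    "DynamoDBCrudPolicy": ["TableName"],
    "DynamoDBReadPolicy": ["TableName"],
    "DynamoDBStreamReadPolicy": ["TableName", "StreamName"],
    "SQSPollerPolicy": ["QueueName"],
}


def lint_policies(policies: List[Any]) -> List[str]:
    """Return one finding per problem; an empty list means the list is well-formed."""
    findings: List[str] = []
    for index, entry in enumerate(policies):
        where = f"Policies[{index}]"
        if isinstance(entry, str):
            # Plain string: a managed IAM policy name or ARN, passed to
            # CloudFormation unchanged, so no placeholder object is expected.
            continue
        if not isinstance(entry, dict) or len(entry) != 1:
            findings.append(f"{where}: expected a string or a single-key mapping")
            continue
        (name, values), = entry.items()
        required = TEMPLATE_PLACEHOLDERS.get(name)
        if required is None:
            findings.append(f"{where}: '{name}' is not a policy template known to this lint")
            continue
        if values is None:
            # YAML `- Name:` with nothing after it parses to None; this is the
            # case that produces "Must specify valid parameter values ...".
            findings.append(f"{where}: '{name}' needs a placeholder object; use {{}} when it has none")
            continue
        if not isinstance(values, dict):
            findings.append(f"{where}: placeholder values for '{name}' must be a mapping")
            continue
        for key in required:
            if key not in values:
                findings.append(f"{where}: '{name}' is missing placeholder '{key}'")
        for key in values:
            if key not in required:
                findings.append(f"{where}: '{name}' does not take placeholder '{key}'")
    return findings


# Parsed form of the three examples on this page. In parsed form the YAML tag
# !GetAtt MyQueue.QueueName becomes {"Fn::GetAtt": ["MyQueue", "QueueName"]}.
VALID_POLICIES: List[Any] = [
    {"SQSPollerPolicy": {"QueueName": {"Fn::GetAtt": ["MyQueue", "QueueName"]}}},
    {"CloudWatchPutMetricPolicy": {}},
    "AmazonSQSFullAccess",
    {"DynamoDBCrudPolicy": {"TableName": {"Ref": "SampleTable"}}},
]

# Constructed broken list: the first entry lacks the empty object (the case the
# Troubleshooting section describes), the second misspells its placeholder key.
BROKEN_POLICIES: List[Any] = [
    {"CloudWatchPutMetricPolicy": None},
    {"DynamoDBCrudPolicy": {"Table": {"Ref": "SampleTable"}}},
]


if __name__ == "__main__":
    for finding in lint_policies(BROKEN_POLICIES):
        print(finding)
```

Running the lint on the broken list reports the missing empty object for `CloudWatchPutMetricPolicy` and both the missing `TableName` and the unexpected `Table` key for `DynamoDBCrudPolicy`, which is the same class of mistake the `sam build` error above points at, caught while the template is still in a pull request.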

# AWS SAM policy template list
<a name="serverless-policy-template-list"></a>

The following are the available policy templates, along with the permissions that are applied to each one. AWS Serverless Application Model (AWS SAM) automatically populates the placeholder items (such as the AWS Region and account ID) with the appropriate information.

**Topics**
+ [AcmGetCertificatePolicy](#acm-get-certificate-policy)
+ [AMIDescribePolicy](#ami-describe-policy)
+ [AthenaQueryPolicy](#athena-query-policy)
+ [AWSSecretsManagerGetSecretValuePolicy](#secrets-manager-get-secret-value-policy)
+ [AWSSecretsManagerRotationPolicy](#secrets-manager-rotation-policy)
+ [CloudFormationDescribeStacksPolicy](#cloud-formation-describe-stacks-policy)
+ [CloudWatchDashboardPolicy](#cloudwatch-dashboard-policy)
+ [CloudWatchDescribeAlarmHistoryPolicy](#cloudwatch-describe-alarm-history-policy)
+ [CloudWatchPutMetricPolicy](#cloudwatch-put-metric-policy)
+ [CodePipelineLambdaExecutionPolicy](#code-pipeline-lambda-execution-policy)
+ [CodePipelineReadOnlyPolicy](#code-pipeline-readonly-policy)
+ [CodeCommitCrudPolicy](#codecommit-crud-policy)
+ [CodeCommitReadPolicy](#codecommit-read-policy)
+ [ComprehendBasicAccessPolicy](#comprehend-basic-access-policy)
+ [CostExplorerReadOnlyPolicy](#cost-explorer-readonly-policy)
+ [DynamoDBBackupFullAccessPolicy](#ddb-back-full-policy)
+ [DynamoDBCrudPolicy](#dynamo-db-crud-policy)
+ [DynamoDBReadPolicy](#dynamo-db-read-policy)
+ [DynamoDBReconfigurePolicy](#dynamo-db-reconfigure-policy)
+ [DynamoDBRestoreFromBackupPolicy](#ddb-restore-from-backup-policy)
+ [DynamoDBStreamReadPolicy](#dynamo-db-stream-read-policy)
+ [DynamoDBWritePolicy](#dynamo-db-write-policy)
+ [EC2CopyImagePolicy](#ec2-copy-image-policy)
+ [EC2DescribePolicy](#ec2-describe-policy)
+ [EcsRunTaskPolicy](#ecs-run-task-policy)
+ [EFSWriteAccessPolicy](#efs-write-access-policy)
+ [EKSDescribePolicy](#eks-describe-policy)
+ [ElasticMapReduceAddJobFlowStepsPolicy](#elastic-map-reduce-add-job-flows-policy)
+ [ElasticMapReduceCancelStepsPolicy](#elastic-map-reduce-cancel-steps-policy)
+ [ElasticMapReduceModifyInstanceFleetPolicy](#elastic-map-reduce-modify-instance-fleet-policy)
+ [ElasticMapReduceModifyInstanceGroupsPolicy](#elastic-map-reduce-modify-instance-groups-policy)
+ [ElasticMapReduceSetTerminationProtectionPolicy](#elastic-map-reduce-set-termination-protection-policy)
+ [ElasticMapReduceTerminateJobFlowsPolicy](#elastic-map-reduce-terminate-job-flows-policy)
+ [ElasticsearchHttpPostPolicy](#elastic-search-http-post-policy)
+ [EventBridgePutEventsPolicy](#eventbridge-put-events-policy)
+ [FilterLogEventsPolicy](#filter-log-events-policy)
+ [FirehoseCrudPolicy](#firehose-crud-policy)
+ [FirehoseWritePolicy](#firehose-write-policy)
+ [KinesisCrudPolicy](#kinesis-crud-policy)
+ [KinesisStreamReadPolicy](#kinesis-stream-read-policy)
+ [KMSDecryptPolicy](#kms-decrypt-policy)
+ [KMSEncryptPolicy](#kms-encrypt-policy)
+ [LambdaInvokePolicy](#lambda-invoke-policy)
+ [MobileAnalyticsWriteOnlyAccessPolicy](#mobile-analytics-write-only-access-policy)
+ [OrganizationsListAccountsPolicy](#organizations-list-accounts-policy)
+ [PinpointEndpointAccessPolicy](#pinpoint-endpoint-access-policy)
+ [PollyFullAccessPolicy](#polly-full-access-policy)
+ [RekognitionDetectOnlyPolicy](#rekognition-detect-only-policy)
+ [RekognitionFacesManagementPolicy](#rekognition-face-management-policy)
+ [RekognitionFacesPolicy](#rekognition-faces-policy)
+ [RekognitionLabelsPolicy](#rekognition-labels-policy)
+ [RekognitionNoDataAccessPolicy](#rekognition-no-data-access-policy)
+ [RekognitionReadPolicy](#rekognition-read-policy)
+ [RekognitionWriteOnlyAccessPolicy](#rekognition-write-only-access-policy)
+ [Route53ChangeResourceRecordSetsPolicy](#route53-change-resource-record-sets-policy)
+ [S3CrudPolicy](#s3-crud-policy)
+ [S3FullAccessPolicy](#s3-full-access-policy)
+ [S3ReadPolicy](#s3-read-policy)
+ [S3WritePolicy](#s3-write-policy)
+ [SageMakerCreateEndpointConfigPolicy](#sagemaker-create-endpoint-config-policy)
+ [SageMakerCreateEndpointPolicy](#sagemaker-create-endpoint-policy)
+ [ServerlessRepoReadWriteAccessPolicy](#serverlessrepo-read-write-access-policy)
+ [SESBulkTemplatedCrudPolicy](#ses-bulk-templated-crud-policy)
+ [SESBulkTemplatedCrudPolicy_v2](#ses-bulk-templated-crud-policy-v2)
+ [SESCrudPolicy](#ses-crud-policy)
+ [SESEmailTemplateCrudPolicy](#ses-email-template-crud-policy)
+ [SESSendBouncePolicy](#ses-send-bounce-policy)
+ [SNSCrudPolicy](#sns-crud-policy)
+ [SNSPublishMessagePolicy](#sqs-publish-message-policy)
+ [SQSPollerPolicy](#sqs-poller-policy)
+ [SQSSendMessagePolicy](#sqs-send-message-policy)
+ [SSMParameterReadPolicy](#ssm-parameter-read-policy)
+ [SSMParameterWithSlashPrefixReadPolicy](#ssm-parameter-slash-read-policy)
+ [StepFunctionsExecutionPolicy](#stepfunctions-execution-policy)
+ [TextractDetectAnalyzePolicy](#textract-detect-analyze-policy)
+ [TextractGetResultPolicy](#textract-get-result-policy)
+ [TextractPolicy](#textract-policy)
+ [VPCAccessPolicy](#vpc-access-policy)

## AcmGetCertificatePolicy
<a name="acm-get-certificate-policy"></a>

Gives permission to read certificates from AWS Certificate Manager.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "acm:GetCertificate"
    ],
    "Resource": {
      "Fn::Sub": [
        "${certificateArn}",
        {
          "certificateArn": {
            "Ref": "CertificateArn"
          }
        }
      ]
    }
  }
]
```

## AMIDescribePolicy
<a name="ami-describe-policy"></a>

Gives permission to describe Amazon Machine Images (AMIs).

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeImages"
    ],
    "Resource": "*"
  }
]
```

## AthenaQueryPolicy
<a name="athena-query-policy"></a>

Gives permission to execute Athena queries.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "athena:ListWorkGroups",
      "athena:GetExecutionEngine",
      "athena:GetExecutionEngines",
      "athena:GetNamespace",
      "athena:GetCatalogs",
      "athena:GetNamespaces",
      "athena:GetTables",
      "athena:GetTable"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "athena:StartQueryExecution",
      "athena:GetQueryResults",
      "athena:DeleteNamedQuery",
      "athena:GetNamedQuery",
      "athena:ListQueryExecutions",
      "athena:StopQueryExecution",
      "athena:GetQueryResultsStream",
      "athena:ListNamedQueries",
      "athena:CreateNamedQuery",
      "athena:GetQueryExecution",
      "athena:BatchGetNamedQuery",
      "athena:BatchGetQueryExecution",
      "athena:GetWorkGroup"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
        {
          "workgroupName": {
            "Ref": "WorkGroupName"
          }
        }
      ]
    }
  }
]
```

## AWSSecretsManagerGetSecretValuePolicy
<a name="secrets-manager-get-secret-value-policy"></a>

Gives permission to get the secret value for the specified AWS Secrets Manager secret.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": {
      "Fn::Sub": [
        "${secretArn}",
        {
          "secretArn": {
            "Ref": "SecretArn"
          }
        }
      ]
    }
  }
]
```

## AWSSecretsManagerRotationPolicy
<a name="secrets-manager-rotation-policy"></a>

Gives permission to rotate a secret in AWS Secrets Manager.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
    },
    "Condition": {
      "StringEquals": {
        "secretsmanager:resource/AllowRotationLambdaArn": {
          "Fn::Sub": [
            "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
            {
              "functionName": {
                "Ref": "FunctionName"
              }
            }
          ]
        }
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetRandomPassword"
    ],
    "Resource": "*"
  }
]
```
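The statement above uses both forms of `Fn::Sub`: the short string form, where only pseudo parameters such as `${AWS::Region}` are substituted, and the long list form, where a variable map supplies `${functionName}` from the `FunctionName` placeholder. The following Python is an added example, not code from the SAM translator: it resolves `Ref` and both `Fn::Sub` forms the way the list introduction says AWS SAM does, so the effective IAM statement can be reviewed before deployment. The statement is copied from the template above as a Python dict; the partition, Region, account ID and `FunctionName` values are constructed samples.

```python
"""Resolve the Fn::Sub / Ref placeholders of a SAM policy template statement.

Added example, not the SAM translator's own code. It turns a policy template
statement into the concrete IAM statement that results once the pseudo
parameters (AWS::Partition, AWS::Region, AWS::AccountId) and the template's
own placeholder parameters (here FunctionName) are known, handling both the
string form and the [template, variables] form of Fn::Sub.
"""
import json
import re
from typing import Any, Dict

# ${Name} or ${AWS::Name} inside an Fn::Sub template string.
_SUB_VAR = re.compile(r"\$\{([A-Za-z0-9:_]+)\}")


def _lookup(name: str, scope: Dict[str, str]) -> str:
    """Fetch a placeholder value, failing loudly instead of leaving ${...} behind."""
    try:
        return scope[name]
    except KeyError:
        raise KeyError(f"unresolved placeholder '{name}'") from None


def resolve(node: Any, params: Dict[str, str], pseudo: Dict[str, str]) -> Any:
    """Recursively replace {"Ref": ...} and {"Fn::Sub": ...} with literal strings."""
    if isinstance(node, list):
        return [resolve(item, params, pseudo) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1 and "Ref" in node:
        name = node["Ref"]
        # AWS::* names are pseudo parameters; anything else is a placeholder parameter.
        return _lookup(name, pseudo if name.startswith("AWS::") else params)
    if len(node) == 1 and "Fn::Sub" in node:
        sub = node["Fn::Sub"]
        if isinstance(sub, str):
            # Short form: the templates on this page only use pseudo parameters here.
            template, local_vars = sub, {}
        else:
            # Long form: [template, {var: value}]; values may themselves be Refs.
            template, local_vars = sub[0], resolve(sub[1], params, pseudo)
        scope = {**pseudo, **local_vars}
        return _SUB_VAR.sub(lambda match: _lookup(match.group(1), scope), template)
    return {key: resolve(value, params, pseudo) for key, value in node.items()}


# First statement of the AWSSecretsManagerRotationPolicy template above,
# written as the Python equivalent of its JSON.
ROTATION_STATEMENT: Dict[str, Any] = {
    "Effect": "Allow",
    "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage",
    ],
    "Resource": {
        "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
    },
    "Condition": {
        "StringEquals": {
            "secretsmanager:resource/AllowRotationLambdaArn": {
                "Fn::Sub": [
                    "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
                    {"functionName": {"Ref": "FunctionName"}},
                ]
            }
        }
    },
}

# Constructed sample values: a fictitious account and a sample placeholder value.
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}
PARAMS = {"FunctionName": "rotate-db-secret"}


def render_rotation_statement() -> Dict[str, Any]:
    """Return the rotation statement with every placeholder resolved."""
    return resolve(ROTATION_STATEMENT, PARAMS, PSEUDO)


if __name__ == "__main__":
    print(json.dumps(render_rotation_statement(), indent=2))
```

Rendering the statement makes its scope explicit for review: the `Resource` resolves to every secret in the account (`secret:*`), and it is the `Condition` on `secretsmanager:resource/AllowRotationLambdaArn` that narrows it to secrets whose configured rotation function is this one. A placeholder the template author forgot to supply raises `KeyError` rather than silently producing an ARN with `${...}` left in it.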

## CloudFormationDescribeStacksPolicy
<a name="cloud-formation-describe-stacks-policy"></a>

Gives permission to describe CloudFormation stacks.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudformation:DescribeStacks"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
    }
  }
]
```

## CloudWatchDashboardPolicy
<a name="cloudwatch-dashboard-policy"></a>

Gives permission to operate on metrics in CloudWatch dashboards.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetDashboard",
      "cloudwatch:ListDashboards",
      "cloudwatch:PutDashboard",
      "cloudwatch:ListMetrics"
    ],
    "Resource": "*"
  }
]
```

## CloudWatchDescribeAlarmHistoryPolicy
<a name="cloudwatch-describe-alarm-history-policy"></a>

Gives permission to describe Amazon CloudWatch alarm history.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:DescribeAlarmHistory"
    ],
    "Resource": "*"
  }
]
```

## CloudWatchPutMetricPolicy
<a name="cloudwatch-put-metric-policy"></a>

Gives permission to send metrics to CloudWatch.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:PutMetricData"
    ],
    "Resource": "*"
  }
]
```

## CodePipelineLambdaExecutionPolicy
<a name="code-pipeline-lambda-execution-policy"></a>

Gives permission for AWS CodePipeline to invoke a Lambda function to report the status of a job.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "codepipeline:PutJobSuccessResult",
      "codepipeline:PutJobFailureResult"
    ],
    "Resource": "*"
  }
]
```

## CodePipelineReadOnlyPolicy
<a name="code-pipeline-readonly-policy"></a>

Gives read permission to get details about a CodePipeline pipeline.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "codepipeline:ListPipelineExecutions"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}",
        {
          "pipelinename": {
            "Ref": "PipelineName"
          }
        }
      ]
    }
  }
]
```

## CodeCommitCrudPolicy
<a name="codecommit-crud-policy"></a>

Gives permission to create, read, update, and delete objects in a specific CodeCommit repository.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "codecommit:GitPull",
      "codecommit:GitPush",
      "codecommit:CreateBranch",
      "codecommit:DeleteBranch",
      "codecommit:GetBranch",
      "codecommit:ListBranches",
      "codecommit:MergeBranchesByFastForward",
      "codecommit:MergeBranchesBySquash",
      "codecommit:MergeBranchesByThreeWay",
      "codecommit:UpdateDefaultBranch",
      "codecommit:BatchDescribeMergeConflicts",
      "codecommit:CreateUnreferencedMergeCommit",
      "codecommit:DescribeMergeConflicts",
      "codecommit:GetMergeCommit",
      "codecommit:GetMergeOptions",
      "codecommit:BatchGetPullRequests",
      "codecommit:CreatePullRequest",
      "codecommit:DescribePullRequestEvents",
      "codecommit:GetCommentsForPullRequest",
      "codecommit:GetCommitsFromMergeBase",
      "codecommit:GetMergeConflicts",
      "codecommit:GetPullRequest",
      "codecommit:ListPullRequests",
      "codecommit:MergePullRequestByFastForward",
      "codecommit:MergePullRequestBySquash",
      "codecommit:MergePullRequestByThreeWay",
      "codecommit:PostCommentForPullRequest",
      "codecommit:UpdatePullRequestDescription",
      "codecommit:UpdatePullRequestStatus",
      "codecommit:UpdatePullRequestTitle",
      "codecommit:DeleteFile",
      "codecommit:GetBlob",
      "codecommit:GetFile",
      "codecommit:GetFolder",
      "codecommit:PutFile",
      "codecommit:DeleteCommentContent",
      "codecommit:GetComment",
      "codecommit:GetCommentsForComparedCommit",
      "codecommit:PostCommentForComparedCommit",
      "codecommit:PostCommentReply",
      "codecommit:UpdateComment",
      "codecommit:BatchGetCommits",
      "codecommit:CreateCommit",
      "codecommit:GetCommit",
      "codecommit:GetCommitHistory",
      "codecommit:GetDifferences",
      "codecommit:GetObjectIdentifier",
      "codecommit:GetReferences",
      "codecommit:GetTree",
      "codecommit:GetRepository",
      "codecommit:UpdateRepositoryDescription",
      "codecommit:ListTagsForResource",
      "codecommit:TagResource",
      "codecommit:UntagResource",
      "codecommit:GetRepositoryTriggers",
      "codecommit:PutRepositoryTriggers",
      "codecommit:TestRepositoryTriggers",
      "codecommit:GetBranch",
      "codecommit:GetCommit",
      "codecommit:UploadArchive",
      "codecommit:GetUploadArchiveStatus",
      "codecommit:CancelUploadArchive"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
        {
          "repositoryName": {
            "Ref": "RepositoryName"
          }
        }
      ]
    }
  }
]
```

## CodeCommitReadPolicy
<a name="codecommit-read-policy"></a>

Gives permission to read objects in a specific CodeCommit repository.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "codecommit:GitPull",
      "codecommit:GetBranch",
      "codecommit:ListBranches",
      "codecommit:BatchDescribeMergeConflicts",
      "codecommit:DescribeMergeConflicts",
      "codecommit:GetMergeCommit",
      "codecommit:GetMergeOptions",
      "codecommit:BatchGetPullRequests",
      "codecommit:DescribePullRequestEvents",
      "codecommit:GetCommentsForPullRequest",
      "codecommit:GetCommitsFromMergeBase",
      "codecommit:GetMergeConflicts",
      "codecommit:GetPullRequest",
      "codecommit:ListPullRequests",
      "codecommit:GetBlob",
      "codecommit:GetFile",
      "codecommit:GetFolder",
      "codecommit:GetComment",
      "codecommit:GetCommentsForComparedCommit",
      "codecommit:BatchGetCommits",
      "codecommit:GetCommit",
      "codecommit:GetCommitHistory",
      "codecommit:GetDifferences",
      "codecommit:GetObjectIdentifier",
      "codecommit:GetReferences",
      "codecommit:GetTree",
      "codecommit:GetRepository",
      "codecommit:ListTagsForResource",
      "codecommit:GetRepositoryTriggers",
      "codecommit:TestRepositoryTriggers",
      "codecommit:GetBranch",
      "codecommit:GetCommit",
      "codecommit:GetUploadArchiveStatus"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
        {
          "repositoryName": {
            "Ref": "RepositoryName"
          }
        }
      ]
    }
  }
]
```

## ComprehendBasicAccessPolicy
<a name="comprehend-basic-access-policy"></a>

Gives permission to detect entities, key phrases, languages, and sentiments.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "comprehend:BatchDetectKeyPhrases",
      "comprehend:DetectDominantLanguage",
      "comprehend:DetectEntities",
      "comprehend:BatchDetectEntities",
      "comprehend:DetectKeyPhrases",
      "comprehend:DetectSentiment",
      "comprehend:BatchDetectDominantLanguage",
      "comprehend:BatchDetectSentiment"
    ],
    "Resource": "*"
  }
]
```

## CostExplorerReadOnlyPolicy
<a name="cost-explorer-readonly-policy"></a>

Gives read-only permission to the read-only AWS Cost Explorer (Cost Explorer) APIs for billing history.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ce:GetCostAndUsage",
      "ce:GetDimensionValues",
      "ce:GetReservationCoverage",
      "ce:GetReservationPurchaseRecommendation",
      "ce:GetReservationUtilization",
      "ce:GetTags"
    ],
    "Resource": "*"
  }
]
```

## DynamoDBBackupFullAccessPolicy
<a name="ddb-back-full-policy"></a>

Gives read and write permission to DynamoDB on-demand backups for a table.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:CreateBackup",
      "dynamodb:DescribeContinuousBackups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        {
          "tableName": {
            "Ref": "TableName"
          }
        }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DeleteBackup",
      "dynamodb:DescribeBackup",
      "dynamodb:ListBackups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
        {
          "tableName": {
            "Ref": "TableName"
          }
        }
      ]
    }
  }
]
```

## DynamoDBCrudPolicy
<a name="dynamo-db-crud-policy"></a>

Gives create, read, update, and delete permissions to an Amazon DynamoDB table.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:DeleteItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:BatchGetItem",
      "dynamodb:DescribeTable",
      "dynamodb:ConditionCheckItem"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      }
    ]
  }
]
```

## DynamoDBReadPolicy
<a name="dynamo-db-read-policy"></a>

Gives read-only permission to a DynamoDB table.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:BatchGetItem",
      "dynamodb:DescribeTable"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      }
    ]
  }
]
```

## DynamoDBReconfigurePolicy
<a name="dynamo-db-reconfigure-policy"></a>

Provides permissions to reconfigure a DynamoDB table.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:UpdateTable"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        {
          "tableName": {
            "Ref": "TableName"
          }
        }
      ]
    }
  }
]
```

## DynamoDBRestoreFromBackupPolicy
<a name="ddb-restore-from-backup-policy"></a>

Provides permissions to restore a DynamoDB table from a backup.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:RestoreTableFromBackup"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
        {
          "tableName": {
            "Ref": "TableName"
          }
        }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:BatchWriteItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        {
          "tableName": {
            "Ref": "TableName"
          }
        }
      ]
    }
  }
]
```

## DynamoDBStreamReadPolicy
<a name="dynamo-db-stream-read-policy"></a>

Provides permissions to describe and read a DynamoDB stream and its records.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DescribeStream",
      "dynamodb:GetRecords",
      "dynamodb:GetShardIterator"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}",
        {
          "tableName": {
            "Ref": "TableName"
          },
          "streamName": {
            "Ref": "StreamName"
          }
        }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:ListStreams"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*",
        {
          "tableName": {
            "Ref": "TableName"
          }
        }
      ]
    }
  }
]
```

## DynamoDBWritePolicy
<a name="dynamo-db-write-policy"></a>

Provides write-only permissions for a DynamoDB table.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      }
    ]
  }
]
```

## EC2CopyImagePolicy
<a name="ec2-copy-image-policy"></a>

Provides permissions to copy an Amazon EC2 image.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CopyImage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
        {
          "imageId": {
            "Ref": "ImageId"
          }
        }
      ]
    }
  }
]
```

## EC2DescribePolicy
<a name="ec2-describe-policy"></a>

Provides permissions to describe Amazon Elastic Compute Cloud (Amazon EC2) instances.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeRegions",
      "ec2:DescribeInstances"
    ],
    "Resource": "*"
  }
]
```

## EcsRunTaskPolicy
<a name="ecs-run-task-policy"></a>

Provides permissions to start a new task for a task definition.

```
"Statement": [
  {
    "Action": [
      "ecs:RunTask"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}",
        {
          "taskDefinition": {
            "Ref": "TaskDefinition"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## EFSWriteAccessPolicy
<a name="efs-write-access-policy"></a>

Provides permissions to mount an Amazon EFS file system with write access.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "elasticfilesystem:ClientMount",
      "elasticfilesystem:ClientWrite"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}",
        {
          "FileSystem": {
            "Ref": "FileSystem"
          }
        }
      ]
    },
    "Condition": {
      "StringEquals": {
        "elasticfilesystem:AccessPointArn": {
          "Fn::Sub": [
            "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}",
            {
              "AccessPoint": {
                "Ref": "AccessPoint"
              }
            }
          ]
        }
      }
    }
  }
]
```

## EKSDescribePolicy
<a name="eks-describe-policy"></a>

Provides permissions to describe or list Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "eks:DescribeCluster",
      "eks:ListClusters"
    ],
    "Resource": "*"
  }
]
```

## ElasticMapReduceAddJobFlowStepsPolicy
<a name="elastic-map-reduce-add-job-flows-policy"></a>

Provides permissions to add new steps to a running cluster.

```
"Statement": [
  {
    "Action": "elasticmapreduce:AddJobFlowSteps",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
        {
          "clusterId": {
            "Ref": "ClusterId"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ElasticMapReduceCancelStepsPolicy
<a name="elastic-map-reduce-cancel-steps-policy"></a>

Provides permissions to cancel pending steps in a running cluster.

```
"Statement": [
  {
    "Action": "elasticmapreduce:CancelSteps",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
        {
          "clusterId": {
            "Ref": "ClusterId"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ElasticMapReduceModifyInstanceFleetPolicy
<a name="elastic-map-reduce-modify-instance-fleet-policy"></a>

Provides permissions to list details of, and modify the capacity of, instance fleets in a cluster.

```
"Statement": [
  {
    "Action": [
      "elasticmapreduce:ModifyInstanceFleet",
      "elasticmapreduce:ListInstanceFleets"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
        {
          "clusterId": {
            "Ref": "ClusterId"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ElasticMapReduceModifyInstanceGroupsPolicy
<a name="elastic-map-reduce-modify-instance-groups-policy"></a>

Provides permissions to list details of, and modify the settings of, instance groups in a cluster.

```
"Statement": [
  {
    "Action": [
      "elasticmapreduce:ModifyInstanceGroups",
      "elasticmapreduce:ListInstanceGroups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
        {
          "clusterId": {
            "Ref": "ClusterId"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ElasticMapReduceSetTerminationProtectionPolicy
<a name="elastic-map-reduce-set-termination-protection-policy"></a>

Provides permissions to set termination protection for a cluster.

```
"Statement": [
  {
    "Action": "elasticmapreduce:SetTerminationProtection",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
        {
          "clusterId": {
            "Ref": "ClusterId"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ElasticMapReduceTerminateJobFlowsPolicy
<a name="elastic-map-reduce-terminate-job-flows-policy"></a>

Provides permissions to shut down a cluster.

```
"Statement": [
  {
    "Action": "elasticmapreduce:TerminateJobFlows",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
        {
          "clusterId": {
            "Ref": "ClusterId"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ElasticsearchHttpPostPolicy
<a name="elastic-search-http-post-policy"></a>

Provides POST and PUT permissions to Amazon OpenSearch Service.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "es:ESHttpPost",
      "es:ESHttpPut"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*",
        {
          "domainName": {
            "Ref": "DomainName"
          }
        }
      ]
    }
  }
]
```

## EventBridgePutEventsPolicy
<a name="eventbridge-put-events-policy"></a>

Provides permissions to send events to Amazon EventBridge.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": "events:PutEvents",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}",
        {
          "eventBusName": {
            "Ref": "EventBusName"
          }
        }
      ]
    }
  }
]
```

## FilterLogEventsPolicy
<a name="filter-log-events-policy"></a>

Provides permissions to filter CloudWatch Logs events from a specified log group.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "logs:FilterLogEvents"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*",
        {
          "logGroupName": {
            "Ref": "LogGroupName"
          }
        }
      ]
    }
  }
]
```

## FirehoseCrudPolicy
<a name="firehose-crud-policy"></a>

Provides permissions to create, write to, update, and delete a Firehose delivery stream.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "firehose:CreateDeliveryStream",
      "firehose:DeleteDeliveryStream",
      "firehose:DescribeDeliveryStream",
      "firehose:PutRecord",
      "firehose:PutRecordBatch",
      "firehose:UpdateDestination"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
        {
          "deliveryStreamName": {
            "Ref": "DeliveryStreamName"
          }
        }
      ]
    }
  }
]
```

## FirehoseWritePolicy
<a name="firehose-write-policy"></a>

Provides permissions to write to a Firehose delivery stream.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "firehose:PutRecord",
      "firehose:PutRecordBatch"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
        {
          "deliveryStreamName": {
            "Ref": "DeliveryStreamName"
          }
        }
      ]
    }
  }
]
```

## KinesisCrudPolicy
<a name="kinesis-crud-policy"></a>

Provides permissions to create, publish to, and delete an Amazon Kinesis stream.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:AddTagsToStream",
      "kinesis:CreateStream",
      "kinesis:DecreaseStreamRetentionPeriod",
      "kinesis:DeleteStream",
      "kinesis:DescribeStream",
      "kinesis:DescribeStreamSummary",
      "kinesis:GetShardIterator",
      "kinesis:IncreaseStreamRetentionPeriod",
      "kinesis:ListTagsForStream",
      "kinesis:MergeShards",
      "kinesis:PutRecord",
      "kinesis:PutRecords",
      "kinesis:SplitShard",
      "kinesis:RemoveTagsFromStream"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
        {
          "streamName": {
            "Ref": "StreamName"
          }
        }
      ]
    }
  }
]
```

## KinesisStreamReadPolicy
<a name="kinesis-stream-read-policy"></a>

Provides permissions to list and read an Amazon Kinesis stream.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:ListStreams",
      "kinesis:DescribeLimits"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:DescribeStream",
      "kinesis:DescribeStreamSummary",
      "kinesis:GetRecords",
      "kinesis:GetShardIterator"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
        {
          "streamName": {
            "Ref": "StreamName"
          }
        }
      ]
    }
  }
]
```

## KMSDecryptPolicy
<a name="kms-decrypt-policy"></a>

Provides permissions to decrypt with an AWS Key Management Service (AWS KMS) key. Note that `keyId` must be an AWS KMS key ID, not a key alias.

```
"Statement": [
  {
    "Action": "kms:Decrypt",
    "Effect": "Allow",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
        {
          "keyId": {
            "Ref": "KeyId"
          }
        }
      ]
    }
  }
]
```

## KMSEncryptPolicy
<a name="kms-encrypt-policy"></a>

Provides permissions to encrypt with an AWS KMS key. Note that `keyId` must be an AWS KMS key ID, not a key alias.

```
"Statement": [
  {
    "Action": "kms:Encrypt",
    "Effect": "Allow",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
        {
          "keyId": {
            "Ref": "KeyId"
          }
        }
      ]
    }
  }
]
```
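Both KMS templates above substitute `keyId` verbatim into a `key/${keyId}` ARN, so a value such as `alias/app-key` yields a resource ARN that names no key and the function is denied at runtime rather than at deploy time. The following pre-deployment check is an added example written for this page (it is not part of AWS SAM or the SAM translator); the resource definitions, key ID and account values it uses are constructed, and `lint_kms_policy_templates` is a hypothetical helper name. It rejects aliases and full ARNs given as literal `KeyId` values, while leaving intrinsic-function values (`Ref`, `Fn::GetAtt`) alone because those resolve only at deploy time.

```python
import re

# Same Fn::Sub pattern as the KMSDecryptPolicy / KMSEncryptPolicy templates above.
KMS_KEY_ARN_TEMPLATE = "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}"

# A KMS key ID is a UUID (8-4-4-4-12 hex groups). An alias ("alias/<name>") never matches this.
KMS_KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

KMS_TEMPLATES = ("KMSDecryptPolicy", "KMSEncryptPolicy")


def validate_kms_key_id(value: str) -> str:
    """Return value unchanged if it is a bare KMS key ID; raise ValueError otherwise."""
    if value.startswith("alias/"):
        raise ValueError(f"{value!r} is a key alias; the template needs the key ID")
    if value.startswith("arn:"):
        raise ValueError(f"{value!r} is a full ARN; pass only the key ID")
    if not KMS_KEY_ID_RE.fullmatch(value):
        raise ValueError(f"{value!r} is not a KMS key ID (expected UUID form)")
    return value


def render_kms_key_arn(key_id: str, partition: str = "aws", region: str = "us-east-1",
                       account_id: str = "123456789012") -> str:
    """Expand the template's Fn::Sub placeholders the way CloudFormation does at deploy time."""
    return (KMS_KEY_ARN_TEMPLATE
            .replace("${AWS::Partition}", partition)
            .replace("${AWS::Region}", region)
            .replace("${AWS::AccountId}", account_id)
            .replace("${keyId}", key_id))


def lint_kms_policy_templates(resources: dict) -> list:
    """Report every literal KeyId in a KMS policy template that is not a key ID.

    Values given as intrinsic functions ({"Ref": ...}, {"Fn::GetAtt": ...}) resolve only
    at deploy time, so they are skipped rather than flagged.
    """
    problems = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        for policy in resource.get("Properties", {}).get("Policies", []):
            if not isinstance(policy, dict):
                continue  # a bare string is a managed policy name, not a policy template
            for name in KMS_TEMPLATES:
                spec = policy.get(name)
                if not isinstance(spec, dict):
                    continue
                key_id = spec.get("KeyId")
                if isinstance(key_id, dict):
                    continue  # intrinsic function, resolved by CloudFormation
                try:
                    validate_kms_key_id(str(key_id))
                except ValueError as err:
                    problems.append(f"{logical_id}/{name}: {err}")
    return problems


# Constructed SAM resources (not from the page): one correct use, one alias, one Ref.
SAMPLE_RESOURCES = {
    "GoodFn": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        {"KMSDecryptPolicy": {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}}]}},
    "AliasFn": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        {"KMSEncryptPolicy": {"KeyId": "alias/app-key"}}]}},
    "RefFn": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        {"KMSDecryptPolicy": {"KeyId": {"Ref": "KeyParam"}}}]}},
}

if __name__ == "__main__":
    for problem in lint_kms_policy_templates(SAMPLE_RESOURCES):
        print(problem)
    # The ARN an alias would produce; no KMS key has this ARN, so the grant is inert.
    print(render_kms_key_arn("alias/app-key"))
```

Run it against the `Resources` section of a parsed SAM template (for example, the dict produced by a YAML loader that understands CloudFormation tags) before `sam deploy`; a non-empty result means a function would ship with a KMS grant that can never match its key.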

## LambdaInvokePolicy
<a name="lambda-invoke-policy"></a>

Provides permissions to invoke an AWS Lambda function, alias, or version.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
        {
          "functionName": {
            "Ref": "FunctionName"
          }
        }
      ]
    }
  }
]
```

## MobileAnalyticsWriteOnlyAccessPolicy
<a name="mobile-analytics-write-only-access-policy"></a>

Provides write-only permissions to put event data for all application resources.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "mobileanalytics:PutEvents"
    ],
    "Resource": "*"
  }
]
```

## OrganizationsListAccountsPolicy
<a name="organizations-list-accounts-policy"></a>

Provides read-only permissions to list the names and IDs of child accounts.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "organizations:ListAccounts"
    ],
    "Resource": "*"
  }
]
```

## PinpointEndpointAccessPolicy
<a name="pinpoint-endpoint-access-policy"></a>

Provides permissions to get and update endpoints for an Amazon Pinpoint application.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "mobiletargeting:GetEndpoint",
      "mobiletargeting:UpdateEndpoint",
      "mobiletargeting:UpdateEndpointsBatch"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
        {
          "pinpointApplicationId": {
            "Ref": "PinpointApplicationId"
          }
        }
      ]
    }
  }
]
```

## PollyFullAccessPolicy
<a name="polly-full-access-policy"></a>

Provides full access permissions to Amazon Polly lexicon resources.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "polly:GetLexicon",
      "polly:DeleteLexicon"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
          {
            "lexiconName": {
              "Ref": "LexiconName"
            }
          }
        ]
      }
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "polly:DescribeVoices",
      "polly:ListLexicons",
      "polly:PutLexicon",
      "polly:SynthesizeSpeech"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
      }
    ]
  }
]
```

## RekognitionDetectOnlyPolicy
<a name="rekognition-detect-only-policy"></a>

Provides permissions to detect faces, labels, and text.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:DetectFaces",
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels",
      "rekognition:DetectText"
    ],
    "Resource": "*"
  }
]
```

## RekognitionFacesManagementPolicy
<a name="rekognition-face-management-policy"></a>

Provides permissions to add, delete, and search faces in an Amazon Rekognition collection.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:IndexFaces",
      "rekognition:DeleteFaces",
      "rekognition:SearchFaces",
      "rekognition:SearchFacesByImage",
      "rekognition:ListFaces"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        {
          "collectionId": {
            "Ref": "CollectionId"
          }
        }
      ]
    }
  }
]
```

## RekognitionFacesPolicy
<a name="rekognition-faces-policy"></a>

Provides permissions to compare and detect faces and labels.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CompareFaces",
      "rekognition:DetectFaces"
    ],
    "Resource": "*"
  }
]
```

## RekognitionLabelsPolicy
<a name="rekognition-labels-policy"></a>

Provides permissions to detect objects and moderation labels.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels"
    ],
    "Resource": "*"
  }
]
```

## RekognitionNoDataAccessPolicy
<a name="rekognition-no-data-access-policy"></a>

Provides permissions to compare and detect faces and labels.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CompareFaces",
      "rekognition:DetectFaces",
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        {
          "collectionId": {
            "Ref": "CollectionId"
          }
        }
      ]
    }
  }
]
```

## RekognitionReadPolicy
<a name="rekognition-read-policy"></a>

Provides permissions to list and search faces.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:ListCollections",
      "rekognition:ListFaces",
      "rekognition:SearchFaces",
      "rekognition:SearchFacesByImage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        {
          "collectionId": {
            "Ref": "CollectionId"
          }
        }
      ]
    }
  }
]
```

## RekognitionWriteOnlyAccessPolicy
<a name="rekognition-write-only-access-policy"></a>

Provides permissions to create a collection and index faces.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CreateCollection",
      "rekognition:IndexFaces"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        {
          "collectionId": {
            "Ref": "CollectionId"
          }
        }
      ]
    }
  }
]
```

## Route53ChangeResourceRecordSetsPolicy
<a name="route53-change-resource-record-sets-policy"></a>

Provides permissions to change resource record sets in Route 53.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "route53:ChangeResourceRecordSets"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}",
        {
          "HostedZoneId": {
            "Ref": "HostedZoneId"
          }
        }
      ]
    }
  }
]
```

## S3CrudPolicy
<a name="s3-crud-policy"></a>

Provides create, read, update, and delete permissions to act on objects in an Amazon S3 bucket.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration",
      "s3:DeleteObject"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      }
    ]
  }
]
```

## S3FullAccessPolicy
<a name="s3-full-access-policy"></a>

Provides full access permissions to act on objects in an Amazon S3 bucket.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject",
      "s3:DeleteObjectTagging",
      "s3:DeleteObjectVersionTagging",
      "s3:GetObjectTagging",
      "s3:GetObjectVersionTagging",
      "s3:PutObjectTagging",
      "s3:PutObjectVersionTagging"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      }
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      }
    ]
  }
]
```

## S3ReadPolicy
<a name="s3-read-policy"></a>

Provides read-only permissions to read objects in an Amazon Simple Storage Service (Amazon S3) bucket.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
      "s3:GetLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      }
    ]
  }
]
```

## S3WritePolicy
<a name="s3-write-policy"></a>

Provides write permissions to write objects to an Amazon S3 bucket.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:PutLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          {
            "bucketName": {
              "Ref": "BucketName"
            }
          }
        ]
      }
    ]
  }
]
```

## SageMakerCreateEndpointConfigPolicy
<a name="sagemaker-create-endpoint-config-policy"></a>

Provides permissions to create an endpoint configuration in SageMaker AI.

```
"Statement": [
  {
    "Action": [
      "sagemaker:CreateEndpointConfig"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}",
        {
          "endpointConfigName": {
            "Ref": "EndpointConfigName"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## SageMakerCreateEndpointPolicy
<a name="sagemaker-create-endpoint-policy"></a>

Provides permissions to create an endpoint in SageMaker AI.

```
"Statement": [
  {
    "Action": [
      "sagemaker:CreateEndpoint"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}",
        {
          "endpointName": {
            "Ref": "EndpointName"
          }
        }
      ]
    },
    "Effect": "Allow"
  }
]
```

## ServerlessRepoReadWriteAccessPolicy
<a name="serverlessrepo-read-write-access-policy"></a>

Provides permissions to create and list applications in the AWS Serverless Application Repository (AWS SAM) service.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "serverlessrepo:CreateApplication",
      "serverlessrepo:CreateApplicationVersion",
      "serverlessrepo:GetApplication",
      "serverlessrepo:ListApplications",
      "serverlessrepo:ListApplicationVersions"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
      }
    ]
  }
]
```

## SESBulkTemplatedCrudPolicy
<a name="ses-bulk-templated-crud-policy"></a>

Provides permissions to send Amazon SES emails, templated emails, and templated bulk emails, and to verify identities.

**Note**  
The `ses:SendTemplatedEmail` action requires a template ARN. Use `SESBulkTemplatedCrudPolicy_v2` instead.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:GetIdentityVerificationAttributes",
      "ses:SendEmail",
      "ses:SendRawEmail",
      "ses:SendTemplatedEmail",
      "ses:SendBulkTemplatedEmail",
      "ses:VerifyEmailIdentity"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        {
          "identityName": {
            "Ref": "IdentityName"
          }
        }
      ]
    }
  }
]
```

## SESBulkTemplatedCrudPolicy\_v2
<a name="ses-bulk-templated-crud-policy-v2"></a>

Provides permissions to send Amazon SES emails, templated emails, and templated bulk emails, and to verify identities.

```
"Statement": [
  {
    "Action": [
      "ses:SendEmail",
      "ses:SendRawEmail",
      "ses:SendTemplatedEmail",
      "ses:SendBulkTemplatedEmail"
    ],
    "Effect": "Allow",
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
          {
            "identityName": {
              "Ref": "IdentityName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:template/${templateName}",
          {
            "templateName": {
              "Ref": "TemplateName"
            }
          }
        ]
      }
    ]
  },
  {
    "Action": [
      "ses:GetIdentityVerificationAttributes",
      "ses:VerifyEmailIdentity"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }
]
```

## SESCrudPolicy
<a name="ses-crud-policy"></a>

Provides permissions to send emails and verify identities.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:GetIdentityVerificationAttributes",
      "ses:SendEmail",
      "ses:SendRawEmail",
      "ses:VerifyEmailIdentity"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        {
          "identityName": {
            "Ref": "IdentityName"
          }
        }
      ]
    }
  }
]
```

## SESEmailTemplateCrudPolicy
<a name="ses-email-template-crud-policy"></a>

Provides permissions to create, get, list, update, and delete Amazon SES email templates.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:CreateTemplate",
      "ses:GetTemplate",
      "ses:ListTemplates",
      "ses:UpdateTemplate",
      "ses:DeleteTemplate",
      "ses:TestRenderTemplate"
    ],
    "Resource": "*"
  }
]
```

## SESSendBouncePolicy
<a name="ses-send-bounce-policy"></a>

Grants SendBounce permission to an Amazon Simple Email Service (Amazon SES) identity.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:SendBounce"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        {
          "identityName": {
            "Ref": "IdentityName"
          }
        }
      ]
    }
  }
]
```

## SNSCrudPolicy
<a name="sns-crud-policy"></a>

Provides permissions to create, publish to, and subscribe to an Amazon SNS topic.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sns:ListSubscriptionsByTopic",
      "sns:CreateTopic",
      "sns:SetTopicAttributes",
      "sns:Subscribe",
      "sns:Publish"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
        {
          "topicName": {
            "Ref": "TopicName"
          }
        }
      ]
    }
  }
]
```

## SNSPublishMessagePolicy
<a name="sqs-publish-message-policy"></a>

Provides permissions to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sns:Publish"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
        {
          "topicName": {
            "Ref": "TopicName"
          }
        }
      ]
    }
  }
]
```

## SQSPollerPolicy
<a name="sqs-poller-policy"></a>

Provides permissions to poll an Amazon Simple Queue Service (Amazon SQS) queue.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:ReceiveMessage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        {
          "queueName": {
            "Ref": "QueueName"
          }
        }
      ]
    }
  }
]
```

## SQSSendMessagePolicy
<a name="sqs-send-message-policy"></a>

Provides permissions to send a message to an Amazon SQS queue.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:SendMessage*"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        {
          "queueName": {
            "Ref": "QueueName"
          }
        }
      ]
    }
  }
]
```

## SSMParameterReadPolicy
<a name="ssm-parameter-read-policy"></a>

Provides permissions to access parameters in the Amazon EC2 Systems Manager (SSM) Parameter Store, so that the function can load secrets in this account. Use this policy when the parameter name does not have a slash prefix.

**Note**  
If you are not using the default key, you also need the `KMSDecryptPolicy` policy.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ssm:DescribeParameters"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "ssm:GetParameters",
      "ssm:GetParameter",
      "ssm:GetParametersByPath"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
        {
          "parameterName": {
            "Ref": "ParameterName"
          }
        }
      ]
    }
  }
]
```

## SSMParameterWithSlashPrefixReadPolicy
<a name="ssm-parameter-slash-read-policy"></a>

Provides permissions to access parameters in the Amazon EC2 Systems Manager (SSM) Parameter Store, so that the function can load secrets in this account. Use this policy when the parameter name has a slash prefix.

**Note**  
If you are not using the default key, you also need the `KMSDecryptPolicy` policy.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ssm:DescribeParameters"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "ssm:GetParameters",
      "ssm:GetParameter",
      "ssm:GetParametersByPath"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}",
        {
          "parameterName": {
            "Ref": "ParameterName"
          }
        }
      ]
    }
  }
]
```
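The two SSM templates above differ only in `parameter/${parameterName}` versus `parameter${parameterName}`: a parameter named `/app/db-password` has the ARN suffix `parameter/app/db-password`, so substituting it into the non-slash template produces `parameter//app/db-password`, which matches nothing and the function is denied at runtime. The same resolve-then-match step also shows what the trailing `*` in `LambdaInvokePolicy` (`function:${functionName}*`) and `SNSCrudPolicy` (`${topicName}*`) does: it exists so that aliases and versions of the named function match, but IAM's `*` is a plain wildcard, so every function whose name merely starts with the given name matches too. The following added example is written for this page and is not part of AWS SAM; `fn_sub` is a minimal stand-in for CloudFormation's `Fn::Sub` that handles only `${Name}` placeholders, `arn_matches` implements the `*`/`?` wildcard rules IAM applies to resource ARNs, and the account values and candidate ARNs are constructed.

```python
import re

# Resource patterns copied from the policy templates on this page.
LAMBDA_INVOKE = "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*"
SNS_CRUD = "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*"
SSM_READ = "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}"
SSM_SLASH_READ = "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}"

# Constructed pseudo-parameter values standing in for a real account.
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}


def fn_sub(template: str, variables: dict) -> str:
    """Expand ${Name} placeholders like Fn::Sub, falling back to the pseudo-parameters."""
    def lookup(match):
        name = match.group(1)
        if name in variables:
            return variables[name]
        if name in PSEUDO:
            return PSEUDO[name]
        raise KeyError(f"unresolved placeholder ${{{name}}}")
    return re.sub(r"\$\{([^}]+)\}", lookup, template)


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def scope(template: str, variables: dict, candidates) -> list:
    """Resolve a template's Resource pattern and return the candidate ARNs it would allow."""
    pattern = fn_sub(template, variables)
    return [arn for arn in candidates if arn_matches(pattern, arn)]


# Constructed ARNs in the sample account; comments say what a reviewer would expect.
LAMBDA_FUNCS = [
    "arn:aws:lambda:us-east-1:123456789012:function:orders",         # the named function
    "arn:aws:lambda:us-east-1:123456789012:function:orders:prod",    # its alias: intended
    "arn:aws:lambda:us-east-1:123456789012:function:orders-admin",   # different function: also matched
    "arn:aws:lambda:us-east-1:123456789012:function:billing",        # unrelated: not matched
]
PARAMS = [
    "arn:aws:ssm:us-east-1:123456789012:parameter/db-password",      # name without slash prefix
    "arn:aws:ssm:us-east-1:123456789012:parameter/app/db-password",  # name "/app/db-password"
]

if __name__ == "__main__":
    print("LambdaInvokePolicy orders ->", scope(LAMBDA_INVOKE, {"functionName": "orders"}, LAMBDA_FUNCS))
    print("SNSCrudPolicy pattern     ->", fn_sub(SNS_CRUD, {"topicName": "alerts"}))
    print("SSMParameterReadPolicy    ->", scope(SSM_READ, {"parameterName": "db-password"}, PARAMS))
    print("SSM...WithSlashPrefix     ->", scope(SSM_SLASH_READ, {"parameterName": "/app/db-password"}, PARAMS))
    print("wrong template for /app   ->", scope(SSM_READ, {"parameterName": "/app/db-password"}, PARAMS))
```

Two things follow for a reviewer. For the SSM templates, pick the variant by whether the parameter name starts with `/`; the wrong choice fails closed (an empty match set), which is safe but shows up only as a runtime `AccessDenied`. For `LambdaInvokePolicy` and `SNSCrudPolicy`, the prefix wildcard is part of the template, so keep function and topic names in an account from sharing prefixes with more privileged ones (here `orders-admin` is invokable by a function that was only meant to call `orders`), or write an explicit inline policy where that is not possible.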

## StepFunctionsExecutionPolicy
<a name="stepfunctions-execution-policy"></a>

Provides permissions to start an execution of a Step Functions state machine.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "states:StartExecution"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
        {
          "stateMachineName": {
            "Ref": "StateMachineName"
          }
        }
      ]
    }
  }
]
```

## TextractDetectAnalyzePolicy
<a name="textract-detect-analyze-policy"></a>

Provides access to detect and analyze documents with Amazon Textract.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "textract:DetectDocumentText",
      "textract:StartDocumentTextDetection",
      "textract:StartDocumentAnalysis",
      "textract:AnalyzeDocument"
    ],
    "Resource": "*"
  }
]
```

## TextractGetResultPolicy
<a name="textract-get-result-policy"></a>

Provides access to get the results of document detection and analysis from Amazon Textract.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "textract:GetDocumentTextDetection",
      "textract:GetDocumentAnalysis"
    ],
    "Resource": "*"
  }
]
```

## TextractPolicy
<a name="textract-policy"></a>

Provides full access to Amazon Textract.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "textract:*"
    ],
    "Resource": "*"
  }
]
```

## VPCAccessPolicy
<a name="vpc-access-policy"></a>

Provides access to create, delete, describe, and detach elastic network interfaces.

```
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DetachNetworkInterface"
    ],
    "Resource": "*"
  }
]
```