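IAM policies to use Evidently
Important
End of support notice: On October 16, 2025, Amazon will discontinue support for CloudWatch Evidently. After October 16, 2025, you will no longer be able to access the Evidently console or Evidently resources.
To fully manage CloudWatch Evidently, you must be signed in as an IAM user or role that has the following permissions:
The AmazonCloudWatchEvidentlyFullAccess policy
The ResourceGroupsandTagEditorReadOnlyAccess policy
Additionally, to be able to create a project that stores evaluation events in Amazon S3 or CloudWatch Logs, you need the following permissions: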
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:DescribeResourcePolicies",
                "logs:PutResourcePolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
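Additional permissions for CloudWatch RUM integration
Additionally, if you intend to manage Evidently launches or experiments that integrate with Amazon CloudWatch RUM and use CloudWatch RUM metrics for monitoring, you need the AmazonCloudWatchRUMFullAccess policy. To create an IAM role that gives the CloudWatch RUM web client permission to send data to CloudWatch RUM, you need the following permissions: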
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*",
                "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*"
            ]
        }
    ]
}
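The two policy documents on this page differ in how their Resource elements are scoped, which matters when reviewing them before attaching them to a user or role. The following check is an added example, not AWS code: it lists every permission-changing action that a policy allows on all resources of a service. The function names and the `PERMISSION_CHANGING` set are assumptions chosen for this review.

```python
import json

# The two policy documents shown on this page.
STORAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetObject", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow",
   "Action": ["logs:CreateLogDelivery", "logs:DeleteLogDelivery",
              "logs:DescribeResourcePolicies", "logs:PutResourcePolicy"],
   "Resource": ["*"]}]}
""")
RUM_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"],
   "Resource": ["arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*",
                "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*"]}]}
""")

# Assumption: the actions this review treats as permission-changing.
PERMISSION_CHANGING = {"s3:PutBucketPolicy", "logs:PutResourcePolicy",
                       "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"}

def as_list(value):
    """IAM allows Action, Resource and Statement to be a single value or a list."""
    return value if isinstance(value, list) else [value]

def resource_scope(resource):
    """Classify one Resource entry (arn:partition:service:region:account:resource)
    as 'any', 'pattern' or 'exact', based on its resource part."""
    name = resource.split(":", 5)[-1]
    if name == "*":
        return "any"
    return "pattern" if "*" in name or "?" in name else "exact"

def unscoped_grants(policy):
    """(action, resource) pairs: permission-changing action allowed on every resource."""
    return [(action, resource)
            for stmt in as_list(policy["Statement"]) if stmt.get("Effect") == "Allow"
            for action in as_list(stmt.get("Action", [])) if action in PERMISSION_CHANGING
            for resource in as_list(stmt.get("Resource", []))
            if resource_scope(resource) == "any"]

if __name__ == "__main__":
    for label, doc in (("storage", STORAGE_POLICY), ("rum-role", RUM_ROLE_POLICY)):
        print(label, unscoped_grants(doc))
```

The storage policy reports two entries, while the RUM role policy reports none because its resources are limited to the CloudWatchRUMEvidentlyRole-* and CloudWatchRUMEvidentlyPolicy-* name patterns.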
Read-only access to Evidently
For other users who need to view Evidently data but don't need to create Evidently resources, you can grant the AmazonCloudWatchEvidentlyReadOnlyAccess policy.