CloudWatch Canary 的必需角色和权限 - Amazon CloudWatch
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

如果我们为英文版本指南提供翻译,那么如果存在任何冲突,将以英文版本指南为准。在提供翻译时使用机器翻译。

CloudWatch Canary 的必需角色和权限

要查看 Canary 详细信息和 Canary 运行的结果,您必须以附加了 CloudWatchSyntheticsFullAccessCloudWatchSyntheticsReadOnlyAccess 的 IAM 用户身份登录。要在控制台中读取所有 Synthetics 数据,您还需要 AmazonS3ReadOnlyAccessCloudWatchReadOnlyAccess 策略。要查看 Canary 使用的源代码,您还需要 AWSLambdaReadOnlyAccess 策略。

要创建 Canary,您必须以具有 CloudWatchSyntheticsFullAccess 策略或类似权限集的 IAM 用户身份登录。要为 Canary 创建 IAM 角色,您还需要以下内联策略语句: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
                "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*"
            ]
        }
    ]
}
重要

通过向用户授予 iam:CreateRoleiam:CreatePolicyiam:AttachRolePolicy 权限,用户将获得对 AWS 账户的完全管理访问权限。例如,具有这些权限的用户可以创建一个对所有资源具有完全权限的策略,并将该策略附加到任何角色。请谨慎地为相关人员授予这些权限。

有关附加策略和向用户授予权限的信息,请参阅更改 IAM 用户的权限为用户或角色嵌入内联策略

CloudWatchSyntheticsFullAccess

以下是 CloudWatchSyntheticsFullAccess 策略的内容: 

{ 
   "Version":"2012-10-17",
   "Statement":[ 
      { 
         "Effect":"Allow",
         "Action":[ 
            "synthetics:*"
         ],
         "Resource":"*"
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "s3:CreateBucket",
            "s3:PutBucketEncryption",
            "s3:PutEncryptionConfiguration"
         ],
         "Resource":[ 
            "arn:aws:s3:::cw-syn-results-*"
         ]
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "iam:ListRoles",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
         ],
         "Resource":"*"
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "s3:GetObject",
            "s3:ListBucket"
         ],
         "Resource":"arn:aws:s3:::cw-syn-*"
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "s3:GetObjectVersion"
         ],
         "Resource":"arn:aws:s3:::aws-synthetics-library-*"
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "iam:PassRole"
         ],
         "Resource":[ 
            "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"
         ],
         "Condition":{ 
            "StringEquals":{ 
               "iam:PassedToService":[ 
                  "lambda.amazonaws.com",
                  "synthetics.amazonaws.com"
               ]
            }
         }
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "iam:GetRole"
         ],
         "Resource":[ 
         "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"
         ]
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics"
         ],
         "Resource":"*"
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "cloudwatch:PutMetricAlarm",
            "cloudwatch:DeleteAlarms"
         ],
         "Resource":[ 
            "arn:aws:cloudwatch:*:*:alarm:Synthetics-*"
         ]
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "cloudwatch:DescribeAlarms"
         ],
         "Resource":[ 
            "arn:aws:cloudwatch:*:*:alarm:*"
         ]
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "lambda:CreateFunction",
            "lambda:AddPermission",
            "lambda:PublishVersion",
            "lambda:UpdateFunctionConfiguration"
         ],
         "Resource":[ 
            "arn:aws:lambda:*:*:function:cwsyn-*"
         ]
      },
      { 
         "Effect":"Allow",
         "Action":[ 
            "lambda:GetLayerVersionByArn",
            "lambda:GetLayerVersion",
            "lambda:PublishLayerVersion"
         ],
         "Resource":[ 
            "arn:aws:lambda:*:*:layer:cwsyn-*",
            "arn:aws:lambda:*:*:layer:Synthetics:*"
         ]
      }
   ]
}

CloudWatchSyntheticsReadOnlyAccess

以下是 CloudWatchSyntheticsReadOnlyAccess 策略的内容: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "synthetics:Describe*",
                "synthetics:Get*"
            ],
            "Resource": "*"
        }
    ]
}