CloudWatch 金丝雀所需的角色和权限

要查看 Canary 详细信息和 Canary 运行的结果，您必须以 IAM 用户身份登录，该用户将CloudWatchSyntheticsFullAccess或CloudWatchSyntheticsReadOnlyAccess已附加。要在控制台中读取所有 Synthetics 数据，您还需要 AmazonS3ReadOnlyAccess 和 CloudWatchReadOnlyAccess 策略。要查看 Canary 使用的源代码，您还需要 AWSLambdaReadOnlyAccess 策略。

要创建 Canary，您必须以 IAM 用户身份登录，该用户具有CloudWatchSyntheticsFullAccess策略或类似的权限集。要为 Canary 创建 IAM 角色，您还需要以下内联策略语句：


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*",
                "arn:aws:iam::*:policy/service-role/CloudWatchSyntheticsPolicy*"
            ]
        }
    ]
}

重要

通过向用户授予 iam:CreateRole、iam:CreatePolicy 和 iam:AttachRolePolicy 权限，用户将获得对 Amazon 账户的完全管理访问权限。例如，具有这些权限的用户可以创建一个对所有资源具有完全权限的策略，并将该策略附加到任何角色。请谨慎地为相关人员授予这些权限。

有关附加策略和向用户授予权限的信息，请参阅更改 IAM 用户的权限和为用户或角色嵌入内联策略。

Amazon管 CloudWatch 策略

要将权限添加到用户、组和角色，您可以更容易地使用Amazon托管策略而不是自己编写策略。创建仅为团队提供所需权限的 IAM 客户托管策略需要时间和专业知识。要快速入门，您可以使用我们的Amazon托管策略。这些策略涵盖了常见的使用案例，可在Amazonaccount. 有关的更多信息Amazon托管策略，请参阅 Amazon托管策略 Amazon《IAM 用户指南》中的托管策略。

Amazon服务维护和更新Amazon托管策略。您不能更改Amazon托管策略。服务偶尔会更改Amazon托管策略。此类更新会影响附加策略的所有身份（用户、组和角色）。

CloudWatch Synthetics 更新Amazon托管策略

查看有关更新的详细信息Amazon针对 CloudWatch Synthetics 的策略，因为此服务开始跟踪这些更改。有关此页面更改的自动警报，请订阅 CloudWatch 文档历史记录页面上的 RSS 源。

变更	描述	日期
从中删除了冗余操作CloudWatchSyntheticsFullAccess	CloudWatch Synthetics 删除了`s3:PutBucketEncryption`和`lambda:GetLayerVersionByArn`操作来自CloudWatchSyntheticsFullAccess策略，因为这些操作与策略中的其他权限是多余的。删除的操作不提供任何权限，并且策略授予的权限没有净更改。	2021 年 3 月 12 日
CloudWatch Synthetics 开始跟踪变化	CloudWatch Synthetics 开始跟踪其Amazon托管策略。	2021 年 3 月 10 日

CloudWatchSyntheticsFullAccess

以下是 CloudWatchSyntheticsFullAccess 策略的内容：


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "synthetics:*"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:CreateBucket",
            "s3:PutEncryptionConfiguration"
         ],
         "Resource":[
            "arn:aws:s3:::cw-syn-results-*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:ListRoles",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "xray:GetTraceSummaries",
            "xray:BatchGetTraces",
            "apigateway:GET"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject",
            "s3:ListBucket"
         ],
         "Resource":"arn:aws:s3:::cw-syn-*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObjectVersion"
         ],
         "Resource":"arn:aws:s3:::aws-synthetics-library-*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"
         ],
         "Condition":{
            "StringEquals":{
               "iam:PassedToService":[
                  "lambda.amazonaws.com",
                  "synthetics.amazonaws.com"
               ]
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:GetRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/service-role/CloudWatchSyntheticsRole*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "cloudwatch:PutMetricAlarm",
            "cloudwatch:DeleteAlarms"
         ],
         "Resource":[
            "arn:aws:cloudwatch:*:*:alarm:Synthetics-*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "cloudwatch:DescribeAlarms"
         ],
         "Resource":[
            "arn:aws:cloudwatch:*:*:alarm:*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "lambda:CreateFunction",
            "lambda:AddPermission",
            "lambda:PublishVersion",
            "lambda:UpdateFunctionConfiguration",
            "lambda:GetFunctionConfiguration"
         ],
         "Resource":[
            "arn:aws:lambda:*:*:function:cwsyn-*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "lambda:GetLayerVersion",
            "lambda:PublishLayerVersion"
         ],
         "Resource":[
            "arn:aws:lambda:*:*:layer:cwsyn-*",
            "arn:aws:lambda:*:*:layer:Synthetics:*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sns:ListTopics"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sns:CreateTopic",
            "sns:Subscribe",
            "sns:ListSubscriptionsByTopic"
         ],
         "Resource":[
            "arn:*:sns:*:*:Synthetics-*"
         ]
      }
   ]
}

CloudWatchSyntheticsReadOnlyAccess

以下是 CloudWatchSyntheticsReadOnlyAccess 策略的内容：


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "synthetics:Describe*",
                "synthetics:Get*",
                "synthetics:List*"
            ],
            "Resource": "*"
        }
    ]
}

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

使用 Synthetics 监控

创建金丝雀