


# API authentication and authorization for Amazon MQ
<a name="security-api-authentication-authorization"></a>

Amazon MQ uses standard Amazon request signing for API authentication. For more information, see [Signing Amazon API requests](https://docs.amazonaws.cn/general/latest/gr/signing_aws_api_requests.html) in the *Amazon Web Services General Reference*.
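To make the signing step concrete, the following added example (written for this page, not SDK or Amazon MQ code) derives a Signature Version 4 `Authorization` header for a `GET /v1/brokers` request against a placeholder Amazon MQ endpoint. The endpoint hostname, the request path, the credentials and the function names are assumptions constructed for the example; a real client would let the SDK sign requests, and the point here is to show which request fields the signature binds (method, path, canonical headers, payload hash, date, region and service scope).

```python
"""Sign an Amazon MQ REST API request with AWS Signature Version 4.

Added example, not AWS SDK code.  The credentials, region, host and path
below are constructed placeholders.  Assumed: no session token and no
query string; the rest follows the published SigV4 algorithm.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample values (the secret is AWS's documented example key).
ACCESS_KEY = "AKIAEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "cn-north-1"
HOST = "mq.cn-north-1.amazonaws.com.cn"   # assumed endpoint shape
SERVICE = "mq"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive kSigning: HMAC chain over date, region, service and 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method: str, host: str, path: str, body: bytes,
                 access_key: str, secret_key: str, region: str,
                 amz_date: str, service: str = SERVICE) -> dict:
    """Return the request headers, including the SigV4 Authorization header.

    amz_date is the ISO8601 basic timestamp, e.g. 20240101T000000Z.
    """
    date_stamp = amz_date[:8]                  # YYYYMMDD part of the scope
    payload_hash = _sha256_hex(body)
    # Canonical headers: lower-case names, trimmed values, sorted by name.
    headers = {
        "content-type": "application/json",
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Canonical request: method, URI, query (empty here), headers, signed list, payload hash.
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for name, value in sign_request("GET", HOST, "/v1/brokers", b"",
                                    ACCESS_KEY, SECRET_KEY, REGION, now).items():
        print(f"{name}: {value}")
```

Because the payload hash, the date and the signed headers are all inputs to the signature, any change to the body or to a signed header after signing invalidates the request; the `x-amz-date` value also bounds how long a captured signed request stays usable.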

**Note**  
Currently, Amazon MQ does not support IAM authentication using resource-based permissions or resource-based policies.

To authorize Amazon users to work with brokers, configurations, and users, you must edit your IAM policy permissions.

**Topics**
+ [IAM permissions required to create an Amazon MQ broker](#security-permissions-required-to-create-broker)
+ [Amazon MQ REST API permissions reference](#security-api-permissions-reference)
+ [Amazon MQ additional permissions reference](#security-amq-additional-permissions)
+ [Resource-level permissions for Amazon MQ API actions](#security-supported-iam-actions-resources)

## IAM permissions required to create an Amazon MQ broker
<a name="security-permissions-required-to-create-broker"></a>

To create a broker, you must either use the `AmazonMQFullAccess` IAM policy or include the following EC2 permissions in your IAM policy.

The following custom policy consists of two statements (one of them conditional) that grant permissions to manipulate the resources Amazon MQ needs in order to create an ActiveMQ broker.

**Important**  
The `ec2:CreateNetworkInterface` action is required to allow Amazon MQ to create an elastic network interface (ENI) in your account on your behalf.
The `ec2:CreateNetworkInterfacePermission` action authorizes Amazon MQ to attach that ENI to the ActiveMQ broker.
The `ec2:AuthorizedService` condition key ensures that ENI permissions can be granted only to the Amazon MQ service account.

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "mq:*",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DetachNetworkInterface",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs"
        ],
        "Effect": "Allow",
        "Resource": "*"
    },{
        "Action": [
            "ec2:CreateNetworkInterfacePermission",
            "ec2:DeleteNetworkInterfacePermission",
            "ec2:DescribeNetworkInterfacePermissions"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:AuthorizedService": "mq.amazonaws.com"
            }
        }
    }]
}
```

The EC2 actions above are documented in the [Amazon EC2 API Reference](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html), and the `ec2:AuthorizedService` condition key in the [IAM User Guide](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-ec2_AuthorizedService).

For more information, see [Step 2: Create a user and get your Amazon credentials](amazon-mq-setting-up.md#create-iam-user) and [Never modify or delete the Amazon MQ elastic network interface](best-practices-activemq.md#never-modify-delete-elastic-network-interface).

## Amazon MQ REST API permissions reference
<a name="security-api-permissions-reference"></a>

The following table lists the Amazon MQ REST APIs and the IAM permission each one requires.


**Amazon MQ REST APIs and required permissions**  

| Amazon MQ REST API | Required permission | 
| --- | --- | 
| [CreateBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-brokers.html#CreateBroker) | mq:CreateBroker | 
| [CreateConfiguration](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configurations.html#CreateConfiguration) | mq:CreateConfiguration | 
| [CreateTags](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/tags-resource-arn.html#CreateTags) | mq:CreateTags | 
| [CreateUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-user.html#CreateUser) | mq:CreateUser | 
| [DeleteBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker.html#DeleteBroker) | mq:DeleteBroker | 
| [DeleteUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-user.html#DeleteUser) | mq:DeleteUser | 
| [DescribeBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker.html#DescribeBroker) | mq:DescribeBroker | 
| [DescribeConfiguration](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration.html#DescribeConfiguration) | mq:DescribeConfiguration | 
| [DescribeConfigurationRevision](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration-revision.html#DescribeConfigurationRevision) | mq:DescribeConfigurationRevision | 
| [DescribeUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/brokers-broker-id-users-username.html#DescribeUser) | mq:DescribeUser | 
| [ListBrokers](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-brokers.html#ListBrokers) | mq:ListBrokers | 
| [ListConfigurationRevisions](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html#rest-api-configuration-revisions-methods-get) | mq:ListConfigurationRevisions | 
| [ListConfigurations](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configurations.html#ListConfigurations) | mq:ListConfigurations | 
| [ListTags](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/tags-resource-arn.html#ListTags) | mq:ListTags | 
| [ListUsers](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-users.html#ListUsers) | mq:ListUsers | 
| [RebootBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker-reboot.html#RebootBroker) | mq:RebootBroker | 
| [UpdateBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker.html#UpdateBroker) | mq:UpdateBroker | 
| [UpdateConfiguration](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration.html#UpdateConfiguration) | mq:UpdateConfiguration | 
| [UpdateUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-user.html#UpdateUser) | mq:UpdateUser | 

## Amazon MQ additional permissions reference
<a name="security-amq-additional-permissions"></a>

The following table lists the Amazon MQ APIs and the additional IAM permissions required for specific features, such as OAuth 2.0 authentication.


| Amazon MQ REST API | Permission | Description | 
| --- | --- | --- | 
| [UpdateBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/brokers-broker-id.html#UpdateBroker) | mq:UpdateBrokerAccessConfiguration | This permission is required to update the authentication and authorization options in the associated broker configuration. For more information, see [OAuth 2.0 authentication and authorization for Amazon MQ for RabbitMQ](oauth-for-amq-for-rabbitmq.md). | 

## Resource-level permissions for Amazon MQ API actions
<a name="security-supported-iam-actions-resources"></a>

The term *resource-level permissions* refers to the ability to specify which resources users are allowed to perform actions on. Amazon MQ has partial support for resource-level permissions. For certain Amazon MQ actions, you can control when users are allowed to use those actions, based on conditions that have to be fulfilled, or the specific resources that users are allowed to use.

The following table describes the Amazon MQ API actions that currently support resource-level permissions, along with the supported resource ARNs, resources, and condition keys for each action.

**Important**  
If an Amazon MQ API action is not listed in this table, it does not support resource-level permissions. If an Amazon MQ API action does not support resource-level permissions, you can still grant users permission to use the action, but you must specify the `*` wildcard for the resource element of your policy statement.


| API action | Resource type (\* required) | 
| --- | --- | 
| [CreateConfiguration](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configurations.html#CreateConfiguration) | [configuration\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [CreateTags](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/tags-resource-arn.html#CreateTags) | [broker](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies), [configuration](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [CreateUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-user.html#CreateUser) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [DeleteBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker.html#DeleteBroker) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [DeleteUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-user.html#DeleteUser) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [DescribeBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker.html#DescribeBroker) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [DescribeConfiguration](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration.html#DescribeConfiguration) | [configuration\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [DescribeConfigurationRevision](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration-revision.html#DescribeConfigurationRevision) | [configuration\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [DescribeUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/brokers-broker-id-users-username.html#DescribeUser) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [ListConfigurationRevisions](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html#ListConfigurationRevisions) | [configuration\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [ListTags](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/tags-resource-arn.html#ListTags) | [broker](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies), [configuration](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [ListUsers](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-users.html#ListUsers) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [RebootBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker-reboot.html#RebootBroker) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [UpdateBroker](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-broker.html#UpdateBroker) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [UpdateConfiguration](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-configuration.html#UpdateConfiguration) | [configuration\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
| [UpdateUser](https://docs.amazonaws.cn/amazon-mq/latest/api-reference/rest-api-user.html#UpdateUser) | [broker\*](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_amazonmq.html#amazonmq-resources-for-iam-policies) | 
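The two rules that most often go wrong in practice are the ones stated above: an action that is not in the resource-level table is silently denied when its statement names a specific ARN instead of `*`, and the ENI-permission statement in the broker-creation policy should carry the `ec2:AuthorizedService` condition. The following added example (written for this page, not Amazon MQ or IAM code) lints a policy document against both. The action-to-resource-type map is transcribed from the table above; the ARN shape (resource type in the sixth colon-separated field, as in the IAM service authorization reference for Amazon MQ) is an assumption, and the sample policy, account id and broker id are constructed.

```python
"""Lint an Amazon MQ IAM policy against this page's resource-level table
and the ec2:AuthorizedService condition on ENI permissions.

Added example, not Amazon code.  Assumed: Amazon MQ ARNs look like
arn:<partition>:mq:<region>:<account>:broker:<name>:<id> or
arn:<partition>:mq:<region>:<account>:configuration:<id>.
"""

# Actions that support resource-level permissions and the resource types
# whose ARNs may appear in "Resource" (transcribed from the page's table).
RESOURCE_LEVEL = {
    "mq:CreateConfiguration": {"configuration"},
    "mq:CreateTags": {"broker", "configuration"},
    "mq:CreateUser": {"broker"},
    "mq:DeleteBroker": {"broker"},
    "mq:DeleteUser": {"broker"},
    "mq:DescribeBroker": {"broker"},
    "mq:DescribeConfiguration": {"configuration"},
    "mq:DescribeConfigurationRevision": {"configuration"},
    "mq:DescribeUser": {"broker"},
    "mq:ListConfigurationRevisions": {"configuration"},
    "mq:ListTags": {"broker", "configuration"},
    "mq:ListUsers": {"broker"},
    "mq:RebootBroker": {"broker"},
    "mq:UpdateBroker": {"broker"},
    "mq:UpdateConfiguration": {"configuration"},
    "mq:UpdateUser": {"broker"},
}
ENI_PERMISSION_ACTIONS = {
    "ec2:CreateNetworkInterfacePermission",
    "ec2:DeleteNetworkInterfacePermission",
    "ec2:DescribeNetworkInterfacePermissions",
}
MQ_SERVICE_PRINCIPAL = "mq.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def arn_resource_type(arn):
    """Resource-type field of an Amazon MQ ARN; None for the '*' wildcard."""
    if arn == "*":
        return None
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "mq":
        return "not-an-mq-arn"
    return parts[5]


def lint_policy(policy):
    """Return human-readable findings for Allow statements in the policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if not action.startswith("mq:"):
                continue
            allowed = RESOURCE_LEVEL.get(action)
            for arn in resources:
                rtype = arn_resource_type(arn)
                if rtype is None:
                    continue  # "*" is valid for every action
                if action == "mq:*" or allowed is None:
                    # Not in the table (or a wildcard covering such actions):
                    # a specific ARN never matches, so the grant is ineffective.
                    findings.append(
                        f"statement {idx}: {action} covers actions without "
                        f"resource-level support; Resource must be '*' (got {arn})")
                elif rtype not in allowed:
                    findings.append(
                        f"statement {idx}: {action} expects a "
                        f"{'/'.join(sorted(allowed))} ARN, got {rtype}")
        # ENI-permission actions should be limited to the Amazon MQ service.
        if ENI_PERMISSION_ACTIONS & set(actions):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("ec2:AuthorizedService") != MQ_SERVICE_PRINCIPAL:
                findings.append(
                    f"statement {idx}: NetworkInterfacePermission actions lack "
                    f"the ec2:AuthorizedService = {MQ_SERVICE_PRINCIPAL} condition")
    return findings


# Constructed sample: statement 0 is fine; statement 1 scopes ListBrokers to an
# ARN (ineffective) and DescribeConfiguration to a broker ARN (wrong type);
# statement 2 grants ENI permissions with no service condition.
BROKER_ARN = "arn:aws-cn:mq:cn-north-1:123456789012:broker:MyBroker:b-0000"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["mq:DescribeBroker", "mq:RebootBroker"],
         "Resource": BROKER_ARN},
        {"Effect": "Allow", "Action": ["mq:ListBrokers", "mq:DescribeConfiguration"],
         "Resource": BROKER_ARN},
        {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterfacePermission"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the page's own broker-creation policy, the linter reports nothing, because `mq:*` is granted on `*` and the ENI-permission statement carries the condition; the value of the check is catching the narrowed-down variants teams write later, where an ineffective grant shows up only as an unexplained `AccessDenied`.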