Amazon Web Services managed policies for Amazon Trusted Advisor - Amazon Web Services Support

Amazon Web Services managed policies for Amazon Trusted Advisor

Trusted Advisor has the following Amazon Web Services managed policies.

Amazon managed policy: AWSTrustedAdvisorPriorityFullAccess

The AWSTrustedAdvisorPriorityFullAccess policy grants full access to Trusted Advisor Priority. It also allows the user to add Trusted Advisor as a trusted service with Amazon Organizations and to specify a delegated administrator account for Trusted Advisor Priority.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

  • Describe your account and organization.

  • Describe the risks identified by Trusted Advisor Priority. These permissions also allow you to download risks and update risk status.

  • Describe the configuration of Trusted Advisor Priority email notifications. These permissions also allow you to update the notification configuration and to delete (disable) the notification configuration for a delegated administrator.

  • Set organization access for Trusted Advisor so that your account can enable the Organizations integration.

In the second statement, the policy includes the following permissions for organizations:

  • Describe your account and organization.

  • List the Amazon Web Services that you have enabled to use with Organizations.

In the third statement, the policy includes the following permissions for organizations, restricted by a condition to the Trusted Advisor reporting service principal (reporting.trustedadvisor.amazonaws.com):

  • List the delegated administrators for Trusted Advisor Priority.

  • Enable and disable trusted access for Organizations. Because of the organizations:ServicePrincipal condition, these actions can enable or disable trusted access only for Trusted Advisor, not for other services.

In the fourth statement, the policy includes the following permission for iam:

  • Create the AWSServiceRoleForTrustedAdvisorReporting service-linked role. The resource ARN and the iam:AWSServiceName condition limit this to the Trusted Advisor reporting role only.

In the fifth statement, the policy includes the following permissions for organizations, again conditioned on the reporting.trustedadvisor.amazonaws.com service principal:

  • Register and deregister the delegated administrator for Trusted Advisor Priority.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus",
        "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": ["reporting.trustedadvisor.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": ["reporting.trustedadvisor.amazonaws.com"]
        }
      }
    }
  ]
}
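The point a reviewer wants to confirm about the policy above is that the Organizations and IAM statements are not a general grant: organizations:EnableAWSServiceAccess, organizations:RegisterDelegatedAdministrator and iam:CreateServiceLinkedRole succeed only when the request carries the reporting.trustedadvisor.amazonaws.com service principal or role ARN. The following script is an added example, not part of the AWS documentation or any AWS tool. It embeds the policy document shown above and implements only the subset of IAM evaluation those statements use (Allow effect, "*" and "?" wildcards in Action and Resource, StringEquals and StringLike conditions), then answers allow/deny questions against it. The account IDs and the guardduty.amazonaws.com principal used in the demo are constructed for illustration; real IAM evaluation also applies explicit Deny, SCPs, permissions boundaries and resource policies, none of which are modelled here.

```python
"""Evaluate which actions AWSTrustedAdvisorPriorityFullAccess really allows.

Added example, not AWS code. Models only Allow statements, Action/Resource
wildcards and the StringEquals / StringLike condition operators that the
policy above uses. Deny, SCPs, permissions boundaries and resource policies
are out of scope.
"""
import fnmatch

TA_REPORTING = "reporting.trustedadvisor.amazonaws.com"

# Copied from the AWSTrustedAdvisorPriorityFullAccess document (Version 2012-10-17).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
            "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
            "trustedadvisor:UpdateRiskStatus", "trustedadvisor:DescribeNotificationConfigurations",
            "trustedadvisor:UpdateNotificationConfigurations",
            "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
            "trustedadvisor:SetOrganizationAccess"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:DescribeAccount", "organizations:DescribeOrganization",
            "organizations:ListAWSServiceAccessForOrganization"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:ListDelegatedAdministrators", "organizations:EnableAWSServiceAccess",
            "organizations:DisableAWSServiceAccess"],
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_REPORTING]}}},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/" + TA_REPORTING
                     + "/AWSServiceRoleForTrustedAdvisorReporting",
         "Condition": {"StringLike": {"iam:AWSServiceName": TA_REPORTING}}},
        {"Effect": "Allow", "Resource": "arn:aws:organizations::*:*", "Action": [
            "organizations:RegisterDelegatedAdministrator",
            "organizations:DeregisterDelegatedAdministrator"],
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_REPORTING]}}},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob_any(value, patterns, ignore_case=False):
    # IAM "*" matches any run of characters (including ":" and "/"), "?" exactly one.
    # Action names are case-insensitive in IAM; ARNs and condition values are not.
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    # Every operator/key pair must hold. A context key that is absent fails the
    # test, which is what makes a request without organizations:ServicePrincipal
    # fall through to the implicit deny.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not _glob_any(actual, _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def is_allowed(policy, action, resource="*", context=None):
    """True if some Allow statement matches the action, the resource and the request context."""
    context = context or {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if not _glob_any(action, _as_list(statement["Action"]), ignore_case=True):
            continue
        if not _glob_any(resource, _as_list(statement["Resource"])):
            continue
        if _condition_met(statement.get("Condition", {}), context):
            return True
    return False  # implicit deny


def unscoped_statements(policy):
    """Indices of Allow statements with Resource "*" and no Condition: the ones to read first in review."""
    return [i for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s["Resource"])
            and "Condition" not in s]


if __name__ == "__main__":
    ta_ctx = {"organizations:ServicePrincipal": TA_REPORTING}
    other_ctx = {"organizations:ServicePrincipal": "guardduty.amazonaws.com"}  # constructed
    print(is_allowed(FULL_ACCESS_POLICY, "organizations:EnableAWSServiceAccess", context=ta_ctx))
    print(is_allowed(FULL_ACCESS_POLICY, "organizations:EnableAWSServiceAccess", context=other_ctx))
    print(unscoped_statements(FULL_ACCESS_POLICY))
```

Running the demo prints True, False and [0, 1]: trusted access can be toggled only for the Trusted Advisor reporting principal, and the only statements that are unconditioned with Resource "*" are the two describe/list statements (trustedadvisor and organizations read calls), which is the expected shape for a policy that claims to scope its Organizations write actions to one service.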

Amazon managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess

The AWSTrustedAdvisorPriorityReadOnlyAccess policy grants read-only permissions to Trusted Advisor Priority, including permission to view the delegated administrator account.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

  • Describe your Trusted Advisor account and organization.

  • Describe the risks identified by Trusted Advisor Priority and download them.

  • Describe the configuration of Trusted Advisor Priority email notifications.

In the second and third statements, the policy includes the following permissions for organizations:

  • Describe your organization with Organizations.

  • List the Amazon Web Services that you have enabled to use with Organizations.

  • List the delegated administrators for Trusted Advisor Priority. This action is conditioned on the reporting.trustedadvisor.amazonaws.com service principal, so it cannot be used to enumerate delegated administrators of other services.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": ["reporting.trustedadvisor.amazonaws.com"]
        }
      }
    }
  ]
}

Amazon managed policy: AWSTrustedAdvisorServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role and allows that role to perform actions on your behalf. You can't attach AWSTrustedAdvisorServiceRolePolicy to your Amazon Identity and Access Management (IAM) entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants the service-linked role permissions to access Amazon Web Services services so that Trusted Advisor checks can evaluate your account. Every action in the policy is a read-only call (Describe, List, Get, or GenerateCredentialReport) on Resource "*"; none of them modify resources.

Permissions details

This policy includes the following permissions.

  • Auto Scaling – Describe Amazon EC2 Auto Scaling account quotas and resources

  • cloudformation – Describe Amazon CloudFormation (CloudFormation) account quotas and stacks

  • cloudfront – Describe Amazon CloudFront distributions

  • cloudtrail – Describe Amazon CloudTrail (CloudTrail) trails and their status

  • dynamodb – Describe Amazon DynamoDB account quotas and resources

  • ec2 – Describe Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources

  • elasticloadbalancing – Describe Elastic Load Balancing (ELB) account quotas and resources

  • iam – Get IAM resources, such as credential reports, the account password policy, and server certificates

  • kinesis – Describe Amazon Kinesis (Kinesis) account quotas

  • rds – Describe Amazon Relational Database Service (Amazon RDS) resources

  • redshift – Describe Amazon Redshift resources

  • route53 – Describe Amazon Route 53 account quotas and resources

  • s3 – Describe Amazon Simple Storage Service (Amazon S3) resources, including bucket ACLs, policies, logging, versioning, and block public access settings

  • ses – Get Amazon Simple Email Service (Amazon SES) sending quotas

  • sqs – List Amazon Simple Queue Service (Amazon SQS) queues

  • cloudwatch – Get Amazon CloudWatch metric statistics

  • ce – Get Cost Explorer reservation and Savings Plans purchase recommendations

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "cloudformation:DescribeAccountLimits", "cloudformation:DescribeStacks", "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
        "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:ListTables",
        "ec2:DescribeAddresses", "ec2:DescribeReservedInstances", "ec2:DescribeInstances",
        "ec2:DescribeVpcs", "ec2:DescribeInternetGateways", "ec2:DescribeImages",
        "ec2:DescribeVolumes", "ec2:DescribeSecurityGroups", "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeSnapshots", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "elasticloadbalancing:DescribeAccountLimits", "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "iam:GenerateCredentialReport", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary",
        "iam:GetCredentialReport", "iam:GetServerCertificate", "iam:ListServerCertificates",
        "kinesis:DescribeLimits",
        "rds:DescribeAccountAttributes", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultParameters", "rds:DescribeEvents", "rds:DescribeOptionGroupOptions",
        "rds:DescribeOptionGroups", "rds:DescribeOrderableDBInstanceOptions", "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings", "rds:ListTagsForResource",
        "redshift:DescribeClusters", "redshift:DescribeReservedNodeOfferings", "redshift:DescribeReservedNodes",
        "route53:GetAccountLimit", "route53:GetHealthCheck", "route53:GetHostedZone",
        "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock", "s3:ListBucket", "s3:ListAllMyBuckets",
        "ses:GetSendQuota",
        "sqs:ListQueues",
        "cloudwatch:GetMetricStatistics",
        "ce:GetReservationPurchaseRecommendation", "ce:GetSavingsPlansPurchaseRecommendation"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSTrustedAdvisorReportingServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role, which allows Trusted Advisor to perform the actions needed by the organizational view feature. You can't attach AWSTrustedAdvisorReportingServiceRolePolicy to your IAM entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants permissions that allow the service-linked role to perform Amazon Organizations actions. All of them are read-only Describe and List calls; the role can enumerate the organization's structure but cannot change it.

Permissions details

This policy includes the following permissions.

  • organizations – Describe your organization and list service access, accounts, parents, children, and organizational units

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Trusted Advisor updates to Amazon managed policies

View details about updates to the Amazon managed policies for Amazon Web Services Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

Trusted Advisor

Change: AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess – new Amazon managed policies for Trusted Advisor
Description: Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority.
Date: August 17, 2022

Change: AWSTrustedAdvisorServiceRolePolicy – update to an existing policy
Description: Trusted Advisor added new actions to grant the DescribeTargetGroups and GetAccountPublicAccessBlock permissions. The Auto Scaling group health check requires the elasticloadbalancing:DescribeTargetGroups permission to retrieve the non-Classic load balancers attached to an Auto Scaling group. The Amazon S3 bucket permissions check requires the s3:GetAccountPublicAccessBlock permission to retrieve the block public access settings for the Amazon Web Services account.
Date: August 10, 2021

Change: Change log published
Description: Change log for the Trusted Advisor managed policies.
Date: August 10, 2021