Amazon Web Services managed policies for Amazon Trusted Advisor - Amazon Web Services Support
The Amazon Web Services services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Amazon Web Services managed policies for Amazon Trusted Advisor

Trusted Advisor has the following Amazon Web Services managed policies.

Amazon managed policy: AWSTrustedAdvisorPriorityFullAccess

The AWSTrustedAdvisorPriorityFullAccess policy grants full access to Trusted Advisor Priority. This policy also allows the user to add Trusted Advisor as a trusted service with Amazon Organizations and to specify the delegated administrator accounts for Trusted Advisor Priority.

Permissions details

In the first statement, this policy includes the following permissions for trustedadvisor:

  • Describe your account and organization.

  • Describe the risks identified in Trusted Advisor Priority. These permissions let you download risks and update their status.

  • Describe your Trusted Advisor Priority email notification configuration. These permissions let you configure email notifications and disable them for delegated administrators.

  • Set up Trusted Advisor so that your account can enable Amazon Organizations.

In the second statement, this policy includes the following permissions for organizations:

  • Describe your Trusted Advisor account and organization.

  • List the Amazon Web Services services that you allow to use Organizations.

In the third statement, this policy includes the following permissions for organizations:

  • List the delegated administrators for Trusted Advisor Priority.

  • Enable and disable trusted access for Organizations.

In the fourth statement, this policy includes the following permissions for iam:

  • Create the AWSServiceRoleForTrustedAdvisorReporting service-linked role.

In the fifth statement, this policy includes the following permissions for organizations:

  • Register and deregister delegated administrators for Trusted Advisor Priority.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityFullAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus",
        "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowRegisterDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Amazon managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess

The AWSTrustedAdvisorPriorityReadOnlyAccess policy grants read-only permissions to Trusted Advisor Priority, including permission to view the delegated administrator accounts.

Permissions details

In the first statement, this policy includes the following permissions for trustedadvisor:

  • Describe your Trusted Advisor account and organization.

  • Describe the risks identified in Trusted Advisor Priority and let you download them.

  • Describe your Trusted Advisor Priority email notification configuration.

In the second and third statements, this policy includes the following permissions for organizations:

  • Describe your organization with Organizations.

  • List the Amazon Web Services services that you allow to use Organizations.

  • List the delegated administrators for Trusted Advisor Priority.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
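The two Priority policies above differ only in their write actions and in the Organizations statements that are scoped to the Trusted Advisor service principal. The following script, added here as an example and not code from Amazon Web Services, transcribes both policy documents from this page, lists the actions that only the FullAccess policy grants, confirms that the ReadOnly policy carries no write verb, and checks that every statement touching delegated administrators or service access is conditioned on `organizations:ServicePrincipal`. The read-only verb list and the set of "sensitive" Organizations actions are this example's own assumptions.

```python
"""Compare the Trusted Advisor Priority FullAccess and ReadOnly managed policies
and check that Organizations statements are scoped to the Trusted Advisor principal."""

TA_PRINCIPAL = "reporting.trustedadvisor.amazonaws.com"

# Policy documents transcribed from this page (not fetched from IAM).
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSTrustedAdvisorPriorityFullAccess", "Effect": "Allow",
         "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
                    "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
                    "trustedadvisor:UpdateRiskStatus",
                    "trustedadvisor:DescribeNotificationConfigurations",
                    "trustedadvisor:UpdateNotificationConfigurations",
                    "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
                    "trustedadvisor:SetOrganizationAccess"],
         "Resource": "*"},
        {"Sid": "AllowAccessForOrganization", "Effect": "Allow",
         "Action": ["organizations:DescribeAccount", "organizations:DescribeOrganization",
                    "organizations:ListAWSServiceAccessForOrganization"],
         "Resource": "*"},
        {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow",
         "Action": ["organizations:ListDelegatedAdministrators",
                    "organizations:EnableAWSServiceAccess",
                    "organizations:DisableAWSServiceAccess"],
         "Resource": "*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
        {"Sid": "AllowCreateServiceLinkedRole", "Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole",
         "Resource": "arn:aws:iam::*:role/aws-service-role/" + TA_PRINCIPAL
                     + "/AWSServiceRoleForTrustedAdvisorReporting",
         "Condition": {"StringLike": {"iam:AWSServiceName": TA_PRINCIPAL}}},
        {"Sid": "AllowRegisterDelegatedAdministrators", "Effect": "Allow",
         "Action": ["organizations:RegisterDelegatedAdministrator",
                    "organizations:DeregisterDelegatedAdministrator"],
         "Resource": "arn:aws:organizations::*:*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
    ],
}

READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess", "Effect": "Allow",
         "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
                    "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
                    "trustedadvisor:DescribeNotificationConfigurations"],
         "Resource": "*"},
        {"Sid": "AllowAccessForOrganization", "Effect": "Allow",
         "Action": ["organizations:DescribeOrganization",
                    "organizations:ListAWSServiceAccessForOrganization"],
         "Resource": "*"},
        {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow",
         "Action": ["organizations:ListDelegatedAdministrators"],
         "Resource": "*",
         "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
    ],
}

# Verbs this example treats as read-only (an assumption, not an IAM classification).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Download")

# Organizations actions that change or reveal delegated-admin / trusted-access state.
SENSITIVE_ORG_ACTIONS = {
    "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator",
    "organizations:EnableAWSServiceAccess", "organizations:DisableAWSServiceAccess",
    "organizations:ListDelegatedAdministrators",
}

def _actions(stmt):
    """Normalise a statement's Action element, which may be a string or a list."""
    act = stmt["Action"]
    return [act] if isinstance(act, str) else list(act)

def allowed_actions(policy):
    """Set of all actions granted by Allow statements in the policy."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow" for a in _actions(s)}

def write_actions(policy):
    """Granted actions whose verb is not read-only; a read-only policy must return none."""
    return {a for a in allowed_actions(policy) if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS)}

def unscoped_org_statements(policy):
    """Sids of statements granting a sensitive Organizations action without pinning
    organizations:ServicePrincipal to exactly the Trusted Advisor principal."""
    bad = []
    for stmt in policy["Statement"]:
        if not SENSITIVE_ORG_ACTIONS.intersection(_actions(stmt)):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("organizations:ServicePrincipal") != [TA_PRINCIPAL]:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad

if __name__ == "__main__":
    print("Actions only in FullAccess:", *sorted(allowed_actions(FULL_ACCESS) - allowed_actions(READ_ONLY)), sep="\n  ")
    print("Write actions in ReadOnly:", write_actions(READ_ONLY) or "none")
    print("Unscoped Organizations statements:", unscoped_org_statements(FULL_ACCESS) or "none")
```

Running the script prints the ten actions that only the FullAccess policy grants (the four trustedadvisor Update/Delete/Set actions, the Organizations register/deregister and enable/disable actions, `organizations:DescribeAccount`, and `iam:CreateServiceLinkedRole`) and reports no unscoped statements. The same functions can be pointed at a policy document retrieved from your own account to detect drift from what this page documents.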

Amazon managed policy: AWSTrustedAdvisorServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role. The role allows the service-linked role to perform actions on your behalf. You can't attach AWSTrustedAdvisorServiceRolePolicy to your Amazon Identity and Access Management (IAM) entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants administrative permissions that allow the service-linked role to access Amazon Web Services services. These permissions allow the checks in Trusted Advisor to evaluate your account.

Permissions details

This policy includes the following permissions.

  • accessanalyzer – Describes Amazon Identity and Access Management Access Analyzer resources

  • autoscaling – Describes Amazon EC2 Auto Scaling account quotas and resources

  • cloudformation – Describes Amazon CloudFormation (CloudFormation) account quotas and stacks

  • cloudfront – Describes Amazon CloudFront distributions

  • cloudtrail – Describes Amazon CloudTrail (CloudTrail) trails

  • dynamodb – Describes Amazon DynamoDB account quotas and resources

  • dynamodbaccelerator – Describes DynamoDB Accelerator resources

  • ec2 – Describes Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources

  • elasticloadbalancing – Describes Elastic Load Balancing (ELB) account quotas and resources

  • iam – Gets IAM resources, such as credentials, password policies, and certificates

  • networkfirewall – Describes Amazon Network Firewall resources

  • kinesis – Describes Amazon Kinesis (Kinesis) account quotas

  • rds – Describes Amazon Relational Database Service (Amazon RDS) resources

  • redshift – Describes Amazon Redshift resources

  • route53 – Describes Amazon Route 53 account quotas and resources

  • s3 – Describes Amazon Simple Storage Service (Amazon S3) resources

  • ses – Gets Amazon Simple Email Service (Amazon SES) sending quotas

  • sqs – Lists Amazon Simple Queue Service (Amazon SQS) queues

  • cloudwatch – Gets Amazon CloudWatch Events (CloudWatch Events) metric statistics

  • ce – Gets Cost Explorer Service (Cost Explorer) recommendations

  • route53resolver – Gets Amazon Route 53 Resolver resolver endpoints and resources

  • kafka – Gets Amazon Managed Streaming for Apache Kafka resources

  • ecs – Gets Amazon ECS resources

  • outposts – Gets Amazon Outposts resources

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustedAdvisorServiceRolePermissions",
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "cloudformation:DescribeAccountLimits",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:GetTrail",
        "cloudtrail:ListTrails",
        "cloudtrail:GetEventSelectors",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dax:DescribeClusters",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeNatGateways",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:GetManagedPrefixListEntries",
        "ecs:DescribeTaskDefinition",
        "ecs:ListTaskDefinitions",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "iam:ListSAMLProviders",
        "kinesis:DescribeLimits",
        "kafka:DescribeClusterV2",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "network-firewall:ListFirewalls",
        "network-firewall:DescribeFirewall",
        "outposts:GetOutpost",
        "outposts:ListAssets",
        "outposts:ListOutposts",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEvents",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "redshift:DescribeReservedNodeOfferings",
        "redshift:DescribeReservedNodes",
        "route53:GetAccountLimit",
        "route53:GetHealthCheck",
        "route53:GetHostedZone",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53resolver:ListResolverEndpoints",
        "route53resolver:ListResolverEndpointIpAddresses",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetLifecycleConfiguration",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "ses:GetSendQuota",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSTrustedAdvisorReportingServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach AWSTrustedAdvisorReportingServiceRolePolicy to your IAM entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants administrative permissions that allow the service-linked role to perform Amazon Organizations actions.

Permissions details

This policy includes the following permissions.

  • organizations – Describes your organization and lists service access, accounts, parents, children, and organizational units

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Trusted Advisor updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Web Services Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the document history page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

Trusted Advisor

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the elasticloadbalancing:DescribeListeners and elasticloadbalancing:DescribeRules permissions.
Date: October 30, 2024

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the access-analyzer:ListAnalyzers, cloudwatch:ListMetrics, dax:DescribeClusters, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeVpcEndpoints, ec2:GetManagedPrefixListEntries, elasticloadbalancing:DescribeTargetHealth, iam:ListSAMLProviders, kafka:DescribeClusterV2, network-firewall:ListFirewalls, network-firewall:DescribeFirewall, and sqs:GetQueueAttributes permissions.
Date: June 11, 2024

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the cloudtrail:GetTrail, cloudtrail:ListTrails, cloudtrail:GetEventSelectors, outposts:GetOutpost, outposts:ListAssets, and outposts:ListOutposts permissions.
Date: January 18, 2024

Change: AWSTrustedAdvisorPriorityFullAccess – Update to an existing policy
Description: Trusted Advisor updated the AWSTrustedAdvisorPriorityFullAccess Amazon managed policy to include statement IDs.
Date: December 6, 2023

Change: AWSTrustedAdvisorPriorityReadOnlyAccess – Update to an existing policy
Description: Trusted Advisor updated the AWSTrustedAdvisorPriorityReadOnlyAccess Amazon managed policy to include statement IDs.
Date: December 6, 2023

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the ec2:DescribeRegions, s3:GetLifecycleConfiguration, ecs:DescribeTaskDefinition, and ecs:ListTaskDefinitions permissions.
Date: November 9, 2023

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added the new IAM actions route53resolver:ListResolverEndpoints, route53resolver:ListResolverEndpointIpAddresses, ec2:DescribeSubnets, kafka:ListClustersV2, and kafka:ListNodes while onboarding new resiliency checks.
Date: September 14, 2023

Change: AWSTrustedAdvisorReportingServiceRolePolicy – V2 of the managed policy attached to the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role
Description: Upgraded the Amazon managed policy for the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role to V2. V2 adds one more IAM action, organizations:ListDelegatedAdministrators.
Date: February 28, 2023

Change: AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess – New Amazon managed policies for Trusted Advisor
Description: Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority.
Date: August 17, 2022

Change: AWSTrustedAdvisorServiceRolePolicy – Update to an existing policy
Description: Trusted Advisor added new actions to grant the DescribeTargetGroups and GetAccountPublicAccessBlock permissions. The Auto Scaling group health check requires the DescribeTargetGroup permission to retrieve the non-Classic load balancers attached to an Auto Scaling group. The Amazon S3 bucket permissions check requires the GetAccountPublicAccessBlock permission to retrieve the block public access settings for an Amazon Web Services account.
Date: August 10, 2021

Change: Change log published
Description: Trusted Advisor started tracking changes for its Amazon managed policies.
Date: August 10, 2021