Amazon Web Services managed policies for Amazon Trusted Advisor - Amazon Web Services Support
The Amazon Web Services services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Amazon Web Services managed policies for Amazon Trusted Advisor

Trusted Advisor has the following Amazon Web Services managed policies.

Amazon managed policy: AWSTrustedAdvisorPriorityFullAccess

The AWSTrustedAdvisorPriorityFullAccess policy grants full access to Trusted Advisor Priority. The policy also allows the user to add Trusted Advisor as a trusted service in Amazon Organizations and to specify the delegated administrator accounts for Trusted Advisor Priority.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

  • Describe your account and organization.

  • Describe the risks identified in Trusted Advisor Priority. These permissions allow you to download the risks and update their status.

  • Describe your Trusted Advisor Priority email notification configuration. These permissions allow you to configure email notifications and to disable them for delegated administrators.

  • Set up Trusted Advisor so that your account can enable Amazon Organizations.

In the second statement, the policy includes the following permissions for organizations:

  • Describe your account and organization.

  • List the Amazon Web Services services that you allow to use Organizations.

In the third statement, the policy includes the following permissions for organizations:

  • List the delegated administrators for Trusted Advisor Priority.

  • Enable and disable trusted access for Organizations. The condition in this statement limits these actions to the reporting.trustedadvisor.amazonaws.com service principal.

In the fourth statement, the policy includes the following permissions for iam:

  • Create the AWSServiceRoleForTrustedAdvisorReporting service-linked role. The condition in this statement limits the action to that role and to the reporting.trustedadvisor.amazonaws.com service name.

In the fifth statement, the policy includes the following permissions for organizations:

  • Register and deregister delegated administrators for Trusted Advisor Priority, again only for the reporting.trustedadvisor.amazonaws.com service principal.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityFullAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:UpdateRiskStatus",
        "trustedadvisor:DescribeNotificationConfigurations",
        "trustedadvisor:UpdateNotificationConfigurations",
        "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowCreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowRegisterDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}
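The following Python is an added example, not code from the AWS documentation or from Trusted Advisor itself. It evaluates requests against an excerpt of the AWSTrustedAdvisorPriorityFullAccess policy above to show how the StringEquals condition on organizations:ServicePrincipal and the StringLike condition on iam:AWSServiceName confine trusted access and the service-linked role to the reporting.trustedadvisor.amazonaws.com principal. The account ID and request contexts are constructed, and only Allow statements with those two operators are handled.

```python
import fnmatch
import json

# Excerpt of the AWSTrustedAdvisorPriorityFullAccess policy on this page: the statements
# whose Condition blocks bind trusted access and the service-linked role to the
# reporting.trustedadvisor.amazonaws.com principal, plus one wildcard action.
POLICY_EXCERPT = json.loads(r'''{"Version": "2012-10-17", "Statement": [
  {"Sid": "AWSTrustedAdvisorPriorityFullAccess", "Effect": "Allow",
   "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeRisk*"], "Resource": "*"},
  {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow",
   "Action": ["organizations:EnableAWSServiceAccess", "organizations:DisableAWSServiceAccess"],
   "Resource": "*",
   "Condition": {"StringEquals": {"organizations:ServicePrincipal": ["reporting.trustedadvisor.amazonaws.com"]}}},
  {"Sid": "AllowCreateServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
   "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
   "Condition": {"StringLike": {"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"}}}]}''')

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # IAM semantics: every key must exist in the request context and match one listed
    # value (wildcards only for StringLike); a missing key or unknown operator is unmet.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, patterns = context.get(key), _as_list(wanted)
            if actual is None or operator not in ("StringEquals", "StringLike"):
                return False
            if operator == "StringEquals" and actual not in patterns:
                return False
            if operator == "StringLike" and not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    # An Allow statement matches if the action (case-insensitive, '*' wildcards), the
    # resource ARN and every condition key match; this excerpt has no Deny statements.
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

With this, a request to enable trusted access for any service principal other than reporting.trustedadvisor.amazonaws.com, or to create a service-linked role under any other path, is not allowed by the excerpt even though the Action matches.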

Amazon managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess

The AWSTrustedAdvisorPriorityReadOnlyAccess policy grants read-only permissions to Trusted Advisor Priority, including permission to view the delegated administrator accounts.

Permissions details

In the first statement, the policy includes the following permissions for trustedadvisor:

  • Describe your account and organization.

  • Describe the risks identified in Trusted Advisor Priority and allow you to download them.

  • Describe the configuration for Trusted Advisor Priority email notifications.

In the second and third statements, the policy includes the following permissions for organizations:

  • Describe your organization with Organizations.

  • List the Amazon Web Services services that you allow to use Organizations.

  • List the delegated administrators for Trusted Advisor Priority.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:DescribeAccount*",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeRisk*",
        "trustedadvisor:DownloadRisk",
        "trustedadvisor:DescribeNotificationConfigurations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessForOrganization",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowListDelegatedAdministrators",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "reporting.trustedadvisor.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Amazon managed policy: AWSTrustedAdvisorServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisor service-linked role. The role allows Trusted Advisor to perform actions on your behalf. You can't attach AWSTrustedAdvisorServiceRolePolicy to your Amazon Identity and Access Management (IAM) entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants administrative permissions that allow the service-linked role to access Amazon Web Services services. These permissions allow the Trusted Advisor checks to evaluate your account.

Permissions details

This policy includes the following permissions.

  • Auto Scaling – Describe Amazon EC2 Auto Scaling account quotas and resources

  • cloudformation – Describe Amazon CloudFormation (CloudFormation) account quotas and stacks

  • cloudfront – Describe Amazon CloudFront distributions

  • cloudtrail – Describe Amazon CloudTrail (CloudTrail) trails

  • dynamodb – Describe Amazon DynamoDB account quotas and resources

  • ec2 – Describe Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources

  • elasticloadbalancing – Describe Elastic Load Balancing (ELB) account quotas and resources

  • iam – Get IAM resources, such as credentials, password policies, and certificates

  • kinesis – Describe Amazon Kinesis (Kinesis) account quotas

  • rds – Describe Amazon Relational Database Service (Amazon RDS) resources

  • redshift – Describe Amazon Redshift resources

  • route53 – Describe Amazon Route 53 account quotas and resources

  • s3 – Describe Amazon Simple Storage Service (Amazon S3) resources

  • ses – Get Amazon Simple Email Service (Amazon SES) send quotas

  • sqs – List Amazon Simple Queue Service (Amazon SQS) queues

  • cloudwatch – Get Amazon CloudWatch Events (CloudWatch Events) metric statistics

  • ce – Get Cost Explorer Service (Cost Explorer) recommendations

  • route53resolver – Get Amazon Route 53 Resolver endpoints and resources

  • kafka – Get Amazon Managed Streaming for Apache Kafka resources

  • ecs – Get Amazon ECS resources

  • outposts – Get Amazon Outposts resources

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "cloudformation:DescribeAccountLimits",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:GetTrail",
        "cloudtrail:ListTrails",
        "cloudtrail:GetEventSelectors",
        "cloudwatch:GetMetricStatistics",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ecs:DescribeTaskDefinition",
        "ecs:ListTaskDefinitions",
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "kinesis:DescribeLimits",
        "kafka:ListClustersV2",
        "kafka:ListNodes",
        "outposts:GetOutpost",
        "outposts:ListAssets",
        "outposts:ListOutposts",
        "rds:DescribeAccountAttributes",
        "rds:DescribeDBClusters",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEngineDefaultParameters",
        "rds:DescribeEvents",
        "rds:DescribeOptionGroupOptions",
        "rds:DescribeOptionGroups",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeReservedDBInstances",
        "rds:DescribeReservedDBInstancesOfferings",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "redshift:DescribeReservedNodeOfferings",
        "redshift:DescribeReservedNodes",
        "route53:GetAccountLimit",
        "route53:GetHealthCheck",
        "route53:GetHostedZone",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets",
        "route53resolver:ListResolverEndpoints",
        "route53resolver:ListResolverEndpointIpAddresses",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetLifecycleConfiguration",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "ses:GetSendQuota",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}
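Every action this service-linked role policy grants is a Describe, Get, List or Generate call, and the policy is extended with new actions over time. The following Python is an added example, not code from the AWS documentation or from Trusted Advisor, of how a reviewer can diff two versions of such a policy and flag any added action that is not read-only. The two policy documents are constructed excerpts (the older one is trimmed to a handful of actions; the newer one adds the four actions from the November 9, 2023 update plus a deliberately wrong s3:PutBucketPolicy), and the verb list is a review heuristic rather than IAM's official access-level table.

```python
import json

# Verbs whose actions IAM generally classifies as List/Read. This is a review heuristic,
# not IAM's official access-level table; anything outside it is flagged, not rejected.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Generate")

# Constructed excerpts: an older version of AWSTrustedAdvisorServiceRolePolicy and a
# candidate new version. The four added actions are the ones the page's change log
# lists for November 9, 2023; s3:PutBucketPolicy is a deliberate bad addition.
OLD_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["autoscaling:DescribeAccountLimits", "cloudtrail:DescribeTrails",
             "iam:GenerateCredentialReport", "s3:GetBucketPolicy", "sqs:ListQueues"],
  "Resource": "*"}]}''')
NEW_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["autoscaling:DescribeAccountLimits", "cloudtrail:DescribeTrails",
             "iam:GenerateCredentialReport", "s3:GetBucketPolicy", "sqs:ListQueues",
             "ec2:DescribeRegions", "s3:GetLifecycleConfiguration",
             "ecs:DescribeTaskDefinition", "ecs:ListTaskDefinitions", "s3:PutBucketPolicy"],
  "Resource": "*"}]}''')

def allowed_actions(policy):
    """Collect every action granted by Allow statements (Action may be a string or list)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            value = stmt["Action"]
            actions.update([value] if isinstance(value, str) else value)
    return actions

def is_read_only(action):
    """True if the action's verb is in READ_ONLY_VERBS; wildcards never qualify."""
    service, _, name = action.partition(":")
    return bool(service) and "*" not in action and name.startswith(READ_ONLY_VERBS)

def audit_update(old_policy, new_policy):
    """Return (added, removed, needs_review): actions newly granted, actions dropped,
    and the added actions a reviewer must look at because they are not read-only."""
    old, new = allowed_actions(old_policy), allowed_actions(new_policy)
    added, removed = sorted(new - old), sorted(old - new)
    return added, removed, [a for a in added if not is_read_only(a)]
```

Run against the two excerpts, the audit reports the five added actions and singles out s3:PutBucketPolicy for review; the same function applied to the real policy before and after an update gives the list a changelog entry should contain.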

Amazon managed policy: AWSTrustedAdvisorReportingServiceRolePolicy

This policy is attached to the AWSServiceRoleForTrustedAdvisorReporting service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach AWSTrustedAdvisorReportingServiceRolePolicy to your IAM entities. For more information, see Using service-linked roles for Trusted Advisor.

This policy grants administrative permissions that allow the service-linked role to perform Amazon Organizations actions.

Permissions details

This policy includes the following permissions.

  • organizations – Describe your organization and list service access, accounts, parents, children, and organizational units

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Trusted Advisor updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Web Services Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

Trusted Advisor

Change | Description | Date
--- | --- | ---
AWSTrustedAdvisorServiceRolePolicy – Updated an existing policy | Trusted Advisor added new actions to grant the cloudtrail:GetTrail, cloudtrail:ListTrails, cloudtrail:GetEventSelectors, outposts:GetOutpost, outposts:ListAssets, and outposts:ListOutposts permissions. | January 18, 2024
AWSTrustedAdvisorPriorityFullAccess – Updated an existing policy | Trusted Advisor updated the AWSTrustedAdvisorPriorityFullAccess Amazon managed policy to include statement IDs. | December 6, 2023
AWSTrustedAdvisorPriorityReadOnlyAccess – Updated an existing policy | Trusted Advisor updated the AWSTrustedAdvisorPriorityReadOnlyAccess Amazon managed policy to include statement IDs. | December 6, 2023
AWSTrustedAdvisorServiceRolePolicy – Updated an existing policy | Trusted Advisor added new actions to grant the ec2:DescribeRegions, s3:GetLifecycleConfiguration, ecs:DescribeTaskDefinition, and ecs:ListTaskDefinitions permissions. | November 9, 2023
AWSTrustedAdvisorServiceRolePolicy – Updated an existing policy | Trusted Advisor added the new IAM actions route53resolver:ListResolverEndpoints, route53resolver:ListResolverEndpointIpAddresses, ec2:DescribeSubnets, kafka:ListClustersV2, and kafka:ListNodes while onboarding new resilience checks. | September 14, 2023
AWSTrustedAdvisorReportingServiceRolePolicy – V2 of the managed policy attached to the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role | Upgraded the Amazon managed policy for the Trusted Advisor AWSServiceRoleForTrustedAdvisorReporting service-linked role to V2. V2 adds one more IAM action, organizations:ListDelegatedAdministrators. | February 28, 2023
AWSTrustedAdvisorPriorityFullAccess and AWSTrustedAdvisorPriorityReadOnlyAccess – New Amazon managed policies for Trusted Advisor | Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority. | August 17, 2022
AWSTrustedAdvisorServiceRolePolicy – Updated an existing policy | Trusted Advisor added new actions to grant the DescribeTargetGroups and GetAccountPublicAccessBlock permissions. The Auto Scaling group health check requires the DescribeTargetGroups permission to retrieve the non-Classic load balancers attached to Auto Scaling groups. The Amazon S3 bucket permissions check requires the GetAccountPublicAccessBlock permission to retrieve the block public access settings for the Amazon Web Services account. | August 10, 2021
Change log published | Trusted Advisor started tracking changes for its Amazon managed policies. | August 10, 2021