Using IAM policies to allow access to organizational view - Amazon Web Services Support
The Amazon Web Services services or features described in the Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

This page is a machine-translated version. If this translation and the original English text differ, the English original takes precedence.

Using IAM policies to allow access to organizational view

You can use the following Amazon Identity and Access Management (IAM) policies to allow users or roles in your account to access organizational view for Amazon Trusted Advisor.

Example: Full access to organizational view

The following policy allows full access to the organizational view feature. A user with these permissions can:

  • Enable organizational view.

  • Create, view, and download reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadStatement",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeReports",
        "trustedadvisor:DescribeServiceMetadata",
        "trustedadvisor:DescribeOrganizationAccounts",
        "trustedadvisor:ListAccountsForParent",
        "trustedadvisor:ListRoots",
        "trustedadvisor:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MutatingStatement",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:GenerateReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnboardingStatement1",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnboardingStatement2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting"
    }
  ]
}

Example: Read access to organizational view

The following policy allows read-only access to organizational view for Trusted Advisor. A user with these permissions can only view and download existing reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadStatement",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeReports",
        "trustedadvisor:ListAccountsForParent",
        "trustedadvisor:ListRoots",
        "trustedadvisor:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}

You can also create your own IAM policies. For more information, see Creating IAM policies in the IAM User Guide.
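When you write your own policy for organizational view, it is worth checking it against the two scopes shown on this page before attaching it. The following added example (not part of the original page or of any Amazon tooling) lints a policy document offline: a policy meant to be read-only must not grant the mutating or onboarding actions from the full-access policy, and iam:CreateServiceLinkedRole must stay scoped to the reporting service-linked role ARN rather than "*". The sample policy in the block is constructed for the demonstration.

```python
# Actions from this page's full-access policy that change state or onboard the
# feature; a read-only policy for organizational view must not grant any of them.
MUTATING_ACTIONS = {
    "trustedadvisor:GenerateReport",
    "trustedadvisor:SetOrganizationAccess",
    "organizations:EnableAWSServiceAccess",
    "iam:CreateServiceLinkedRole",
}
# The only Resource the page's full-access policy allows for iam:CreateServiceLinkedRole.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com"
           "/AWSServiceRoleForTrustedAdvisorReporting")


def allowed_actions(policy):
    """Map each action in an Allow statement to the set of resources it is allowed on."""
    granted = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt["Action"], stmt["Resource"]
        # Both fields may be a single string or a list in an IAM policy document.
        for action in [actions] if isinstance(actions, str) else actions:
            for res in [resources] if isinstance(resources, str) else resources:
                granted.setdefault(action, set()).add(res)
    return granted


def lint_policy(policy, read_only):
    """Return findings (an empty list means the policy matches the expected scope)."""
    findings = []
    for action, resources in sorted(allowed_actions(policy).items()):
        if read_only and action in MUTATING_ACTIONS:
            findings.append(f"read-only policy grants mutating action {action}")
        if action == "iam:CreateServiceLinkedRole" and resources != {SLR_ARN}:
            findings.append("iam:CreateServiceLinkedRole is not restricted to the reporting SLR ARN")
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action}")
    return findings


# Constructed sample: a read-only policy that someone has widened with extra actions.
WIDENED_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadStatement", "Effect": "Allow", "Resource": "*",
         "Action": ["trustedadvisor:DescribeReports", "organizations:ListAccounts"]},
        {"Sid": "Extra", "Effect": "Allow", "Resource": "*",
         "Action": ["trustedadvisor:GenerateReport", "iam:CreateServiceLinkedRole"]},
    ],
}
```

Running lint_policy(WIDENED_READ_ONLY, read_only=True) reports three findings: two mutating actions granted to a read-only policy and an unscoped iam:CreateServiceLinkedRole.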

Note

If you have enabled Amazon CloudTrail, you might see the following roles in your log entries:

  • AWSServiceRoleForTrustedAdvisorReporting – The service-linked role that Trusted Advisor uses to access accounts in your organization.

  • AWSServiceRoleForTrustedAdvisor – The service-linked role that Trusted Advisor uses to access services in your organization.

For more information about service-linked roles, see Using service-linked roles for Trusted Advisor.