Use IAM policies to allow access to the organizational view - Amazon Web Services Support

Use IAM policies to allow access to the organizational view

You can use the following Amazon Identity and Access Management (IAM) policies to allow users or roles in your account to access the organizational view in Amazon Trusted Advisor.

Example: Full access to the organizational view

The following policy allows full access to the organizational view feature. A user with these permissions can do the following:

  • Enable the organizational view.

  • Create, view, and download reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadStatement",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeCheckSummaries",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeReports",
        "trustedadvisor:DescribeServiceMetadata",
        "trustedadvisor:DescribeOrganizationAccounts",
        "trustedadvisor:ListAccountsForParent",
        "trustedadvisor:ListRoots",
        "trustedadvisor:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MutatingStatement",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:GenerateReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnboardingStatement1",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnboardingStatement2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting"
    }
  ]
}

Example: Read-only access to the organizational view

The following policy allows read-only access to the organizational view in Trusted Advisor. A user with these permissions can only view and download existing reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadStatement",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeCheckSummaries",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeReports",
        "trustedadvisor:ListAccountsForParent",
        "trustedadvisor:ListRoots",
        "trustedadvisor:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}

You can also create your own IAM policies. For more information, see Creating IAM policies in the IAM User Guide.
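As an added example that is not part of the AWS documentation, the following Python transcribes the two policies above and compares them: it lists the privileges the full-access policy grants beyond the read-only one, separates read from mutating actions, and checks that the iam:CreateServiceLinkedRole grant is scoped to a role ARN rather than "*". The Describe/List/Get verb-prefix rule for "read-only" is an assumption of this example, not an IAM rule.

```python
# Added example: the two organizational-view policies from this page as dicts,
# plus least-privilege checks. Verb-prefix read-only rule is a heuristic assumption.
READ_ACTIONS = [
    "organizations:ListAccountsForParent", "organizations:ListAccounts", "organizations:ListRoots",
    "organizations:DescribeOrganization", "organizations:ListOrganizationalUnitsForParent",
    "organizations:ListAWSServiceAccessForOrganization", "trustedadvisor:DescribeAccount",
    "trustedadvisor:DescribeChecks", "trustedadvisor:DescribeCheckSummaries",
    "trustedadvisor:DescribeAccountAccess", "trustedadvisor:DescribeOrganization",
    "trustedadvisor:DescribeReports", "trustedadvisor:ListAccountsForParent",
    "trustedadvisor:ListRoots", "trustedadvisor:ListOrganizationalUnitsForParent",
]
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor."
           "amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting")
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadStatement", "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"}]}
FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadStatement", "Effect": "Allow", "Resource": "*", "Action": READ_ACTIONS
     + ["trustedadvisor:DescribeServiceMetadata", "trustedadvisor:DescribeOrganizationAccounts"]},
    {"Sid": "MutatingStatement", "Effect": "Allow", "Resource": "*",
     "Action": ["trustedadvisor:GenerateReport"]},
    {"Sid": "OnboardingStatement1", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:EnableAWSServiceAccess", "trustedadvisor:SetOrganizationAccess"]},
    {"Sid": "OnboardingStatement2", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": SLR_ARN},
]}

def _actions(stmt):
    act = stmt["Action"]  # IAM allows a single string or a list here
    return [act] if isinstance(act, str) else act

def allowed_actions(policy):
    """Every action granted by an Allow statement, as a set."""
    return {a for s in policy["Statement"] if s["Effect"] == "Allow" for a in _actions(s)}

def extra_privileges(broader, narrower):
    """Actions `broader` grants that `narrower` lacks, sorted for stable review output."""
    return sorted(allowed_actions(broader) - allowed_actions(narrower))

def mutating_actions(policy):
    """Allowed actions whose verb is not Describe/List/Get (heuristic for 'writes')."""
    return sorted(a for a in allowed_actions(policy)
                  if not a.split(":", 1)[1].startswith(("Describe", "List", "Get")))

def unscoped_slr_sids(policy):
    """Sids that grant iam:CreateServiceLinkedRole on Resource '*' instead of a role ARN."""
    return [s.get("Sid") for s in policy["Statement"]
            if "iam:CreateServiceLinkedRole" in _actions(s) and s.get("Resource") == "*"]
```

Running extra_privileges(FULL_ACCESS_POLICY, READ_ONLY_POLICY) shows exactly what the onboarding and report-generation statements add, and unscoped_slr_sids returns an empty list for the page's policy because OnboardingStatement2 names the reporting service-linked role ARN.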

Note

If you have enabled Amazon CloudTrail in your account, the following roles might appear in your log entries:

  • AWSServiceRoleForTrustedAdvisorReporting – the service-linked role that Trusted Advisor uses to access the accounts in your organization.

  • AWSServiceRoleForTrustedAdvisor – the service-linked role that Trusted Advisor uses to access services in your organization.

For more information about service-linked roles, see Using service-linked roles for Trusted Advisor.