本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用 IAM 策略允许访问组织视图
您可以使用以下 Amazon Identity and Access Management (IAM) 策略,允许您账户中的用户或角色访问 Amazon Trusted Advisor 中的组织视图。
例 :对组织视图的完全访问权限
以下策略允许完全访问组织视图功能。具备这些权限的用户可以执行以下操作:
-
启用和禁用组织视图
-
创建、查看和下载报告
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReadStatement", "Effect": "Allow", "Action": [ "organizations:ListAccountsForParent", "organizations:ListAccounts", "organizations:ListRoots", "organizations:DescribeOrganization", "organizations:ListOrganizationalUnitsForParent", "organizations:ListAWSServiceAccessForOrganization", "trustedadvisor:DescribeAccount", "trustedadvisor:DescribeChecks", "trustedadvisor:DescribeCheckSummaries", "trustedadvisor:DescribeAccountAccess", "trustedadvisor:DescribeOrganization", "trustedadvisor:DescribeReports", "trustedadvisor:DescribeServiceMetadata", "trustedadvisor:DescribeOrganizationAccounts", "trustedadvisor:ListAccountsForParent", "trustedadvisor:ListRoots", "trustedadvisor:ListOrganizationalUnitsForParent" ], "Resource": "*" }, { "Sid": "CreateReportStatement", "Effect": "Allow", "Action": [ "trustedadvisor:GenerateReport" ], "Resource": "*" }, { "Sid": "ManageOrganizationalViewStatement", "Effect": "Allow", "Action": [ "organizations:EnableAWSServiceAccess", "organizations:DisableAWSServiceAccess", "trustedadvisor:SetOrganizationAccess" ], "Resource": "*" }, { "Sid": "CreateServiceLinkedRoleStatement", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting" } ] }
例 :对组织视图的读取访问权限
以下策略允许对 Trusted Advisor 的组织视图进行只读访问。具有这些权限的用户只能查看和下载现有报告。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReadStatement", "Effect": "Allow", "Action": [ "organizations:ListAccountsForParent", "organizations:ListAccounts", "organizations:ListRoots", "organizations:DescribeOrganization", "organizations:ListOrganizationalUnitsForParent", "organizations:ListAWSServiceAccessForOrganization", "trustedadvisor:DescribeAccount", "trustedadvisor:DescribeChecks", "trustedadvisor:DescribeCheckSummaries", "trustedadvisor:DescribeAccountAccess", "trustedadvisor:DescribeOrganization", "trustedadvisor:DescribeReports", "trustedadvisor:ListAccountsForParent", "trustedadvisor:ListRoots", "trustedadvisor:ListOrganizationalUnitsForParent" ], "Resource": "*" } ] }
您还可以创建自己的 IAM 策略。有关更多信息,请参阅 IAM 用户指南 中的创建 IAM 策略。
注意
如果您在账户中启用了 Amazon CloudTrail,您的日志条目中可能会显示以下角色:
-
AWSServiceRoleForTrustedAdvisorReporting–Trusted Advisor 用于访问您组织中的账户的服务关联角色。 -
AWSServiceRoleForTrustedAdvisor–Trusted Advisor 用于访问您组织中的服务的服务关联角色。
有关服务相关角色的更多信息,请参阅 将服务相关角色用于 Trusted Advisor。