Using IAM policies to allow access to organizational view - AWS Support

Using IAM policies to allow access to organizational view

You can use the following AWS Identity and Access Management (IAM) policies to allow users or roles in your account to access organizational view in AWS Trusted Advisor.

Example: Full access to organizational view

The following policy allows full access to the organizational view feature. A user with these permissions can do the following:

  • Enable organizational view.

  • Create, view, and download reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadStatement",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeReports",
        "trustedadvisor:DescribeServiceMetadata",
        "trustedadvisor:DescribeOrganizationAccounts",
        "trustedadvisor:ListAccountsForParent",
        "trustedadvisor:ListRoots",
        "trustedadvisor:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MutatingStatement",
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:GenerateReport"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnboardingStatement1",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "trustedadvisor:SetOrganizationAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnboardingStatement2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting"
    }
  ]
}

Example: Read access to organizational view

The following policy allows read-only access to organizational view for Trusted Advisor. A user with these permissions can only view and download existing reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadStatement",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccountsForParent",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:DescribeOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeOrganization",
        "trustedadvisor:DescribeReports",
        "trustedadvisor:ListAccountsForParent",
        "trustedadvisor:ListRoots",
        "trustedadvisor:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
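The two policies differ only in what the read-only one leaves out, and that gap is exactly what a reviewer wants to see before attaching either to a principal. The following Python script is an added example, not code from the AWS documentation page or an AWS tool: it embeds copies of the two policies above and runs a deliberately simplified, hypothetical evaluator (shell-style wildcards on Action and Resource, explicit Deny wins, no Condition, NotAction or NotResource handling) to confirm that the read-only policy is a strict subset of the full-access policy, to list the extra privileges the full-access policy grants, and to show that OnboardingStatement2 is scoped to the Trusted Advisor reporting service-linked role ARN rather than to any role. The sample account ID in the usage lines is constructed.

```python
"""Offline least-privilege comparison of the two organizational-view policies.

Added example; not part of the AWS documentation and not the IAM evaluation
engine. The evaluator below is a simplified model: wildcard matching on Action
and Resource, explicit Deny overrides Allow, default deny. Condition, NotAction,
NotResource and account-level policy types are ignored.
"""
from fnmatch import fnmatchcase

# Actions that the ReadStatement of both page policies share.
_COMMON_READ = [
    "organizations:ListAccountsForParent",
    "organizations:ListAccounts",
    "organizations:ListRoots",
    "organizations:DescribeOrganization",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:ListAWSServiceAccessForOrganization",
    "trustedadvisor:DescribeAccount",
    "trustedadvisor:DescribeChecks",
    "trustedadvisor:DescribeAccountAccess",
    "trustedadvisor:DescribeOrganization",
    "trustedadvisor:DescribeReports",
    "trustedadvisor:ListAccountsForParent",
    "trustedadvisor:ListRoots",
    "trustedadvisor:ListOrganizationalUnitsForParent",
]

# Resource pattern from OnboardingStatement2 of the full-access policy.
SLR_ARN_PATTERN = ("arn:aws:iam::*:role/aws-service-role/"
                   "reporting.trustedadvisor.amazonaws.com/"
                   "AWSServiceRoleForTrustedAdvisorReporting")

FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadStatement", "Effect": "Allow", "Resource": "*",
         "Action": _COMMON_READ + ["trustedadvisor:DescribeServiceMetadata",
                                   "trustedadvisor:DescribeOrganizationAccounts"]},
        {"Sid": "MutatingStatement", "Effect": "Allow", "Resource": "*",
         "Action": ["trustedadvisor:GenerateReport"]},
        {"Sid": "OnboardingStatement1", "Effect": "Allow", "Resource": "*",
         "Action": ["organizations:EnableAWSServiceAccess",
                    "trustedadvisor:SetOrganizationAccess"]},
        {"Sid": "OnboardingStatement2", "Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole", "Resource": SLR_ARN_PATTERN},
    ],
}

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadStatement", "Effect": "Allow", "Resource": "*",
         "Action": _COMMON_READ},
    ],
}


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Simplified decision: default deny, any matching Deny wins, else Allow if matched."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def listed_grants(policy):
    """Every (action, resource) pair named by an Allow statement."""
    return {(a, r)
            for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in _as_list(s["Action"]) for r in _as_list(s["Resource"])}


def extra_privileges(narrow, broad):
    """Actions `broad` grants that `narrow` would deny: the privilege gap between them."""
    return sorted({a for a, r in listed_grants(broad) if not is_allowed(narrow, a, r)})


def is_subset(narrow, broad):
    """True if everything `narrow` grants is also allowed by `broad`."""
    return all(is_allowed(broad, a, r) for a, r in listed_grants(narrow))


if __name__ == "__main__":
    # Constructed account ID for the usage lines.
    slr = SLR_ARN_PATTERN.replace("::*:", "::123456789012:")
    print("read-only is a subset of full access:", is_subset(READ_ONLY_POLICY, FULL_ACCESS_POLICY))
    print("extra privileges in full access:", extra_privileges(READ_ONLY_POLICY, FULL_ACCESS_POLICY))
    print("full access may create the reporting SLR:",
          is_allowed(FULL_ACCESS_POLICY, "iam:CreateServiceLinkedRole", slr))
    print("full access may create an arbitrary SLR:",
          is_allowed(FULL_ACCESS_POLICY, "iam:CreateServiceLinkedRole",
                     "arn:aws:iam::123456789012:role/aws-service-role/other.amazonaws.com/Other"))
```

Run the script as-is; it prints that read-only is a subset, lists the six extra actions (the two additional Describe calls, GenerateReport, and the three onboarding grants), and shows that `iam:CreateServiceLinkedRole` is allowed only for the reporting service-linked role ARN. The same `is_allowed` function can be used to check a custom policy you write yourself against the page's two, but it is a model, not IAM; confirm real decisions with the IAM policy simulator before relying on them.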

You can also create your own IAM policies. For more information, see Creating IAM policies in the IAM User Guide.

Note

If you have AWS CloudTrail enabled in your account, the following roles can appear in your log entries:

  • AWSServiceRoleForTrustedAdvisorReporting – The service-linked role that Trusted Advisor uses to access accounts in your organization.

  • AWSServiceRoleForTrustedAdvisor – The service-linked role that Trusted Advisor uses to access services in your organization.

For more information about service-linked roles, see Using service-linked roles for Trusted Advisor.