Controlling access with Amazon Identity and Access Management - Amazon Compute Optimizer
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China.

This document is a machine-translated version. If this translation differs from the English original, the English original prevails.

Controlling access with Amazon Identity and Access Management

You can use Amazon Identity and Access Management (IAM) to create identities (users, groups, or roles) and grant those identities permissions to access the Amazon Compute Optimizer console and API.

By default, IAM users have no access to the Compute Optimizer console and API. You grant users access by attaching an IAM policy to a single user, a group of users, or a role. For more information, see Identities (Users, Groups, and Roles) and Overview of IAM Policies in the IAM User Guide.

After you create IAM users, you can give those users individual passwords. They can then sign in to your account through an account-specific sign-in page and view Compute Optimizer information. For more information, see How Users Sign In to Your Account.

Important

To view recommendations for EC2 instances, an IAM user must have the ec2:DescribeInstances permission. To view recommendations for EBS volumes, the user must have the ec2:DescribeVolumes permission. To view recommendations for Auto Scaling groups, the user must have the autoscaling:DescribeAutoScalingGroups and autoscaling:DescribeAutoScalingInstances permissions. To view recommendations for Lambda functions, the user must have the lambda:ListFunctions and lambda:ListProvisionedConcurrencyConfigs permissions. To view current CloudWatch metric data in the Compute Optimizer console, the user must have the cloudwatch:GetMetricData permission.

If the user or group that you want to grant permissions to already has a policy, you can add the Compute Optimizer-specific policy statements shown here to that policy.

Compute Optimizer and Amazon Organizations trusted access

When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is automatically enabled in your organization account. This allows Compute Optimizer to analyze the compute resources in those member accounts and generate recommendations for them.

Each time you access the recommendations of a member account, Compute Optimizer verifies that trusted access is enabled in your organization account. If you disable Compute Optimizer trusted access after opting in, Compute Optimizer denies access to the recommendations of the organization's member accounts. In addition, the member accounts within the organization are no longer opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all member accounts within the organization. For more information, see Opting in your account. For more information about Amazon Organizations trusted access, see Using Amazon Organizations with other Amazon services in the Amazon Organizations User Guide.

Policy to opt in to Compute Optimizer

The following policy statement grants access to opt in to Compute Optimizer. It grants access to create the service-linked role for Compute Optimizer, which is required in order to opt in. For more information, see Using service-linked roles for Amazon Compute Optimizer. It also grants permission to update the enrollment status of the Compute Optimizer service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
    },
    {
      "Effect": "Allow",
      "Action": "compute-optimizer:UpdateEnrollmentStatus",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:DescribeOrganization",
      "Resource": "*"
    }
  ]
}

Policy to grant access to Compute Optimizer for a standalone Amazon Web Services account

The following policy statement grants full access to Compute Optimizer for a standalone Amazon Web Services account. For policy statements that manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

The following policy statement grants read-only access to Compute Optimizer for a standalone Amazon Web Services account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:DescribeRecommendationExportJobs",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

Policy to grant access to Compute Optimizer for the management account of an organization

The following policy statement grants full access to Compute Optimizer for the management account of your organization. For policy statements that manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListDelegatedAdministrators",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "*"
    }
  ]
}

The following policy statement grants read-only access to Compute Optimizer for the management account of an organization.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEnrollmentStatusesForOrganization",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    }
  ]
}

Policies to grant access to manage Compute Optimizer recommendation preferences

The following policy statements grant access to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Activating recommendation preferences.

Grant permission to manage recommendation preferences for EC2 instances only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "compute-optimizer:ResourceType": "Ec2Instance"
        }
      }
    }
  ]
}

Grant permission to manage recommendation preferences for Auto Scaling groups only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "compute-optimizer:ResourceType": "AutoScalingGroup"
        }
      }
    }
  ]
}

Policy to deny access to Compute Optimizer

The following policy statement denies access to Compute Optimizer.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "compute-optimizer:*",
      "Resource": "*"
    }
  ]
}
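The following script is an added example and not Amazon code. It applies a deliberately simplified model of IAM policy evaluation (Action and Resource wildcards, StringEquals and StringLike conditions, and the rule that an explicit Deny overrides any Allow) to copies of three policies from this page: the standalone read-only policy, the EC2-only recommendation-preferences policy, and the deny policy. Running it offline shows which recommendation types the prerequisite permissions from the Important note unlock, confirms that the read-only policy grants no compute-optimizer action outside the Get/Describe/List verbs, and demonstrates how the compute-optimizer:ResourceType condition key limits PutRecommendationPreferences to one resource type. The evaluator ignores NotAction, permission boundaries, service control policies and resource-based policies, and matches names case-sensitively; it is a checking aid, not a substitute for the IAM policy simulator.

```python
"""Offline checker for the Compute Optimizer IAM policies on this page (added
example, not Amazon code). Simplified IAM model: Action/Resource wildcards,
StringEquals/StringLike conditions, explicit Deny wins. NotAction, permission
boundaries, SCPs and resource-based policies are ignored; matching is
case-sensitive."""
import fnmatch

# Prerequisites per recommendation type, from the "Important" note on this page.
PREREQUISITES = {
    "EC2 instances": ["ec2:DescribeInstances"],
    "EBS volumes": ["ec2:DescribeVolumes"],
    "Auto Scaling groups": ["autoscaling:DescribeAutoScalingGroups",
                            "autoscaling:DescribeAutoScalingInstances"],
    "Lambda functions": ["lambda:ListFunctions",
                         "lambda:ListProvisionedConcurrencyConfigs"],
    "CloudWatch metrics": ["cloudwatch:GetMetricData"],
}

# Copies of three policies from this page, embedded so the script runs offline.
READ_ONLY_STANDALONE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:DescribeRecommendationExportJobs",
        "ec2:DescribeInstances", "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"]}]}
EC2_PREFERENCES_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"],
    "Condition": {"StringEquals": {"compute-optimizer:ResourceType": "Ec2Instance"}}}]}
DENY_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "compute-optimizer:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every condition key is satisfied by the request context."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # key absent from the request: condition fails
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, e) for e in _as_list(expected)):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Simplified IAM decision: explicit Deny wins, else any matching Allow."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def recommendation_views(policy):
    """Which recommendation types the policy's prerequisite permissions unlock."""
    return {name: all(is_allowed(policy, a) for a in actions)
            for name, actions in PREREQUISITES.items()}


def non_read_only_actions(policy):
    """Allowed compute-optimizer actions whose verb is not Get/Describe/List."""
    found = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            if (stmt["Effect"] == "Allow" and service == "compute-optimizer"
                    and not verb.startswith(("Get", "Describe", "List"))):
                found.append(action)
    return found
```

To check a policy of your own, load it with json.load and pass it to recommendation_views and non_read_only_actions; to see the effect of the deny policy, concatenate its Statement list with an Allow policy's and call is_allowed, which returns False for every compute-optimizer action while leaving the ec2, autoscaling, lambda and cloudwatch permissions unaffected.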