Controlling access using Amazon Identity and Access Management - Amazon Compute Optimizer

You can use Amazon Identity and Access Management (IAM) to create identities (users, groups, or roles) and grant those identities permission to access the Amazon Compute Optimizer console and API.

By default, IAM users do not have access to the Compute Optimizer console and API. You grant access by attaching an IAM policy to a single user, a group of users, or a role. For more information, see Identities (users, groups, and roles) and Overview of IAM policies in the IAM User Guide.

After you create IAM users, you can give those users individual passwords. They can then sign in to the account using an account-specific sign-in page and view Compute Optimizer information. For more information, see How users sign in to your account.

Important
  • To view recommendations for EC2 instances, IAM users need the ec2:DescribeInstances permission.

  • To view recommendations for EBS volumes, IAM users need the ec2:DescribeVolumes permission.

  • To view recommendations for Auto Scaling groups, IAM users need the autoscaling:DescribeAutoScalingGroups and autoscaling:DescribeAutoScalingInstances permissions.

  • To view recommendations for Lambda functions, IAM users need the lambda:ListFunctions and lambda:ListProvisionedConcurrencyConfigs permissions.

  • To view recommendations for Amazon ECS services on Fargate, IAM users need the ecs:ListServices and ecs:ListClusters permissions.

  • To view current CloudWatch metric data in the Compute Optimizer console, IAM users need the cloudwatch:GetMetricData permission.

  • To view commercial software license recommendations, specific Amazon EC2 instance role and IAM user permissions are required. For more information, see Policies to enable commercial software license recommendations.

If the user or group that you want to grant permissions to already has a policy, you can add the Compute Optimizer-specific policy statements shown here to that policy.

Compute Optimizer and Amazon Organizations trusted access

When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is automatically enabled in your organization account. This allows Compute Optimizer to analyze the compute resources in those member accounts and generate recommendations for them.

Each time you access recommendations for member accounts, Compute Optimizer verifies that trusted access is enabled in your organization account. If you disable Compute Optimizer trusted access after opting in, Compute Optimizer denies access to recommendations for the organization's member accounts. Additionally, member accounts within the organization are not opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using the organization's management account and include all member accounts within the organization. For more information, see Opting in your account. For more information about Amazon Organizations trusted access, see Using Amazon Organizations with other Amazon services in the Amazon Organizations User Guide.

Policy to opt in to Compute Optimizer

The following policy statement grants permission to opt in to Compute Optimizer. It grants permission to create a service-linked role for Compute Optimizer, which is required to opt in. For more information, see Using service-linked roles for Amazon Compute Optimizer. It also grants permission to update the enrollment status of the Compute Optimizer service.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
        },
        {
            "Effect": "Allow",
            "Action": "compute-optimizer:UpdateEnrollmentStatus",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "organizations:DescribeOrganization",
            "Resource": "*"
        }
    ]
}

Policy to grant access to Compute Optimizer for a standalone Amazon Web Services account

The following policy statement grants a standalone Amazon Web Services account full access to Compute Optimizer. For policy statements that manage recommendation preferences, see Policies to grant permission to manage Compute Optimizer recommendation preferences.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

The following policy statement grants a standalone Amazon Web Services account read-only access to Compute Optimizer.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "compute-optimizer:GetEBSVolumeRecommendations",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:DescribeRecommendationExportJobs",
                "compute-optimizer:GetECSServiceRecommendations",
                "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData"
            ],
            "Resource": "*"
        }
    ]
}

Policy to grant an organization's management account access to Compute Optimizer

The following policy statement grants an organization's management account full access to Compute Optimizer. For policy statements that manage recommendation preferences, see Policies to grant permission to manage Compute Optimizer recommendation preferences.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:*",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListDelegatedAdministrators",
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"
            ],
            "Resource": "*"
        }
    ]
}

The following policy statement grants an organization's management account read-only access to Compute Optimizer.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:GetEnrollmentStatus",
                "compute-optimizer:GetEnrollmentStatusesForOrganization",
                "compute-optimizer:GetRecommendationSummaries",
                "compute-optimizer:GetEC2InstanceRecommendations",
                "compute-optimizer:GetEC2RecommendationProjectedMetrics",
                "compute-optimizer:GetAutoScalingGroupRecommendations",
                "compute-optimizer:GetEBSVolumeRecommendations",
                "compute-optimizer:GetLambdaFunctionRecommendations",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:GetECSServiceRecommendations",
                "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ecs:ListServices",
                "ecs:ListClusters",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "cloudwatch:GetMetricData",
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*"
        }
    ]
}

Policies to grant permission to manage Compute Optimizer recommendation preferences

The following policy statements grant permission to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Recommendation preferences.

Grant permission to manage recommendation preferences for EC2 instances only

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DeleteRecommendationPreferences",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "compute-optimizer:ResourceType": "Ec2Instance"
                }
            }
        }
    ]
}

Grant permission to manage recommendation preferences for Auto Scaling groups only

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "compute-optimizer:DeleteRecommendationPreferences",
                "compute-optimizer:GetEffectiveRecommendationPreferences",
                "compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "compute-optimizer:ResourceType": "AutoScalingGroup"
                }
            }
        }
    ]
}

Policies to enable commercial software license recommendations

For Compute Optimizer to generate license recommendations, attach the following Amazon EC2 instance role and policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue*"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:ApplicationInsights-*"
        }
    ]
}

Additionally, to enable and receive license recommendations, attach the following IAM policy to your user, group, or role. For more information, see IAM policies in the Amazon CloudWatch User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "applicationinsights:*",
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "resource-groups:ListGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Policy to deny access to Compute Optimizer

The following policy statement denies access to Compute Optimizer.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "compute-optimizer:*",
            "Resource": "*"
        }
    ]
}
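As an added offline example (not part of this Amazon documentation or any Amazon tool), the following Python evaluates an identity policy against the prerequisite actions listed in the Important note above and against the explicit Deny semantics of the policy just shown: wildcard action patterns, the StringEquals condition on compute-optimizer:ResourceType used by the preference policies, and Deny taking precedence over Allow. The sample policy is constructed for the example; the evaluator models identity-based policies only, not resource policies, SCPs, NotAction, or other condition operators.

```python
import fnmatch

# Prerequisite actions per recommendation type, from the "Important" note on this page
PREREQS = {
    "EC2 instances": ["ec2:DescribeInstances"],
    "EBS volumes": ["ec2:DescribeVolumes"],
    "Auto Scaling groups": ["autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances"],
    "Lambda functions": ["lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs"],
    "ECS services on Fargate": ["ecs:ListServices", "ecs:ListClusters"],
    "CloudWatch metrics": ["cloudwatch:GetMetricData"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, context=None):
    """True if the identity policy allows `action` under `context` (condition-key values).
    An explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; '*' and '?' are IAM wildcards
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) not in _as_list(v) for k, v in cond.items()):
            continue  # only StringEquals is modelled, as in the preference policies above
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def viewable_recommendations(policy):
    """Recommendation types whose prerequisite actions are all allowed by the policy."""
    return sorted(name for name, actions in PREREQS.items()
                  if all(policy_allows(policy, a) for a in actions))

# Constructed sample: read-only access missing the Lambda prerequisites, preference edits
# for EC2 instances only, and an explicit deny on listing export jobs
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "compute-optimizer:Get*", "ec2:DescribeInstances", "ec2:DescribeVolumes",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
        "cloudwatch:GetMetricData"]},
    {"Effect": "Allow", "Resource": "*", "Action": "compute-optimizer:PutRecommendationPreferences",
     "Condition": {"StringEquals": {"compute-optimizer:ResourceType": "Ec2Instance"}}},
    {"Effect": "Deny", "Resource": "*", "Action": "compute-optimizer:DescribeRecommendationExportJobs"},
]}
```

Running viewable_recommendations(SAMPLE_POLICY) shows that Lambda and ECS recommendations stay invisible even though every compute-optimizer:Get* call is allowed, which is the gap the Important note warns about.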