Controlling access using Amazon Identity and Access Management
You can use Amazon Identity and Access Management (IAM) to create identities (users, groups, or roles) and give those identities permissions to access the Amazon Compute Optimizer console and API.
By default, IAM users have no access to the Compute Optimizer console and API. You grant access by attaching IAM policies to an individual user, a group of users, or a role. For an overview of IAM identities (users, groups, and roles) and of IAM policies, see Overview of IAM policies in the IAM User Guide.
After you create IAM users, you can give each of them a password. They can then sign in to your account and use Compute Optimizer through an account-specific sign-in page. For more information, see How users sign in to your account.
To view recommendations and metrics in the Compute Optimizer console, IAM users need the following additional permissions:
- To view recommendations for EC2 instances, IAM users need the ec2:DescribeInstances permission.
- To view recommendations for EBS volumes, IAM users need the ec2:DescribeVolumes permission.
- To view recommendations for Auto Scaling groups, IAM users need the autoscaling:DescribeAutoScalingGroups and autoscaling:DescribeAutoScalingInstances permissions.
- To view recommendations for Lambda functions, IAM users need the lambda:ListFunctions and lambda:ListProvisionedConcurrencyConfigs permissions.
- To view recommendations for Amazon ECS services on Fargate, IAM users need the ecs:ListServices and ecs:ListClusters permissions.
- To view current CloudWatch metrics data in the Compute Optimizer console, IAM users need the cloudwatch:GetMetricData permission.
If the user or group that you want to grant permissions to already has a policy, you can add one of the Compute Optimizer-specific policy statements shown here to that policy.
Compute Optimizer and Amazon Organizations trusted access
When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Compute Optimizer is automatically enabled in your organization account. This allows Compute Optimizer to analyze the compute resources in those member accounts and generate recommendations for them.
Each time you access recommendations for member accounts, Compute Optimizer verifies that trusted access is enabled in your organization account. If you disable Compute Optimizer trusted access after opting in, Compute Optimizer denies access to recommendations for your organization's member accounts, and the member accounts within the organization are no longer opted in to Compute Optimizer. To re-enable trusted access, opt in to Compute Optimizer again using your organization's management account and include all member accounts within the organization. For more information, see Opting in your account. For more information about Amazon Organizations trusted access, see Using Amazon Organizations with other Amazon services in the Amazon Organizations User Guide.
Policy to opt in to Compute Optimizer
The following policy statement grants access to opt in to Compute Optimizer. It grants permission to create the Compute Optimizer service-linked role (and to put an inline policy on it). This role is required to opt in. For more information, see Using service-linked roles for Amazon Compute Optimizer. The statement also grants access to update the enrollment status of the Compute Optimizer service.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "compute-optimizer.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer"
    },
    {
      "Effect": "Allow",
      "Action": "compute-optimizer:UpdateEnrollmentStatus",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:DescribeOrganization",
      "Resource": "*"
    }
  ]
}
Policies to grant access to Compute Optimizer for standalone Amazon accounts
The following policy statement grants full access to Compute Optimizer for a standalone Amazon Web Services account. For policy statements that manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ecs:ListServices",
        "ecs:ListClusters",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}
The following policy statement grants read-only access to Compute Optimizer for a standalone Amazon Web Services account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:DescribeRecommendationExportJobs",
        "compute-optimizer:GetECSServiceRecommendations",
        "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ecs:ListServices",
        "ecs:ListClusters",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}
Policies to grant access to Compute Optimizer for an organization management account
The following policy statement grants full access to Compute Optimizer for your organization's management account. For policy statements that manage recommendation preferences, see Policies to grant access to manage Compute Optimizer recommendation preferences.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:*",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ecs:ListServices",
        "ecs:ListClusters",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListDelegatedAdministrators",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "*"
    }
  ]
}
The following policy statement grants read-only access to Compute Optimizer for an organization management account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetEnrollmentStatusesForOrganization",
        "compute-optimizer:GetRecommendationSummaries",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:GetECSServiceRecommendations",
        "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ecs:ListServices",
        "ecs:ListClusters",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "lambda:ListFunctions",
        "lambda:ListProvisionedConcurrencyConfigs",
        "cloudwatch:GetMetricData",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    }
  ]
}
Policies to grant access to manage Compute Optimizer recommendation preferences
The following policy statements grant access to view and edit recommendation preferences, such as the enhanced infrastructure metrics paid feature. For more information, see Activating recommendation preferences.
Grant access to manage recommendation preferences for EC2 instances only
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "compute-optimizer:ResourceType": "Ec2Instance"
        }
      }
    }
  ]
}
Grant access to manage recommendation preferences for Auto Scaling groups only
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:DeleteRecommendationPreferences",
        "compute-optimizer:GetEffectiveRecommendationPreferences",
        "compute-optimizer:GetRecommendationPreferences",
        "compute-optimizer:PutRecommendationPreferences"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "compute-optimizer:ResourceType": "AutoScalingGroup"
        }
      }
    }
  ]
}
Policy to deny access to Compute Optimizer
The following policy statement denies access to Compute Optimizer.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "compute-optimizer:*",
      "Resource": "*"
    }
  ]
}
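The policies on this page rely on three IAM evaluation rules that are easy to get wrong when you merge statements into an existing policy: a wildcard such as compute-optimizer:* covers every action in the service, an explicit Deny (the last policy above) overrides any Allow, and a statement with a Condition (the recommendation-preference policies keyed on compute-optimizer:ResourceType, and the opt-in policy keyed on iam:AWSServiceName) only matches when the request context satisfies it. The following is an added example, not code from the Compute Optimizer documentation or an AWS library: a deliberately small policy evaluator in Python, with constructed, abbreviated copies of the page's policies as fixtures, that checks whether a set of identity policies grants the console permissions listed at the top of the page and shows how Deny and Condition change the result. It handles only Action, Effect, StringEquals and StringLike; Resource ARNs, NotAction, NotResource and resource-based policies are out of scope, so it is a teaching aid for reasoning about these statements, not a replacement for the IAM policy simulator.

```python
import fnmatch

# Constructed, abbreviated copies of the policy documents on this page.
# They are fixtures for the evaluator below, not the page's own code.
REQUIRED_CONSOLE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
    "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs",
    "ecs:ListServices", "ecs:ListClusters", "cloudwatch:GetMetricData",
]

FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["compute-optimizer:*"] + REQUIRED_CONSOLE_ACTIONS,
     "Resource": "*"}]}

DENY_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "compute-optimizer:*", "Resource": "*"}]}

EC2_PREFS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["compute-optimizer:GetRecommendationPreferences",
                "compute-optimizer:PutRecommendationPreferences"],
     "Resource": "*",
     "Condition": {"StringEquals": {"compute-optimizer:ResourceType": "Ec2Instance"}}}]}

OPT_IN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*",
     "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}}}]}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and condition values."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringLike blocks against the request context.

    Every operator block and every key must match (logical AND). A key that is
    absent from the context fails the statement, as it does in IAM.
    """
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} is not supported by this toy evaluator")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = any(actual == e for e in _as_list(expected))
            else:
                ok = any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected))
            if not ok:
                return False
    return True


def evaluate(policies, action, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Mirrors the core identity-policy rule: an explicit Deny always wins,
    otherwise at least one matching Allow is needed.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_matches(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def missing_console_permissions(policies):
    """List the required console actions that the given policies do not allow."""
    return [a for a in REQUIRED_CONSOLE_ACTIONS if evaluate(policies, a) != "Allow"]


if __name__ == "__main__":
    print(missing_console_permissions([FULL_ACCESS]))
    print(evaluate([FULL_ACCESS, DENY_ALL], "compute-optimizer:GetRecommendationSummaries"))
    print(evaluate([EC2_PREFS_ONLY], "compute-optimizer:PutRecommendationPreferences",
                   {"compute-optimizer:ResourceType": "AutoScalingGroup"}))
```

Two results are worth noting. Attaching the deny policy alongside the full-access policy blocks every compute-optimizer action but leaves the supporting ec2, autoscaling, lambda, ecs and cloudwatch actions allowed, because the Deny only names compute-optimizer:*. And the EC2-only preferences policy allows PutRecommendationPreferences only when the request carries compute-optimizer:ResourceType equal to Ec2Instance; a request for an Auto Scaling group, or one with no resource type in its context, falls through to an implicit deny, which is exactly the scoping the page's two preference policies are designed to give.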