AWS managed policies for AWS Config - AWS Config
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This page is a machine-translated version. If there is a discrepancy between this translation and the English original, the English original prevails.

AWS managed policies for AWS Config

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates will not break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AWSConfigServiceRolePolicy

AWS Config uses the service-linked role (SLR) named AWSServiceRoleForConfig to call other AWS services on your behalf. When you use the AWS Management Console to set up AWS Config, AWS Config creates this SLR automatically if you choose the option to use the AWS Config SLR instead of your own AWS Identity and Access Management (IAM) service role.

The AWSServiceRoleForConfig SLR contains the managed policy AWSConfigServiceRolePolicy. This managed policy contains read-only and "write-only" permissions for AWS Config resources, and read-only permissions for resources in the other services that AWS Config supports. For more information, see Supported Resource Types and Using service-linked roles for AWS Config.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate",
        "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribePolicies", "autoscaling:DescribeScheduledActions", "autoscaling:DescribeTags",
        "backup:ListBackupPlans", "backup:GetBackupPlan", "backup:ListBackupVaults", "backup:DescribeBackupVault", "backup:GetBackupVaultNotifications", "backup:GetBackupVaultAccessPolicy", "backup:ListBackupSelections", "backup:GetBackupSelection", "backup:ListRecoveryPointsByBackupVault", "backup:DescribeRecoveryPoint", "backup:ListTags",
        "cloudfront:ListTagsForResource", "cloudformation:DescribeType", "cloudformation:ListTypes",
        "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudwatch:DescribeAlarms",
        "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:ListPipelines",
        "config:BatchGet*", "config:Describe*", "config:Get*", "config:List*", "config:Put*", "config:Select*",
        "dax:DescribeClusters", "dms:DescribeReplicationInstances", "dms:DescribeReplicationSubnetGroups", "dms:ListTagsForResource",
        "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:ListTagsOfResource",
        "ec2:Describe*", "ec2:GetEbsEncryptionByDefault",
        "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRepositoryPolicy", "ecr:ListTagsForResource",
        "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTaskSets", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTaskDefinitions",
        "eks:DescribeCluster", "eks:DescribeNodegroup", "eks:ListClusters", "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups", "elasticache:DescribeCacheSubnetGroups", "elasticache:DescribeReplicationGroups",
        "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags",
        "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeSecurityConfiguration", "elasticmapreduce:GetBlockPublicAccessConfiguration", "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstances",
        "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", "es:ListDomainNames", "es:ListTags",
        "guardduty:GetDetector", "guardduty:GetFindings", "guardduty:GetMasterAccount", "guardduty:ListDetectors", "guardduty:ListFindings",
        "iam:GenerateCredentialReport", "iam:GetAccountAuthorizationDetails", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroupsForUser", "iam:ListInstanceProfilesForRole", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListUserPolicies", "iam:ListVirtualMFADevices",
        "kinesis:DescribeStreamSummary", "kinesis:ListStreams", "kinesis:ListTagsForStream",
        "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListKeys", "kms:ListResourceTags",
        "lambda:GetAlias", "lambda:GetFunction", "lambda:GetPolicy", "lambda:ListAliases", "lambda:ListFunctions",
        "logs:DescribeLogGroups", "organizations:DescribeOrganization",
        "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions", "rds:ListTagsForResource",
        "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusters", "redshift:DescribeEventSubscriptions", "redshift:DescribeLoggingStatus",
        "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:ListTagsForResource",
        "s3:GetAccelerateConfiguration", "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration", "s3:ListAccessPoints", "s3:ListAllMyBuckets", "s3:ListBucket",
        "sagemaker:DescribeCodeRepository", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeNotebookInstance", "sagemaker:ListCodeRepositories", "sagemaker:ListEndpointConfigs", "sagemaker:ListNotebookInstances", "sagemaker:ListTags",
        "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds", "securityhub:describeHub",
        "shield:DescribeDRTAccess", "shield:DescribeProtection", "shield:DescribeSubscription",
        "sns:GetTopicAttributes", "sns:ListSubscriptions", "sns:ListTagsForResource", "sns:ListTopics",
        "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags",
        "ssm:DescribeAutomationExecutions", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "ssm:GetDocument", "ssm:ListDocuments",
        "storagegateway:ListGateways", "storagegateway:ListVolumes", "support:DescribeCases", "tag:GetResources",
        "waf:GetLoggingConfiguration", "waf:GetWebACL", "wafv2:GetLoggingConfiguration", "waf-regional:GetLoggingConfiguration", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource"
      ],
      "Resource": "*"
    }
  ]
}
```

AWS managed policy: AWS_ConfigRole

If you are creating an IAM role for AWS Config yourself, use the managed policy AWS_ConfigRole and attach it to that IAM role.

This IAM policy is updated each time AWS Config adds support for an AWS resource type. This means that AWS Config continues to have the permissions required to record configuration data for the supported resource types, as long as the role you assign to AWS Config has this managed policy attached. For more information, see Supported Resource Types and Permissions for the IAM role assigned to AWS Config.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate",
        "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies",
        "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribePolicies", "autoscaling:DescribeScheduledActions", "autoscaling:DescribeTags",
        "backup:ListBackupPlans", "backup:GetBackupPlan", "backup:ListBackupVaults", "backup:DescribeBackupVault", "backup:GetBackupVaultNotifications", "backup:GetBackupVaultAccessPolicy", "backup:ListBackupSelections", "backup:GetBackupSelection", "backup:ListRecoveryPointsByBackupVault", "backup:DescribeRecoveryPoint", "backup:ListTags",
        "cloudfront:ListTagsForResource", "cloudformation:DescribeType", "cloudformation:ListTypes",
        "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudwatch:DescribeAlarms",
        "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:ListPipelines",
        "config:BatchGet*", "config:Describe*", "config:Get*", "config:List*", "config:Put*", "config:Select*",
        "dax:DescribeClusters", "dms:DescribeReplicationInstances", "dms:DescribeReplicationSubnetGroups", "dms:ListTagsForResource",
        "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:ListTagsOfResource",
        "ec2:Describe*", "ec2:GetEbsEncryptionByDefault",
        "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRepositoryPolicy", "ecr:ListTagsForResource",
        "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTaskSets", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTaskDefinitions",
        "eks:DescribeCluster", "eks:DescribeNodegroup", "eks:ListClusters", "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups", "elasticache:DescribeCacheSubnetGroups", "elasticache:DescribeReplicationGroups",
        "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags",
        "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeSecurityConfiguration", "elasticmapreduce:GetBlockPublicAccessConfiguration", "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstances",
        "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", "es:ListDomainNames", "es:ListTags",
        "guardduty:GetDetector", "guardduty:GetFindings", "guardduty:GetMasterAccount", "guardduty:ListDetectors", "guardduty:ListFindings",
        "iam:GenerateCredentialReport", "iam:GetAccountAuthorizationDetails", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroupsForUser", "iam:ListInstanceProfilesForRole", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListUserPolicies", "iam:ListVirtualMFADevices",
        "kinesis:DescribeStreamSummary", "kinesis:ListStreams", "kinesis:ListTagsForStream",
        "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListKeys", "kms:ListResourceTags",
        "lambda:GetAlias", "lambda:GetFunction", "lambda:GetPolicy", "lambda:ListAliases", "lambda:ListFunctions",
        "logs:DescribeLogGroups", "organizations:DescribeOrganization",
        "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions", "rds:ListTagsForResource",
        "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusters", "redshift:DescribeEventSubscriptions", "redshift:DescribeLoggingStatus",
        "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:ListTagsForResource",
        "s3:GetAccelerateConfiguration", "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration", "s3:ListAccessPoints", "s3:ListAllMyBuckets", "s3:ListBucket",
        "sagemaker:DescribeCodeRepository", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeNotebookInstance", "sagemaker:ListCodeRepositories", "sagemaker:ListEndpointConfigs", "sagemaker:ListNotebookInstances", "sagemaker:ListTags",
        "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds", "securityhub:describeHub",
        "shield:DescribeDRTAccess", "shield:DescribeProtection", "shield:DescribeSubscription",
        "sns:GetTopicAttributes", "sns:ListSubscriptions", "sns:ListTagsForResource", "sns:ListTopics",
        "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags",
        "ssm:DescribeAutomationExecutions", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "ssm:GetDocument", "ssm:ListDocuments",
        "storagegateway:ListGateways", "storagegateway:ListVolumes", "support:DescribeCases", "tag:GetResources",
        "waf:GetLoggingConfiguration", "waf:GetWebACL", "wafv2:GetLoggingConfiguration", "waf-regional:GetLoggingConfiguration", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource"
      ],
      "Resource": "*"
    }
  ]
}
```
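Both policy documents above grant a long list of actions on Resource "*", and the page states that only the config: actions carry write permissions while everything else is read-only. The following added example (not AWS code, and not part of this page) audits a pasted policy document offline: it flattens the Allow actions, flags any action whose verb is not a read verb, and diffs two versions to list what a managed-policy update added. The policy excerpt and the "previous version" are constructed for illustration; the read-verb list is a heuristic, not an IAM API.

```python
import json

# Constructed excerpt of the AWSConfigServiceRolePolicy / AWS_ConfigRole document
# shown on this page: a handful of its ~200 actions, for illustration only.
POLICY_V2 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["acm:DescribeCertificate", "config:Describe*", "config:Put*",
               "ec2:Describe*", "iam:GenerateCredentialReport", "iam:GetRole",
               "securityhub:describeHub", "ssm:GetDocument", "ssm:ListDocuments"],
    "Resource": "*"
  }]
}""")

# Constructed "previous version": the same document without ssm:ListDocuments,
# mirroring the 2021-04-01 change-log entry on this page.
POLICY_V1 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": [a for a in POLICY_V2["Statement"][0]["Action"]
               if a != "ssm:ListDocuments"]}]}

# Heuristic: operations whose name starts with one of these verbs are read-only.
# Compared case-insensitively because some services use lowercase (describeHub).
READ_ONLY_VERBS = ("describe", "get", "list", "batchget", "select", "generate")

def allowed_actions(policy):
    """Flatten the Action element of every Allow statement into one set."""
    out = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        out.update([acts] if isinstance(acts, str) else acts)
    return out

def is_read_only(action):
    """'service:Operation' -> True when the operation verb is a read verb."""
    _service, _, operation = action.partition(":")
    return operation.lower().startswith(READ_ONLY_VERBS)

def mutating_actions(policy):
    """Actions that can change state; for this policy only config:Put* should remain."""
    return sorted(a for a in allowed_actions(policy) if not is_read_only(a))

def added_actions(old, new):
    """Actions granted by the new policy version but absent from the old one."""
    return sorted(allowed_actions(new) - allowed_actions(old))
```

Run the same functions over the full document from this page (or over two versions fetched with the IAM API) to confirm that the only non-read action is config:Put* and to see exactly which grants a managed-policy update introduced.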

AWS Config updates to AWS managed policies

View details about updates to AWS managed policies for AWS Config since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Config Document history page.

Change: AWSConfigServiceRolePolicy: added the ssm:ListDocuments permission and new permissions for additional resource types
Description: This policy now grants permission to view information about a specified AWS Systems Manager (formerly known as SSM) document. The policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service, Amazon Elastic Compute Cloud, Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to call the read-only APIs required to support these resource types.
Date: April 1, 2021

Change: AWS_ConfigRole: added the ssm:ListDocuments permission and new permissions for additional resource types
Description: This policy now grants permission to view information about a specified AWS Systems Manager (formerly known as SSM) document. The policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service, Amazon Elastic Compute Cloud, Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to call the read-only APIs required to support these resource types.
Date: April 1, 2021

Change: AWS Config started tracking changes
Description: AWS Config started tracking changes to its AWS managed policies.
Date: April 1, 2021