Permissions required to designate a delegated GuardDuty administrator account
When you designate a delegated GuardDuty administrator account, you must have permission to enable GuardDuty and to call certain Amazon Organizations API operations. You can grant these permissions by adding the following statement to the end of an IAM policy:
{
    "Sid": "PermissionsForGuardDutyAdmin",
    "Effect": "Allow",
    "Action": [
        "guardduty:EnableOrganizationAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
In addition, if you want to designate your Amazon Organizations management account as the delegated GuardDuty administrator account, that entity needs the CreateServiceLinkedRole permission in order to initialize GuardDuty. To grant it, add the following statement to the IAM policy, replacing 111122223333 with the Amazon Web Services account ID of your organization's management account. The statement is deliberately scoped to the GuardDuty service-linked role ARN and to the guardduty.amazonaws.com service principal rather than to all roles:
{
    "Sid": "PermissionsToEnableGuardDuty",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::111122223333:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "guardduty.amazonaws.com"
        }
    }
}
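The following script is an added example and is not part of the AWS documentation or of any AWS tool. It assembles both statements above into one policy document for a given management account ID and then lints a policy document against what the two statements require: the admin statement must carry every listed action, and the CreateServiceLinkedRole statement must stay scoped to the GuardDuty service-linked role ARN in the right account and carry the iam:AWSServiceName condition, so a later edit that widens it to Resource "*" or drops the condition is caught before the policy is attached. The function names, the 12-digit account-ID check, and the weakened variant used for demonstration are this example's own assumptions; the ARN partition is "aws" as on the page.

```python
import json
import re

# Actions the page lists for the PermissionsForGuardDutyAdmin statement.
REQUIRED_ADMIN_ACTIONS = frozenset({
    "guardduty:EnableOrganizationAdminAccount",
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit",
    "organizations:ListAccounts",
    "organizations:DescribeAccount",
    "organizations:DescribeOrganization",
})

GUARDDUTY_SERVICE = "guardduty.amazonaws.com"
# Service-linked role ARN from the page; partition "aws" as on the page (assumption:
# adjust the partition if you run in another one).
SLR_ARN_RE = re.compile(
    r"arn:aws:iam::(\d{12}):role/aws-service-role/guardduty\.amazonaws\.com/"
    r"AWSServiceRoleForAmazonGuardDuty"
)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_policy(management_account_id: str) -> dict:
    """Return a policy document with both statements, scoped to the
    organization's management account (assumed to be a 12-digit ID)."""
    if not re.fullmatch(r"\d{12}", management_account_id):
        raise ValueError("account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PermissionsForGuardDutyAdmin",
                "Effect": "Allow",
                "Action": sorted(REQUIRED_ADMIN_ACTIONS),
                "Resource": "*",
            },
            {
                "Sid": "PermissionsToEnableGuardDuty",
                "Effect": "Allow",
                "Action": ["iam:CreateServiceLinkedRole"],
                "Resource": (
                    f"arn:aws:iam::{management_account_id}:role/aws-service-role/"
                    f"{GUARDDUTY_SERVICE}/AWSServiceRoleForAmazonGuardDuty"
                ),
                "Condition": {"StringLike": {"iam:AWSServiceName": GUARDDUTY_SERVICE}},
            },
        ],
    }


def lint_policy(policy: dict, management_account_id: str) -> list:
    """Check a policy document against what the page requires.
    Returns a list of findings; an empty list means it passes."""
    findings = []
    by_sid = {s.get("Sid"): s for s in policy.get("Statement", [])}

    admin = by_sid.get("PermissionsForGuardDutyAdmin")
    if admin is None:
        findings.append("missing statement PermissionsForGuardDutyAdmin")
    else:
        if admin.get("Effect") != "Allow":
            findings.append("PermissionsForGuardDutyAdmin: Effect must be Allow")
        for action in sorted(REQUIRED_ADMIN_ACTIONS - set(_as_list(admin.get("Action")))):
            findings.append(f"PermissionsForGuardDutyAdmin: missing action {action}")

    slr = by_sid.get("PermissionsToEnableGuardDuty")
    if slr is None:
        findings.append("missing statement PermissionsToEnableGuardDuty")
        return findings
    if slr.get("Effect") != "Allow":
        findings.append("PermissionsToEnableGuardDuty: Effect must be Allow")
    if set(_as_list(slr.get("Action"))) != {"iam:CreateServiceLinkedRole"}:
        findings.append("PermissionsToEnableGuardDuty: Action must be exactly iam:CreateServiceLinkedRole")
    # The statement must name the GuardDuty service-linked role in the management account.
    for resource in _as_list(slr.get("Resource")) or ["<none>"]:
        match = SLR_ARN_RE.fullmatch(resource)
        if match is None:
            findings.append(f"PermissionsToEnableGuardDuty: Resource {resource!r} is not the GuardDuty service-linked role ARN")
        elif match.group(1) != management_account_id:
            findings.append(f"PermissionsToEnableGuardDuty: Resource is in account {match.group(1)}, expected {management_account_id}")
    service = slr.get("Condition", {}).get("StringLike", {}).get("iam:AWSServiceName")
    if service != GUARDDUTY_SERVICE:
        findings.append("PermissionsToEnableGuardDuty: Condition iam:AWSServiceName must be guardduty.amazonaws.com")
    return findings


if __name__ == "__main__":
    policy = build_policy("111122223333")
    print(json.dumps(policy, indent=4))
    print("findings:", lint_policy(policy, "111122223333"))
    # Constructed weakened variant: wildcard resource and no service condition.
    weak = build_policy("111122223333")
    weak["Statement"][1]["Resource"] = "*"
    del weak["Statement"][1]["Condition"]
    for finding in lint_policy(weak, "111122223333"):
        print("-", finding)
```

Run it to print the assembled document and the findings for the weakened copy. The lint only checks the shape of the document; whether the principal actually ends up with the permission still depends on any SCPs, permission boundaries, and other attached policies, which this offline check cannot see.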