Permissions required to designate a delegated GuardDuty administrator account - Amazon GuardDuty
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If there are discrepancies between this translation and the original English text, the English version prevails.

Permissions required to designate a delegated GuardDuty administrator account

When you designate a delegated GuardDuty administrator account, you must have permission to enable GuardDuty as well as permission to call certain Amazon Organizations API actions. You can grant these permissions by adding the following statement to the end of your IAM policy:

```json
{
    "Sid": "PermissionsForGuardDutyAdmin",
    "Effect": "Allow",
    "Action": [
        "guardduty:EnableOrganizationAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
```

In addition, if you want to designate your Amazon Organizations management account as the delegated GuardDuty administrator account, that entity needs the CreateServiceLinkedRole permission in order to initialize GuardDuty. To grant it, add the following statement to the IAM policy, replacing 111122223333 with the Amazon Web Services account ID of your organization's management account:

```json
{
    "Sid": "PermissionsToEnableGuardDuty",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::111122223333:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "guardduty.amazonaws.com"
        }
    }
}
```
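The following Python script is an added example, not code from the GuardDuty documentation or from any AWS SDK. It covers both statements above: `build_policy` assembles the policy document (the first statement always, the service-linked-role statement only when a management account ID is supplied), and `missing_actions` runs a preflight check over an existing policy document to report which of the required actions it does not allow, honouring IAM wildcards and explicit Deny statements. The sample policies near the bottom are constructed for the example. The function names, the simplified matcher (it ignores `Condition` blocks and resource-based or SCP policies) and the 12-digit account-ID check are this example's own assumptions; for an authoritative answer, the AWS CLI's `aws iam simulate-principal-policy` evaluates the real policy set.

```python
"""Preflight check for the IAM permissions needed to designate a delegated
GuardDuty administrator account (added example; not AWS code)."""
import fnmatch
import re

# Actions from the page's first statement (the duplicate ListAccounts entry removed).
REQUIRED_ORG_ACTIONS = [
    "guardduty:EnableOrganizationAdminAccount",
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit",
    "organizations:ListAccounts",
    "organizations:DescribeAccount",
    "organizations:DescribeOrganization",
]
# Action and resource from the page's second statement; only needed when the
# management account itself is the delegated administrator.
REQUIRED_SLR_ACTION = "iam:CreateServiceLinkedRole"
GUARDDUTY_SLR_ARN = ("arn:aws:iam::{account_id}:role/aws-service-role/"
                     "guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty")


def build_policy(management_account_id=None):
    """Return the policy document as a dict, with the SLR statement included
    only when a (12-digit) management account ID is given."""
    statements = [{
        "Sid": "PermissionsForGuardDutyAdmin",
        "Effect": "Allow",
        "Action": list(REQUIRED_ORG_ACTIONS),
        "Resource": "*",
    }]
    if management_account_id is not None:
        # Assumption of this example: reject obviously malformed IDs early.
        if not re.fullmatch(r"\d{12}", management_account_id):
            raise ValueError("account ID must be exactly 12 digits")
        statements.append({
            "Sid": "PermissionsToEnableGuardDuty",
            "Effect": "Allow",
            "Action": [REQUIRED_SLR_ACTION],
            "Resource": GUARDDUTY_SLR_ARN.format(account_id=management_account_id),
            "Condition": {"StringLike": {"iam:AWSServiceName": "guardduty.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one character.
    Action names are matched case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def grants(policy, action, resource="*"):
    """True if some Allow statement covers action+resource and no Deny statement
    does. Condition blocks are not evaluated (simplification of this example)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins in IAM evaluation
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, management_account_id=None):
    """List the required actions that `policy` does not allow."""
    missing = [a for a in REQUIRED_ORG_ACTIONS if not grants(policy, a)]
    if management_account_id is not None:
        arn = GUARDDUTY_SLR_ARN.format(account_id=management_account_id)
        if not grants(policy, REQUIRED_SLR_ACTION, arn):
            missing.append(REQUIRED_SLR_ACTION)
    return missing


# Constructed sample policies for the check (not from the page).
SAMPLE_WILDCARD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["organizations:*", "guardduty:Enable*"], "Resource": "*"},
]}
SAMPLE_DENY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["organizations:*", "guardduty:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:RegisterDelegatedAdministrator", "Resource": "*"},
]}

if __name__ == "__main__":
    print("wildcard policy missing:", missing_actions(SAMPLE_WILDCARD_POLICY, "111122223333"))
    print("deny policy missing:", missing_actions(SAMPLE_DENY_POLICY))
```

Run it as a script to see that the wildcard policy lacks only `iam:CreateServiceLinkedRole` for the management-account case, while the policy with the explicit Deny fails on `organizations:RegisterDelegatedAdministrator` even though its Allow statement is broader. Treat the result as a first screen only: service control policies, permission boundaries and the `Condition` on the SLR statement are not modelled here.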