Set up permissions for Amazon IoT Events alarms - Amazon IoT SiteWise

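Set up permissions for Amazon IoT Events alarms

When you use an Amazon IoT Events alarm model to monitor an Amazon IoT SiteWise asset property, you must have the following IAM permissions:

  • An Amazon IoT Events service role that allows Amazon IoT Events to send data to Amazon IoT SiteWise. For more information, see Identity and access management for Amazon IoT Events in the Amazon IoT Events Developer Guide.

  • You must have the following Amazon IoT SiteWise action permissions: iotsitewise:DescribeAssetModel and iotsitewise:UpdateAssetModelPropertyRouting. These permissions allow Amazon IoT SiteWise to send asset property values to Amazon IoT Events alarm models.

For more information, see Resource-based policies in the IAM User Guide.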

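Required action permissions

Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions. The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy.

Before you define an Amazon IoT Events alarm model, you must grant the following permissions, which allow Amazon IoT SiteWise to send asset property values to the alarm model.

  • iotsitewise:DescribeAssetModel: Allows Amazon IoT Events to check whether an asset property exists.

  • iotsitewise:UpdateAssetModelPropertyRouting: Allows Amazon IoT SiteWise to automatically create subscriptions that allow Amazon IoT SiteWise to send data to Amazon IoT Events.

For more information about the actions that Amazon IoT SiteWise supports, see Actions defined by Amazon IoT SiteWise in the Service Authorization Reference.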

Example: Permissions policy example 1

The following policy allows Amazon IoT SiteWise to send asset property values to any Amazon IoT Events alarm model.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iotevents:CreateAlarmModel",
                    "iotevents:UpdateAlarmModel"
                ],
                "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iotsitewise:DescribeAssetModel",
                    "iotsitewise:UpdateAssetModelPropertyRouting"
                ],
                "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
            }
        ]
    }

Example: Permissions policy example 2

The following policy allows Amazon IoT SiteWise to send the values of a specified asset property to a specified Amazon IoT Events alarm model.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iotevents:CreateAlarmModel",
                    "iotevents:UpdateAlarmModel"
                ],
                "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iotsitewise:DescribeAssetModel"
                ],
                "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iotsitewise:UpdateAssetModelPropertyRouting"
                ],
                "Resource": [
                    "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
                ],
                "Condition": {
                    "StringLike": {
                        "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
                        "iotevents:alarmModelArn": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
                    }
                }
            }
        ]
    }

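(Optional) ListInputRoutings permission

When you update or delete an asset model, Amazon IoT SiteWise can check whether an alarm model in Amazon IoT Events is monitoring an asset property associated with that asset model. This prevents you from deleting an asset property that an Amazon IoT Events alarm is currently using. To enable this feature in Amazon IoT SiteWise, you must have the iotevents:ListInputRoutings permission. This permission allows Amazon IoT SiteWise to call the ListInputRoutings API operation supported by Amazon IoT Events.

Note

We strongly recommend that you add the ListInputRoutings permission.

Example: Permissions policy example

The following policy allows you to update and delete asset models and to use the ListInputRoutings API in Amazon IoT SiteWise.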

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iotsitewise:UpdateAssetModel",
                    "iotsitewise:DeleteAssetModel",
                    "iotevents:ListInputRoutings"
                ],
                "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
            }
        ]
    }
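
The check below is an added example, not code from the AWS documentation: it audits an identity-based policy document offline for the two required actions and the recommended iotevents:ListInputRoutings action, and flags an UpdateAssetModelPropertyRouting grant that is not narrowed to named asset models with the iotsitewise:propertyId and iotevents:alarmModelArn conditions, as policy example 2 is. The function names and the scoping heuristic are assumptions of this example, and Deny statements and NotAction are not evaluated.

```python
import fnmatch

REQUIRED = ("iotsitewise:DescribeAssetModel", "iotsitewise:UpdateAssetModelPropertyRouting")
RECOMMENDED = ("iotevents:ListInputRoutings",)
ROUTING = "iotsitewise:UpdateAssetModelPropertyRouting"
SCOPING_KEYS = {"iotsitewise:propertyid", "iotevents:alarmmodelarn"}  # compared lowercased

def as_list(value):
    return value if isinstance(value, list) else [value]

def allow_statements(policy, action):
    """Allow statements whose Action patterns (case-insensitive, * and ?) cover `action`."""
    return [s for s in as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), p.lower())
                for p in as_list(s.get("Action", [])))]

def is_scoped(stmt):
    """True when a routing grant names asset models and pins property and alarm model."""
    wildcard = any(r == "*" or r.endswith("/*") for r in as_list(stmt.get("Resource", "*")))
    keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
    return not wildcard and SCOPING_KEYS <= keys

def audit(policy):
    """Return findings for one identity-based policy; Deny and NotAction are not evaluated."""
    findings = [f"missing {kind} action: {a}"
                for kind, actions in (("required", REQUIRED), ("recommended", RECOMMENDED))
                for a in actions if not allow_statements(policy, a)]
    if any(not is_scoped(s) for s in allow_statements(policy, ROUTING)):
        findings.append(f"unscoped grant: {ROUTING}")
    return findings

MODELS = "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/"
# iotsitewise statement of the page's example 1: any asset model, no conditions.
EXAMPLE_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED), "Resource": MODELS + "*"}]}
# iotsitewise statements of the page's example 2, plus a constructed ListInputRoutings grant.
EXAMPLE_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iotsitewise:DescribeAssetModel"], "Resource": MODELS + "*"},
    {"Effect": "Allow", "Action": [ROUTING],
     "Resource": [MODELS + "12345678-90ab-cdef-1234-567890abcdef"],
     "Condition": {"StringLike": {
         "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
         "iotevents:alarmModelArn": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"}}},
    {"Effect": "Allow", "Action": "iotevents:ListInputRoutings", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2)):
        print(name, audit(policy) or "ok")
```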

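Permissions required for SiteWise Monitor

If you want to use the alarm feature in SiteWise Monitor portals, you must update the SiteWise Monitor service role with the following policy: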

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iotsitewise:DescribePortal",
                    "iotsitewise:CreateProject",
                    "iotsitewise:DescribeProject",
                    "iotsitewise:UpdateProject",
                    "iotsitewise:DeleteProject",
                    "iotsitewise:ListProjects",
                    "iotsitewise:BatchAssociateProjectAssets",
                    "iotsitewise:BatchDisassociateProjectAssets",
                    "iotsitewise:ListProjectAssets",
                    "iotsitewise:CreateDashboard",
                    "iotsitewise:DescribeDashboard",
                    "iotsitewise:UpdateDashboard",
                    "iotsitewise:DeleteDashboard",
                    "iotsitewise:ListDashboards",
                    "iotsitewise:CreateAccessPolicy",
                    "iotsitewise:DescribeAccessPolicy",
                    "iotsitewise:UpdateAccessPolicy",
                    "iotsitewise:DeleteAccessPolicy",
                    "iotsitewise:ListAccessPolicies",
                    "iotsitewise:DescribeAsset",
                    "iotsitewise:ListAssets",
                    "iotsitewise:ListAssociatedAssets",
                    "iotsitewise:DescribeAssetProperty",
                    "iotsitewise:GetAssetPropertyValue",
                    "iotsitewise:GetAssetPropertyValueHistory",
                    "iotsitewise:GetAssetPropertyAggregates",
                    "iotsitewise:BatchPutAssetPropertyValue",
                    "iotsitewise:ListAssetRelationships",
                    "iotsitewise:DescribeAssetModel",
                    "iotsitewise:ListAssetModels",
                    "iotsitewise:UpdateAssetModel",
                    "iotsitewise:UpdateAssetModelPropertyRouting",
                    "sso-directory:DescribeUsers",
                    "sso-directory:DescribeUser",
                    "iotevents:DescribeAlarmModel",
                    "iotevents:ListTagsForResource"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iotevents:BatchAcknowledgeAlarm",
                    "iotevents:BatchSnoozeAlarm",
                    "iotevents:BatchEnableAlarm",
                    "iotevents:BatchDisableAlarm"
                ],
                "Resource": "*",
                "Condition": {
                    "Null": {
                        "iotevents:keyValue": "false"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iotevents:CreateAlarmModel",
                    "iotevents:TagResource"
                ],
                "Resource": "*",
                "Condition": {
                    "Null": {
                        "aws:RequestTag/iotsitewisemonitor": "false"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iotevents:UpdateAlarmModel",
                    "iotevents:DeleteAlarmModel"
                ],
                "Resource": "*",
                "Condition": {
                    "Null": {
                        "aws:ResourceTag/iotsitewisemonitor": "false"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "iam:PassedToService": [
                            "iotevents.amazonaws.com"
                        ]
                    }
                }
            }
        ]
    }