为Amazon IoT Events警报设置权限 - Amazon IoT SiteWise
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

为Amazon IoT Events警报设置权限

当您使用Amazon IoT Events警报模型监控Amazon IoT SiteWise资产属性时,您必须拥有以下 IAM 权限:

  • 允许Amazon IoT Events向发送数据的Amazon IoT Events服务角色Amazon IoT SiteWise。有关更多信息,请参阅《Amazon IoT Events开发者指南》Amazon IoT Events中的身份和访问管理

  • 您必须具有以下Amazon IoT SiteWise操作权限:iotsitewise:DescribeAssetModeliotsitewise:UpdateAssetModelPropertyRouting。这些权限允许Amazon IoT SiteWise向Amazon IoT Events警报模型发送资产属性值。

有关更多信息,请参阅 IAM 用户指南中的基于资源的策略

所需的操作权限权限

管理员可以使用 Amazon JSON 策略来指定谁有权访问什么内容。也就是说,哪个主体 可以对什么资源 执行操作,以及在什么 条件 下执行。JSON 策略的 Action 元素描述可用于在策略中允许或拒绝访问的操作。

在定义Amazon IoT Events警报模型之前,必须授予以下权限,Amazon IoT SiteWise以允许向警报模型发送资产属性值。

  • iotsitewise:DescribeAssetModel—Amazon IoT Events 允许检查资产属性是否存在。

  • iotsitewise:UpdateAssetModelPropertyRouting—Amazon IoT SiteWise 允许自动创建可将数据发送Amazon IoT SiteWise到的订阅Amazon IoT Events。

有关Amazon IoT SiteWise支持的操作的更多信息,请参阅《服务授权参考》Amazon IoT SiteWise中定义的操作

例 权限策略示例

以下策略允许Amazon IoT SiteWise向任何Amazon IoT Events警报模型发送资产属性值。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotevents:CreateAlarmModel", "iotevents:UpdateAlarmModel" ], "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*" }, { "Effect": "Allow", "Action": [ "iotsitewise:DescribeAssetModel", "iotsitewise:UpdateAssetModelPropertyRouting" ], "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*" } ] }
例 权限策略示例

以下策略Amazon IoT SiteWise允许将指定资产属性的值发送到指定的Amazon IoT Events警报模型。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotevents:CreateAlarmModel", "iotevents:UpdateAlarmModel" ], "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*" }, { "Effect": "Allow", "Action": [ "iotsitewise:DescribeAssetModel" ], "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*" }, { "Effect": "Allow", "Action": [ "iotsitewise:UpdateAssetModelPropertyRouting" ], "Resource": [ "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef" ], "Condition": { "StringLike": { "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890", "iotevents:alarmModelArn": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel" } } } ] }

(可选) ListInputRoutings 权限

当您更新或删除资产模型时,Amazon IoT SiteWise可以检查中的警报模型是否Amazon IoT Events正在监视与该资产模型关联的资产属性。这样可以防止您删除Amazon IoT Events警报当前正在使用的资产属性。要在中启用此功能Amazon IoT SiteWise,您必须具有iotevents:ListInputRoutings权限。此权限Amazon IoT SiteWise允许调用支持的 ListInputRoutingsAPI 操作Amazon IoT Events。

注意

强烈建议您添加ListInputRoutings权限。

例 权限策略示例

以下策略允许您更新和删除资产模型,并在中使用ListInputRoutings APIAmazon IoT SiteWise。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotsitewise:UpdateAssetModel", "iotsitewise:DeleteAssetModel", "iotevents:ListInputRoutings" ], "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*" } ] }

SiteWise 监视器所需的权限

如果要使用 SiteWise 监控门户中的警报功能,则必须使用以下策略更新SiteWise 监控服务角色

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iotsitewise:DescribePortal", "iotsitewise:CreateProject", "iotsitewise:DescribeProject", "iotsitewise:UpdateProject", "iotsitewise:DeleteProject", "iotsitewise:ListProjects", "iotsitewise:BatchAssociateProjectAssets", "iotsitewise:BatchDisassociateProjectAssets", "iotsitewise:ListProjectAssets", "iotsitewise:CreateDashboard", "iotsitewise:DescribeDashboard", "iotsitewise:UpdateDashboard", "iotsitewise:DeleteDashboard", "iotsitewise:ListDashboards", "iotsitewise:CreateAccessPolicy", "iotsitewise:DescribeAccessPolicy", "iotsitewise:UpdateAccessPolicy", "iotsitewise:DeleteAccessPolicy", "iotsitewise:ListAccessPolicies", "iotsitewise:DescribeAsset", "iotsitewise:ListAssets", "iotsitewise:ListAssociatedAssets", "iotsitewise:DescribeAssetProperty", "iotsitewise:GetAssetPropertyValue", "iotsitewise:GetAssetPropertyValueHistory", "iotsitewise:GetAssetPropertyAggregates", "iotsitewise:BatchPutAssetPropertyValue", "iotsitewise:ListAssetRelationships", "iotsitewise:DescribeAssetModel", "iotsitewise:ListAssetModels", "iotsitewise:UpdateAssetModel", "iotsitewise:UpdateAssetModelPropertyRouting", "sso-directory:DescribeUsers", "sso-directory:DescribeUser", "iotevents:DescribeAlarmModel", "iotevents:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iotevents:BatchAcknowledgeAlarm", "iotevents:BatchSnoozeAlarm", "iotevents:BatchEnableAlarm", "iotevents:BatchDisableAlarm" ], "Resource": "*", "Condition": { "Null": { "iotevents:keyValue": "false" } } }, { "Effect": "Allow", "Action": [ "iotevents:CreateAlarmModel", "iotevents:TagResource" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/iotsitewisemonitor": "false" } } }, { "Effect": "Allow", "Action": [ "iotevents:UpdateAlarmModel", "iotevents:DeleteAlarmModel" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/iotsitewisemonitor": "false" } } }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "iotevents.amazonaws.com" ] } } } ] }