

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Amazon managed policies for Amazon License Manager
<a name="security-iam-awsmanpol"></a>

Adding permissions to users, groups, and roles with an Amazon managed policy is much easier than writing policies yourself. Creating [IAM customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create-console.html) that give your team only the permissions it needs takes time and expertise. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

Amazon services maintain and update Amazon managed policies. You cannot change the permissions in an Amazon managed policy. Services occasionally add permissions to an Amazon managed policy to support new features. This kind of update affects every identity (user, group, and role) to which the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates do not break your existing permissions. The flip side is that the set of permissions granted to a role that carries one of these policies can only grow over time; the tables below document each policy as of writing, and the change log at the end of this page records what was added and when.

Amazon also supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see [Amazon managed policies for job functions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

## Amazon managed policy: AWSLicenseManagerServiceRolePolicy
<a name="security-iam-AWSLicenseManagerServiceRolePolicy"></a>

This policy is attached to the service-linked role named `AWSServiceRoleForAWSLicenseManagerRole`, which allows License Manager to call API operations on your behalf to manage licenses. For more information about the service-linked role, see [Permissions for the core role](license-manager-role-core.md#slr-permissions-core-role).

The role permissions policy allows License Manager to complete the following actions on the specified resources.


| Action | Resource ARN | 
| --- | --- | 
| iam:CreateServiceLinkedRole | arn:aws:iam::\*:role/aws-service-role/license-management.marketplace.amazonaws.com/AWSServiceRoleForMarketplaceLicenseManagement | 
| iam:CreateServiceLinkedRole | arn:aws:iam::\*:role/aws-service-role/license-manager.member-account.amazonaws.com/AWSServiceRoleForAWSLicenseManagerMemberAccountRole | 
| s3:GetBucketLocation | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:ListBucket | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:ListAllMyBuckets | \* | 
| s3:PutObject | arn:aws:s3:::aws-license-manager-service-\* | 
| sns:Publish | arn:aws:sns:\*:\*:aws-license-manager-service-\* | 
| sns:ListTopics | \* | 
| ec2:DescribeInstances | \* | 
| ec2:DescribeImages | \* | 
| ec2:DescribeHosts | \* | 
| ssm:ListInventoryEntries | \* | 
| ssm:GetInventory | \* | 
| ssm:CreateAssociation | \* | 
| ssm:GetCommandInvocation | \* | 
| ssm:SendCommand | arn:aws:ec2:\*:\*:instance/\* | 
| ssm:SendCommand | arn:aws:ssm:\*:\*:managed-instance/\* | 
| ssm:SendCommand | arn:aws:ssm:\*::document/AWSLicenseManager-\* | 
| organizations:ListAWSServiceAccessForOrganization | \* | 
| organizations:DescribeOrganization | \* | 
| organizations:ListDelegatedAdministrators | \* | 
| license-manager:GetServiceSettings | \* | 
| license-manager:GetLicense\* | \* | 
| license-manager:UpdateLicenseSpecificationsForResource | \* | 
| license-manager:List\* | \* | 

To view the permissions for this policy in the Amazon Web Services Management Console, see [https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerServiceRolePolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerServiceRolePolicy).
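Because a managed policy can be updated without your involvement, a practitioner usually wants to compare the live policy document against a table like the one above and to see exactly which grants a new version added. The following is example code added here, not AWS code: the two policy documents are constructed from a subset of the table above (plus one extra grant standing in for a later version) so the file runs offline, and `fetch_default_version()` is the only part that talks to IAM, assuming boto3 and configured credentials.

```python
"""Audit a License Manager managed policy against the documented table.

Added example, not AWS code. SAMPLE_V1 and SAMPLE_V2 are CONSTRUCTED from the
table on this page; the live document can differ, which is what the comparison
is meant to surface.
"""
from __future__ import annotations

import json
from typing import Iterable, Set, Tuple

# Constructed subset of AWSLicenseManagerServiceRolePolicy as documented above.
SAMPLE_V1: dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeHosts"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "ssm:SendCommand",
         "Resource": ["arn:aws:ec2:*:*:instance/*",
                      "arn:aws:ssm:*:*:managed-instance/*",
                      "arn:aws:ssm:*::document/AWSLicenseManager-*"]},
        {"Effect": "Allow",
         "Action": "sns:Publish",
         "Resource": "arn:aws:sns:*:*:aws-license-manager-service-*"},
    ],
}

# Constructed "next version": V1 plus one additive grant, the kind of change the
# page says a service makes when a feature launches (compare the June 2021 entries).
SAMPLE_V2: dict = json.loads(json.dumps(SAMPLE_V1))
SAMPLE_V2["Statement"].append(
    {"Effect": "Allow", "Action": "organizations:ListDelegatedAdministrators", "Resource": "*"}
)

# (action, resource, condition as canonical JSON or "" when unconditional)
Grant = Tuple[str, str, str]


def _as_list(value) -> list:
    """IAM allows Statement/Action/Resource to be a single value or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def flatten(doc: dict) -> Set[Grant]:
    """Expand every Allow statement into (action, resource, condition) grants.

    Deny statements are skipped. NotAction/NotResource are rejected: an inverted
    grant cannot be compared row by row against a documented allow-list.
    """
    grants: Set[Grant] = set()
    for stmt in _as_list(doc.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError(f"statement {stmt.get('Sid', '?')} uses NotAction/NotResource")
        if stmt.get("Effect") != "Allow":
            continue
        cond = json.dumps(stmt["Condition"], sort_keys=True) if "Condition" in stmt else ""
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action, resource, cond))
    return grants


def diff_policies(old: dict, new: dict) -> Tuple[Set[Grant], Set[Grant]]:
    """Return (added, removed) grants between two versions of the same policy."""
    before, after = flatten(old), flatten(new)
    return after - before, before - after


def missing_from_live(documented: Iterable[Tuple[str, str]], live: dict) -> Set[Tuple[str, str]]:
    """Documented (action, resource) rows that the live document does not grant at all."""
    granted = {(action, resource) for action, resource, _ in flatten(live)}
    return set(documented) - granted


POLICY_ARN = "arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerServiceRolePolicy"


def fetch_default_version(policy_arn: str = POLICY_ARN) -> dict:
    """Fetch the current (default) version of a managed policy from IAM.

    Assumes boto3 is installed and credentials are configured (imported lazily so
    the offline helpers above work without it). In the China partition the policy
    ARN uses the arn:aws-cn:... prefix instead.
    """
    import boto3  # assumption: boto3 available, credentials configured

    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    version = iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)
    return version["PolicyVersion"]["Document"]  # boto3 decodes the document into a dict


if __name__ == "__main__":
    added, removed = diff_policies(SAMPLE_V1, SAMPLE_V2)
    print("added:", sorted(added))
    print("removed:", sorted(removed))  # expected empty: managed policies only grow
```

To audit the real policy, pass `fetch_default_version()` as the `live` argument of `missing_from_live()` with the rows from the table, or keep a copy of the document each time you review it and feed the old and new copies to `diff_policies()`; the condition field is kept in each grant so a change such as the RAM condition-key swap recorded in the change log below shows up as one grant removed and one added rather than being silently collapsed.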

## Amazon managed policy: AWSLicenseManagerMasterAccountRolePolicy
<a name="security-iam-AWSLicenseManagerMasterAccountRolePolicy"></a>

This policy is attached to the service-linked role named `AWSServiceRoleForAWSLicenseManagerMasterAccountRole`, which allows License Manager to call API operations on your behalf to perform license management for the central management account. For more information about the service-linked role, see [License Manager management account role](management-role.md).

The role permissions policy allows License Manager to complete the following actions on the specified resources.


| Action | Resource ARN | 
| --- | --- | 
| s3:GetBucketLocation | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:ListBucket | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:GetLifecycleConfiguration | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:PutLifecycleConfiguration | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:GetBucketPolicy | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:PutBucketPolicy | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:AbortMultipartUpload | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:PutObject | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:GetObject | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:ListBucketMultipartUploads | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:ListMultipartUploadParts | arn:aws:s3:::aws-license-manager-service-\* | 
| s3:DeleteObject | arn:aws:s3:::aws-license-manager-service-\*/resource-sync/\* | 
| athena:GetQueryExecution | \* | 
| athena:GetQueryResults | \* | 
| athena:StartQueryExecution | \* | 
| glue:GetTable | \* | 
| glue:GetPartition | \* | 
| glue:GetPartitions | \* | 
| glue:CreateTable | See footnote ¹ | 
| glue:UpdateTable | See footnote ¹ | 
| glue:DeleteTable | See footnote ¹ | 
| glue:UpdateJob | See footnote ¹ | 
| glue:UpdateCrawler | See footnote ¹ | 
| organizations:DescribeOrganization | \* | 
| organizations:ListAccounts | \* | 
| organizations:DescribeAccount | \* | 
| organizations:ListChildren | \* | 
| organizations:ListParents | \* | 
| organizations:ListAccountsForParent | \* | 
| organizations:ListRoots | \* | 
| organizations:ListAWSServiceAccessForOrganization | \* | 
| ram:GetResourceShares | \* | 
| ram:GetResourceShareAssociations | \* | 
| ram:TagResource | \* | 
| ram:CreateResourceShare | \* | 
| ram:AssociateResourceShare | \* | 
| ram:DisassociateResourceShare | \* | 
| ram:UpdateResourceShare | \* | 
| ram:DeleteResourceShare | \* | 
| resource-groups:PutGroupPolicy | \* | 
| iam:GetRole | \* | 
| iam:PassRole | arn:aws:iam::\*:role/LicenseManagerServiceResourceDataSyncRole\* | 
| cloudformation:UpdateStack | arn:aws:cloudformation:\*:\*:stack/LicenseManagerCrossAccountCloudDiscoveryStack/\* | 
| cloudformation:CreateStack | arn:aws:cloudformation:\*:\*:stack/LicenseManagerCrossAccountCloudDiscoveryStack/\* | 
| cloudformation:DeleteStack | arn:aws:cloudformation:\*:\*:stack/LicenseManagerCrossAccountCloudDiscoveryStack/\* | 
| cloudformation:DescribeStacks | arn:aws:cloudformation:\*:\*:stack/LicenseManagerCrossAccountCloudDiscoveryStack/\* | 

¹ The following resources are defined for the Amazon Glue actions:
+ `arn:aws:glue:*:*:catalog`
+ `arn:aws:glue:*:*:crawler/LicenseManagerResourceSynDataCrawler`
+ `arn:aws:glue:*:*:job/LicenseManagerResourceSynDataProcessJob`
+ `arn:aws:glue:*:*:table/license_manager_resource_inventory_db/*`
+ `arn:aws:glue:*:*:table/license_manager_resource_sync/*`
+ `arn:aws:glue:*:*:database/license_manager_resource_inventory_db`
+ `arn:aws:glue:*:*:database/license_manager_resource_sync`

To view the permissions for this policy in the Amazon Web Services Management Console, see [https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerMasterAccountRolePolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerMasterAccountRolePolicy).

## Amazon managed policy: AWSLicenseManagerMemberAccountRolePolicy
<a name="security-iam-AWSLicenseManagerMemberAccountRolePolicy"></a>

This policy is attached to the service-linked role named `AWSServiceRoleForAWSLicenseManagerMemberAccountRole`, which allows License Manager to call API operations on your behalf to manage licenses from the configured management account. For more information, see [License Manager member account role](member-role.md).

The role permissions policy allows License Manager to complete the following actions on the specified resources.


| Action | Resource ARN | 
| --- | --- | 
| license-manager:UpdateLicenseSpecificationsForResource | \* | 
| license-manager:GetLicenseConfiguration | \* | 
| ssm:ListInventoryEntries | \* | 
| ssm:GetInventory | \* | 
| ssm:CreateAssociation | \* | 
| ssm:CreateResourceDataSync | \* | 
| ssm:DeleteResourceDataSync | \* | 
| ssm:ListResourceDataSync | \* | 
| ssm:ListAssociations | \* | 
| ram:AcceptResourceShareInvitation | \* | 
| ram:GetResourceShareInvitations | \* | 

To view the permissions for this policy in the Amazon Web Services Management Console, see [https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerMemberAccountRolePolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerMemberAccountRolePolicy).

## Amazon managed policy: AWSLicenseManagerConsumptionPolicy
<a name="security-iam-AWSLicenseManagerConsumptionPolicy"></a>

You can attach the `AWSLicenseManagerConsumptionPolicy` policy to your IAM identities. This policy grants permissions that allow access to the License Manager API operations needed to consume licenses. For more information, see [Consumption of licenses issued by sellers in License Manager](license-usage.md).

To view the permissions for this policy in the Amazon Web Services Management Console, see [https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/AWSLicenseManagerConsumptionPolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/AWSLicenseManagerConsumptionPolicy).

## License Manager updates to Amazon managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to License Manager Amazon managed policies since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
| [AWSLicenseManagerMasterAccountRolePolicy](#security-iam-AWSLicenseManagerMasterAccountRolePolicy): update to an existing policy | License Manager added the resource-groups:PutGroupPolicy permission for resource groups managed by Amazon Resource Access Manager. | June 27, 2022 | 
| [AWSLicenseManagerMasterAccountRolePolicy](#security-iam-AWSLicenseManagerMasterAccountRolePolicy): update to an existing policy | License Manager changed the [Amazon Resource Access Manager condition key](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsresourceaccessmanager.html) used in the `AWSLicenseManagerMasterAccountRolePolicy` Amazon managed policy from ram:ResourceTag to aws:ResourceTag. | November 16, 2021 | 
| [AWSLicenseManagerConsumptionPolicy](#security-iam-AWSLicenseManagerConsumptionPolicy): new policy | License Manager added a new policy that grants permissions to consume licenses. | August 11, 2021 | 
| [AWSLicenseManagerServiceRolePolicy](#security-iam-AWSLicenseManagerServiceRolePolicy): update to an existing policy | License Manager added permissions to list delegated administrators and to create a service-linked role named AWSServiceRoleForAWSLicenseManagerMemberAccountRole. | June 16, 2021 | 
| [AWSLicenseManagerServiceRolePolicy](#security-iam-AWSLicenseManagerServiceRolePolicy): update to an existing policy | License Manager added permissions to list all License Manager resources, such as license configurations, licenses, and grants. | June 15, 2021 | 
| [AWSLicenseManagerServiceRolePolicy](#security-iam-AWSLicenseManagerServiceRolePolicy): update to an existing policy | License Manager added permission to create a service-linked role named AWSServiceRoleForMarketplaceLicenseManagement. This role gives Amazon Web Services Marketplace permission to create and manage licenses in License Manager. For more information, see [Service-linked roles for Amazon Web Services Marketplace](https://docs.amazonaws.cn/marketplace/latest/buyerguide/buyer-using-service-linked-roles.html) in the *Amazon Web Services Marketplace Buyer Guide*. | March 9, 2021 | 
| License Manager started tracking changes | License Manager started tracking changes to its Amazon managed policies. | March 9, 2021 | 