This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
Resource-based delegation policy examples for Amazon Organizations
The following code examples show how to use resource-based delegation policies. For more information, see Delegated administrator for Amazon Organizations.
Example: View organization OUs, accounts, and policies
Before you delegate policy management, you must delegate the permissions needed to navigate the organization structure and view organizational units (OUs), accounts, and the policies attached to them.
This example shows how to include these permissions in a resource-based delegation policy for the member account AccountId.
Important
We recommend that you include only the permissions for the minimum set of actions required, as shown in the example, but you can use this policy to delegate any Organizations read-only action.
This example delegation policy grants the permissions required to complete the actions programmatically through the Amazon API or the Amazon CLI. To use this delegation policy, replace the Amazon placeholder text AccountId with your own information. Then follow the instructions in Delegated administrator for Amazon Organizations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountId:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
Example: Create, read, update, and delete policies
You can create a resource-based delegation policy that allows the management account to delegate the create, read, update, and delete actions for any policy type. This example shows how to delegate these actions for service control policies to the member account MemberAccountId. The two resources shown in the example grant access to customer-managed and Amazon managed service control policies, respectively.
Important
This policy allows the delegated administrator to perform the specified actions on policies created by any account in the organization, including the management account.
This policy does not allow the delegated administrator to attach or detach policies, because the permissions required for the organizations:AttachPolicy and organizations:DetachPolicy actions are not included.
This example delegation policy grants the permissions required to complete the actions programmatically through the Amazon API or the Amazon CLI. Replace the Amazon placeholder text MemberAccountId, ManagementAccountId, and OrganizationId with your own information. Then follow the instructions in Delegated administrator for Amazon Organizations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": {
          "organizations:PolicyType": "SERVICE_CONTROL_POLICY"
        }
      }
    },
    {
      "Sid": "DelegatingMinimalActionsForSCPs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:CreatePolicy",
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": [
        "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/service_control_policy/*",
        "arn:aws:organizations::aws:policy/service_control_policy/*"
      ]
    }
  ]
}
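The read-only example and the create/read/update/delete example above both rest on the same review questions: which principal is named, which actions are writes rather than Describe*/List* reads, which policy types the organizations:PolicyType condition scopes the grant to, and whether organizations:AttachPolicy or organizations:DetachPolicy slipped in. The following Python example is added here as an illustration and is not part of the original page or of Amazon's documentation; it audits a delegation policy document before it is applied and answers exactly those questions. The embedded policy is the service control policy example above with constructed placeholder IDs (member account 111111111111, management account 222222222222, organization o-abc123def4).

```python
import json
from typing import Any

# Organizations actions that only read state; anything else is treated as a write.
READ_ONLY_PREFIXES = ("organizations:Describe", "organizations:List")
ATTACH_DETACH = {"organizations:AttachPolicy", "organizations:DetachPolicy"}

# Constructed sample: the service control policy example with placeholder IDs.
ORG_READ_ACTIONS = [
    "organizations:" + name for name in (
        "DescribeOrganization", "DescribeOrganizationalUnit", "DescribeAccount",
        "DescribePolicy", "DescribeEffectivePolicy", "ListRoots",
        "ListOrganizationalUnitsForParent", "ListParents", "ListChildren",
        "ListAccounts", "ListAccountsForParent", "ListPolicies",
        "ListPoliciesForTarget", "ListTargetsForPolicy", "ListTagsForResource",
    )
]
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatingNecessaryDescribeListActions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": ORG_READ_ACTIONS,
            "Resource": "*",
            "Condition": {"StringLikeIfExists": {"organizations:PolicyType": "SERVICE_CONTROL_POLICY"}},
        },
        {
            "Sid": "DelegatingMinimalActionsForSCPs",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": ["organizations:CreatePolicy", "organizations:DescribePolicy",
                       "organizations:UpdatePolicy", "organizations:DeletePolicy"],
            "Resource": [
                "arn:aws:organizations::222222222222:policy/o-abc123def4/service_control_policy/*",
                "arn:aws:organizations::aws:policy/service_control_policy/*",
            ],
        },
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts either a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_delegation_policy(policy: dict) -> dict:
    """Summarise what a resource-based delegation policy grants, and to whom."""
    principals, read_only, writes, policy_types = set(), set(), set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a delegation policy should consist of Allow statements only
        principal = stmt.get("Principal", {})
        principals.update(_as_list(principal.get("AWS") if isinstance(principal, dict) else principal))
        for action in _as_list(stmt.get("Action")):
            (read_only if action.startswith(READ_ONLY_PREFIXES) else writes).add(action)
        # A String* condition on organizations:PolicyType scopes the statement to policy types.
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator.startswith(("StringLike", "StringEquals")):
                policy_types.update(_as_list(pairs.get("organizations:PolicyType")))
    return {
        "principals": sorted(principals),
        "read_only_actions": sorted(read_only),
        "write_actions": sorted(writes),
        "policy_types": sorted(policy_types),
        "grants_attach_detach": bool(writes & ATTACH_DETACH),
        "grants_any_principal": "*" in principals,
        "uses_wildcard_action": any("*" in a for a in read_only | writes),
    }


if __name__ == "__main__":
    print(json.dumps(audit_delegation_policy(SAMPLE_POLICY), indent=2))
```

Run the audit on the rendered policy document (for example the JSON you are about to pass to the Organizations API), and treat a non-empty write_actions list, a true grants_attach_detach, or an empty policy_types list as a prompt to re-read the policy against the Important notes above before applying it.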
Example: Tag and untag policies
This example shows how to create a resource-based delegation policy that allows a delegated administrator to tag or untag backup policies. It grants the permissions required to complete the actions programmatically through the Amazon API or the Amazon CLI.
To use this delegation policy, replace the Amazon placeholder text MemberAccountId, ManagementAccountId, and OrganizationId with your own information. Then follow the instructions in Delegated administrator for Amazon Organizations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "DelegatingTaggingBackupPolicies",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:TagResource",
        "organizations:UntagResource"
      ],
      "Resource": "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*"
    }
  ]
}
Example: Attach policies to a single OU or account
This example shows how to create a resource-based delegation policy that allows a delegated administrator to attach or detach Organizations policies on a specified organizational unit (OU) or a specified account. Before you delegate these actions, you must delegate the permissions needed to navigate the organization structure and view the accounts under it. For more information, see Example: View organization OUs, accounts, and policies.
Important
- Although this policy allows policies to be attached to or detached from the specified OU or account, it does not cover child OUs or child accounts.
- This policy allows the delegated administrator to perform the specified actions on policies created by any account in the organization, including the management account.
This example delegation policy grants the permissions required to complete the actions programmatically through the Amazon API or the Amazon CLI. To use this delegation policy, replace the Amazon placeholder text MemberAccountId, ManagementAccountId, OrganizationId, and TargetAccountId with your own information. Then follow the instructions in Delegated administrator for Amazon Organizations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AttachDetachPoliciesSpecifiedAccountOU",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/ou-OUId",
        "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/TargetAccountId",
        "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*"
      ]
    }
  ]
}
To delegate responsibility for attaching and detaching policies to any OU or account in the organization, replace the resources in the previous example with the following:
"Resource": [
  "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/*",
  "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/*",
  "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*"
]
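The difference between the single-OU/account grant and the organization-wide grant above lies entirely in the target ARNs: an explicit ou-… or account ID limits the delegation to that one target, while a trailing * on the ou or account ARN covers every OU or account in the organization. The following Python example is added here as an illustration and is not part of the original page or of Amazon's documentation; it parses Organizations resource ARNs and reports, for each statement that grants AttachPolicy or DetachPolicy, which roots, OUs, accounts and policies it covers and whether a wildcard makes the grant organization-wide. The two resource lists are the narrow and broadened forms above with constructed IDs (management account 222222222222, organization o-abc123def4, OU ou-ab12-11111111, target account 333333333333).

```python
import re

# Organizations resource ARN: arn:aws:organizations::<management-account>:<type>/<path>
# Amazon managed policies use "aws" in place of the management account ID.
ORG_ARN = re.compile(
    r"^arn:aws:organizations::(?P<account>\d{12}|aws):"
    r"(?P<rtype>root|ou|account|policy)/(?P<path>.+)$"
)
ATTACH_DETACH = {"organizations:AttachPolicy", "organizations:DetachPolicy"}

# Constructed sample resources: the single-OU/account form and the organization-wide form.
NARROW_RESOURCES = [
    "arn:aws:organizations::222222222222:ou/o-abc123def4/ou-ab12-11111111",
    "arn:aws:organizations::222222222222:account/o-abc123def4/333333333333",
    "arn:aws:organizations::222222222222:policy/o-abc123def4/backup_policy/*",
]
ORG_WIDE_RESOURCES = [
    "arn:aws:organizations::222222222222:ou/o-abc123def4/*",
    "arn:aws:organizations::222222222222:account/o-abc123def4/*",
    "arn:aws:organizations::222222222222:policy/o-abc123def4/backup_policy/*",
]


def parse_org_arn(arn: str) -> dict:
    """Split an Organizations ARN into account, type, organization, policy type and target."""
    m = ORG_ARN.match(arn)
    if not m:
        raise ValueError(f"not an Organizations resource ARN: {arn}")
    parts = m.group("path").split("/")
    info = {"account": m.group("account"), "rtype": m.group("rtype"), "policy_type": None}
    if info["rtype"] == "policy":
        if info["account"] == "aws":
            parts = [None] + parts  # Amazon managed policies carry no organization segment
        # <mgmt>:policy/o-<org>/<policy_type>/<id or *>; unpacking rejects malformed paths
        info["org_id"], info["policy_type"], info["target"] = parts
    else:
        # root, ou and account: <type>/o-<org>/<id or *>
        info["org_id"], info["target"] = parts
    return info


def scope_of_resources(resources) -> dict:
    """Group targets by resource type and flag grants that reach the whole organization."""
    scope = {"root": [], "ou": [], "account": [], "policy": [], "organization_wide": False}
    for arn in resources:
        if arn == "*":
            scope["organization_wide"] = True  # bare wildcard resource covers every target
            continue
        info = parse_org_arn(arn)
        scope[info["rtype"]].append(info["target"])
        # A wildcard on a root, OU or account ARN makes the grant organization-wide; a wildcard
        # on the policy ARN only widens which policies may be attached, not where.
        if info["rtype"] != "policy" and info["target"] == "*":
            scope["organization_wide"] = True
    return scope


def attach_detach_scope(policy: dict) -> list:
    """Report the scope of every Allow statement that grants AttachPolicy or DetachPolicy."""
    report = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") == "Allow" and ATTACH_DETACH & set(actions):
            resources = stmt.get("Resource", [])
            resources = resources if isinstance(resources, list) else [resources]
            report.append({"Sid": stmt.get("Sid"), **scope_of_resources(resources)})
    return report


if __name__ == "__main__":
    for label, resources in (("narrow", NARROW_RESOURCES), ("organization-wide", ORG_WIDE_RESOURCES)):
        print(label, scope_of_resources(resources))
```

Because the attach/detach grant on an OU does not extend to child OUs or accounts (see the Important note above), the report lists exactly the targets the policy names; anything the delegated administrator needs beyond those must be added explicitly or, deliberately, through the wildcard form.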
Example: Consolidated permissions required to manage organization backup policies
This example shows how to create a resource-based delegation policy that allows the management account to delegate all of the permissions required to manage backup policies within the organization, including the create, read, update, and delete actions as well as the attach and detach policy actions.
Important
This policy allows the delegated administrator to perform the specified actions on policies created by any account in the organization, including the management account.
This example delegation policy grants the permissions required to complete the actions programmatically through the Amazon API or the Amazon CLI. To use this delegation policy, replace the Amazon placeholder text MemberAccountId, ManagementAccountId, OrganizationId, and RootId with your own information. Then follow the instructions in Delegated administrator for Amazon Organizations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatingNecessaryDescribeListActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:ListRoots",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DelegatingNecessaryDescribeListActionsForSpecificPolicyType",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "DelegatingAllActionsForBackupPolicies",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MemberAccountId:root"
      },
      "Action": [
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy",
        "organizations:EnablePolicyType",
        "organizations:DisablePolicyType"
      ],
      "Resource": [
        "arn:aws:organizations::ManagementAccountId:root/o-OrganizationId/r-RootId",
        "arn:aws:organizations::ManagementAccountId:ou/o-OrganizationId/*",
        "arn:aws:organizations::ManagementAccountId:account/o-OrganizationId/*",
        "arn:aws:organizations::ManagementAccountId:policy/o-OrganizationId/backup_policy/*"
      ],
      "Condition": {
        "StringLikeIfExists": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}
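The consolidated policy relies on two mechanics that are easy to misread: wildcard matching in Resource, and the StringLikeIfExists condition on organizations:PolicyType, which passes when the request carries no policy type at all and otherwise requires it to be BACKUP_POLICY. The following Python example is added here as an illustration and is not part of the original page or of Amazon's documentation; it is a minimal evaluator for Allow-only delegation policies that applies exactly those two rules, so that a reviewer can check offline which requests the consolidated backup-policy example would and would not permit. It is not the IAM policy engine: it ignores Deny and NotAction, supports only the StringEquals and StringLike operators and their IfExists variants, and does no policy-variable substitution. The embedded policy and IDs are constructed (member account 111111111111, management account 222222222222, organization o-abc123def4, root r-ab12).

```python
from fnmatch import fnmatchcase

MEMBER = "arn:aws:iam::111111111111:root"
MGMT, ORG = "222222222222", "o-abc123def4"
BACKUP_ONLY = {"StringLikeIfExists": {"organizations:PolicyType": "BACKUP_POLICY"}}

# Constructed sample: the consolidated backup-policy example with placeholder IDs.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DelegatingNecessaryDescribeListActions", "Effect": "Allow",
         "Principal": {"AWS": MEMBER}, "Resource": "*",
         "Action": ["organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit",
                    "organizations:DescribeAccount", "organizations:ListRoots",
                    "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents",
                    "organizations:ListChildren", "organizations:ListAccounts",
                    "organizations:ListAccountsForParent", "organizations:ListTagsForResource"]},
        {"Sid": "DelegatingNecessaryDescribeListActionsForSpecificPolicyType", "Effect": "Allow",
         "Principal": {"AWS": MEMBER}, "Resource": "*", "Condition": BACKUP_ONLY,
         "Action": ["organizations:DescribePolicy", "organizations:DescribeEffectivePolicy",
                    "organizations:ListPolicies", "organizations:ListPoliciesForTarget",
                    "organizations:ListTargetsForPolicy"]},
        {"Sid": "DelegatingAllActionsForBackupPolicies", "Effect": "Allow",
         "Principal": {"AWS": MEMBER}, "Condition": BACKUP_ONLY,
         "Action": ["organizations:CreatePolicy", "organizations:UpdatePolicy",
                    "organizations:DeletePolicy", "organizations:AttachPolicy",
                    "organizations:DetachPolicy", "organizations:EnablePolicyType",
                    "organizations:DisablePolicyType"],
         "Resource": [f"arn:aws:organizations::{MGMT}:root/{ORG}/r-ab12",
                      f"arn:aws:organizations::{MGMT}:ou/{ORG}/*",
                      f"arn:aws:organizations::{MGMT}:account/{ORG}/*",
                      f"arn:aws:organizations::{MGMT}:policy/{ORG}/backup_policy/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM patterns use only * and ?; fnmatchcase also treats [...] as a class, which ARNs never contain.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Evaluate StringEquals/StringLike and their ...IfExists variants against the request context."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base not in ("StringEquals", "StringLike"):
            raise NotImplementedError(f"operator {operator} is outside this evaluator's scope")
        for key, patterns in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # ...IfExists: a key absent from the request satisfies the condition
                return False
            ok = context[key] in _as_list(patterns) if base == "StringEquals" else _matches(context[key], patterns)
            if not ok:
                return False
    return True


def is_allowed(policy, principal_arn, action, resource, context=None):
    """True if some Allow statement matches the principal, action, resource and condition context."""
    context = context or {}
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        allowed = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if stmt.get("Effect") != "Allow" or not _matches(principal_arn, allowed):
            continue
        if not _matches(action, stmt.get("Action", [])) or not _matches(resource, stmt.get("Resource", [])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    ou = f"arn:aws:organizations::{MGMT}:ou/{ORG}/ou-ab12-11111111"
    for ptype in ("BACKUP_POLICY", "SERVICE_CONTROL_POLICY"):
        ctx = {"organizations:PolicyType": ptype}
        print(ptype, "AttachPolicy on OU:", is_allowed(SAMPLE_POLICY, MEMBER, "organizations:AttachPolicy", ou, ctx))
```

The evaluator makes the scoping visible: the same AttachPolicy call on the same OU is permitted when the request's policy type is BACKUP_POLICY and refused for SERVICE_CONTROL_POLICY, the read actions in the first statement carry no condition and so pass with any policy type, and a policy-type-less request against the second statement passes only because the operator is the IfExists variant.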