

This page is a machine-translated version. Where this translation and the English original differ, the English original takes precedence.

# IAM policy examples for Quick

This section provides examples of IAM policies that you can use with Quick.

## IAM identity-based policies for Quick

This section shows examples of identity-based policies for use with Quick.

**Topics**
+ [IAM identity-based policies for Amazon Quick IAM console administration](#security_iam_conosole-administration)

### IAM identity-based policies for Amazon Quick IAM console administration

The following example shows the IAM permissions required for Amazon Quick IAM console administration operations.

```
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Action": [
               "quicksight:*",
               "iam:ListAttachedRolePolicies",
               "iam:GetPolicy",
               "iam:CreatePolicyVersion",
               "iam:DeletePolicyVersion",
               "iam:GetPolicyVersion",
               "iam:ListPolicyVersions",
               "iam:DeleteRole",
               "iam:CreateRole",
               "iam:GetRole",
               "iam:ListRoles",
               "iam:CreatePolicy",
               "iam:ListEntitiesForPolicy",
               "iam:listPolicies",
               "s3:ListAllMyBuckets",
               "athena:ListDataCatalogs",
               "athena:GetDataCatalog"
           ],
           "Resource": [
               "*"
           ]
       }
    ]
}
```
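As an added defender's check (not code from the page or from the Amazon Quick documentation), the following Python lints a policy document like the one above for the points a reviewer of this console-administration grant would look at first: a missing or pre-2012 `Version`, service-wide wildcard actions such as `quicksight:*`, and IAM actions that can change what other principals may do granted on `"Resource": "*"`. The watch-list of privilege-changing IAM actions is an assumption of this example, not something the page defines, and the embedded policy is a trimmed copy of the example above.

```python
import json

# Constructed example: the console-administration policy from this page, trimmed
# to the actions that matter for the findings below.
CONSOLE_ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Statement1", "Effect": "Allow",
    "Action": ["quicksight:*", "iam:CreateRole", "iam:CreatePolicy",
               "iam:CreatePolicyVersion", "iam:GetRole", "s3:ListAllMyBuckets"],
    "Resource": ["*"]
  }]
}
""")

# Assumption: a reviewer's watch-list of IAM actions that can alter what other
# principals are allowed to do. Lower-cased because IAM action names are
# case-insensitive (the page itself writes "iam:listPolicies").
PRIVILEGE_CHANGING = {
    "iam:createrole", "iam:createpolicy", "iam:createpolicyversion",
    "iam:deleterole", "iam:deletepolicyversion",
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of human-readable findings for one IAM policy document."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version: missing or not 2012-10-17; policy variables "
                        "such as ${aws:userid} will not expand")
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        label = stmt.get("Sid") or f"Statement[{index}]"
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        star_resource = "*" in _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{label}: service-wide wildcard action {action!r}")
        privileged = sorted(PRIVILEGE_CHANGING & set(actions))
        if privileged and star_resource:
            findings.append(f"{label}: {', '.join(privileged)} allowed on "
                            f"Resource \"*\"; confirm the principal needs them")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(CONSOLE_ADMIN_POLICY):
        print(finding)
```

Run against the trimmed copy, the linter reports the `quicksight:*` wildcard and the three IAM policy/role creation actions on `"Resource": "*"`; a policy that grants only `quicksight:ListUsers` produces no findings.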

## IAM identity-based policies for Quick: Dashboard embedding

The following is an example IAM policy that allows dashboard sharing and embedding for a specific dashboard.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
            "Effect": "Allow"
        }
    ]
}
```

## IAM identity-based policies for Quick: Namespaces

The following examples show IAM policies that allow an Amazon Quick administrator to create or delete namespaces.

**Create a namespace**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "ds:DescribeDirectories",
                "quicksight:CreateNamespace"
            ],
            "Resource": "*"
        }
    ]
}
```

**Delete a namespace**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:DescribeDirectories",
                "quicksight:DeleteNamespace"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: Custom permissions

The following example shows an IAM policy that allows Amazon Quick administrators or developers to manage custom permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:*CustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

The following example shows another way to grant the same permissions as in the previous example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:CreateCustomPermissions",
                "quicksight:DescribeCustomPermissions",
                "quicksight:ListCustomPermissions",
                "quicksight:UpdateCustomPermissions",
                "quicksight:DeleteCustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: Custom email report templates

The following example shows a policy that allows viewing, updating, and creating email report templates in Amazon Quick, and getting the verification attributes of Amazon Simple Email Service identities. This policy allows Amazon Quick administrators to create and update custom email report templates and to confirm that any custom email address they want to send email reports from is a verified identity in SES.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:DescribeAccountCustomization",
                "quicksight:CreateAccountCustomization",
                "quicksight:UpdateAccountCustomization",
                "quicksight:DescribeEmailCustomizationTemplate",
                "quicksight:CreateEmailCustomizationTemplate",
                "quicksight:UpdateEmailCustomizationTemplate",
                "ses:GetIdentityVerificationAttributes"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: Creating an Enterprise account with Amazon Quick managed users

The following example shows a policy that allows an Amazon Quick administrator to create an Enterprise edition Amazon Quick account with Amazon Quick managed users.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: Creating users

The following example shows a policy that allows only creating Amazon Quick users. For `quicksight:CreateReader`, `quicksight:CreateUser`, and `quicksight:CreateAdmin`, you can restrict the permission to `"Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"`. For all other permissions described in this guide, use `"Resource": "*"`. The resource that you specify limits the scope of the permission to that resource.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
        }
    ]
}
```

## IAM identity-based policies for Quick: Creating and managing groups

The following example shows a policy that allows Amazon Quick administrators and developers to create and manage groups.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:ListGroups",
                "quicksight:CreateGroup",
                "quicksight:SearchGroups",
                "quicksight:ListGroupMemberships",
                "quicksight:CreateGroupMembership",
                "quicksight:DeleteGroupMembership",
                "quicksight:DescribeGroupMembership",
                "quicksight:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: All access for Standard edition

The following Amazon Quick Standard edition example shows a policy that allows subscribing and creating authors and readers. This example explicitly denies the user permission to unsubscribe from Amazon Quick.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:DescribeAccountSubscription",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
```
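Three of the policies on this page rely on evaluation rules that are easy to misread: the explicit `Deny` on `quicksight:Unsubscribe` above, the `quicksight:*CustomPermissions` wildcard in the custom-permissions section, and the `${aws:userid}` resource scoping in the creating-users section. The following Python is an added example, not code from the page or from Amazon Quick. It models just enough of IAM's evaluation logic (an explicit deny overrides any allow, action globs are case-insensitive, resource ARNs are case-sensitive, and policy variables expand only under `Version` `2012-10-17`) to check those three behaviours offline. The embedded policies are constructed from the page's examples with a placeholder account id; `Condition`, `NotAction` and `NotResource` are deliberately not modelled.

```python
import json
import re

# Constructed example: the Standard edition all-access policy from this page,
# trimmed to a few actions, with its explicit Deny on quicksight:Unsubscribe.
STANDARD_EDITION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:ListAccountAliases", "quicksight:CreateUser",
                "quicksight:DescribeAccountSubscription", "quicksight:Subscribe"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"}
  ]
}
""")

# Constructed example combining the quicksight:*CustomPermissions wildcard with a
# ${aws:userid}-scoped user resource (111122223333 is a placeholder account id).
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:*CustomPermissions"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["quicksight:CreateUser"],
     "Resource": "arn:aws:quicksight::111122223333:user/${aws:userid}"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_insensitive):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _substitute(pattern, version, context):
    """Expand ${key} policy variables from the request context. Only Version
    2012-10-17 supports them; a policy without Version defaults to 2008-10-17,
    where the text ${aws:userid} is matched literally and the scoping silently
    stops matching anything."""
    if version != "2012-10-17":
        return pattern
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), pattern)


def without_version(policy):
    """Copy of a policy with its Version element removed, to show the caveat above."""
    return {k: v for k, v in policy.items() if k != "Version"}


def evaluate(policy, action, resource, context=None):
    """Decide one request against one identity-based policy.

    Returns 'Deny' if any Deny statement matches, else 'Allow' if any Allow
    statement matches, else 'ImplicitDeny'. Actions match case-insensitively,
    resource ARNs case-sensitively.
    """
    context = context or {}
    version = policy.get("Version", "2008-10-17")
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_glob_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob_match(_substitute(r, version, context), resource, False)
                   for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    print(evaluate(STANDARD_EDITION_POLICY, "quicksight:Unsubscribe", "*"))
    print(evaluate(SCOPED_POLICY, "quicksight:CreateUser",
                   "arn:aws:quicksight::111122223333:user/AIDAEXAMPLE",
                   {"aws:userid": "AIDAEXAMPLE"}))
```

`without_version` exists to make the `Version` caveat concrete: the same `${aws:userid}` statement that allows a principal to create its own user record under `2012-10-17` matches nothing once the element is dropped, which is a quieter failure than an error and worth a unit test in any policy pipeline.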

## IAM identity-based policies for Quick: All access for Enterprise edition with IAM Identity Center (Pro roles)

The following Amazon Quick Enterprise edition example shows a policy that allows an Amazon Quick user to subscribe to Amazon Quick, create users, and manage Active Directory in an Amazon Quick account that is integrated with IAM Identity Center.

The policy also allows the user to subscribe to Amazon Quick Pro roles, which grant access to Amazon Q generative BI features in Quick. For more information about Pro roles in Amazon Quick, see [Getting started with generative BI](https://docs.amazonaws.cn/quicksight/latest/user/generative-bi-get-started.html).

This example explicitly denies the user permission to unsubscribe from Amazon Quick.

```
{
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "iam:CreateServiceLinkedRole",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization",
                "user-subscriptions:CreateClaim",
                "user-subscriptions:UpdateClaim",
                "sso-directory:DescribeUser",
                "sso:ListApplicationAssignments",
                "sso-directory:DescribeGroup",
                "organizations:ListAWSServiceAccessForOrganization",
                "identitystore:DescribeUser",
                "identitystore:DescribeGroup"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: All access for Enterprise edition with IAM Identity Center

The following Amazon Quick Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick account that is integrated with IAM Identity Center.

This policy doesn't grant permission to create Pro roles in Amazon Quick. To create a policy that grants permission to subscribe to Pro roles in Amazon Quick, see [IAM identity-based policies for Quick: All access for Enterprise edition with IAM Identity Center (Pro roles)](https://docs.amazonaws.cn/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-all-access-enterprise-edition-sso-pro).

This example explicitly denies the user permission to unsubscribe from Amazon Quick.

```
{
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization" 
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: All access for Enterprise edition with Active Directory

The following Amazon Quick Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick account that uses Active Directory for identity management. This example explicitly denies the user permission to unsubscribe from Amazon Quick.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "iam:ListAccountAliases",
                "quicksight:CreateAdmin",
                "quicksight:Subscribe",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: Active Directory groups

The following example shows an IAM policy that allows Active Directory group management for an Amazon Quick Enterprise edition account.

```
{
    "Statement": [
        {
            "Action": [
                "ds:DescribeTrusts",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
```

## IAM identity-based policies for Quick: Using the admin asset management console

The following example shows an IAM policy that allows access to the admin asset management console.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [          
                "quicksight:SearchGroups",
                "quicksight:SearchUsers",              
                "quicksight:ListNamespaces",            
                "quicksight:DescribeAnalysisPermissions",
                "quicksight:DescribeDashboardPermissions",
                "quicksight:DescribeDataSetPermissions",
                "quicksight:DescribeDataSourcePermissions",
                "quicksight:DescribeFolderPermissions",
                "quicksight:ListAnalyses",
                "quicksight:ListDashboards",
                "quicksight:ListDataSets",
                "quicksight:ListDataSources",
                "quicksight:ListFolders",
                "quicksight:SearchAnalyses",
                "quicksight:SearchDashboards",
                "quicksight:SearchFolders",
                "quicksight:SearchDatasets",
                "quicksight:SearchDatasources",               
                "quicksight:UpdateAnalysisPermissions",
                "quicksight:UpdateDashboardPermissions",
                "quicksight:UpdateDataSetPermissions",
                "quicksight:UpdateDataSourcePermissions",
                "quicksight:UpdateFolderPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: Using the admin key management console

The following example shows an IAM policy that allows access to the admin key management console.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:DescribeKeyRegistration",
            "quicksight:UpdateKeyRegistration",
            "quicksight:ListKMSKeysForUser",
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:ListAliases"
         ],
         "Resource":"*"
      }
   ]
}
```

The `"quicksight:ListKMSKeysForUser"` and `"kms:ListAliases"` permissions are required to access customer managed keys from the Amazon Quick console. `"quicksight:ListKMSKeysForUser"` and `"kms:ListAliases"` are not required to use the Amazon Quick key management APIs.

To specify which keys you want users to be able to access, use the `quicksight:KmsKeyArns` condition key to add the ARNs of the keys that you want users to access to the `UpdateKeyRegistration` condition. Users can access only the keys specified in `UpdateKeyRegistration`. For more information about the condition keys that Amazon Quick supports, see [Condition keys for Amazon Quick](https://docs.amazonaws.cn/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-policy-keys).

The following example grants a user `Describe` permissions for all CMKs registered with the Amazon Quick account, and `Update` permissions for specific CMKs registered with the Amazon Quick account.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:DescribeKeyRegistration"
         ],
         "Resource":"arn:aws:quicksight:us-west-2:123456789012:*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:UpdateKeyRegistration"
         ],
         "Resource":"arn:aws:quicksight:us-west-2:123456789012:*",
         "Condition":{
            "ForAllValues:StringEquals":{
               "quicksight:KmsKeyArns":[
                  "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
                  "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
                  "..."
               ]
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":[
            "kms:CreateGrant",
            "kms:ListGrants"
         ],
         "Resource":"arn:aws:kms:us-west-2:123456789012:key/*"
      }
   ]
}
```
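The `ForAllValues:StringEquals` condition above has a subtlety worth testing: a set operator evaluates to true when the request carries no `quicksight:KmsKeyArns` values at all, so on its own it also matches a request that presents an empty set of key ARNs. The following Python is an added example (not from the page or from Amazon Quick) that evaluates a `Condition` block against a request context, shows that vacuous match, and shows the variant IAM documents for set operators: pairing the set condition with a `Null` check so the key must be present. The account id and key ids are the page's placeholders; the `UPDATE_CONDITION_WITH_NULL_GUARD` block is this example's hardened variant, not a policy from the page.

```python
import fnmatch

# The page's placeholder key ARNs (account id and key ids are placeholders).
ALLOWED_KEYS = [
    "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
    "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
]

# The Condition block from the UpdateKeyRegistration statement on this page.
UPDATE_CONDITION = {
    "ForAllValues:StringEquals": {"quicksight:KmsKeyArns": ALLOWED_KEYS},
}

# Assumption (this example's hardening, not from the page): a Null check with
# "false" requires the context key to be present, closing the vacuous match.
UPDATE_CONDITION_WITH_NULL_GUARD = {
    "ForAllValues:StringEquals": {"quicksight:KmsKeyArns": ALLOWED_KEYS},
    "Null": {"quicksight:KmsKeyArns": "false"},
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _single(operator, request_value, policy_values):
    """One request value against the policy's values for a string operator."""
    if operator == "StringEquals":
        return request_value in policy_values
    if operator == "StringNotEquals":
        return request_value not in policy_values
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(request_value, p) for p in policy_values)
    raise ValueError(f"operator not modelled: {operator}")


def _operator_matches(operator, key, policy_values, request):
    policy_values = _as_list(policy_values)
    if operator == "Null":
        present = key in request and request[key] not in (None, [], "")
        wants_absent = str(policy_values[0]).lower() == "true"
        return present != wants_absent
    if key not in request:
        # A missing key fails single-valued operators but ForAllValues passes
        # vacuously: there is no value that could violate it.
        return operator.startswith("ForAllValues:")
    request_values = _as_list(request[key])
    if operator.startswith("ForAllValues:"):
        base = operator.split(":", 1)[1]
        return all(_single(base, v, policy_values) for v in request_values)
    if operator.startswith("ForAnyValue:"):
        base = operator.split(":", 1)[1]
        return any(_single(base, v, policy_values) for v in request_values)
    # Single-valued operator: modelled as a match on any supplied value.
    return any(_single(operator, v, policy_values) for v in request_values)


def condition_matches(condition, request):
    """Every operator block, and every key inside it, must match (logical AND)."""
    return all(
        _operator_matches(operator, key, values, request)
        for operator, key_map in condition.items()
        for key, values in key_map.items()
    )


if __name__ == "__main__":
    print(condition_matches(UPDATE_CONDITION, {}))                       # True (vacuous)
    print(condition_matches(UPDATE_CONDITION_WITH_NULL_GUARD, {}))       # False
```

A request naming only registered keys matches both forms; a request that includes any key outside the list fails both; a request with no `quicksight:KmsKeyArns` at all matches the page's condition but not the guarded one.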

## IAM identity-based policies for Quick: Scoping policies in Enterprise edition

The following Amazon Quick Enterprise edition example shows a policy that allows setting default access to Amazon resources and Amazon resource permission scoping policies.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:*IAMPolicyAssignment*",
                "quicksight:AccountConfigurations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```