The Amazon Web Services services or features described in Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
IAM policy examples for Amazon QuickSight
This section provides examples of IAM policies that you can use with Amazon QuickSight.
Identity-based IAM policies for Amazon QuickSight
This section shows examples of identity-based policies for use with Amazon QuickSight.
Identity-based IAM policies for QuickSight IAM console administration
The following example shows the IAM permissions required for QuickSight IAM console administration actions.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:listPolicies",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog"
],
"Resource": [
"*"
]
}
]
}
Identity-based IAM policies for Amazon QuickSight: dashboards
The following is an example IAM policy that allows dashboard sharing and embedding for one specific dashboard.
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "quicksight:RegisterUser",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
"Effect": "Allow"
}
]
}
Identity-based IAM policies for Amazon QuickSight: namespaces
The following examples show IAM policies that allow a QuickSight administrator to create or delete namespaces.
Create a namespace
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"ds:DescribeDirectories",
"quicksight:CreateNamespace"
],
"Resource": "*"
}
]
}
Delete a namespace
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:UnauthorizeApplication",
"ds:DeleteDirectory",
"ds:DescribeDirectories",
"quicksight:DeleteNamespace"
],
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: custom permissions
The following example shows an IAM policy that allows QuickSight administrators and developers to manage custom permissions.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:*CustomPermissions"
],
"Resource": "*"
}
]
}
The following example shows another way of granting the same permissions as the previous example, listing each action explicitly instead of using the quicksight:*CustomPermissions wildcard.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:CreateCustomPermissions",
"quicksight:DescribeCustomPermissions",
"quicksight:ListCustomPermissions",
"quicksight:UpdateCustomPermissions",
"quicksight:DeleteCustomPermissions"
],
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: custom email report templates
The following example shows a policy that allows viewing, updating, and creating email report templates in QuickSight, and getting the verification attributes of Amazon Simple Email Service identities. The policy allows QuickSight administrators to create and update custom email report templates and to confirm that any custom email address they want to send email reports from is a verified identity in SES.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:DescribeAccountCustomization",
"quicksight:CreateAccountCustomization",
"quicksight:UpdateAccountCustomization",
"quicksight:DescribeEmailCustomizationTemplate",
"quicksight:CreateEmailCustomizationTemplate",
"quicksight:UpdateEmailCustomizationTemplate",
"ses:GetIdentityVerificationAttributes"
],
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: create an Enterprise account with QuickSight-managed users
The following example shows a policy that allows a QuickSight administrator to create an Enterprise edition QuickSight account that uses QuickSight-managed users.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:listPolicies",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:CheckAlias",
"ds:CreateAlias",
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory"
],
"Resource": [
"*"
]
}
]
}
Identity-based IAM policies for Amazon QuickSight: create users
The following example shows a policy that allows only the creation of Amazon QuickSight users. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can restrict the permission with "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify scopes the permission down to that resource.
Identity-based IAM policies for Amazon QuickSight: create and manage groups
The following example shows a policy that allows QuickSight administrators and developers to create and manage groups.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:ListGroups",
"quicksight:CreateGroup",
"quicksight:SearchGroups",
"quicksight:ListGroupMemberships",
"quicksight:CreateGroupMembership",
"quicksight:DeleteGroupMembership",
"quicksight:DescribeGroupMembership",
"quicksight:ListUsers"
],
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: all access for Standard edition
The following Amazon QuickSight Standard edition example shows a policy that allows subscribing and creating authors and readers. The example explicitly denies the permission to unsubscribe from Amazon QuickSight.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:CheckAlias",
"ds:CreateAlias",
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"iam:ListAccountAliases",
"quicksight:CreateUser",
"quicksight:DescribeAccountSubscription",
"quicksight:Subscribe"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: all access for Enterprise edition and IAM Identity Center (Pro roles)
The following Amazon QuickSight Enterprise edition example shows a policy that allows QuickSight users to subscribe to QuickSight, create users, and manage Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy also allows users to subscribe to QuickSight Pro roles, which grant access to the Amazon Q generative BI features in QuickSight. For more information about Pro roles in Amazon QuickSight, see .
The example explicitly denies the permission to unsubscribe from Amazon QuickSight.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:listPolicies",
"iam:CreateServiceLinkedRole",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"sso:DescribeApplication",
"sso:DescribeInstance",
"sso:CreateApplication",
"sso:PutApplicationAuthenticationMethod",
"sso:PutApplicationGrant",
"sso:DeleteApplication",
"sso:SearchGroups",
"sso:GetProfile",
"sso:CreateApplicationAssignment",
"sso:DeleteApplicationAssignment",
"sso:ListInstances",
"sso:DescribeRegisteredRegions",
"organizations:DescribeOrganization",
"user-subscriptions:CreateClaim",
"user-subscriptions:UpdateClaim",
"sso-directory:DescribeUser",
"sso:ListApplicationAssignments",
"sso-directory:DescribeGroup",
"organizations:ListAWSServiceAccessForOrganization",
"identitystore:DescribeUser",
"identitystore:DescribeGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "DenyUnsubscribe",
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: all access for Enterprise edition and IAM Identity Center
The following Amazon QuickSight Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy does not grant permission to create Pro roles in QuickSight. To create a policy that grants permission to subscribe to Pro roles in QuickSight, see Identity-based IAM policies for Amazon QuickSight: all access for Enterprise edition and IAM Identity Center (Pro roles).
The example explicitly denies the permission to unsubscribe from Amazon QuickSight.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:listPolicies",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"sso:DescribeApplication",
"sso:DescribeInstance",
"sso:CreateApplication",
"sso:PutApplicationAuthenticationMethod",
"sso:PutApplicationGrant",
"sso:DeleteApplication",
"sso:SearchGroups",
"sso:GetProfile",
"sso:CreateApplicationAssignment",
"sso:DeleteApplicationAssignment",
"sso:ListInstances",
"sso:DescribeRegisteredRegions",
"organizations:DescribeOrganization"
],
"Resource": [
"*"
]
},
{
"Sid": "DenyUnsubscribe",
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: all access for Enterprise edition and Active Directory
The following Amazon QuickSight Enterprise edition example shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that uses Active Directory for identity management. The example explicitly denies the permission to unsubscribe from Amazon QuickSight.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:CheckAlias",
"ds:CreateAlias",
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"iam:ListAccountAliases",
"quicksight:CreateAdmin",
"quicksight:Subscribe",
"quicksight:GetGroupMapping",
"quicksight:SearchDirectoryGroups",
"quicksight:SetGroupMapping"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: Active Directory groups
The following example shows an IAM policy that enables Active Directory group management for an Amazon QuickSight Enterprise edition account.
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ds:DescribeTrusts",
"quicksight:GetGroupMapping",
"quicksight:SearchDirectoryGroups",
"quicksight:SetGroupMapping"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: use the admin asset management console
The following example shows an IAM policy that allows access to the admin asset management console.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:SearchGroups",
"quicksight:SearchUsers",
"quicksight:ListNamespaces",
"quicksight:DescribeAnalysisPermissions",
"quicksight:DescribeDashboardPermissions",
"quicksight:DescribeDataSetPermissions",
"quicksight:DescribeDataSourcePermissions",
"quicksight:DescribeFolderPermissions",
"quicksight:ListAnalyses",
"quicksight:ListDashboards",
"quicksight:ListDataSets",
"quicksight:ListDataSources",
"quicksight:ListFolders",
"quicksight:SearchAnalyses",
"quicksight:SearchDashboards",
"quicksight:SearchFolders",
"quicksight:SearchDatasets",
"quicksight:SearchDatasources",
"quicksight:UpdateAnalysisPermissions",
"quicksight:UpdateDashboardPermissions",
"quicksight:UpdateDataSetPermissions",
"quicksight:UpdateDataSourcePermissions",
"quicksight:UpdateFolderPermissions"
],
"Resource": "*"
}
]
}
Identity-based IAM policies for Amazon QuickSight: use the admin key management console
The following example shows an IAM policy that allows access to the admin key management console.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"quicksight:DescribeKeyRegistration",
"quicksight:UpdateKeyRegistration",
"quicksight:ListKMSKeysForUser",
"kms:CreateGrant",
"kms:ListGrants",
"kms:ListAliases"
],
"Resource":"*"
}
]
}
Accessing customer managed keys from the QuickSight console requires the "quicksight:ListKMSKeysForUser" and "kms:ListAliases" permissions. Using the QuickSight key management APIs does not require "quicksight:ListKMSKeysForUser" or "kms:ListAliases".
To specify which keys you want users to be able to access, use the quicksight:KmsKeyArns condition key to add the ARNs of those keys to the condition on UpdateKeyRegistration. Users can then access only the keys listed in that UpdateKeyRegistration condition. For more information about the condition keys that QuickSight supports, see Condition keys for Amazon QuickSight.
The following example grants Describe permissions for all CMKs registered to a QuickSight account, and Update permissions only for specific CMKs registered to that account.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"quicksight:DescribeKeyRegistration"
],
"Resource":"arn:aws:quicksight:us-west-2:123456789012:*"
},
{
"Effect":"Allow",
"Action":[
"quicksight:UpdateKeyRegistration"
],
"Resource":"arn:aws:quicksight:us-west-2:123456789012:*",
"Condition":{
"ForAllValues:StringEquals":{
"quicksight:KmsKeyArns":[
"arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
"arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
"..."
]
}
}
},
{
"Effect":"Allow",
"Action":[
"kms:CreateGrant",
"kms:ListGrants"
],
"Resource":"arn:aws:kms:us-west-2:123456789012:key/*"
}
]
}
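The UpdateKeyRegistration statement above relies on a multi-valued condition, ForAllValues:StringEquals on quicksight:KmsKeyArns, and that operator has a behaviour worth verifying before relying on it: every key ARN in the request must appear in the policy's list, but a request that carries no value for the key at all satisfies the operator vacuously. The following Python snippet is an added example, not code from this guide or from AWS; it models that statement on the constructed key ARNs from the example above (account 123456789012, key-id-of-key1 and key-id-of-key2), implements the three condition operators involved (ForAllValues:StringEquals, ForAnyValue:StringEquals and Null), and shows how adding a Null check on the same condition key closes the empty-set case. The request-context shape (a condition key mapped to a list of values) is an assumption of the model.

```python
# Constructed key ARNs, matching the placeholders in the example policy above.
ALLOWED_KEY_ARNS = [
    "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
    "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
]
OTHER_KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key3"


def key_registration_statement(require_key_present: bool) -> dict:
    """Build the UpdateKeyRegistration statement from the example, optionally
    hardened with a Null condition so the request must actually name keys."""
    stmt = {
        "Effect": "Allow",
        "Action": ["quicksight:UpdateKeyRegistration"],
        "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
        "Condition": {
            "ForAllValues:StringEquals": {"quicksight:KmsKeyArns": ALLOWED_KEY_ARNS},
        },
    }
    if require_key_present:
        # Null: "false" means the condition key must be present in the request context.
        stmt["Condition"]["Null"] = {"quicksight:KmsKeyArns": "false"}
    return stmt


def condition_holds(condition: dict, request_context: dict) -> bool:
    """Evaluate the subset of IAM condition operators used in this example.
    request_context maps a condition key to the list of values in the request;
    a missing key is treated as an empty list."""
    for operator, tests in condition.items():
        for key, policy_values in tests.items():
            request_values = request_context.get(key, [])
            if operator == "ForAllValues:StringEquals":
                # Every request value must be in the policy list. An absent or empty
                # key passes vacuously, which is the case the Null check guards against.
                if not all(v in policy_values for v in request_values):
                    return False
            elif operator == "ForAnyValue:StringEquals":
                # At least one request value must be in the policy list.
                if not any(v in policy_values for v in request_values):
                    return False
            elif operator == "Null":
                must_be_absent = str(policy_values).lower() == "true"
                if bool(request_values) == must_be_absent:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def update_key_registration_allowed(require_key_present: bool, requested_arns: list) -> bool:
    """Would an UpdateKeyRegistration call naming these key ARNs satisfy the statement?"""
    stmt = key_registration_statement(require_key_present)
    return condition_holds(stmt["Condition"], {"quicksight:KmsKeyArns": requested_arns})


if __name__ == "__main__":
    for hardened in (False, True):
        for arns in ([ALLOWED_KEY_ARNS[0]], ALLOWED_KEY_ARNS, [ALLOWED_KEY_ARNS[0], OTHER_KEY_ARN], []):
            print(hardened, len(arns), update_key_registration_allowed(hardened, arns))
```

The interesting row is the empty request: with ForAllValues alone it is permitted, with the added Null condition it is not. Whether an empty quicksight:KmsKeyArns value can reach the service in practice depends on the API, so treat the Null addition as defence in depth rather than a change to the guide's example.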
Amazon resources for Amazon QuickSight: scoping policies in Enterprise edition
The following Amazon QuickSight Enterprise edition example shows a policy that allows setting default access to Amazon resources and scoping a policy's permissions to specific Amazon resources.
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"quicksight:*IAMPolicyAssignment*",
"quicksight:AccountConfigurations"
],
"Effect": "Allow",
"Resource": "*"
}
]
}