Identity-based policy examples for IAM Identity Center - Amazon IAM Identity Center

This page is a machine-translated version. If the translation differs from the English original, the English original prevails.

Identity-based policy examples for IAM Identity Center

This topic provides example IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.

Important

We recommend that you first read the introductory topics that explain the basic concepts and options for managing access to IAM Identity Center resources. For more information, see Overview of managing access permissions to your IAM Identity Center resources.


Custom policy examples

This section provides example policies for common use cases that require a custom IAM policy. These example policies are identity-based policies, so they do not specify a Principal element: with an identity-based policy you do not name the principal that receives the permissions; instead, you attach the policy to a principal. When you attach an identity-based permissions policy to an IAM role, the principal identified in that role's trust policy receives the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.

Note

Use these examples when creating policies for your environment, and make sure to test both positive ("grant access") and negative ("deny access") test cases before deploying the policies in a production environment. For more information about testing IAM policies, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.

Example 1: Allow a user to view IAM Identity Center

The following permissions policy grants a user read-only permissions so that they can view all of the settings and directory information configured in IAM Identity Center.

Note

This policy is provided for reference only. In a production environment, we recommend that you use the ViewOnlyAccess Amazon managed policy for IAM Identity Center.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "iam:ListPolicies",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet",
                "sso:GetInlinePolicyForPermissionSet",
                "sso-directory:DescribeDirectory",
                "sso-directory:SearchUsers",
                "sso-directory:SearchGroups"
            ],
            "Resource": "*"
        }
    ]
}

Example 2: Allow a user to manage permissions in IAM Identity Center for your Amazon Web Services accounts

The following permissions policy grants permissions that allow a user to create, manage, and deploy permission sets for your Amazon Web Services accounts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeleteInlinePolicyFromPermissionSet",
                "sso:DeletePermissionSet",
                "sso:DetachManagedPolicyFromPermissionSet",
                "sso:ProvisionPermissionSet",
                "sso:PutInlinePolicyToPermissionSet",
                "sso:UpdatePermissionSet"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListPolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetSAMLProvider"
            ],
            "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
        }
    ]
}

Note

The additional permissions listed under the "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisionedRoles" sections are required only to enable the user to create assignments in the Amazon Organizations management account. In some cases, you might also need to add iam:UpdateSAMLProvider to these sections.
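The note near the top of this page recommends running both positive ("grant access") and negative ("deny access") test cases before a policy reaches production. The following Python script is an added example and is not part of the Amazon documentation: it implements a small offline evaluator of the IAM decision order (an explicit Deny wins, then a matching Allow, otherwise implicit deny) with IAM's '*' and '?' wildcards, and runs such cases against the Example 2 policy above. The account ID, permission set ARN, role ARN and SAML provider ARN used in the cases are constructed sample values. Conditions, NotAction/NotResource, SCPs, permission boundaries and resource-based policies are not modelled, so the IAM policy simulator remains the authoritative check.

```python
"""Added example, not from the AWS documentation: a minimal offline evaluator
for identity-based IAM policies, used to run positive and negative test cases
against the page's Example 2 policy. Conditions, NotAction/NotResource, SCPs,
permission boundaries and resource-based policies are NOT modelled."""
from fnmatch import fnmatchcase

# Example 2 policy as printed on the page.
EXAMPLE_2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "sso:AttachManagedPolicyToPermissionSet", "sso:CreateAccountAssignment",
            "sso:CreatePermissionSet", "sso:DeleteAccountAssignment",
            "sso:DeleteInlinePolicyFromPermissionSet", "sso:DeletePermissionSet",
            "sso:DetachManagedPolicyFromPermissionSet", "sso:ProvisionPermissionSet",
            "sso:PutInlinePolicyToPermissionSet", "sso:UpdatePermissionSet"]},
        {"Sid": "IAMListPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListRoles", "iam:ListPolicies"]},
        {"Sid": "AccessToSSOProvisionedRoles", "Effect": "Allow",
         "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*",
         "Action": [
            "iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
            "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetRole",
            "iam:ListAttachedRolePolicies", "iam:ListRolePolicies",
            "iam:PutRolePolicy", "iam:UpdateRole", "iam:UpdateRoleDescription"]},
        {"Effect": "Allow", "Action": ["iam:GetSAMLProvider"],
         "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, case_insensitive):
    # IAM wildcards map onto fnmatch: '*' = any run of characters, '?' = one.
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            raise ValueError("NotAction/NotResource statements are not modelled")
        # Action names are case-insensitive in IAM; ARNs match case-sensitively.
        if not _any_match(_as_list(stmt["Action"]), action, True):
            continue
        if not _any_match(_as_list(stmt["Resource"]), resource, False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def run_test_cases(policy, cases):
    """cases: (action, resource, expected) triples; returns the failing ones."""
    failures = []
    for action, resource, expected in cases:
        got = evaluate(policy, action, resource)
        if got != expected:
            failures.append((action, resource, expected, got))
    return failures


# Constructed sample identifiers (not real accounts or resources).
ACCOUNT = "111122223333"
PERMISSION_SET = "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/ps-0123456789abcdef"
SSO_ROLE = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_0123456789abcdef"
SAML_PROVIDER = f"arn:aws:iam::{ACCOUNT}:saml-provider/AWSSSO_abcdef0123_DO_NOT_DELETE"

TEST_CASES = [
    # positive cases: what the policy is meant to grant
    ("sso:CreatePermissionSet", PERMISSION_SET, "Allow"),
    ("iam:CreateRole", SSO_ROLE, "Allow"),
    ("iam:GetSAMLProvider", SAML_PROVIDER, "Allow"),
    # negative cases: Resource scoping keeps the user away from other roles,
    # and iam:UpdateSAMLProvider (mentioned in the note) is not granted
    ("iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/OrganizationAccountAccessRole", "ImplicitDeny"),
    ("iam:UpdateSAMLProvider", SAML_PROVIDER, "ImplicitDeny"),
    ("iam:CreateUser", f"arn:aws:iam::{ACCOUNT}:user/alice", "ImplicitDeny"),
]

if __name__ == "__main__":
    failures = run_test_cases(EXAMPLE_2_POLICY, TEST_CASES)
    print("all test cases passed" if not failures else f"failures: {failures}")
```

The negative cases are the useful half: they confirm that the role permissions in the "AccessToSSOProvisionedRoles" statement stay confined to the aws-reserved/sso.amazonaws.com path and that nothing outside the listed actions is granted by accident.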

Example 3: Allow a user to manage applications in IAM Identity Center

The following permissions policy grants permissions that allow a user to view and configure applications in IAM Identity Center, including the pre-integrated SaaS applications in the IAM Identity Center catalog.

Note

The sso:AssociateProfile action used in the following policy example is required to manage user and group assignments for applications. It also allows the user to assign users and groups to Amazon Web Services accounts using existing permission sets. If a user must manage Amazon Web Services account access in IAM Identity Center and requires the permissions needed to manage permission sets, see Example 2: Allow a user to manage permissions in IAM Identity Center for your Amazon Web Services accounts.

As of October 2020, many of these actions are available only through the Amazon console. This example policy includes "read" actions such as list, get, and search, which are relevant to error-free operation of the console in this case.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AssociateProfile",
                "sso:CreateApplicationInstance",
                "sso:ImportApplicationInstanceServiceProviderMetadata",
                "sso:DeleteApplicationInstance",
                "sso:DeleteProfile",
                "sso:DisassociateProfile",
                "sso:GetApplicationTemplate",
                "sso:UpdateApplicationInstanceServiceProviderConfiguration",
                "sso:UpdateApplicationInstanceDisplayData",
                "sso:DeleteManagedApplicationInstance",
                "sso:UpdateApplicationInstanceStatus",
                "sso:GetManagedApplicationInstance",
                "sso:UpdateManagedApplicationInstanceStatus",
                "sso:CreateManagedApplicationInstance",
                "sso:UpdateApplicationInstanceSecurityConfiguration",
                "sso:UpdateApplicationInstanceResponseConfiguration",
                "sso:GetApplicationInstance",
                "sso:CreateApplicationInstanceCertificate",
                "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
                "sso:UpdateApplicationInstanceActiveCertificate",
                "sso:DeleteApplicationInstanceCertificate",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListApplicationInstances",
                "sso:ListDirectoryAssociations",
                "sso:ListProfiles",
                "sso:ListProfileAssociations",
                "sso:ListInstances",
                "sso:GetProfile",
                "sso:GetSSOStatus",
                "sso:GetSsoConfiguration",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeUsers",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}

Example 4: Allow a user to manage users and groups in your Identity Center directory

The following permissions policy grants permissions that allow a user to create, view, modify, and delete users and groups in IAM Identity Center.

In some cases, direct modification of users and groups in IAM Identity Center is restricted, for example when Active Directory, or an external identity provider with automatic provisioning enabled, is selected as the identity source.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:ListGroupsForUser",
                "sso-directory:DisableUser",
                "sso-directory:EnableUser",
                "sso-directory:SearchGroups",
                "sso-directory:DeleteGroup",
                "sso-directory:AddMemberToGroup",
                "sso-directory:DescribeDirectory",
                "sso-directory:UpdateUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:CreateUser",
                "sso-directory:DescribeGroups",
                "sso-directory:SearchUsers",
                "sso:ListDirectoryAssociations",
                "sso-directory:RemoveMemberFromGroup",
                "sso-directory:DeleteUser",
                "sso-directory:DescribeUsers",
                "sso-directory:UpdateGroup",
                "sso-directory:CreateGroup"
            ],
            "Resource": "*"
        }
    ]
}

Permissions required to use the IAM Identity Center console

Additional permissions are required for users to work correctly with the IAM Identity Center console. If an IAM policy is created that is more restrictive than the minimum required permissions, the console will not function as expected for users of that policy. The following example lists the set of permissions that might be required to ensure error-free operation within the IAM Identity Center console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:DescribePermissionSet",
                "sso:DescribePermissionSetProvisioningStatus",
                "sso:DescribePermissionsPolicies",
                "sso:DescribeRegisteredRegions",
                "sso:GetApplicationInstance",
                "sso:GetApplicationTemplate",
                "sso:GetInlinePolicyForPermissionSet",
                "sso:GetManagedApplicationInstance",
                "sso:GetMfaDeviceManagementForDirectory",
                "sso:GetPermissionSet",
                "sso:GetPermissionsPolicy",
                "sso:GetProfile",
                "sso:GetSharedSsoConfiguration",
                "sso:GetSsoConfiguration",
                "sso:GetSSOStatus",
                "sso:GetTrust",
                "sso:ListAccountAssignmentCreationStatus",
                "sso:ListAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplications",
                "sso:ListApplicationTemplates",
                "sso:ListDirectoryAssociations",
                "sso:ListInstances",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetProvisioningStatus",
                "sso:ListPermissionSets",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListProfileAssociations",
                "sso:ListProfiles",
                "sso:ListTagsForResource",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeGroups",
                "sso-directory:DescribeUsers",
                "sso-directory:ListGroupsForUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
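A policy that is tighter than this list will leave parts of the console broken for its users. The following Python script is an added example and is not part of the Amazon documentation: it compares the Allow actions of a policy against the console permission list above and reports every required action the policy does not grant, honouring '*' and '?' wildcards in the Action element. The read-only policy it checks is Example 1 from this page reduced to its sso and sso-directory actions (the ds, iam and organizations actions play no part in this comparison); the wildcard policy is a constructed sample. Deny statements, Condition blocks and NotAction are out of scope, so an empty result means the Allow side is complete, not that every policy combination will work.

```python
"""Added example, not from the AWS documentation: report which of the
actions the page lists as needed by the IAM Identity Center console a
policy does not grant. Only Allow statements with an Action element are
considered; Deny, Condition and NotAction are out of scope."""
from fnmatch import fnmatchcase

# Actions from the page's "Permissions required to use the IAM Identity Center console" policy.
CONSOLE_REQUIRED_ACTIONS = [
    "sso:DescribeAccountAssignmentCreationStatus", "sso:DescribeAccountAssignmentDeletionStatus",
    "sso:DescribePermissionSet", "sso:DescribePermissionSetProvisioningStatus",
    "sso:DescribePermissionsPolicies", "sso:DescribeRegisteredRegions",
    "sso:GetApplicationInstance", "sso:GetApplicationTemplate",
    "sso:GetInlinePolicyForPermissionSet", "sso:GetManagedApplicationInstance",
    "sso:GetMfaDeviceManagementForDirectory", "sso:GetPermissionSet",
    "sso:GetPermissionsPolicy", "sso:GetProfile", "sso:GetSharedSsoConfiguration",
    "sso:GetSsoConfiguration", "sso:GetSSOStatus", "sso:GetTrust",
    "sso:ListAccountAssignmentCreationStatus", "sso:ListAccountAssignmentDeletionStatus",
    "sso:ListAccountAssignments", "sso:ListAccountsForProvisionedPermissionSet",
    "sso:ListApplicationInstanceCertificates", "sso:ListApplicationInstances",
    "sso:ListApplications", "sso:ListApplicationTemplates", "sso:ListDirectoryAssociations",
    "sso:ListInstances", "sso:ListManagedPoliciesInPermissionSet",
    "sso:ListPermissionSetProvisioningStatus", "sso:ListPermissionSets",
    "sso:ListPermissionSetsProvisionedToAccount", "sso:ListProfileAssociations",
    "sso:ListProfiles", "sso:ListTagsForResource",
    "sso-directory:DescribeDirectory", "sso-directory:DescribeGroups",
    "sso-directory:DescribeUsers", "sso-directory:ListGroupsForUser",
    "sso-directory:ListMembersInGroup", "sso-directory:SearchGroups",
    "sso-directory:SearchUsers",
]

# Example 1 from the page, reduced to its sso / sso-directory actions.
EXAMPLE_1_READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListAccountAssignments", "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListPermissionSets", "sso:DescribePermissionSet",
        "sso:GetInlinePolicyForPermissionSet", "sso-directory:DescribeDirectory",
        "sso-directory:SearchUsers", "sso-directory:SearchGroups"]}]}

# Constructed sample: the same intent written with action wildcards.
WILDCARD_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["sso:List*", "sso:Describe*", "sso:Get*"]}]}


def allowed_action_patterns(policy):
    """Action patterns of every Allow statement, lower-cased because IAM
    matches action names case-insensitively."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend(a.lower() for a in (actions if isinstance(actions, list) else [actions]))
    return patterns


def missing_console_actions(policy, required=CONSOLE_REQUIRED_ACTIONS):
    """Required actions that no Allow pattern in the policy covers, in page order."""
    patterns = allowed_action_patterns(policy)
    return [act for act in required
            if not any(fnmatchcase(act.lower(), p) for p in patterns)]


if __name__ == "__main__":
    for name, pol in (("Example 1 read-only", EXAMPLE_1_READ_ONLY),
                      ("wildcard sample", WILDCARD_READ_POLICY)):
        gaps = missing_console_actions(pol)
        print(f"{name}: {len(gaps)} console action(s) not granted")
        for act in gaps:
            print("  -", act)
```

Run against Example 1 the script reports the sso:Describe*/Get*/List* actions the read-only policy lacks; run against the wildcard sample it shows that "sso:List*", "sso:Describe*" and "sso:Get*" cover every sso action in the list but none of the sso-directory actions, which a wildcard on the sso prefix never matches.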