Configure Systems Manager Application Manager permissions - Amazon Web Services Systems Manager
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS Services in China.

This is a machine-translated version. If there is a discrepancy between this translation and the English original, the English original prevails.

Configure Systems Manager Application Manager permissions

You can use all of the features of Application Manager, a capability of Amazon Web Services Systems Manager, if your AWS Identity and Access Management (IAM) user, group, or role has permission to access the API operations listed in this topic. The API operations are divided into two tables to help you understand the different functions they perform.

The following table lists the API operations that Systems Manager calls when you choose a resource in Application Manager to view its details. For example, if Application Manager lists an Amazon EC2 Auto Scaling group and you choose that group to view its details, Systems Manager calls the autoscaling:DescribeAutoScalingGroups API operation. If your account doesn't contain any Auto Scaling groups, this API operation is not called from Application Manager.

Resource details only

  acm:DescribeCertificate
  acm:ListTagsForCertificate
  autoscaling:DescribeAutoScalingGroups
  cloudfront:GetDistribution
  cloudfront:ListTagsForResource
  cloudtrail:DescribeTrails
  cloudtrail:ListTags
  cloudtrail:LookupEvents
  codebuild:BatchGetProjects
  codepipeline:GetPipeline
  codepipeline:ListTagsForResource
  dynamodb:DescribeTable
  dynamodb:ListTagsOfResource
  ec2:DescribeAddresses
  ec2:DescribeCustomerGateways
  ec2:DescribeHosts
  ec2:DescribeInternetGateways
  ec2:DescribeNetworkAcls
  ec2:DescribeNetworkInterfaces
  ec2:DescribeRouteTables
  ec2:DescribeSecurityGroups
  ec2:DescribeSubnets
  ec2:DescribeVolumes
  ec2:DescribeVpcs
  ec2:DescribeVpnConnections
  ec2:DescribeVpnGateways
  elasticbeanstalk:DescribeApplications
  elasticbeanstalk:ListTagsForResource
  elasticloadbalancing:DescribeInstanceHealth
  elasticloadbalancing:DescribeListeners
  elasticloadbalancing:DescribeLoadBalancers
  elasticloadbalancing:DescribeTags
  iam:GetGroup
  iam:GetPolicy
  iam:GetRole
  iam:GetUser
  lambda:GetFunction
  rds:DescribeDBClusters
  rds:DescribeDBInstances
  rds:DescribeDBSecurityGroups
  rds:DescribeDBSnapshots
  rds:DescribeDBSubnetGroups
  rds:DescribeEventSubscriptions
  rds:ListTagsForResource
  redshift:DescribeClusterParameters
  redshift:DescribeClusterSecurityGroups
  redshift:DescribeClusterSnapshots
  redshift:DescribeClusterSubnetGroups
  redshift:DescribeClusters
  s3:GetBucketTagging

The following table lists the API operations that Systems Manager uses to make changes to the applications and resources listed in Application Manager, or to view operational information about a selected application or resource.

Application actions and details

  cloudformation:DescribeStacks
  cloudwatch:DescribeAlarms
  cloudwatch:DescribeInsightRules
  cloudwatch:ListMetrics
  cloudwatch:ListTagsForResource
  config:DescribeComplianceByResource
  config:DescribeRemediationConfigurations
  config:GetComplianceDetailsByResource
  config:GetResourceConfigHistory
  config:StartConfigRulesEvaluation
  ec2:DescribeInstances
  eks:DescribeCluster
  eks:ListClusters
  eks:ListFargateProfiles
  eks:ListNodegroups
  eks:TagResource
  ecs:ListClusters
  ecs:DescribeClusters
  ecs:ListContainerInstances
  ecs:DescribeContainerInstances
  ecs:DescribeCapacityProviders
  ecs:TagResource
  resource-groups:CreateGroup
  resource-groups:DeleteGroup
  resource-groups:GetGroup
  resource-groups:GetGroupQuery
  resource-groups:GetTags
  resource-groups:ListGroupResources
  resource-groups:ListGroups
  resource-groups:Tag
  resource-groups:Untag
  ssm:CreateOpsMetadata
  ssm:DeleteOpsMetadata
  ssm:GetOpsSummary
  ssm:GetOpsMetadata
  ssm:UpdateServiceSetting
  ssm:GetServiceSetting
  ssm:ListOpsMetadata
  ssm:UpdateOpsItem
  tag:GetTagKeys
  tag:GetTagValues

Configure permissions

To configure Application Manager permissions for an IAM user, group, or role, create an IAM policy using the following example. This example policy includes all of the API operations used by Application Manager.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListTagsForCertificate",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudfront:GetDistribution",
                "cloudfront:ListTagsForResource",
                "cloudtrail:DescribeTrails",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "codebuild:BatchGetProjects",
                "codepipeline:GetPipeline",
                "codepipeline:ListTagsForResource",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAddresses",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeHosts",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeCapacityProviders",
                "ecs:TagResource",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:ListTagsForResource",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "iam:GetGroup",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:GetUser",
                "lambda:GetFunction",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventSubscriptions",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusterSecurityGroups",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeClusters",
                "s3:GetBucketTagging",
                "cloudformation:DescribeStacks",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeInsightRules",
                "cloudwatch:ListMetrics",
                "cloudwatch:ListTagsForResource",
                "config:DescribeComplianceByResource",
                "config:DescribeRemediationConfigurations",
                "config:GetComplianceDetailsByResource",
                "config:GetResourceConfigHistory",
                "config:StartConfigRulesEvaluation",
                "ec2:DescribeInstances",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:ListFargateProfiles",
                "eks:ListNodegroups",
                "eks:TagResource",
                "resource-groups:CreateGroup",
                "resource-groups:DeleteGroup",
                "resource-groups:GetGroup",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:Tag",
                "resource-groups:Untag",
                "ssm:CreateOpsMetadata",
                "ssm:DeleteOpsMetadata",
                "ssm:GetOpsSummary",
                "ssm:GetOpsMetadata",
                "ssm:UpdateServiceSetting",
                "ssm:GetServiceSetting",
                "ssm:ListOpsMetadata",
                "ssm:UpdateOpsItem",
                "tag:GetTagKeys",
                "tag:GetTagValues"
            ],
            "Resource": "*"
        }
    ]
}
Note

You can restrict a user's ability to make changes to applications and resources in Application Manager by removing the following API operations from the IAM permissions policy attached to the user, group, or role. Removing these operations creates a read-only experience in Application Manager.

  eks:TagResource
  resource-groups:CreateGroup
  resource-groups:DeleteGroup
  resource-groups:Tag
  resource-groups:Untag
  ssm:CreateOpsMetadata
  ssm:DeleteOpsMetadata
  ssm:UpdateOpsItem
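The following Python script is an added example, not code from the AWS documentation or from Systems Manager. It builds the example policy above from the two action tables, derives the read-only variant by dropping the operations listed in the note, and checks a policy document you already have against the documented action set before you attach it. The READ_PREFIXES heuristic (treating Describe/Get/List/Lookup/BatchGet verbs as read-only) is my own assumption, used only to flag actions for manual review; it is not an AWS classification.

```python
"""Build, trim and check the Application Manager IAM policy from this page.
Added example; the action tables are transcribed from the page, the read-only
verb heuristic is an assumption for review purposes only."""
import json

# Table "Resource details only" (50 actions), transcribed from the page.
RESOURCE_DETAIL_ACTIONS = """
acm:DescribeCertificate acm:ListTagsForCertificate autoscaling:DescribeAutoScalingGroups
cloudfront:GetDistribution cloudfront:ListTagsForResource cloudtrail:DescribeTrails
cloudtrail:ListTags cloudtrail:LookupEvents codebuild:BatchGetProjects
codepipeline:GetPipeline codepipeline:ListTagsForResource dynamodb:DescribeTable
dynamodb:ListTagsOfResource ec2:DescribeAddresses ec2:DescribeCustomerGateways
ec2:DescribeHosts ec2:DescribeInternetGateways ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces ec2:DescribeRouteTables ec2:DescribeSecurityGroups
ec2:DescribeSubnets ec2:DescribeVolumes ec2:DescribeVpcs ec2:DescribeVpnConnections
ec2:DescribeVpnGateways elasticbeanstalk:DescribeApplications
elasticbeanstalk:ListTagsForResource elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags iam:GetGroup iam:GetPolicy iam:GetRole iam:GetUser
lambda:GetFunction rds:DescribeDBClusters rds:DescribeDBInstances
rds:DescribeDBSecurityGroups rds:DescribeDBSnapshots rds:DescribeDBSubnetGroups
rds:DescribeEventSubscriptions rds:ListTagsForResource redshift:DescribeClusterParameters
redshift:DescribeClusterSecurityGroups redshift:DescribeClusterSnapshots
redshift:DescribeClusterSubnetGroups redshift:DescribeClusters s3:GetBucketTagging
""".split()

# Table "Application actions and details" (41 actions), transcribed from the page.
APPLICATION_ACTIONS = """
cloudformation:DescribeStacks cloudwatch:DescribeAlarms cloudwatch:DescribeInsightRules
cloudwatch:ListMetrics cloudwatch:ListTagsForResource config:DescribeComplianceByResource
config:DescribeRemediationConfigurations config:GetComplianceDetailsByResource
config:GetResourceConfigHistory config:StartConfigRulesEvaluation ec2:DescribeInstances
eks:DescribeCluster eks:ListClusters eks:ListFargateProfiles eks:ListNodegroups
eks:TagResource ecs:ListClusters ecs:DescribeClusters ecs:ListContainerInstances
ecs:DescribeContainerInstances ecs:DescribeCapacityProviders ecs:TagResource
resource-groups:CreateGroup resource-groups:DeleteGroup resource-groups:GetGroup
resource-groups:GetGroupQuery resource-groups:GetTags resource-groups:ListGroupResources
resource-groups:ListGroups resource-groups:Tag resource-groups:Untag
ssm:CreateOpsMetadata ssm:DeleteOpsMetadata ssm:GetOpsSummary ssm:GetOpsMetadata
ssm:UpdateServiceSetting ssm:GetServiceSetting ssm:ListOpsMetadata ssm:UpdateOpsItem
tag:GetTagKeys tag:GetTagValues
""".split()

# Operations the note says to remove for a read-only Application Manager experience.
MUTATING_ACTIONS = """
eks:TagResource resource-groups:CreateGroup resource-groups:DeleteGroup
resource-groups:Tag resource-groups:Untag ssm:CreateOpsMetadata
ssm:DeleteOpsMetadata ssm:UpdateOpsItem
""".split()

# Assumption: API verbs with these prefixes are treated as read-only by the
# review heuristic below. Anything else is reported for a human to look at.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "BatchGet")


def build_policy(actions):
    """Return a policy document in the same shape as the page's example
    (single Allow statement, Resource "*"), with duplicates removed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}
        ],
    }


def policy_actions(policy):
    """Collect every action named in a policy document (string or list form)."""
    found = set()
    for stmt in policy["Statement"]:
        action = stmt.get("Action", [])
        found.update([action] if isinstance(action, str) else action)
    return found


def read_only_policy(policy, mutating=MUTATING_ACTIONS):
    """Return a copy of the policy with the mutating operations removed.
    Statements left with no actions are dropped rather than emitted empty."""
    removed = set(mutating)
    statements = []
    for stmt in policy["Statement"]:
        action = stmt.get("Action", [])
        action = [action] if isinstance(action, str) else list(action)
        kept = [a for a in action if a not in removed]
        if kept:
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}


def non_read_actions(policy):
    """Actions whose verb does not start with a READ_PREFIXES entry; these are
    the ones to review by hand when the goal is a read-only policy."""
    return sorted(
        a for a in policy_actions(policy)
        if not a.split(":", 1)[1].startswith(READ_PREFIXES)
    )


def check_policy(policy):
    """Compare a policy document against the union of the two tables.
    Returns (missing, extra): documented actions absent from the policy, and
    actions granted by the policy that the page does not list."""
    documented = set(RESOURCE_DETAIL_ACTIONS) | set(APPLICATION_ACTIONS)
    actual = policy_actions(policy)
    return documented - actual, actual - documented


if __name__ == "__main__":
    full = build_policy(RESOURCE_DETAIL_ACTIONS + APPLICATION_ACTIONS)
    trimmed = read_only_policy(full)
    print(json.dumps(trimmed, indent=4))
    print("missing/extra vs. page:", check_policy(full))
    print("left for manual review:", non_read_actions(trimmed))
```

Run as-is, the script prints the read-only policy and reports that, after the eight operations from the note are removed, the heuristic still flags config:StartConfigRulesEvaluation, ecs:TagResource and ssm:UpdateServiceSetting, because their verbs are not Describe/Get/List. Whether those belong in your read-only policy is a decision for your review; the page's note does not list them. To check a policy you already have, load its JSON with json.load and pass it to check_policy, which returns any documented actions it lacks and any extra actions it grants beyond the page's set.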

For information about creating and editing IAM policies, see Creating IAM policies in the IAM User Guide. For information about how to assign this policy to an IAM user, group, or role, see Adding and removing IAM identity permissions.