本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
配置 Systems Manager 应用程序管理器权限
您可以使用应用程序管理器的所有功能,Amazon Web Services Systems Manager(如果您的 AWS Identity and Access Management (IAM) 用户、组或角色具有访问本主题中列出的 API 操作的访问权限)。API 操作分为两个表,以帮助您了解它们执行的不同功能。
下表列出了由于要查看资源详细信息而在应用程序管理器中选择资源时 Systems Manager 调用的 API 操作。例如,如果应用程序管理器列出了 Amazon
EC2 Auto Scaling 组,并且您选择该组查看其详细信息,Systems Manager 将调用autoscaling:DescribeAutoScalingGroupsAPI 操作。如果您的账户中没有任何 Auto Scaling 组,则不会从应用程序管理器调用此 API 操作。
| 仅限资源详细信息 |
|---|
|
下表列出了 Systems Manager 用于对应用程序管理器中列出的应用程序和资源进行更改或查看所选应用程序或资源的操作信息的 API 操作。
| 申请操作和详细信息 |
|---|
|
配置权限
要配置 IAM 用户、组或角色的应用程序管理器权限,请使用以下示例创建 IAM 策略。此策略示例包括应用程序管理器使用的所有 API 操作。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm:DescribeCertificate", "acm:ListTagsForCertificate", "autoscaling:DescribeAutoScalingGroups", "cloudfront:GetDistribution", "cloudfront:ListTagsForResource", "cloudtrail:DescribeTrails", "cloudtrail:ListTags", "cloudtrail:LookupEvents", "codebuild:BatchGetProjects", "codepipeline:GetPipeline", "codepipeline:ListTagsForResource", "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource", "ec2:DescribeAddresses", "ec2:DescribeCustomerGateways", "ec2:DescribeHosts", "ec2:DescribeInternetGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ecs:ListClusters", "ecs:DescribeClusters", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", "ecs:DescribeCapacityProviders", "ecs:TagResource", "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:ListTagsForResource", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "iam:GetGroup", "iam:GetPolicy", "iam:GetRole", "iam:GetUser", "lambda:GetFunction", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions", "rds:ListTagsForResource", "redshift:DescribeClusterParameters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusters", "s3:GetBucketTagging", "cloudformation:DescribeStacks", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeInsightRules", "cloudwatch:ListMetrics", "cloudwatch:ListTagsForResource", "config:DescribeComplianceByResource", "config:DescribeRemediationConfigurations", "config:GetComplianceDetailsByResource", "config:GetResourceConfigHistory", "config:StartConfigRulesEvaluation", "ec2:DescribeInstances", "eks:DescribeCluster", "eks:ListClusters", "eks:ListFargateProfiles", "eks:ListNodegroups", "eks:TagResource", "resource-groups:CreateGroup", "resource-groups:DeleteGroup", "resource-groups:GetGroup", "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "resource-groups:Tag", "resource-groups:Untag", "ssm:CreateOpsMetadata", "ssm:DeleteOpsMetadata", "ssm:GetOpsSummary", "ssm:GetOpsMetadata", "ssm:UpdateServiceSetting", "ssm:GetServiceSetting", "ssm:ListOpsMetadata", "ssm:UpdateOpsItem", "tag:GetTagKeys", "tag:GetTagValues" ], "Resource": "*" } ] }
您可以通过从附加到用户、组或角色的 IAM 权限策略中删除以下 API 操作,限制用户在应用程序管理器中对应用程序和资源进行更改的能力。删除这些操作会在应用程序管理器中创建只读体验。
eks:TagResource resource-groups:CreateGroup resource-groups:DeleteGroup resource-groups:Tag resource-groups:Untag ssm:CreateOpsMetadata ssm:DeleteOpsMetadata ssm:UpdateOpsItem
有关创建和编辑 IAM 策略的信息,请参阅创建 IAM 策略中的IAM 用户指南。有关如何将此策略分配到 IAM 用户、组或角色的信息,请参阅添加和删除 IAM 身份权限。