为 Systems Manager Application Manager 配置权限
如果您的 Amazon Identity and Access Management(IAM)实体(如用户、组或角色)有权访问本主题中列出的 API 操作,则您可以使用 Application Manager(Amazon Systems Manager 中的一项工具)的所有功能。API 操作分为两个表,以帮助您理解它们执行的不同功能。
下表列出了 Systems Manager 您在 Application Manager 中选择资源时调用的 API 操作,因为您希望查看资源详细信息。例如,如果 Application Manager 列出了 Amazon EC2 Auto Scaling 组,而您选择该组查看其详细信息,Systems Manager 会调用 autoscaling:DescribeAutoScalingGroups API 操作。如果您的账户中没有任何 Auto Scaling 组,则不会从 Application Manager 中调用此 API。
| 仅资源详细信息 |
|---|
|
下表列出了 Systems Manager 用于更改 Application Manager 中所列应用程序和资源或查看所选应用程序或资源的操作信息的 API 操作。
| 申请操作和详细信息 |
|---|
|
所有 Application Manager 权限的策略示例
要为 IAM 实体(如用户、组或角色)配置 Application Manager 权限,请使用以下示例创建 IAM policy。此策略示例包括 Application Manager 使用的所有 API 操作。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm:DescribeCertificate", "acm:ListTagsForCertificate", "applicationinsights:CreateApplication", "applicationinsights:DescribeApplication", "applicationinsights:ListProblems", "autoscaling:DescribeAutoScalingGroups", "ce:GetCostAndUsage", "ce:GetTags", "ce:ListCostAllocationTags", "ce:UpdateCostAllocationTagsStatus", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:DetectStackDrift", "cloudformation:GetTemplate", "cloudformation:GetTemplateSummary", "cloudformation:ListStacks", "cloudformation:ListStackResources", "cloudformation:UpdateStack", "cloudfront:GetDistribution", "cloudfront:ListTagsForResource", "cloudtrail:DescribeTrails", "cloudtrail:ListTags", "cloudtrail:LookupEvents", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeInsightRules", "cloudwatch:DisableAlarmActions", "cloudwatch:EnableAlarmActions", "cloudwatch:GetMetricData", "cloudwatch:ListTagsForResource", "cloudwatch:PutMetricAlarm", "codebuild:BatchGetProjects", "codepipeline:GetPipeline", "codepipeline:ListTagsForResource", "config:DescribeComplianceByConfigRule", "config:DescribeComplianceByResource", "config:DescribeConfigRules", "config:DescribeRemediationConfigurations", "config:GetComplianceDetailsByConfigRule", "config:GetComplianceDetailsByResource", "config:GetResourceConfigHistory", "config:ListDiscoveredResources", "config:PutRemediationConfigurations", "config:SelectResourceConfig", "config:StartConfigRulesEvaluation", "config:StartRemediationExecution", "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource", "ec2:DescribeAddresses", "ec2:DescribeCustomerGateways", "ec2:DescribeHosts", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ecs:DescribeCapacityProviders", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:TagResource", "eks:DescribeCluster", "eks:DescribeFargateProfile", "eks:DescribeNodegroup", "eks:ListClusters", "eks:ListFargateProfiles", "eks:ListNodegroups", "eks:TagResource", "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:ListTagsForResource", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "iam:CreateServiceLinkedRole", "iam:GetGroup", "iam:GetPolicy", "iam:GetRole", "iam:GetUser", "iam:ListRoles", "lambda:GetFunction", "logs:DescribeLogGroups", "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions", "rds:ListTagsForResource", "redshift:DescribeClusterParameters", "redshift:DescribeClusters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "resource-groups:CreateGroup", "resource-groups:DeleteGroup", "resource-groups:GetGroup", "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "resource-groups:Tag", "resource-groups:Untag", "resource-groups:UpdateGroup", "s3:GetBucketTagging", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketVersions", "servicecatalog:GetApplication", "servicecatalog:ListApplications", "sns:CreateTopic", "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sns:Subscribe", "ssm:AddTagsToResource", "ssm:CreateDocument", "ssm:CreateOpsMetadata", "ssm:DeleteDocument", "ssm:DeleteOpsMetadata", "ssm:DescribeAssociation", "ssm:DescribeAutomationExecutions", "ssm:DescribeDocument", "ssm:DescribeDocumentPermission", "ssm:GetDocument", "ssm:GetInventory", "ssm:GetOpsMetadata", "ssm:GetOpsSummary", "ssm:GetServiceSetting", "ssm:ListAssociations", "ssm:ListComplianceItems", "ssm:ListDocuments", "ssm:ListDocumentVersions", "ssm:ListOpsMetadata", "ssm:ListResourceComplianceSummaries", "ssm:ListTagsForResource", "ssm:ModifyDocumentPermission", "ssm:RemoveTagsFromResource", "ssm:StartAssociationsOnce", "ssm:StartAutomationExecution", "ssm:UpdateDocument", "ssm:UpdateDocumentDefaultVersion", "ssm:UpdateOpsMetadata", "ssm:UpdateOpsItem", "ssm:UpdateServiceSetting", "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues", "tag:TagResources", "tag:UntagResources" ], "Resource": "*" } ] }
注意
您可以限制用户在 Application Manager 中对应用程序和资源的进行修改的能力,方法是从附加到其用户、组或角色的 IAM 权限策略中删除以下 API 操作。删除这些操作会在 Application Manager 中创建一个只读体验。以下是允许用户更改应用程序或其他相关资源的所有 API。
applicationinsights:CreateApplication ce:UpdateCostAllocationTagsStatus cloudformation:CreateStack cloudformation:DeleteStack cloudformation:UpdateStack cloudwatch:DisableAlarmActions cloudwatch:EnableAlarmActions cloudwatch:PutMetricAlarm config:PutRemediationConfigurations config:StartConfigRulesEvaluation config:StartRemediationExecution ecs:TagResource eks:TagResource iam:CreateServiceLinkedRole resource-groups:CreateGroup resource-groups:DeleteGroup resource-groups:Tag resource-groups:Untag resource-groups:UpdateGroup sns:CreateTopic sns:Subscribe ssm:AddTagsToResource ssm:CreateDocument ssm:CreateOpsMetadata ssm:DeleteDocument ssm:DeleteOpsMetadata ssm:ModifyDocumentPermission ssm:RemoveTagsFromResource ssm:StartAssociationsOnce ssm:StartAutomationExecution ssm:UpdateDocument ssm:UpdateDocumentDefaultVersion ssm:UpdateOpsMetadata ssm:UpdateOpsItem ssm:UpdateServiceSetting tag:TagResources tag:UntagResources
有关如何创建 IAM policy 的信息,请参阅 IAM 用户指南中的创建 IAM policy。有关如何将此策略分配给 IAM 实体(如用户、组或角色)的信息,请参阅添加和删除 IAM 身份权限。