Setting up permissions for Systems Manager Application Manager
If your Amazon Identity and Access Management (IAM) user, group, or role has access to the API operations listed in this topic, you can use all features of Application Manager, a capability of Amazon Systems Manager. The API operations are split into two tables to help you understand the different functions they perform.
The following table lists the API operations that Systems Manager calls when you choose a resource in Application Manager because you want to view its details. For example, if Application Manager lists an Amazon EC2 Auto Scaling group and you choose that group to view its details, Systems Manager calls the autoscaling:DescribeAutoScalingGroups API operation. If your account has no Auto Scaling groups, Application Manager does not call this API.
[Table: Resource details only]
The following table lists the API operations that Systems Manager uses to modify the applications and resources listed in Application Manager, or to view operational information about a selected application or resource.
[Table: Application actions and details]
Configuring permissions
To configure Application Manager permissions for an IAM user, create an IAM policy using the following example. This example policy includes all of the API operations that Application Manager uses.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListTagsForCertificate",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudfront:GetDistribution",
                "cloudfront:ListTagsForResource",
                "cloudtrail:DescribeTrails",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "codebuild:BatchGetProjects",
                "codepipeline:GetPipeline",
                "codepipeline:ListTagsForResource",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAddresses",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeHosts",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeCapacityProviders",
                "ecs:TagResource",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:ListTagsForResource",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "iam:GetGroup",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:GetUser",
                "lambda:GetFunction",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventSubscriptions",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusterSecurityGroups",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "redshift:DescribeClusters",
                "s3:GetBucketTagging",
                "cloudformation:DescribeStacks",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeInsightRules",
                "cloudwatch:ListMetrics",
                "cloudwatch:ListTagsForResource",
                "config:DescribeComplianceByResource",
                "config:DescribeRemediationConfigurations",
                "config:GetComplianceDetailsByResource",
                "config:GetResourceConfigHistory",
                "config:StartConfigRulesEvaluation",
                "ec2:DescribeInstances",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:ListFargateProfiles",
                "eks:ListNodegroups",
                "eks:TagResource",
                "resource-groups:CreateGroup",
                "resource-groups:DeleteGroup",
                "resource-groups:GetGroup",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:Tag",
                "resource-groups:Untag",
                "ssm:CreateOpsMetadata",
                "ssm:DeleteOpsMetadata",
                "ssm:GetOpsSummary",
                "ssm:GetOpsMetadata",
                "ssm:UpdateServiceSetting",
                "ssm:GetServiceSetting",
                "ssm:ListOpsMetadata",
                "ssm:UpdateOpsItem",
                "tag:GetTagKeys",
                "tag:GetTagValues"
            ],
            "Resource": "*"
        }
    ]
}
```
You can restrict a user's ability to modify applications and resources in Application Manager by removing the following API operations from the IAM permissions policy attached to their user, group, or role. Removing these operations creates a read-only experience in Application Manager.
- eks:TagResource
- resource-groups:CreateGroup
- resource-groups:DeleteGroup
- resource-groups:Tag
- resource-groups:Untag
- ssm:CreateOpsMetadata
- ssm:DeleteOpsMetadata
- ssm:UpdateOpsItem
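The following is an added example, not code from this documentation page or from AWS: it derives the read-only variant of the policy above by dropping the listed write operations from every Allow statement, then audits what remains. The policy embedded here is a constructed subset of the page's full action list, and the read-verb prefixes used by the audit are an assumption of the example, not an AWS rule.

```python
import copy

# Constructed subset of the page's Application Manager policy (not the full list).
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "autoscaling:DescribeAutoScalingGroups", "ecs:TagResource",
        "eks:TagResource", "resource-groups:CreateGroup",
        "resource-groups:DeleteGroup", "resource-groups:GetGroup",
        "resource-groups:Tag", "resource-groups:Untag",
        "ssm:CreateOpsMetadata", "ssm:DeleteOpsMetadata",
        "ssm:GetOpsSummary", "ssm:UpdateServiceSetting",
        "ssm:UpdateOpsItem", "config:StartConfigRulesEvaluation",
    ]}],
}

# Actions the page says to remove to make Application Manager read-only.
WRITE_ACTIONS = frozenset({
    "eks:TagResource", "resource-groups:CreateGroup", "resource-groups:DeleteGroup",
    "resource-groups:Tag", "resource-groups:Untag", "ssm:CreateOpsMetadata",
    "ssm:DeleteOpsMetadata", "ssm:UpdateOpsItem",
})

# Verb prefixes the audit below treats as read-only (an assumption of this example).
READ_VERBS = ("Describe", "Get", "List", "Lookup", "BatchGet")


def _allow_statements(policy):
    """Yield each Allow statement with its Action normalised to a list (in place)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            if isinstance(stmt["Action"], str):
                stmt["Action"] = [stmt["Action"]]
            yield stmt

def make_read_only(policy, remove=WRITE_ACTIONS):
    """Return a deep copy of policy with the given actions dropped from Allow statements."""
    out = copy.deepcopy(policy)
    for stmt in _allow_statements(out):
        stmt["Action"] = [a for a in stmt["Action"] if a not in remove]
    return out

def non_read_actions(policy):
    """Audit: allowed actions whose API verb does not start with a read-style prefix."""
    flagged = set()
    for stmt in _allow_statements(copy.deepcopy(policy)):
        for action in stmt["Action"]:
            if not action.split(":", 1)[1].startswith(READ_VERBS):
                flagged.add(action)
    return flagged
```

Running `non_read_actions(make_read_only(FULL_POLICY))` shows which allowed operations in the page's policy are not covered by the page's removal list, which is worth checking against your own read-only expectations before attaching the policy.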
For information about how to create an IAM policy, see Creating IAM policies in the IAM User Guide. For information about how to assign this policy to an IAM user, group, or role, see Adding and removing IAM identity permissions.