Configure permissions for Systems Manager Application Manager - Amazon Systems Manager
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

Configure permissions for Systems Manager Application Manager

If your Amazon Identity and Access Management (IAM) user, group, or role has access to the API operations listed in this topic, you can use every feature of Application Manager, a capability of Amazon Systems Manager. The API operations are split into two tables to help you understand the different functions they perform.

The following table lists the API operations Systems Manager calls when you choose a resource in Application Manager in order to view its details. For example, if Application Manager lists an Amazon EC2 Auto Scaling group and you choose that group to view its details, Systems Manager calls the autoscaling:DescribeAutoScalingGroups API operation. If your account has no Auto Scaling groups, Application Manager never calls this API.

Resource details only
acm:DescribeCertificate
acm:ListTagsForCertificate
autoscaling:DescribeAutoScalingGroups
cloudfront:GetDistribution
cloudfront:ListTagsForResource
cloudtrail:DescribeTrails
cloudtrail:ListTags
cloudtrail:LookupEvents
codebuild:BatchGetProjects
codepipeline:GetPipeline
codepipeline:ListTagsForResource
dynamodb:DescribeTable
dynamodb:ListTagsOfResource
ec2:DescribeAddresses
ec2:DescribeCustomerGateways
ec2:DescribeHosts
ec2:DescribeInternetGateways
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
elasticbeanstalk:DescribeApplications
elasticbeanstalk:ListTagsForResource
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
iam:GetGroup
iam:GetPolicy
iam:GetRole
iam:GetUser
lambda:GetFunction
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:DescribeEventSubscriptions
rds:ListTagsForResource
redshift:DescribeClusterParameters
redshift:DescribeClusterSecurityGroups
redshift:DescribeClusterSnapshots
redshift:DescribeClusterSubnetGroups
redshift:DescribeClusters
s3:GetBucketTagging

The following table lists the API operations Systems Manager uses to change the applications and resources listed in Application Manager, or to view operational information about a selected application or resource.

Application actions and details
cloudformation:DescribeStacks
cloudwatch:DescribeAlarms
cloudwatch:DescribeInsightRules
cloudwatch:ListMetrics
cloudwatch:ListTagsForResource
config:DescribeComplianceByResource
config:DescribeRemediationConfigurations
config:GetComplianceDetailsByResource
config:GetResourceConfigHistory
config:StartConfigRulesEvaluation
ec2:DescribeInstances
eks:DescribeCluster
eks:ListClusters
eks:ListFargateProfiles
eks:ListNodegroups
eks:TagResource
ecs:ListClusters
ecs:DescribeClusters
ecs:ListContainerInstances
ecs:DescribeContainerInstances
ecs:DescribeCapacityProviders
ecs:TagResource
resource-groups:CreateGroup
resource-groups:DeleteGroup
resource-groups:GetGroup
resource-groups:GetGroupQuery
resource-groups:GetTags
resource-groups:ListGroupResources
resource-groups:ListGroups
resource-groups:Tag
resource-groups:Untag
ssm:CreateOpsMetadata
ssm:DeleteOpsMetadata
ssm:GetOpsSummary
ssm:GetOpsMetadata
ssm:UpdateServiceSetting
ssm:GetServiceSetting
ssm:ListOpsMetadata
ssm:UpdateOpsItem
tag:GetTagKeys
tag:GetTagValues

Configure permissions

To configure Application Manager permissions for an IAM user, create an IAM policy using the following example. This example policy includes all of the API operations that Application Manager uses.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate", "acm:ListTagsForCertificate",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudfront:GetDistribution", "cloudfront:ListTagsForResource",
                "cloudtrail:DescribeTrails", "cloudtrail:ListTags", "cloudtrail:LookupEvents",
                "codebuild:BatchGetProjects",
                "codepipeline:GetPipeline", "codepipeline:ListTagsForResource",
                "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource",
                "ec2:DescribeAddresses", "ec2:DescribeCustomerGateways", "ec2:DescribeHosts",
                "ec2:DescribeInternetGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
                "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways",
                "ecs:ListClusters", "ecs:DescribeClusters", "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances", "ecs:DescribeCapacityProviders", "ecs:TagResource",
                "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:ListTagsForResource",
                "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags",
                "iam:GetGroup", "iam:GetPolicy", "iam:GetRole", "iam:GetUser",
                "lambda:GetFunction",
                "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameters", "redshift:DescribeClusterSecurityGroups",
                "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusters",
                "s3:GetBucketTagging",
                "cloudformation:DescribeStacks",
                "cloudwatch:DescribeAlarms", "cloudwatch:DescribeInsightRules", "cloudwatch:ListMetrics",
                "cloudwatch:ListTagsForResource",
                "config:DescribeComplianceByResource", "config:DescribeRemediationConfigurations",
                "config:GetComplianceDetailsByResource", "config:GetResourceConfigHistory",
                "config:StartConfigRulesEvaluation",
                "ec2:DescribeInstances",
                "eks:DescribeCluster", "eks:ListClusters", "eks:ListFargateProfiles", "eks:ListNodegroups",
                "eks:TagResource",
                "resource-groups:CreateGroup", "resource-groups:DeleteGroup", "resource-groups:GetGroup",
                "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:ListGroupResources",
                "resource-groups:ListGroups", "resource-groups:Tag", "resource-groups:Untag",
                "ssm:CreateOpsMetadata", "ssm:DeleteOpsMetadata", "ssm:GetOpsSummary", "ssm:GetOpsMetadata",
                "ssm:UpdateServiceSetting", "ssm:GetServiceSetting", "ssm:ListOpsMetadata", "ssm:UpdateOpsItem",
                "tag:GetTagKeys", "tag:GetTagValues"
            ],
            "Resource": "*"
        }
    ]
}
Note

You can restrict a user's ability to modify applications and resources in Application Manager by removing the following API operations from the IAM permissions policy attached to their user, group, or role. Removing these operations creates a read-only experience in Application Manager.

eks:TagResource
resource-groups:CreateGroup
resource-groups:DeleteGroup
resource-groups:Tag
resource-groups:Untag
ssm:CreateOpsMetadata
ssm:DeleteOpsMetadata
ssm:UpdateOpsItem
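As an added example (not part of the original page or of Amazon's own tooling), the following Python derives the read-only policy described in the note from the full policy, then checks whether any of the listed write actions are still granted, including through an action wildcard such as resource-groups:*, which a check on literal names alone would miss. The policy document is a constructed, abbreviated subset of the page's policy; the function names are this example's own.

```python
import copy
from fnmatch import fnmatchcase

# Constructed, abbreviated subset of the page's Application Manager policy.
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "eks:TagResource",
            "resource-groups:CreateGroup", "resource-groups:DeleteGroup",
            "resource-groups:GetGroup", "resource-groups:Tag", "resource-groups:Untag",
            "ssm:CreateOpsMetadata", "ssm:DeleteOpsMetadata",
            "ssm:GetOpsMetadata", "ssm:UpdateOpsItem",
        ],
        "Resource": "*",
    }],
}

# The actions the page says to remove for a read-only Application Manager experience.
WRITE_ACTIONS = (
    "eks:TagResource", "resource-groups:CreateGroup", "resource-groups:DeleteGroup",
    "resource-groups:Tag", "resource-groups:Untag", "ssm:CreateOpsMetadata",
    "ssm:DeleteOpsMetadata", "ssm:UpdateOpsItem",
)

def _actions(stmt):
    """Normalise a statement's Action element, which may be a string or a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def make_read_only(policy):
    """Return a copy of the policy with the write actions dropped from every Allow statement."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Action"] = [a for a in _actions(stmt) if a not in WRITE_ACTIONS]
    return out

def granted_write_actions(policy):
    """Return the write actions still matched by an Allow statement. IAM action
    patterns may contain * and ? and match case-insensitively, so a check on literal
    names alone would miss a grant such as "resource-groups:*"; fnmatchcase covers it."""
    hits = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _actions(stmt):
            hits.update(w for w in WRITE_ACTIONS if fnmatchcase(w.lower(), pattern.lower()))
    return sorted(hits)
```

The check ignores Deny and NotAction statements and is not a full IAM policy simulation, so treat a non-empty result as something to review rather than as a final verdict.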

For information about how to create an IAM policy, see Creating IAM policies in the IAM User Guide. For information about how to assign this policy to an IAM user, group, or role, see Adding and removing IAM identity permissions.