Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅
中国的 Amazon Web Services 服务入门
(PDF)。
• Amazon Systems Manager Change Manager 不再向新客户开放。现有客户可以继续正常使用该服务。有关更多信息,请参阅 Amazon Systems Manager Change Manager 可用性变更。
• Amazon Systems Manager CloudWatch 控制面板在 2026 年 4 月 30 日之后将不再可用。客户可以像现在一样继续使用 Amazon CloudWatch 控制台来查看、创建和管理其 Amazon CloudWatch 控制面板。有关更多信息,请参阅 Amazon CloudWatch 控制面板文档。
设置基于身份的策略示例
以下部分提供了 Amazon Systems Manager Automation 服务的基于 IAM 身份的策略示例。要详细了解如何使用这些示例 JSON 策略文档创建基于 IAM 身份的策略,请参阅《IAM 用户指南》中的创建 IAM 策略。
所有示例都包含虚构的账户 ID。不应在 Amazon 自有公共文档的 Amazon 资源名称(ARN)中指定账户 ID。
示例
示例 1:允许用户运行自动化文档并查看自动化执行情况
以下示例 IAM 策略允许用户执行以下操作:
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}",
"arn:aws:ssm:*:111122223333:automation-execution/*"
]
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
示例 2:允许用户运行自动化文档的特定版本
以下示例 IAM 策略允许用户运行自动化文档的特定版本:
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}"
],
"Condition": {
"ForAnyValue:StringEquals": {
"ssm:DocumentVersion": ["5"]
}
}
},
{
"Action": [
"ssm:StartAutomationExecution"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
示例 3:允许用户执行具有特定标签的自动化文档
以下示例 IAM 策略允许用户执行具有特定标签的任何自动化文档:
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/stage": "production"
}
}
},
{
"Action": [
"ssm:StartAutomationExecution"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
示例 4:当为自动化执行提供了特定的标签参数时,允许用户运行自动化文档
当为自动化执行提供了特定的标签参数时,以下示例 IAM 策略向用户授予运行自动化文档的权限:
-
运行策略中指定的自动化文档。文档名称由以下条目确定。
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
-
必须为自动化执行提供特定的标签参数。自动化执行资源的标签参数由以下条目确定。
"aws:ResourceTag/stage": "production"
-
停止并向具有指定标签的自动化执行发送信号。
-
查看有关具有指定标签的自动化执行的详细信息。
-
为 SSM 资源添加指定标签
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}"
]
},
{
"Action": [
"ssm:StartAutomationExecution",
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:ResourceTag/environment": "beta"
}
}
},
{
"Action": "ssm:AddTagsToResource",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
]
}
]
}