第 1 步:使用 Fleet Manager 权限创建 IAM policy - Amazon Systems Manager
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

第 1 步:使用 Fleet Manager 权限创建 IAM policy

要使用 Amazon Systems Manager 的功能 Fleet Manager,您的 Amazon Identity and Access Management (IAM) 用户或角色必须拥有所需权限。您可以创建一个 IAM policy 提供对所有 Fleet Manager 功能的访问权限,或者修改策略以授予对所选功能的访问权限。以下策略示例提供了对所有 Fleet Manager 功能的所需权限,以及对功能子集的所需权限。

有关创建和编辑 IAM policy的更多信息,请参阅《IAM 用户指南》中的创建 IAM policy

注意

在以下所有策略中,将 key-name 替换为您要用于加密 Session Manager 会话数据的 Amazon Key Management Service (Amazon KMS) 密钥的名称。将 regionaccount-id 替换为您的 Amazon Web Services 区域 和 Amazon Web Services 账户 ID,例如 us-east-2111122223333

管理员策略

以下策略提供了对所有 Fleet Manager 功能的权限。这意味着用户可以创建和删除本地用户和组、修改任何本地组的组成员资格,以及修改 Windows 注册表键或值。

{ "Version":"2012-10-17", "Statement":[ { "Sid":"EC2", "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances", "ec2:DescribeTags" ], "Resource":"*" }, { "Sid":"General", "Effect":"Allow", "Action":[ "ssm:AddTagsToResource", "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeInstancePatches", "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation", "ssm:GetServiceSetting", "ssm:GetInventorySchema", "ssm:ListComplianceItems", "ssm:ListInventoryEntries", "ssm:ListTagsForResource", "ssm:ListCommandInvocations", "ssm:ListAssociations", "ssm:RemoveTagsFromResource" ], "Resource":"*" }, { "Sid":"SendCommand", "Effect":"Allow", "Action":[ "ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession" ], "Resource":[ "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ssm:*:account-id:managed-instance/*", "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell", "arn:aws:ssm:*:*:document/AWS-PasswordReset", "arn:aws:ssm:*:*:document/AWSFleetManager-AddUsersToGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateGroup", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUser", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUserInteractive", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteGroup", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteUser", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters", "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent", "arn:aws:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue" ], "Condition":{ "BoolIfExists":{ "ssm:SessionDocumentAccessCheck":"true" } } }, { "Sid":"TerminateSession", "Effect":"Allow", "Action":[ "ssm:TerminateSession" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/aws:ssmmessages:session-id":[ "${aws:userid}" ] } } }, { "Sid":"KMS", "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:region:account-id:key/key-name" ] } ] }

只读功能策略

以下策略提供了对只读 Fleet Manager 功能的权限。

{ "Version":"2012-10-17", "Statement":[ { "Sid":"EC2", "Effect":"Allow", "Action":[ "ec2:DescribeInstances", "ec2:DescribeTags" ], "Resource":"*" }, { "Sid":"General", "Effect":"Allow", "Action":[ "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeInstancePatches", "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation", "ssm:GetServiceSetting", "ssm:GetInventorySchema", "ssm:ListComplianceItems", "ssm:ListInventoryEntries", "ssm:ListTagsForResource", "ssm:ListCommandInvocations", "ssm:ListAssociations" ], "Resource":"*" }, { "Sid":"SendCommand", "Effect":"Allow", "Action":[ "ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession" ], "Resource":[ "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ssm:*:account-id:managed-instance/*", "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters", "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent" ], "Condition":{ "BoolIfExists":{ "ssm:SessionDocumentAccessCheck":"true" } } }, { "Sid":"TerminateSession", "Effect":"Allow", "Action":[ "ssm:TerminateSession" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/aws:ssmmessages:session-id":[ "${aws:userid}" ] } } }, { "Sid":"KMS", "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:region:account-id:key/key-name" ] } ] }