第 1 步:创建具有车队管理员权限的 IAM 策略 - Amazon Web Services Systems Manager
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

第 1 步:创建具有车队管理员权限的 IAM 策略

要使用车队管理器,可以使用Amazon Web Services Systems Manager,您的 AWS Identity and Access Management (IAM) 用户或角色必须具备所需的权限。您可以创建一个 IAM 策略,提供对所有舰队管理器功能的访问权限,也可以修改策略以授予对所选功能的访问权限。以下策略示例提供了所有舰队管理器功能所需的权限以及功能子集所需的权限。

注意

在以下所有策略中,将密钥名称的名称Amazon Key Management Service(Amazon KMS) 密钥用于加密会话管理器会话数据。Replace区域account-id与您的Amazon Web Services 区域和Amazon Web Services 账户ID,例如us-east-2111122223333

管理员策略

以下策略提供对所有舰队管理器功能的权限。这意味着用户可以创建和删除本地用户和组、修改任何本地组的组成员身份以及修改 Windows 注册表项或值。

{ "Version":"2012-10-17", "Statement":[ { "Sid":"EC2", "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances", "ec2:DescribeTags" ], "Resource":"*" }, { "Sid":"General", "Effect":"Allow", "Action":[ "ssm:AddTagsToResource", "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeInstancePatches", "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation", "ssm:GetServiceSetting", "ssm:GetInventorySchema", "ssm:ListComplianceItems", "ssm:ListInventoryEntries", "ssm:ListTagsForResource", "ssm:ListCommandInvocations", "ssm:ListAssociations", "ssm:RemoveTagsFromResource" ], "Resource":"*" }, { "Sid":"SendCommand", "Effect":"Allow", "Action":[ "ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession" ], "Resource":[ "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ssm:*:account-id:managed-instance/*", "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell", "arn:aws:ssm:*:*:document/AWS-PasswordReset", "arn:aws:ssm:*:*:document/AWSFleetManager-AddUsersToGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateGroup", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUser", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateUserInteractive", "arn:aws:ssm:*:*:document/AWSFleetManager-CreateWindowsRegistryKey", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteGroup", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteUser", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryKey", "arn:aws:ssm:*:*:document/AWSFleetManager-DeleteWindowsRegistryValue", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters", "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent", "arn:aws:ssm:*:*:document/AWSFleetManager-RemoveUsersFromGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-SetWindowsRegistryValue" ], "Condition":{ "BoolIfExists":{ "ssm:SessionDocumentAccessCheck":"true" } } }, { "Sid":"TerminateSession", "Effect":"Allow", "Action":[ "ssm:TerminateSession" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/aws:ssmmessages:session-id":[ "${aws:userid}" ] } } }, { "Sid":"KMS", "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:region:account-id:key/key-name" ] } ] }

Read-only

以下策略提供对只读舰队管理器功能的权限。

{ "Version":"2012-10-17", "Statement":[ { "Sid":"EC2", "Effect":"Allow", "Action":[ "ec2:DescribeInstances", "ec2:DescribeTags" ], "Resource":"*" }, { "Sid":"General", "Effect":"Allow", "Action":[ "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeInstancePatches", "ssm:DescribeInstancePatchStates", "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation", "ssm:GetServiceSetting", "ssm:GetInventorySchema", "ssm:ListComplianceItems", "ssm:ListInventoryEntries", "ssm:ListTagsForResource", "ssm:ListCommandInvocations", "ssm:ListAssociations" ], "Resource":"*" }, { "Sid":"SendCommand", "Effect":"Allow", "Action":[ "ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession" ], "Resource":[ "arn:aws:ec2:*:account-id:instance/*", "arn:aws:ssm:*:account-id:managed-instance/*", "arn:aws:ssm:*:account-id:document/SSM-SessionManagerRunShell", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetFileSystemContent", "arn:aws:ssm:*:*:document/AWSFleetManager-GetGroups", "arn:aws:ssm:*:*:document/AWSFleetManager-GetPerformanceCounters", "arn:aws:ssm:*:*:document/AWSFleetManager-GetUsers", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsEvents", "arn:aws:ssm:*:*:document/AWSFleetManager-GetWindowsRegistryContent" ], "Condition":{ "BoolIfExists":{ "ssm:SessionDocumentAccessCheck":"true" } } }, { "Sid":"TerminateSession", "Effect":"Allow", "Action":[ "ssm:TerminateSession" ], "Resource":"*", "Condition":{ "StringLike":{ "ssm:resourceTag/aws:ssmmessages:session-id":[ "${aws:userid}" ] } } }, { "Sid":"KMS", "Effect":"Allow", "Action":[ "kms:GenerateDataKey" ], "Resource":[ "arn:aws:kms:region:account-id:key/key-name" ] } ] }