Get started with Quick Setup - Amazon Systems Manager
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Get started with Quick Setup

Use the information in this topic to help you prepare to use Quick Setup.

IAM roles and permissions for Quick Setup onboarding

On July 1, 2024, Quick Setup introduced a new home experience and a new API. You can opt in to the new experience now by choosing the opt-in button in the banner at the top of the Quick Setup home page. If you choose to use the new experience, your existing configurations are recreated using the new API. Depending on the number of existing configurations in your account, this process can take several minutes.

To use the new Quick Setup console, you must have permissions for the following actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm-quicksetup:*",
                "cloudformation:DescribeStackSetOperation",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStackSetOperations",
                "cloudformation:ListStackInstances",
                "cloudformation:DescribeStackSet",
                "cloudformation:ListStackSets",
                "cloudformation:DescribeStackInstance",
                "cloudformation:DescribeOrganizationsAccess",
                "cloudformation:ActivateOrganizationsAccess",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackSetOperationResults",
                "cloudformation:DescribeStackEvents",
                "ec2:DescribeInstances",
                "ssm:DescribeAutomationExecutions",
                "ssm:GetAutomationExecution",
                "ssm:ListAssociations",
                "ssm:DescribeAssociation",
                "ssm:GetDocument",
                "ssm:ListDocuments",
                "ssm:DescribeDocument",
                "ssm:ListResourceDataSync",
                "ssm:DescribePatchBaselines",
                "ssm:GetPatchBaseline",
                "ssm:DescribeMaintenanceWindows",
                "ssm:DescribeMaintenanceWindowTasks",
                "ssm:GetOpsSummary",
                "organizations:DeregisterDelegatedAdministrator",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListRoots",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:DescribeOrganizationalUnit",
                "organizations:ListAWSServiceAccessForOrganization",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "resource-groups:ListGroups",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:CreatePolicy",
                "organizations:RegisterDelegatedAdministrator",
                "organizations:EnableAWSServiceAccess",
                "cloudformation:TagResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:RollbackStack",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*",
                "arn:aws:cloudformation:*:*:stack/AWS-QuickSetup-*",
                "arn:aws:cloudformation:*:*:type/resource/*",
                "arn:aws:cloudformation:*:*:stack/StackSet-SSMQuickSetup"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStackSet",
                "cloudformation:UpdateStackSet",
                "cloudformation:DeleteStackSet",
                "cloudformation:DeleteStackInstances",
                "cloudformation:CreateStackInstances",
                "cloudformation:StopStackSetOperation"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*",
                "arn:aws:cloudformation:*:*:stackset/SSMQuickSetup",
                "arn:aws:cloudformation:*:*:type/resource/*",
                "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/AWS-QuickSetup-*",
                "arn:aws:iam::*:role/service-role/AWS-QuickSetup-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DeleteAssociation",
                "ssm:CreateAssociation",
                "ssm:StartAssociationsOnce"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:StartAutomationExecution",
            "Resource": "arn:aws:ssm:*:*:automation-definition/AWS-EnableExplorer:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetOpsSummary",
                "ssm:CreateResourceDataSync",
                "ssm:UpdateResourceDataSync"
            ],
            "Resource": "arn:aws:ssm:*:*:resource-data-sync/AWS-QuickSetup-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "accountdiscovery.ssm.amazonaws.com",
                        "ssm.amazonaws.com",
                        "ssm-quicksetup.amazonaws.com",
                        "stacksets.cloudformation.amazonaws.com"
                    ]
                }
            },
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin"
        }
    ]
}

To restrict a user to read-only permissions, allow only the ssm-quicksetup:List* and ssm-quicksetup:Get* actions on the Quick Setup API.
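The read-only rule above is easy to state and easy to get wrong in practice, because the console policy grants "ssm-quicksetup:*" and a single "*" or "ssm-*:*" pattern elsewhere in a policy also reaches the write actions. The following Python helper, an added example that is not part of the AWS documentation, walks an IAM policy document and reports every Allow grant that could match a Quick Setup action other than List*/Get*. The two sample policies are constructed for the example: one follows the read-only guidance, the other condenses the first statement of the console policy shown above.

```python
"""Audit an IAM policy document for Quick Setup (ssm-quicksetup) write access.

Added example, not AWS documentation code. The only rule it encodes is the
page's own: a read-only Quick Setup user may have ssm-quicksetup:List* and
ssm-quicksetup:Get* and nothing else on that service.
"""
import fnmatch
import json


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _split_action(pattern):
    """Split 'service:Action' into (service_glob, action_glob); a bare '*' covers both."""
    service, sep, action = pattern.partition(":")
    return (service, action) if sep else (service, "*")


def classify_action(pattern):
    """None if the pattern cannot match any ssm-quicksetup action,
    'read-only' if it can only ever match List*/Get* actions, otherwise 'write'.

    IAM action matching is case-insensitive, so everything is lowercased. A
    glob whose action part starts with a literal 'list' or 'get' can never
    match a write action, which is the conservative test used here.
    """
    service, action = _split_action(pattern)
    if not fnmatch.fnmatchcase("ssm-quicksetup", service.lower()):
        return None
    return "read-only" if action.lower().startswith(("list", "get")) else "write"


def _not_action_excludes_quicksetup(not_actions):
    """Allow + NotAction is read-only for Quick Setup only if the whole service is excluded."""
    for pattern in not_actions:
        service, action = _split_action(pattern)
        if fnmatch.fnmatchcase("ssm-quicksetup", service.lower()) and action == "*":
            return True
    return False


def quicksetup_write_grants(policy):
    """Return (statement_index, pattern) for every Allow grant that reaches a
    non-read-only Quick Setup action. An empty list means the policy is
    read-only with respect to ssm-quicksetup."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            not_actions = _as_list(stmt["NotAction"])
            if not _not_action_excludes_quicksetup(not_actions):
                findings.append((idx, "NotAction:" + ",".join(not_actions)))
            continue
        for pattern in _as_list(stmt.get("Action")):
            if classify_action(pattern) == "write":
                findings.append((idx, pattern))
    return findings


def is_quicksetup_read_only(policy):
    return not quicksetup_write_grants(policy)


# Constructed sample: the read-only policy the page describes.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm-quicksetup:List*", "ssm-quicksetup:Get*"],
        "Resource": "*",
    }],
}

# Constructed sample: the first statement of the console policy, condensed.
# Parsed from a string to mirror a policy document pulled from IAM.
CONSOLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "ssm-quicksetup:*", "cloudformation:ListStacks", "ssm:GetDocument" ],
  "Resource": "*" } ] }
""")

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY_POLICY), ("console", CONSOLE_POLICY)):
        print(f"{name}: write grants = {quicksetup_write_grants(pol)}")
```

The check is deliberately conservative: it reasons about action patterns rather than a list of real API names, so it needs no knowledge of which ssm-quicksetup operations exist, and any pattern that is not literally prefixed with List or Get is treated as a potential write grant.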

During onboarding, Quick Setup creates the following Amazon Identity and Access Management (IAM) roles on your behalf:

  • AWS-QuickSetup-LocalExecutionRole – Grants Amazon CloudFormation permission to use any template (excluding the patch policy template) and to create the required resources.

  • AWS-QuickSetup-LocalAdministrationRole – Grants Amazon CloudFormation permission to assume AWS-QuickSetup-LocalExecutionRole.

  • AWS-QuickSetup-PatchPolicy-LocalExecutionRole – Grants Amazon CloudFormation permission to use the patch policy template and to create the required resources.

  • AWS-QuickSetup-PatchPolicy-LocalAdministrationRole – Grants Amazon CloudFormation permission to assume AWS-QuickSetup-PatchPolicy-LocalExecutionRole.

If you are onboarding a management account (the account used to create the organization in Amazon Organizations), Quick Setup also creates the following roles on your behalf:

  • AWS-QuickSetup-SSM-RoleForEnablingExplorer – Grants permissions to the AWS-EnableExplorer Automation runbook. The AWS-EnableExplorer runbook configures Explorer, a capability of Systems Manager, to display information from multiple Amazon Web Services accounts and Amazon Web Services Regions.

  • AWSServiceRoleForAmazonSSM – A service-linked role that grants access to Amazon resources managed and used by Systems Manager.

  • AWSServiceRoleForAmazonSSM_AccountDiscovery – A service-linked role that grants Systems Manager permission to call Amazon Web Services to discover Amazon Web Services account information when syncing data. For more information, see About the AWSServiceRoleForAmazonSSM_AccountDiscovery role.

When onboarding a management account, Quick Setup enables trusted access between Amazon Organizations and CloudFormation in order to deploy Quick Setup configurations across your entire organization. To enable trusted access, your management account must have administrator permissions. After onboarding is complete, administrator permissions are no longer required. For more information, see Enable trusted access with Organizations.

For more information about Amazon Organizations account types, see Amazon Organizations terminology and concepts in the Amazon Organizations User Guide.

Note

Quick Setup uses Amazon CloudFormation StackSets to deploy your configurations across Amazon Web Services accounts and Regions. If the number of target accounts multiplied by the number of Regions exceeds 10,000, the configuration deployment fails. We recommend reviewing your use case and creating configurations that use fewer targets, so that the configuration still fits as the organization grows. Stack instances are not deployed to the organization's management account. For more information, see Considerations when creating a stack set with service-managed permissions.