Amazon managed policies for Amazon Web Services Systems Manager - Amazon Web Services Systems Manager
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.


To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in an Amazon managed policy. Services occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) that the policy is attached to. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: AmazonSSMServiceRolePolicy

You can't attach AmazonSSMServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows Amazon Web Services Systems Manager to perform actions on your behalf. For more information, see Using roles to collect inventory, run Maintenance Windows tasks, and view OpsData: AWSServiceRoleForAmazonSSM.

Currently, three Systems Manager capabilities use the service-linked role:

  • The Inventory capability requires a service-linked role. The role enables the system to collect Inventory metadata from tags and resource groups.

  • The Maintenance Windows capability can optionally use the service-linked role. The role allows the Maintenance Windows service to run maintenance tasks on target instances. Note that the service-linked role for Systems Manager doesn't provide the permissions needed for every scenario. For more information, see Should I use a service-linked role or a custom service role to run Maintenance Windows tasks?

  • The Explorer capability uses the service-linked role to enable viewing OpsData and OpsItems from multiple accounts. This service-linked role also allows Explorer to create a managed rule when you enable Security Hub as a data source from Explorer or OpsCenter.

Permissions details

The AWSServiceRoleForAmazonSSM service-linked role permissions policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where noted:

  • ssm:CancelCommand

  • ssm:GetCommandInvocation

  • ssm:ListCommandInvocations

  • ssm:ListCommands

  • ssm:SendCommand

  • ssm:GetAutomationExecution

  • ssm:GetParameters

  • ssm:StartAutomationExecution

  • ssm:ListTagsForResource

  • ssm:GetCalendarState

  • ssm:UpdateServiceSetting [1]

  • ssm:GetServiceSetting [1]

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeInstanceStatus

  • ec2:DescribeInstances

  • lambda:InvokeFunction [2]

  • states:DescribeExecution [3]

  • states:StartExecution [3]

  • resource-groups:ListGroups

  • resource-groups:ListGroupResources

  • resource-groups:GetGroupQuery

  • tag:GetResources

  • config:SelectResourceConfig

  • config:DescribeComplianceByConfigRule

  • config:DescribeComplianceByResource

  • config:DescribeRemediationConfigurations

  • config:DescribeConfigurationRecorders

  • compute-optimizer:GetEC2InstanceRecommendations

  • compute-optimizer:GetEnrollmentStatus

  • support:DescribeTrustedAdvisorChecks

  • support:DescribeTrustedAdvisorCheckSummaries

  • support:DescribeTrustedAdvisorCheckResult

  • support:DescribeCases

  • iam:PassRole [4]

  • organizations:DescribeOrganization

  • cloudformation:DescribeStacks

  • cloudformation:ListStackResources

  • cloudformation:ListStackSets

  • cloudformation:ListStackInstances [5]

  • cloudformation:DescribeStackSetOperation [5]

  • cloudformation:DeleteStackSet [5]

  • cloudformation:DeleteStackInstances [6]

  • events:PutRule [7]

  • events:PutTargets [7]

  • events:RemoveTargets [8]

  • events:DeleteRule [8]

  • events:DescribeRule

  • securityhub:DescribeHub

[1] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed only on the following resources.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[2] The lambda:InvokeFunction action is allowed only on the following resources.

arn:aws:lambda:*:*:function:SSM*
arn:aws:lambda:*:*:function:*:SSM*

[3] The states: actions (states:DescribeExecution and states:StartExecution) are allowed only on the following resources.

arn:aws:states:*:*:stateMachine:SSM*
arn:aws:states:*:*:execution:SSM*

[4] The iam:PassRole action is allowed only under the following condition for the Systems Manager service.

"Condition": {
    "StringEquals": {
        "iam:PassedToService": [ "ssm.amazonaws.com" ]
    }
}

[5] The cloudformation:ListStackInstances, cloudformation:DescribeStackSetOperation, and cloudformation:DeleteStackSet actions are allowed only on the following resource.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*

[6] The cloudformation:DeleteStackInstances action is allowed only on the following resources.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*
arn:aws:cloudformation:*:*:type/resource/*

[7] The events:PutRule and events:PutTargets actions are allowed only under the following condition for the Systems Manager service.

"Condition": {
    "StringEquals": {
        "events:ManagedBy": "ssm.amazonaws.com"
    }
}

[8] The events:RemoveTargets and events:DeleteRule actions are allowed only on the following resource.

arn:aws:events:*:*:rule/SSMExplorerManagedRule

Full AmazonSSMServiceRolePolicy policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:CancelCommand", "ssm:GetCommandInvocation", "ssm:ListCommandInvocations",
                "ssm:ListCommands", "ssm:SendCommand", "ssm:GetAutomationExecution",
                "ssm:GetParameters", "ssm:StartAutomationExecution", "ssm:ListTagsForResource",
                "ssm:GetCalendarState"
            ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "ssm:UpdateServiceSetting", "ssm:GetServiceSetting" ],
            "Resource": [
                "arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*",
                "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [ "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "lambda:InvokeFunction" ],
            "Resource": [ "arn:aws:lambda:*:*:function:SSM*", "arn:aws:lambda:*:*:function:*:SSM*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "states:DescribeExecution", "states:StartExecution" ],
            "Resource": [ "arn:aws:states:*:*:stateMachine:SSM*", "arn:aws:states:*:*:execution:SSM*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "resource-groups:ListGroups", "resource-groups:ListGroupResources", "resource-groups:GetGroupQuery" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "tag:GetResources" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "config:SelectResourceConfig" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "compute-optimizer:GetEC2InstanceRecommendations", "compute-optimizer:GetEnrollmentStatus" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "support:DescribeTrustedAdvisorChecks", "support:DescribeTrustedAdvisorCheckSummaries",
                "support:DescribeTrustedAdvisorCheckResult", "support:DescribeCases"
            ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "config:DescribeComplianceByConfigRule", "config:DescribeComplianceByResource",
                "config:DescribeRemediationConfigurations", "config:DescribeConfigurationRecorders"
            ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com" ] } }
        },
        {
            "Effect": "Allow",
            "Action": "organizations:DescribeOrganization",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:ListStackSets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [ "cloudformation:ListStackInstances", "cloudformation:DescribeStackSetOperation", "cloudformation:DeleteStackSet" ],
            "Resource": "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:DeleteStackInstances",
            "Resource": [
                "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*",
                "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*",
                "arn:aws:cloudformation:*:*:type/resource/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [ "events:PutRule", "events:PutTargets" ],
            "Resource": "*",
            "Condition": { "StringEquals": { "events:ManagedBy": "ssm.amazonaws.com" } }
        },
        {
            "Effect": "Allow",
            "Action": [ "events:RemoveTargets", "events:DeleteRule" ],
            "Resource": [ "arn:aws:events:*:*:rule/SSMExplorerManagedRule" ]
        },
        {
            "Effect": "Allow",
            "Action": "events:DescribeRule",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "securityhub:DescribeHub",
            "Resource": "*"
        }
    ]
}

Amazon managed policy: AWSServiceRoleForSystemsManagerOpsDataSyncPolicy

You can't attach AWSServiceRoleForSystemsManagerOpsDataSyncPolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Systems Manager Explorer: AWSServiceRoleForSystemsManagerOpsDataSync.

AWSServiceRoleForSystemsManagerOpsDataSyncPolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked role to create and update OpsItems and OpsData from Amazon Security Hub findings.

Permissions details

The AWSServiceRoleForSystemsManagerOpsDataSync service-linked role permissions policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where noted:

  • ssm:GetOpsItem [1]

  • ssm:UpdateOpsItem [1]

  • ssm:CreateOpsItem

  • ssm:AddTagsToResource [2]

  • ssm:UpdateServiceSetting [3]

  • ssm:GetServiceSetting [3]

  • securityhub:GetFindings

  • securityhub:BatchUpdateFindings [4]

[1] The ssm:GetOpsItem and ssm:UpdateOpsItem actions are allowed only under the following condition for the Systems Manager service.

"Condition": {
    "StringEquals": {
        "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
    }
}

[2] The ssm:AddTagsToResource action is allowed only on the following resource.

arn:aws:ssm:*:*:opsitem/*

[3] The ssm:UpdateServiceSetting and ssm:GetServiceSetting actions are allowed only on the following resources.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[4] The securityhub:BatchUpdateFindings action is denied only under the following condition for the Systems Manager service.

"Condition": {
    "StringEquals": {
        "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
    },
    "Null": {
        "securityhub:ASFFSyntaxPath/Confidence": false,
        "securityhub:ASFFSyntaxPath/Criticality": false,
        "securityhub:ASFFSyntaxPath/Note": false,
        "securityhub:ASFFSyntaxPath/RelatedFindings": false,
        "securityhub:ASFFSyntaxPath/Types": false,
        "securityhub:ASFFSyntaxPath/UserDefinedFields": false,
        "securityhub:ASFFSyntaxPath/VerificationState": false
    }
}

Full AWSServiceRoleForSystemsManagerOpsDataSyncPolicy policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "ssm:GetOpsItem", "ssm:UpdateOpsItem" ],
            "Resource": "*",
            "Condition": { "StringEquals": { "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true" } }
        },
        {
            "Effect": "Allow",
            "Action": [ "ssm:CreateOpsItem" ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [ "ssm:AddTagsToResource" ],
            "Resource": "arn:aws:ssm:*:*:opsitem/*"
        },
        {
            "Effect": "Allow",
            "Action": [ "ssm:UpdateServiceSetting", "ssm:GetServiceSetting" ],
            "Resource": [
                "arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*",
                "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [ "securityhub:GetFindings", "securityhub:BatchUpdateFindings" ],
            "Resource": [ "*" ]
        },
        {
            "Effect": "Deny",
            "Action": "securityhub:BatchUpdateFindings",
            "Resource": "*",
            "Condition": {
                "StringEquals": { "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED" },
                "Null": {
                    "securityhub:ASFFSyntaxPath/Confidence": false,
                    "securityhub:ASFFSyntaxPath/Criticality": false,
                    "securityhub:ASFFSyntaxPath/Note": false,
                    "securityhub:ASFFSyntaxPath/RelatedFindings": false,
                    "securityhub:ASFFSyntaxPath/Types": false,
                    "securityhub:ASFFSyntaxPath/UserDefinedFields": false,
                    "securityhub:ASFFSyntaxPath/VerificationState": false
                }
            }
        }
    ]
}
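The footnotes of both policies above rely on three IAM mechanisms that are easy to misread: ARN wildcards in "Resource", the StringEquals operator (as used for iam:PassedToService, events:ManagedBy and the OpsItem resource tag), and the Null operator in the explicit Deny on securityhub:BatchUpdateFindings, where "Null": false means the key must be present and all keys in a condition block are ANDed. The following is an added example, not AWS code or anything from the Systems Manager documentation: a minimal evaluator that models just those operators and explicit-deny precedence, run against a copy of AWSServiceRoleForSystemsManagerOpsDataSyncPolicy and two statements excerpted from AmazonSSMServiceRolePolicy. It evaluates a single identity policy in isolation (no SCPs, resource policies or session policies), and the account ID, ARNs and request contexts are constructed for illustration.

```python
"""Added example (not AWS code): minimal evaluator for the StringEquals and Null
condition operators and ARN wildcards used by the policies above. It models a
single identity policy with explicit-deny precedence; all ARNs are constructed."""
import re

OPS_DATA_SYNC_POLICY = {  # copy of AWSServiceRoleForSystemsManagerOpsDataSyncPolicy
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetOpsItem", "ssm:UpdateOpsItem"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"}}},
        {"Effect": "Allow", "Action": ["ssm:CreateOpsItem"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:AddTagsToResource"], "Resource": "arn:aws:ssm:*:*:opsitem/*"},
        {"Effect": "Allow", "Action": ["ssm:UpdateServiceSetting", "ssm:GetServiceSetting"],
         "Resource": ["arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*",
                      "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*"]},
        {"Effect": "Allow", "Action": ["securityhub:GetFindings", "securityhub:BatchUpdateFindings"],
         "Resource": ["*"]},
        {"Effect": "Deny", "Action": "securityhub:BatchUpdateFindings", "Resource": "*",
         "Condition": {
             "StringEquals": {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"},
             "Null": {f"securityhub:ASFFSyntaxPath/{k}": False for k in (
                 "Confidence", "Criticality", "Note", "RelatedFindings", "Types",
                 "UserDefinedFields", "VerificationState")}}},
    ],
}

SSM_SERVICE_ROLE_EXCERPT = {  # two statements from AmazonSSMServiceRolePolicy, footnotes [2] and [4]
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
         "Resource": ["arn:aws:lambda:*:*:function:SSM*", "arn:aws:lambda:*:*:function:*:SSM*"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["ssm.amazonaws.com"]}}},
    ],
}


def _wild(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = ".*".join(".".join(re.escape(p) for p in part.split("?")) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    """All operators and all keys inside a Condition block are ANDed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "Null":
                # "Null": true -> key must be absent; "Null": false -> key must be present.
                want_absent = expected in (True, "true")
                if (actual is None) != want_absent:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
    return True


def _matches(stmt, action, resource, context):
    return (any(_wild(a, action) for a in _as_list(stmt["Action"]))
            and any(_wild(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context=None):
    """'Deny' if any explicit Deny matches, else 'Allow' if any Allow matches, else 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


ACCOUNT = "123456789012"  # constructed account ID
OPSITEM = f"arn:aws:ssm:us-east-1:{ACCOUNT}:opsitem/oi-0123456789abcdef"  # constructed
ROLE = f"arn:aws:iam::{ACCOUNT}:role/MaintenanceRole"  # constructed
TAGGED = {"aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"}
SUPPRESS = {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}
# Suppress *and* set every field named in the Deny's Null block (the only case the Deny matches).
SUPPRESS_ALL = {**SUPPRESS, **{k: "x" for k in OPS_DATA_SYNC_POLICY["Statement"][5]["Condition"]["Null"]}}


def demo():
    """Decisions for constructed requests; Security Hub findings use '*' as the resource."""
    p, q = OPS_DATA_SYNC_POLICY, SSM_SERVICE_ROLE_EXCERPT
    return {
        "update tagged opsitem": evaluate(p, "ssm:UpdateOpsItem", OPSITEM, TAGGED),
        "update untagged opsitem": evaluate(p, "ssm:UpdateOpsItem", OPSITEM),
        "tag an opsitem": evaluate(p, "ssm:AddTagsToResource", OPSITEM),
        "tag a parameter": evaluate(p, "ssm:AddTagsToResource", f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/app-config"),
        "suppress finding only": evaluate(p, "securityhub:BatchUpdateFindings", "*", SUPPRESS),
        "suppress and set all fields": evaluate(p, "securityhub:BatchUpdateFindings", "*", SUPPRESS_ALL),
        "invoke SSM-prefixed lambda": evaluate(q, "lambda:InvokeFunction", f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:SSM-Remediate"),
        "invoke other lambda": evaluate(q, "lambda:InvokeFunction", f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:Billing"),
        "pass role to ssm": evaluate(q, "iam:PassRole", ROLE, {"iam:PassedToService": "ssm.amazonaws.com"}),
        "pass role to lambda": evaluate(q, "iam:PassRole", ROLE, {"iam:PassedToService": "lambda.amazonaws.com"}),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:30} {decision}")
```

The "suppress finding only" and "suppress and set all fields" rows are the ones worth studying: because every key in a Condition block is ANDed, the explicit Deny fires only when the request both sets Workflow.Status to SUPPRESSED and supplies all seven listed ASFF fields; a request that only suppresses falls through to the Allow statement. The same evaluator shows why the lambda:InvokeFunction and iam:PassRole grants in AmazonSSMServiceRolePolicy are narrower than their "Resource" lines alone suggest.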

Systems Manager updates to Amazon managed policies

View details about updates to Amazon managed policies for Systems Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.

Change: AmazonSSMServiceRolePolicy: Update to an existing policy
Description: Systems Manager added new permissions to allow Explorer to create a managed rule when you enable Security Hub from Explorer or OpsCenter. New permissions were also added to check whether Config and Compute Optimizer meet the necessary requirements before OpsData is enabled.
Date: April 27, 2019

Change: AWSServiceRoleForSystemsManagerOpsDataSyncPolicy: New policy
Description: Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in OpsCenter.
Date: April 27, 2019

Change: AmazonSSMServiceRolePolicy: Update to an existing policy
Description: Systems Manager added new permissions to allow viewing aggregated OpsData and OpsItems details from multiple accounts and Amazon Web Services Regions in Explorer.
Date: March 24, 2019

Change: Systems Manager started tracking changes
Description: Systems Manager started tracking changes to its Amazon managed policies.
Date: March 12, 2021