

# IAM policies for using CloudWatch RUM
<a name="CloudWatch-RUM-permissions"></a>

To fully manage CloudWatch RUM, you must be signed in as an IAM user or role that has the **AmazonCloudWatchRUMFullAccess** IAM policy. In addition, other policies or permissions may be required:
+ To create an app monitor that creates a new Amazon Cognito identity pool for authorization, you must have the **Admin** IAM role or the **AdministratorAccess** IAM policy.
+ To create an app monitor that sends data to CloudWatch Logs, you must be signed in with an IAM role or policy that has the following permissions:

  ```json
  {
      "Effect": "Allow",
      "Action": [
          "logs:PutResourcePolicy"
      ],
      "Resource": [
          "*"
      ]
  }
  ```
+ To enable JavaScript source maps in an app monitor, you need to upload the source map files to an Amazon S3 bucket. Your IAM role or policy needs specific Amazon S3 permissions to create an Amazon S3 bucket, set a bucket policy, and manage the files in the bucket. For security, scope these permissions to specific resources. The following example policy restricts access to buckets whose names contain `rum`, and uses the `aws:ResourceAccount` condition key to limit the permissions to the principal's own account.

  ```json
  {
      "Sid": "AllowS3BucketCreationAndListing",
      "Effect": "Allow",
      "Action": [
          "s3:CreateBucket",
          "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
          "StringEquals": {
              "aws:ResourceAccount": "${aws:PrincipalAccount}"
          }
      }
  },
  {
      "Sid": "AllowS3BucketActions",
      "Effect": "Allow",
      "Action": [
          "s3:GetBucketLocation",
          "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
          "StringEquals": {
              "aws:ResourceAccount": "${aws:PrincipalAccount}"
          }
      }
  },
  {
      "Sid": "AllowS3BucketPolicyActions",
      "Effect": "Allow",
      "Action": [
          "s3:PutBucketPolicy",
          "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
          "StringEquals": {
              "aws:ResourceAccount": "${aws:PrincipalAccount}"
          }
      }
  },
  {
      "Sid": "AllowS3ObjectActions",
      "Effect": "Allow",
      "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
          "StringEquals": {
              "aws:ResourceAccount": "${aws:PrincipalAccount}"
          }
      }
  }
  ```
+ To use your own Amazon KMS key for server-side encryption of the source map bucket, your IAM role or policy needs specific Amazon KMS permissions to create a key, update the key policy, use the Amazon KMS key from Amazon S3, and set the encryption configuration of the Amazon S3 bucket. For security, scope these permissions to their specific purpose. The following example restricts access to keys in a specific Region and account ID (replace `REGION` and `ACCOUNT_ID` with your own values), and applies S3 restrictions similar to those in the example above.

  ```json
  {
      "Sid": "AllowKMSKeyCreation",
      "Effect": "Allow",
      "Action": [
          "kms:CreateKey",
          "kms:CreateAlias"
      ],
      "Resource": "*"
  },
  {
      "Sid": "KMSReadPermissions",
      "Effect": "Allow",
      "Action": [
          "kms:ListAliases"
      ],
      "Resource": "*"
  },
  {
      "Sid": "AllowUpdatingKeyPolicy",
      "Effect": "Allow",
      "Action": [
          "kms:PutKeyPolicy",
          "kms:GetKeyPolicy",
          "kms:ListKeyPolicies"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*"
  },
  {
      "Sid": "AllowUseOfKMSKeyForS3",
      "Effect": "Allow",
      "Action": [
          "kms:DescribeKey",
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*"
  },
  {
      "Sid": "AllowS3EncryptionConfiguration",
      "Effect": "Allow",
      "Action": [
          "s3:PutEncryptionConfiguration",
          "s3:GetEncryptionConfiguration"
      ],
      "Resource": "arn:aws:s3:::*rum*",
      "Condition": {
          "StringEquals": {
              "aws:ResourceAccount": "${aws:PrincipalAccount}"
          }
      }
  }
  ```
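As an added example (not code from the AWS documentation or from the service), the following Python script wraps three of the statements above in a complete policy document, checks each statement against the scoping pattern recommended here (`*rum*` bucket resources, the `aws:ResourceAccount` condition, no broad actions on `*`, no unfilled `REGION`/`ACCOUNT_ID` placeholders), and renders the finished policy. `WILDCARD_OK`, `find_scoping_issues` and `render_policy` are names chosen for this example; the sample policy is constructed from the page's statements.

```python
import json
# Constructed sample: three statements from this page inside the standard policy
# envelope; REGION and ACCOUNT_ID are the page's placeholders, left unfilled.
SOURCE_MAP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3BucketCreationAndListing", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Sid": "AllowS3ObjectActions", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": "arn:aws:s3:::*rum*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
        {"Sid": "AllowUseOfKMSKeyForS3", "Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*"},
    ],
}
# Actions that must target "*" (no bucket/key ARN exists yet, or the call is account-wide).
WILDCARD_OK = {"s3:CreateBucket", "s3:ListAllMyBuckets",
               "kms:CreateKey", "kms:CreateAlias", "kms:ListAliases"}
ACCOUNT_COND = "${aws:PrincipalAccount}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_scoping_issues(policy: dict) -> list:
    # One finding per way a statement is looser than the scoping pattern the page recommends
    issues = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        broad = set(_as_list(st.get("Action", []))) - WILDCARD_OK
        cond = st.get("Condition", {}).get("StringEquals", {})
        for res in _as_list(st.get("Resource", [])):
            if res.startswith("arn:aws:s3:::"):
                if res == "arn:aws:s3:::*" and broad:
                    issues.append(f"{sid}: {sorted(broad)} allowed on every bucket")
                if cond.get("aws:ResourceAccount") != ACCOUNT_COND:
                    issues.append(f"{sid}: missing aws:ResourceAccount condition")
            elif res.startswith("arn:aws:kms:") and ("REGION" in res or "ACCOUNT_ID" in res):
                issues.append(f"{sid}: placeholders not replaced in {res}")
            elif res == "*" and broad:
                issues.append(f"{sid}: {sorted(broad)} allowed on Resource '*'")
    return issues

def render_policy(policy: dict, region: str, account_id: str) -> str:
    # Fill the page's REGION/ACCOUNT_ID placeholders and emit the finished policy JSON
    text = json.dumps(policy, indent=4)
    return text.replace("REGION", region).replace("ACCOUNT_ID", account_id)
```

Run `find_scoping_issues` again on `json.loads(render_policy(...))` after filling the placeholders; a clean result means every statement matches the pattern above.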

Other users who need to view CloudWatch RUM data but do not need to create CloudWatch RUM resources can be granted the **AmazonCloudWatchRUMReadOnlyAccess** policy.