Workflow monitor IAM policies - MediaLive


Workflow monitor IAM policies

Workflow monitor interacts with multiple AWS services to create signal maps, EventBridge builds, CloudWatch resources, and AWS CloudFormation templates. Because workflow monitor interacts with such a wide range of services, specific AWS Identity and Access Management (IAM) policies must be attached to the principals that use it. The following examples show the IAM policies needed for the administrator and operator IAM roles.

Administrator IAM policy

The following example policy is an administrator-level workflow monitor IAM policy. This role can create and manage workflow monitor resources and the supported service resources that workflow monitor interacts with. Note that it grants medialive:* on all resources and s3:* on every bucket whose name begins with workflow-monitor-templates, so attach it only to principals that need to create, update, and delete workflow monitor resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:PutAnomalyDetector",
        "cloudwatch:PutMetricData",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:PutCompositeAlarm",
        "cloudwatch:PutDashboard",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DeleteAnomalyDetector",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:List*",
        "cloudformation:Describe*",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "cloudformation:TagResource",
        "cloudformation:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*",
        "cloudfront:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:List*",
        "events:Describe*",
        "events:CreateEventBus",
        "events:PutRule",
        "events:PutTargets",
        "events:EnableRule",
        "events:DisableRule",
        "events:DeleteRule",
        "events:RemoveTargets",
        "events:TagResource",
        "events:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:TagLogGroup",
        "logs:TagResource",
        "logs:UntagLogGroup",
        "logs:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediaconnect:List*",
        "mediaconnect:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "medialive:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediapackage:List*",
        "mediapackage:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediapackagev2:List*",
        "mediapackagev2:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediapackage-vod:List*",
        "mediapackage-vod:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediatailor:List*",
        "mediatailor:Describe*",
        "mediatailor:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroups",
        "resource-groups:GetGroup",
        "resource-groups:GetTags",
        "resource-groups:GetGroupQuery",
        "resource-groups:GetGroupConfiguration",
        "resource-groups:CreateGroup",
        "resource-groups:UngroupResources",
        "resource-groups:GroupResources",
        "resource-groups:DeleteGroup",
        "resource-groups:UpdateGroupQuery",
        "resource-groups:UpdateGroup",
        "resource-groups:Tag",
        "resource-groups:Untag"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::workflow-monitor-templates*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:TagResource",
        "sns:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:Get*",
        "tag:Describe*",
        "tag:TagResources",
        "tag:UntagResources"
      ],
      "Resource": "*"
    }
  ]
}

Operator IAM policy

The following example policy is an operator-level workflow monitor IAM policy. This role has limited, read-only access (List, Describe, and Get actions only) to workflow monitor resources and to the supported service resources that workflow monitor interacts with; it cannot create, modify, or delete alarms, rules, stacks, or channels.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:List*",
        "cloudformation:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*",
        "cloudfront:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:List*",
        "events:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediaconnect:List*",
        "mediaconnect:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "medialive:List*",
        "medialive:Get*",
        "medialive:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediapackage:List*",
        "mediapackage:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediapackagev2:List*",
        "mediapackagev2:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediapackage-vod:List*",
        "mediapackage-vod:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "mediatailor:List*",
        "mediatailor:Describe*",
        "mediatailor:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::workflow-monitor-templates*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "tag:Get*",
        "tag:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
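To confirm what separates the two roles before attaching them, the following added example (not part of the MediaLive documentation or of any AWS tooling) evaluates requests against both policies offline using IAM's matching rules: default deny, an explicit Deny overrides any Allow, action names match case-insensitively, and `*` and `?` are wildcards in both Action and Resource. Only the CloudWatch, EventBridge, MediaLive, and S3 statements of the two policies above are reproduced, trimmed for length, and the request list, account ID, and resource names are constructed for illustration.

```python
"""Offline check of the workflow monitor administrator and operator policies.

Added example, not AWS code. Trimmed copies of the two policies on this page
are evaluated with IAM's matching rules so you can see which calls the
administrator role may make that the operator role may not.
"""
import re

# Trimmed copy of the administrator policy statements from this page.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:List*", "cloudwatch:Describe*", "cloudwatch:Get*",
                    "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["events:List*", "events:Describe*", "events:PutRule", "events:PutTargets"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["medialive:*"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::workflow-monitor-templates*",
         "Action": ["s3:*"]},
    ],
}

# Trimmed copy of the operator policy statements from this page.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:List*", "cloudwatch:Describe*", "cloudwatch:Get*"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["events:List*", "events:Describe*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["medialive:List*", "medialive:Get*", "medialive:Describe*"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::workflow-monitor-templates*",
         "Action": ["s3:Get*", "s3:List*"]},
    ],
}


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    Action names are compared case-insensitively, ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _any_match(patterns, value, ignore_case):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(_wildcard_match(p, value, ignore_case) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate one request against one identity policy.

    Default deny; a matching explicit Deny wins over every Allow. Condition,
    NotAction and NotResource are not used by the policies on this page, so
    this evaluator rejects them rather than silently ignoring them.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if "Condition" in stmt or "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("statement element not supported by this evaluator")
        if not _any_match(stmt["Action"], action, ignore_case=True):
            continue
        if not _any_match(stmt["Resource"], resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def admin_only(requests):
    """Return the (action, resource) requests the administrator may make but the operator may not."""
    return [(a, r) for a, r in requests
            if is_allowed(ADMIN_POLICY, a, r) and not is_allowed(OPERATOR_POLICY, a, r)]


# Constructed requests; the account ID and resource names are placeholders.
SAMPLE_REQUESTS = [
    ("cloudwatch:ListMetrics", "*"),
    ("cloudwatch:PutMetricAlarm", "arn:aws:cloudwatch:us-east-1:123456789012:alarm:signal-map-1"),
    ("medialive:StartChannel", "arn:aws:medialive:us-east-1:123456789012:channel:1234567"),
    ("s3:GetObject", "arn:aws:s3:::workflow-monitor-templates-abc123/template.json"),
    ("s3:PutObject", "arn:aws:s3:::workflow-monitor-templates-abc123/template.json"),
    ("s3:PutObject", "arn:aws:s3:::some-other-bucket/template.json"),
]

if __name__ == "__main__":
    for action, resource in SAMPLE_REQUESTS:
        print(f"{action:28} admin={is_allowed(ADMIN_POLICY, action, resource)!s:5} "
              f"operator={is_allowed(OPERATOR_POLICY, action, resource)}")
    print("admin-only:", [a for a, _ in admin_only(SAMPLE_REQUESTS)])
```

The last sample request shows the effect of the S3 resource scoping: even the administrator policy's s3:* does not reach a bucket whose name lacks the workflow-monitor-templates prefix. For a real account, cross-check the result with the IAM policy simulator (simulate-custom-policy), which also applies service control policies, permission boundaries, and conditions that this evaluator deliberately does not model.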