Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
Elenco di modelli di policy
Di seguito sono riportati i modelli di policy disponibili, insieme alle autorizzazioni applicate a ciascuno di essi. AWS Serverless Application Model(AWS SAM) compila automaticamente gli elementi segnaposto (come laAWS regione e l'ID dell'account) con le informazioni appropriate.
Argomenti
- AcmGetCertificatePolicy
- AMIDescribePolicy
- AthenaQueryPolicy
- AWSSecretsManagerGetSecretValuePolicy
- AWSSecretsManagerRotationPolicy
- CloudFormationDescribeStacksPolicy
- CloudWatchDashboardPolicy
- CloudWatchDescribeAlarmHistoryPolicy
- CloudWatchPutMetricPolicy
- CodePipelineLambdaExecutionPolicy
- CodePipelineReadOnlyPolicy
- CodeCommitCrudPolicy
- CodeCommitReadPolicy
- ComprehendBasicAccessPolicy
- CostExplorerReadOnlyPolicy
- DynamoDBBackupFullAccessPolicy
- DynamoDBCrudPolicy
- DynamoDBReadPolicy
- DynamoDBReconfigurePolicy
- DynamoDBRestoreFromBackupPolicy
- DynamoDBStreamReadPolicy
- DynamoDBWritePolicy
- EC2CopyImagePolicy
- EC2DescribePolicy
- EcsRunTaskPolicy
- EFSWriteAccessPolicy
- EKSDescribePolicy
- ElasticMapReduceAddJobFlowStepsPolitica
- ElasticMapReduceCancelStepsPolicy
- ElasticMapReduceModifyInstanceFleetPolicy
- ElasticMapReduceModifyInstanceGroupsPolicy
- ElasticMapReduceSetTerminationProtectionPolicy
- ElasticMapReduceTerminateJobFlowsPolicy
- ElasticsearchHttpPostPolicy
- EventBridgePutEventsPolicy
- FilterLogEventsPolicy
- FirehoseCrudPolicy
- FirehoseWritePolicy
- KinesisCrudPolicy
- KinesisStreamReadPolicy
- KMDecryptPolicy
- KMEncryptPolicy
- LambdaInvokePolicy
- MobileAnalyticsWriteOnlyAccessPolicy
- OrganizationsListAccountsPolicy
- PinpointEndpointAccessPolicy
- PollyFullAccessPolicy
- RekognitionDetectOnlyPolicy
- RekognitionFacesManagementPolicy
- RekognitionFacesPolicy
- RekognitionLabelsPolicy
- RekognitionNoDataAccessPolicy
- RekognitionReadPolicy
- RekognitionWriteOnlyAccessPolicy
- Percorso 53ChangeResourceRecordSetsPolicy
- S3CrudPolicy
- S3FullAccessPolicy
- S3ReadPolicy
- S3WritePolicy
- SageMakerCreateEndpointConfigPolicy
- SageMakerCreateEndpointPolicy
- ServerlessRepoReadWriteAccessPolicy
- SESBulkTemplatedCrudPolicy
- SESCrudPolicy
- SESEmailTemplateCrudPolicy
- SESSendBouncePolicy
- SNSCrudPolicy
- SNSPublishMessagePolicy
- SQSPollerPolicy
- SQSSendMessagePolicy
- SSMParameterReadPolicy
- StepFunctionsExecutionPolicy
- TextractDetectAnalyzePolicy
- TextractGetResultPolicy
- TextractPolicy
- VPCAccessPolicy
AcmGetCertificatePolicy
Fornisce il permesso di leggere un certificato daAWS Certificate Manager.
"Statement": [ { "Effect": "Allow", "Action": [ "acm:GetCertificate" ], "Resource": { "Fn::Sub": [ "${certificateArn}", { "certificateArn": { "Ref": "CertificateArn" } } ] } } ]
AMIDescribePolicy
Autorizza l'utente a descrivere Amazon Machine Image (AMI).
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": "*" } ]
AthenaQueryPolicy
Fornisce le autorizzazioni per eseguire le query Athena.
"Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:GetExecutionEngine", "athena:GetExecutionEngines", "athena:GetNamespace", "athena:GetCatalogs", "athena:GetNamespaces", "athena:GetTables", "athena:GetTable" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryResults", "athena:DeleteNamedQuery", "athena:GetNamedQuery", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResultsStream", "athena:ListNamedQueries", "athena:CreateNamedQuery", "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", { "workgroupName": { "Ref": "WorkGroupName" } } ] } } ]
AWSSecretsManagerGetSecretValuePolicy
Consente di ottenere il valore segreto per ilAWS Secrets Manager segreto specificato.
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ]
AWSSecretsManagerRotationPolicy
Dà il permesso di far ruotare un segretoAWS Secrets Manager.
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]
CloudFormationDescribeStacksPolicy
Dà il permesso di descrivere leAWS CloudFormation pile.
"Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ]
CloudWatchDashboardPolicy
Fornisce le autorizzazioni per inserire metriche per operare sui CloudWatch dashboard.
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ]
CloudWatchDescribeAlarmHistoryPolicy
Consente di descrivere la cronologia degli CloudWatch allarmi di Amazon.
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmHistory" ], "Resource": "*" } ]
CloudWatchPutMetricPolicy
Concede il permesso di inviare metriche a CloudWatch.
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ]
CodePipelineLambdaExecutionPolicy
Fornisce l'autorizzazione per una funzione Lambda richiamata daAWS CodePipeline per segnalare lo stato del lavoro.
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ]
CodePipelineReadOnlyPolicy
Autorizza l'utente ad ottenere i dettagli relativi a una CodePipeline pipeline.
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:ListPipelineExecutions" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": { "Ref": "PipelineName" } } ] } } ]
CodeCommitCrudPolicy
Autorizza l'utente a creare, eliminare gli oggetti all'interno di un CodeCommit repository specifico.
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush", "codecommit:CreateBranch", "codecommit:DeleteBranch", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash", "codecommit:MergeBranchesByThreeWay", "codecommit:UpdateDefaultBranch", "codecommit:BatchDescribeMergeConflicts", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:CreatePullRequest", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:MergePullRequestByFastForward", "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay", "codecommit:PostCommentForPullRequest", "codecommit:UpdatePullRequestDescription", "codecommit:UpdatePullRequestStatus", "codecommit:UpdatePullRequestTitle", "codecommit:DeleteFile", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:PutFile", "codecommit:DeleteCommentContent", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:PostCommentForComparedCommit", "codecommit:PostCommentReply", "codecommit:UpdateComment", "codecommit:BatchGetCommits", "codecommit:CreateCommit", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:UpdateRepositoryDescription", "codecommit:ListTagsForResource", "codecommit:TagResource", "codecommit:UntagResource", "codecommit:GetRepositoryTriggers", "codecommit:PutRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
CodeCommitReadPolicy
Concede le autorizzazioni per leggere oggetti all'interno di un CodeCommit repository specifico.
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:BatchDescribeMergeConflicts", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:BatchGetCommits", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:ListTagsForResource", "codecommit:GetRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
ComprehendBasicAccessPolicy
Consente di rilevare entità, frasi chiave, lingue e sentimenti.
"Statement": [{ "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ]
CostExplorerReadOnlyPolicy
Concede l'autorizzazione di sola lettura alle API di sola letturaAWS Cost Explorer (Cost Explorer) per la cronologia di fatturazione.
"Statement": [{ "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "ce:GetTags" ], "Resource": "*" }]
DynamoDBBackupFullAccessPolicy
Fornisce l'autorizzazione di lettura e scrittura ai backup su richiesta di DynamoDB per una tabella.
"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBCrudPolicy
Autorizza l'utente a creare, cancelle/update/update/update/update/update/update/update/update/update/update/update/update/update/update/updat
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReadPolicy
Autorizza l'utente ad arrestare una tabella DynamoDB.
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReconfigurePolicy
Autorizza l'utente a riconfigurare una tabella DynamoDB.
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:UpdateTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBRestoreFromBackupPolicy
Consente di ripristinare una tabella DynamoDB dal backup.
"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBStreamReadPolicy
Consente di descrivere e leggere stream e record di DynamoDB.
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBWritePolicy
Autorizza l'utente ad arrestare una tabella DynamoDB.
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
EC2CopyImagePolicy
Concede il permesso di copiare immagini Amazon EC2.
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ]
EC2DescribePolicy
Autorizza l'utente a descrivere le istanze Amazon Elastic Compute Cloud (Amazon EC2).
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ]
EcsRunTaskPolicy
Autorizza l'utente ad avviare una nuova attività per la definizione di un'attività.
"Statement": [ { "Action": [ "ecs:RunTask" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}", { "taskDefinition": { "Ref": "TaskDefinition" } } ] }, "Effect": "Allow" } ]
EFSWriteAccessPolicy
Autorizza l'utente a montare un file system Amazon EFS con accesso alla scrittura.
"Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}", { "FileSystem": { "Ref": "FileSystem" } } ] }, "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}", { "AccessPoint": { "Ref": "AccessPoint" } } ] } } } } ]
EKSDescribePolicy
Autorizza l'utente a descrivere o elencare i cluster Amazon Elastic Kubernetes Service (Amazon EKS).
"Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ]
ElasticMapReduceAddJobFlowStepsPolitica
Autorizza l'utente ad aggiungere nuovi passaggi a un cluster in esecuzione.
"Statement": [ { "Action": "elasticmapreduce:AddJobFlowSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceCancelStepsPolicy
Autorizza l'utente ad annullare uno o più passaggi in sospeso in un cluster in esecuzione.
"Statement": [ { "Action": "elasticmapreduce:CancelSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceModifyInstanceFleetPolicy
Consente di elencare i dettagli e modificare le capacità, ad esempio le flotte all'interno di un cluster.
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceFleet", "elasticmapreduce:ListInstanceFleets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceModifyInstanceGroupsPolicy
Consente di elencare i dettagli e modificare le impostazioni per i gruppi di esempio all'interno di un cluster.
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:ListInstanceGroups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceSetTerminationProtectionPolicy
Autorizza l'utente ad impostare la protezione dall'arresto per un cluster.
"Statement": [ { "Action": "elasticmapreduce:SetTerminationProtection", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceTerminateJobFlowsPolicy
Autorizza l'utente ad arrestare un cluster.
"Statement": [ { "Action": "elasticmapreduce:TerminateJobFlows", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticsearchHttpPostPolicy
Concede l'autorizzazione POST e PUT ad Amazon OpenSearch Service.
"Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost", "es:ESHttpPut" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": { "Ref": "DomainName" } } ] } } ]
EventBridgePutEventsPolicy
Concede le autorizzazioni per inviare eventi ad Amazon EventBridge.
"Statement": [ { "Effect": "Allow", "Action": "events:PutEvents", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}", { "eventBusName": { "Ref": "EventBusName" } } ] } } ]
FilterLogEventsPolicy
Consente di filtrare gli eventi CloudWatch Logs da un gruppo di log specificato.
"Statement": [ { "Effect": "Allow", "Action": [ "logs:FilterLogEvents" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": { "Ref": "LogGroupName" } } ] } } ]
FirehoseCrudPolicy
Autorizza l'utente a creare, eliminare un flusso di consegna Kinesis Data Firehose.
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
FirehoseWritePolicy
Autorizza l'utente a scrivere in un flusso di consegna Kinesis Data Firehose.
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
KinesisCrudPolicy
Concede il permesso di creare, pubblicare ed eliminare uno stream Amazon Kinesis.
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
KinesisStreamReadPolicy
Autorizza l'utente ad elencare e leggere un flusso Amazon Kinesis.
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
KMDecryptPolicy
Fornisce il permesso di decrittografare con una chiaveAWS Key Management Service (AWS KMS). Nota chekeyId deve essere un IDAWS KMS chiave e non un alias chiave.
"Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
KMEncryptPolicy
Fornisce il permesso di crittografare con unaAWS KMS chiave. Nota che keyID deve essere un IDAWS KMS chiave e non un alias chiave.
"Statement": [ { "Action": "kms:Encrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
LambdaInvokePolicy
Consente di richiamare unaAWS Lambda funzione, un alias o una versione.
"Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ]
MobileAnalyticsWriteOnlyAccessPolicy
Fornisce il permesso di sola scrittura per inserire i dati degli eventi per tutte le risorse dell'applicazione.
"Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ]
OrganizationsListAccountsPolicy
Concede il permesso di sola lettura per elencare i nomi e gli ID degli account dei bambini.
"Statement": [{ "Effect": "Allow", "Action": [ "organizations:ListAccounts" ], "Resource": "*" }]
PinpointEndpointAccessPolicy
Autorizza l'utente ad ottenere e aggiornare gli endpoint per un'applicazione Amazon Pinpoint.
"Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ]
PollyFullAccessPolicy
Fornisce l'autorizzazione di accesso completo alle risorse lessicali di Amazon Polly.
"Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ]
RekognitionDetectOnlyPolicy
Consente di rilevare volti, etichette e testo.
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ]
RekognitionFacesManagementPolicy
Concede il permesso di aggiungere, eliminare e cercare volti in una raccolta Amazon Rekognition.
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:IndexFaces", "rekognition:DeleteFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage", "rekognition:ListFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } }]
RekognitionFacesPolicy
Consente di confrontare e rilevare volti ed etichette.
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": "*" } ]
RekognitionLabelsPolicy
Consente di rilevare le etichette degli oggetti e delle moderazioni.
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ]
RekognitionNoDataAccessPolicy
Consente di confrontare e rilevare volti ed etichette.
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionReadPolicy
Concede il permesso di elencare e cercare volti.
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionWriteOnlyAccessPolicy
Concede il permesso di creare facce di raccolta e indicizzazione.
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
Percorso 53ChangeResourceRecordSetsPolicy
Consente di modificare i set di record di risorse in Route 53.
"Statement": [ { "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}", { "HostedZoneId": { "Ref": "HostedZoneId" } } ] } } ]
S3CrudPolicy
Fornisce il permesso di creare, leggere, aggiornare ed eliminare gli oggetti in un bucket Amazon S3.
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3FullAccessPolicy
Fornisce il permesso di accesso completo per agire sugli oggetti in un bucket Amazon S3.
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3ReadPolicy
Autorizza l'utente a leggere gli oggetti in un bucket Amazon Simple Storage Service (Amazon Simple Simple Storage Service (Amazon S3) di base.
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3WritePolicy
Autorizza l'utente a scrivere oggetti in un bucket Amazon S3.
"Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
SageMakerCreateEndpointConfigPolicy
Autorizza l'utente a creare una configurazione dell'endpoint in SageMaker.
"Statement": [ { "Action": [ "sagemaker:CreateEndpointConfig" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}", { "endpointConfigName": { "Ref": "EndpointConfigName" } } ] }, "Effect": "Allow" } ]
SageMakerCreateEndpointPolicy
Autorizza l'utente a creare un endpoint in SageMaker.
"Statement": [ { "Action": [ "sagemaker:CreateEndpoint" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}", { "endpointName": { "Ref": "EndpointName" } } ] }, "Effect": "Allow" } ]
ServerlessRepoReadWriteAccessPolicy
Fornisce il permesso di creare ed elencare applicazioni nel servizioAWS Serverless Application Repository (AWS SAM).
"Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ]
SESBulkTemplatedCrudPolicy
Concede il permesso di inviare e-mail Amazon SES, e-mail con modelli ed e-mail collettive basate su modelli e di verificare l'identità.
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SESCrudPolicy
Concede il permesso di inviare e-mail e verificare l'identità.
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SESEmailTemplateCrudPolicy
Concede il permesso di creare, ottenere, elencare, aggiornare ed eliminare modelli di email Amazon SES.
"Statement": [{ "Effect": "Allow", "Action": [ "ses:CreateTemplate", "ses:GetTemplate", "ses:ListTemplates", "ses:UpdateTemplate", "ses:DeleteTemplate", "ses:TestRenderTemplate" ], "Resource": "*" }]
SESSendBouncePolicy
SendBounce Autorizza l'utente a un'identità Amazon Simple Email Service (Amazon SES).
"Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SNSCrudPolicy
Concede il permesso di creare, pubblicare e sottoscrivere argomenti Amazon SNS.
"Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ]
SNSPublishMessagePolicy
Autorizza l'utente a pubblicare un messaggio su un argomento Amazon Simple Notification Service (Amazon SNS).
"Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ]
SQSPollerPolicy
Autorizza l'utente ad arrestare una coda Amazon Simple Queue Service (Amazon SQS).
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
SQSSendMessagePolicy
Autorizza l'utente ad inviare messaggi a una coda Amazon SQS.
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
SSMParameterReadPolicy
Consente di accedere a parametri da un archivio di parametri di Amazon EC2 Systems Manager (SSM) per caricare segreti in questo account.
Se non stai utilizzando la chiave predefinita, avrai bisogno anche dellaKMSDecryptPolicy politica.
"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]
StepFunctionsExecutionPolicy
Autorizza l'utente ad avviare l'esecuzione di una macchina a stati Step Functions.
"Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": { "Ref": "StateMachineName" } } ] } } ]
TextractDetectAnalyzePolicy
Fornisce l'accesso per rilevare e analizzare documenti con Amazon Textract.
"Statement": [ { "Effect": "Allow", "Action": [ "textract:DetectDocumentText", "textract:StartDocumentTextDetection", "textract:StartDocumentAnalysis", "textract:AnalyzeDocument" ], "Resource": "*" } ]
TextractGetResultPolicy
Consente l'accesso ai documenti rilevati e analizzati da Amazon Textract.
"Statement": [ { "Effect": "Allow", "Action": [ "textract:GetDocumentTextDetection", "textract:GetDocumentAnalysis" ], "Resource": "*" } ]
TextractPolicy
Fornisce l'accesso completo ad Amazon Textract.
"Statement": [ { "Effect": "Allow", "Action": [ "textract:*" ], "Resource": "*" } ]
VPCAccessPolicy
Fornisce l'accesso per creare, eliminare, descrivere e scollegare interfacce di rete elastiche.
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ]
