翻訳は機械翻訳により提供されています。提供された翻訳内容と英語版の間で齟齬、不一致または矛盾がある場合、英語版が優先します。
ポリシーテンプレートリスト
以下は利用可能なポリシーテンプレートと、各テンプレートに適用されるアクセス権限です。AWS Serverless Application Model(AWS SAM) は自動的にプレースホルダー項目 (AWSリージョンIDおよびアカウント ID) に適切な情報を入力します。
SQSPollerPolicy
Amazon Simple Queue Service (Amazon SQS) キューにポーリングする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
LambdaInvokePolicy
呼び出す権限を与えますAWS Lambda関数、エイリアス、またはバージョンについて説明します。
"Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ]
CloudWatchDescribeAlarmHistoryPolicy
Amazon CloudWatch アラーム履歴を記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmHistory" ], "Resource": "*" } ]
CloudWatchPutMetricPolicy
CloudWatch にメトリックスを送信する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ]
EC2DescribePolicy
Amazon Elastic Compute Cloud (Amazon EC2) インスタンスを記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ]
DynamoDBCrudPolicy
Amazon DynamoDB テーブルに対して作成、読み取り、更新、および削除の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReadPolicy
DynamoDB テーブルに読み取り専用の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBWritePolicy
DynamoDB テーブルに書き込み専用の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReconfigurePolicy
DynamoDB テーブルを再構成する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:UpdateTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
SESSendBouncePolicy
Amazon Simple Email Service (Amazon SES) ID に対する SendBounce アクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
ElasticsearchHttpPostPolicy
Amazon Elasticsearch Service に POST と PUT のアクセス許可
"Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost", "es:ESHttpPut" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": { "Ref": "DomainName" } } ] } } ]
S3ReadPolicy
Amazon Simple Storage Service (Amazon S3) バケットのオブジェクトを読み取る読み取り専用のアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3WritePolicy
Amazon S3 バケットにオブジェクトを書き込むための書き込みアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3CrudPolicy
Amazon S3 バケットのオブジェクトに対してアクションする作成、読み取り、更新、および削除の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
AMIDescribePolicy
Amazon マシンイメージ (AMI) を記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": { "*" } } ]
CloudFormationDescribeStacksPolicy
AWS CloudFormation スタックを記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ]
RekognitionDetectOnlyPolicy
顔、ラベル、およびテキストを検出する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ]
RekognitionNoDataAccessPolicy
顔とラベルを比較および検出する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionReadPolicy
顔のリスト表示と検索の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionWriteOnlyAccessPolicy
顔のコレクションを作成してインデックスを付けるアクセス権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
SQSSendMessagePolicy
Amazon SQS キューにメッセージを送信する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
SNSPublishMessagePolicy
Amazon Simple Notification Service (Amazon SNS) トピックにメッセージを発行する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ]
VPCAccessPolicy
Elastic Network Interface を作成、削除、記述、デタッチするアクセス権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ]
DynamoDBStreamReadPolicy
DynamoDB ストリームとレコードの記述と読み取りの権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": { "Ref": "TableName" } } ] } } ]
KinesisStreamReadPolicy
Amazon Kinesis Kinesis ストリームを一覧表示して読み取る権限を与えます
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
SESCrudPolicy
E メールを送信し、ID を確認する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SNSCrudPolicy
Amazon SNS トピックを作成、発行、サブスクライブする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ]
KinesisCrudPolicy
Amazon Kinesis Kinesis Stream を作成、発行、および削除するアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
KMSDecryptPolicy
を使用して復号する権限を与えますAWS Key Management Service(AWS KMS) キー。注意keyIdを指定してくださいAWS KMSキー ID であり、キーエイリアスではありません。
"Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
KMSEncryptPolicy
AWS KMS キーを使用して暗号化する権限を与えます。keyId はAWS KMSキー ID であり、キーエイリアスではありません。
"Statement": [ { "Action": "kms:Encrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
PollyFullAccessPolicy
Amazon Polly レキシコンリソースへのフルアクセス権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ]
S3FullAccessPolicy
Amazon S3 バケットのオブジェクトに対してアクションするフルアクセス権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
CodePipelineLambdaExecutionPolicy
によって呼び出された Lambda 関数のアクセス許可を与えますAWS CodePipelineをクリックして、ジョブのステータスをレポートします。
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ]
ServerlessRepoReadWriteAccessPolicy
アプリケーションを作成して一覧表示する権限を与えますAWS Serverless Application Repository(AWS SAM) サービス。
"Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ]
EC2CopyImagePolicy
Amazon EC2 イメージをコピーする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ]
AWSSecretsManagerRotationPolicy
AWS Secrets Manager でシークレットをローテーションする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]
AWSSecretsManagerGetSecretValuePolicy
指定されたシークレット値を取得する権限を与えますAWS Secrets Managerのシークレット。
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ]
CodePipelineReadOnlyPolicy
CodePipeline パイプラインの詳細を取得する読み取りアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:ListPipelineExecutions" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": { "Ref": "PipelineName" } } ] } } ]
CloudWatchDashboardPolicy
CloudWatch ダッシュボードを操作するメトリクスを配置する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ]
RekognitionFacesManagementPolicy
Amazon Rekognition コレクション内の顔を追加、削除、および検索する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:IndexFaces", "rekognition:DeleteFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage", "rekognition:ListFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } ]
RekognitionFacesPolicy
顔とラベルを比較および検出する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": "*" } ]
RekognitionLabelsPolicy
オブジェクトおよびモデレーションラベルを検出する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ]
DynamoDBBackupFullAccessPolicy
テーブルの DynamoDB オンデマンドバックアップに対する読み取りおよび書き込み権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBRestoreFromBackupPolicy
DynamoDB テーブルをバックアップから復元する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
ComprehendBasicAccessPolicy
エンティティ、キーフレーズ、言語、および感情を検出するための権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ]
MobileAnalyticsWriteOnlyAccessPolicy
すべてのアプリケーションリソースのイベントデータを格納するための書き込み専用権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ]
PinpointEndpointAccessPolicy
Amazon Pinpointアプリケーションのエンドポイントを取得して更新するアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ]
FirehoseWritePolicy
Kinesis Data Firehose 配信ストリームへの書き込みアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
FirehoseCrudPolicy
Kinesis Data Firehose 配信ストリームを作成、書き込み、更新、削除するアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
EKSDescribePolicy
Amazon Elastic Kubernetes Service (Amazon EKS) クラスターを記述または一覧表示するアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ]
CostExplorerReadOnlyPolicy
読み取り専用の権限を与えますAWS Cost Explorer(Cost Explorer)請求履歴の API。
"Statement": [{ "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "ce:GetTags" ], "Resource": "*" }]
OrganizationsListAccountsPolicy
子アカウントの名前と ID を一覧表示する読み取り専用権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "organizations:ListAccounts" ], "Resource": "*" }]
SESBulkTemplatedCrudPolicy
Amazon SES E メール、テンプレート化された E メール、テンプレート化された一括 E メールの送信、および ID を確認する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SESEmailTemplateCrudPolicy
Amazon SES E E メールテンプレートの作成、取得、一覧表示、更新、および削除を行う権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "ses:CreateTemplate", "ses:GetTemplate", "ses:ListTemplates", "ses:UpdateTemplate", "ses:DeleteTemplate", "ses:TestRenderTemplate" ], "Resource": "*" }]
FilterLogEventsPolicy
指定されたロググループで CloudWatch Logs イベントをフィルタリングする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "logs:FilterLogEvents" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": { "Ref": "LogGroupName" } } ] } } ]
SSMParameterReadPolicy
このアカウントのシークレットをロードするための Amazon EC2 Systems Manager(SSM)パラメータストアからパラメータにアクセスする権限を与えます。
デフォルトのキーを使用していない場合は、KMSDecryptPolicyポリシー。
"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]
StepFunctionsExecutionPolicy
Step Functions ステートマシンの実行を開始する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": { "Ref": "StateMachineName" } } ] } } ]
CodeCommitCrudPolicy
特定の CodeCommit リポジトリ内のオブジェクトを作成、読み取り、更新、および削除するアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush", "codecommit:CreateBranch", "codecommit:DeleteBranch", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash", "codecommit:MergeBranchesByThreeWay", "codecommit:UpdateDefaultBranch", "codecommit:BatchDescribeMergeConflicts", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:CreatePullRequest", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:MergePullRequestByFastForward", "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay", "codecommit:PostCommentForPullRequest", "codecommit:UpdatePullRequestDescription", "codecommit:UpdatePullRequestStatus", "codecommit:UpdatePullRequestTitle", "codecommit:DeleteFile", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:PutFile", "codecommit:DeleteCommentContent", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:PostCommentForComparedCommit", "codecommit:PostCommentReply", "codecommit:UpdateComment", "codecommit:BatchGetCommits", "codecommit:CreateCommit", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:UpdateRepositoryDescription", "codecommit:ListTagsForResource", "codecommit:TagResource", "codecommit:UntagResource", "codecommit:GetRepositoryTriggers", "codecommit:PutRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
CodeCommitReadPolicy
特定の CodeCommit リポジトリ内のオブジェクトを読み取るアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:BatchDescribeMergeConflicts", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:BatchGetCommits", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:ListTagsForResource", "codecommit:GetRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
AthenaQueryPolicy
Athena クエリを実行する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:GetExecutionEngine", "athena:GetExecutionEngines", "athena:GetNamespace", "athena:GetCatalogs", "athena:GetNamespaces", "athena:GetTables", "athena:GetTable" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryResults", "athena:DeleteNamedQuery", "athena:GetNamedQuery", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResultsStream", "athena:ListNamedQueries", "athena:CreateNamedQuery", "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", { "workgroupName": { "Ref": "WorkGroupName" } } ] } } ]
TextractPolicy
Amazon Textract へのフルアクセス権を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "textract:*" ], "Resource": "*" } ]
TextractDetectAnalyzePolicy
Amazon Textract でドキュメントを検出および分析するためのアクセスを提供します。
"Statement": [ { "Effect": "Allow", "Action": [ "textract:DetectDocumentText", "textract:StartDocumentTextDetection", "textract:StartDocumentAnalysis", "textract:AnalyzeDocument" ], "Resource": "*" } ]
TextractGetResultPolicy
Amazon Textract からドキュメントを検出および分析するためのアクセスを提供します。
"Statement": [ { "Effect": "Allow", "Action": [ "textract:GetDocumentTextDetection", "textract:GetDocumentAnalysis" ], "Resource": "*" } ]
EventBridgePutEventsPolicy
Amazon EventBridge にイベントを送信する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": "events:PutEvents", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}", { "eventBusName": { "Ref": "EventBusName" } } ] } } ]
ElasticMapReduceModifyInstanceFleetPolicy
クラスター内のインスタンスフリートの詳細を一覧表示し、容量を変更する権限を与えます。
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceFleet", "elasticmapreduce:ListInstanceFleets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceSetTerminationProtectionPolicy
クラスターの終了保護を設定するアクセス許可を付与します。
"Statement": [ { "Action": "elasticmapreduce:SetTerminationProtection", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceModifyInstanceGroupsPolicy
クラスター内のインスタンスグループの詳細を一覧表示し、設定を変更する権限を与えます。
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:ListInstanceGroups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceCancelStepsPolicy
実行中のクラスターで保留中のステップを取り消すアクセス許可を付与します。
"Statement": [ { "Action": "elasticmapreduce:CancelSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceTerminateJobFlowsPolicy
クラスターをシャットダウンする権限を与えます。
"Statement": [ { "Action": "elasticmapreduce:TerminateJobFlows", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceAddJobFlowStepsPolicy
実行中のクラスターに新しいステップを追加する権限を与えます。
"Statement": [ { "Action": "elasticmapreduce:AddJobFlowSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
SageMakerCreateEndpointPolicy
SageMaker でエンドポイントを作成する権限を与えます。
"Statement": [ { "Action": [ "sagemaker:CreateEndpoint" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}", { "endpointName": { "Ref": "EndpointName" } } ] }, "Effect": "Allow" } ]
SageMakerCreateEndpointConfigPolicy
SageMaker でエンドポイント設定を作成する権限を与えます。
"Statement": [ { "Action": [ "sagemaker:CreateEndpointConfig" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}", { "endpointConfigName": { "Ref": "EndpointConfigName" } } ] }, "Effect": "Allow" } ]
EcsRunTaskPolicy
タスク定義で新しいタスクを開始する権限を与えます。
"Statement": [ { "Action": [ "ecs:RunTask" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}", { "taskDefinition": { "Ref": "TaskDefinition" } } ] }, "Effect": "Allow" } ]
EFSWriteAccessPolicy
Amazon EFS ファイルシステムへの書き込みアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}", { "FileSystem": { "Ref": "FileSystem" } } ] }, "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}", { "AccessPoint": { "Ref": "AccessPoint" } } ] } } } } ]
Route53ChangeResourceRecordSetsPolicy
Route53 でリソースレコードセットを変更する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}", { "HostedZoneId": { "Ref": "HostedZoneId" } } ] } } ]
