「翻訳は機械翻訳により提供されています。提供された翻訳内容と英語版の間で齟齬、不一致または矛盾がある場合、英語版が優先します。」
ポリシーテンプレートの一覧
以下は、使用可能なポリシーテンプレートと、各テンプレートに適用されるアクセス許可です。AWS サーバーレスアプリケーションモデル (AWS SAM) により、プレースホルダー項目 (AWS リージョンやアカウント ID など) に適切な情報が自動的に入力されます。
SQSPollerPolicy
(Amazon Simple Queue Service) キューをポーリングする権限を与えます。Amazon SQS
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
LambdaInvokePolicy
関数、エイリアス、またはバージョンを呼び出す権限を与えます。AWS Lambda
"Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ]
CloudWatchDescribeAlarmHistoryPolicy
Amazon CloudWatch アラーム履歴を記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmHistory" ], "Resource": "*" } ]
CloudWatchPutMetricPolicy
にメトリクスを送信する権限を与えます。CloudWatch
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ]
EC2DescribePolicy
(Amazon Elastic Compute Cloud) インスタンスを記述する権限を与えます。Amazon EC2
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ]
DynamoDBCrudPolicy
テーブルに対して作成、読み取り、更新、削除の権限を与えます。Amazon DynamoDB
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReadPolicy
DynamoDB テーブルに読み取り専用権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBWritePolicy
テーブルに書き込み専用権限を与えます。DynamoDB
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]
DynamoDBReconfigurePolicy
DynamoDB テーブルを再構成する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:UpdateTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
SESSendBouncePolicy
(SendBounce) ID に Amazon Simple Email Service 権限を与えます。Amazon SES
"Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
ElasticsearchHttpPostPolicy
Amazon Elasticsearch Service に POST と PUT の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost", "es:ESHttpPut" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": { "Ref": "DomainName" } } ] } } ]
S3ReadPolicy
(Amazon Simple Storage Service) バケット内のオブジェクトを読み取る読み取り専用権限を与えます。Amazon S3
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3WritePolicy
バケットにオブジェクトを書き込むための書き込み権限を与えます。Amazon S3
"Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
S3CrudPolicy
バケット内のオブジェクトに対するアクションの実行権限を、作成、読み取り、更新、および削除の権限を与えます。Amazon S3
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
AMIDescribePolicy
Amazon マシンイメージ (AMI) を記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*" } } ]
CloudFormationDescribeStacksPolicy
AWS CloudFormation スタックを記述する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ]
RekognitionDetectOnlyPolicy
顔、ラベル、およびテキストを検出する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ]
RekognitionNoDataAccessPolicy
顔とラベルを比較および検出する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionReadPolicy
顔のリスト表示と検索の権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
RekognitionWriteOnlyAccessPolicy
顔のコレクションを作成してインデックスを付けるアクセス権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]
SQSSendMessagePolicy
Amazon SQS キューにメッセージを送信する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]
SNSPublishMessagePolicy
(Amazon Simple Notification Service) トピックにメッセージを発行する権限を与えます。Amazon SNS
"Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ]
VPCAccessPolicy
Elastic Network Interface を作成、削除、説明、およびデタッチするアクセス許可を付与します。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ]
DynamoDBStreamReadPolicy
DynamoDB ストリームとレコードの記述と読み取りの権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": { "Ref": "TableName" } } ] } } ]
KinesisStreamReadPolicy
Amazon Kinesis ストリームを一覧表示し、読み取る権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
SESCrudPolicy
E メールを送信し、ID を確認する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SNSCrudPolicy
Amazon SNS トピックを作成、公開、サブスクライブする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ]
KinesisCrudPolicy
Amazon Kinesis ストリームを作成、発行、および削除する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]
KMSDecryptPolicy
(AWS Key Management Service) キーで復号する権限を与えます。AWS KMSは、キーエイリアスではなく、keyId キー ID である必要があります。AWS KMS
"Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
KMSEncryptPolicy
AWS KMS キーを使用して暗号化する権限を与えます。は、キーエイリアスではなく、keyId キー ID である必要があります。AWS KMS
"Statement": [ { "Action": "kms:Encrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]
PollyFullAccessPolicy
Amazon Polly レキシコンリソースへのフルアクセス権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ]
S3FullAccessPolicy
バケット内のオブジェクトに対するアクションを行うフルアクセス許可を付与します。Amazon S3
"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]
CodePipelineLambdaExecutionPolicy
AWS CodePipeline によって呼び出された Lambda 関数に対して、ジョブのステータスをレポートする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ]
ServerlessRepoReadWriteAccessPolicy
(AWS Serverless Application Repository) サービスでアプリケーションを作成して一覧表示する権限を与えます。AWS SAM
"Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ]
EC2CopyImagePolicy
Amazon EC2 イメージをコピーする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ]
AWSSecretsManagerRotationPolicy
AWS Secrets Manager でシークレットをローテーションする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]
AWSSecretsManagerGetSecretValuePolicy
指定された AWS Secrets Manager シークレットのシークレット値を取得する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ]
CodePipelineReadOnlyPolicy
CodePipeline パイプラインの詳細を取得するための読み取り権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:ListPipelineExecutions" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": { "Ref": "PipelineName" } } ] } } ]
CloudWatchDashboardPolicy
CloudWatch ダッシュボードを操作するメトリクスを配置する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ]
RekognitionFacesManagementPolicy
コレクション内の顔を追加、削除、および検索する権限を与えます。Amazon Rekognition
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:IndexFaces", "rekognition:DeleteFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage", "rekognition:ListFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } ]
RekognitionFacesPolicy
顔とラベルを比較および検出する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": "*" } ]
RekognitionLabelsPolicy
オブジェクトおよびモデレーションラベルを検出する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ]
DynamoDBBackupFullAccessPolicy
テーブルの DynamoDB オンデマンドバックアップに対する読み取りおよび書き込み権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ]
DynamoDBRestoreFromBackupPolicy
バックアップから DynamoDB テーブルを復元する権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]
ComprehendBasicAccessPolicy
エンティティ、キーフレーズ、言語、および感情を検出するための権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ]
MobileAnalyticsWriteOnlyAccessPolicy
すべてのアプリケーションリソースのイベントデータを格納するための書き込み専用権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ]
PinpointEndpointAccessPolicy
Amazon Pinpoint アプリケーションのエンドポイントを取得および更新する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ]
FirehoseWritePolicy
Kinesis Data Firehose デリバリーストリームへの書き込み権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
FirehoseCrudPolicy
Kinesis Data Firehose デリバリーストリームの作成、書き込み、更新、および削除権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]
EKSDescribePolicy
(Amazon Elastic Kubernetes Service) クラスターを記述または一覧表示する権限を与えます。Amazon EKS
"Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ]
CostExplorerReadOnlyPolicy
請求履歴に対する読み取り専用の AWS Cost Explorer (Cost Explorer) APIs に読み取り専用権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "ce:GetTags" ], "Resource": "*" }]
OrganizationsListAccountsPolicy
子アカウント名と IDs を一覧表示する読み取り専用権限を与えます。
"Statement": [{ "Effect": "Allow", "Action": [ "organizations:ListAccounts" ], "Resource": "*" }]
SESBulkTemplatedCrudPolicy
E メール、テンプレート化された E メール、およびテンプレート化されたバルク E メールの送信、および ID を確認する権限を与えます。Amazon SES
"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]
SESEmailTemplateCrudPolicy
E メールテンプレートを作成、取得、一覧表示、更新、削除する権限を与えます。Amazon SES
"Statement": [{ "Effect": "Allow", "Action": [ "ses:CreateTemplate", "ses:GetTemplate", "ses:ListTemplates", "ses:UpdateTemplate", "ses:DeleteTemplate", "ses:TestRenderTemplate" ], "Resource": "*" }]
FilterLogEventsPolicy
指定したロググループから CloudWatch Logs イベントをフィルタリングする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "logs:FilterLogEvents" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": { "Ref": "LogGroupName" } } ] } } ]
SSMParameterReadPolicy
(Amazon EC2 Systems Manager) パラメータストアからパラメータにアクセスして、このアカウントのシークレットをロードするアクセス許可を付与します。SSM
デフォルトのキーを使用していない場合は、KMSDecryptPolicy ポリシーも必要です。
"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]
StepFunctionsExecutionPolicy
Step Functions ステートマシンの実行を開始する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": { "Ref": "StateMachineName" } } ] } } ]
CodeCommitCrudPolicy
特定の CodeCommit リポジトリ内のオブジェクトを作成、読み取り、更新、および削除する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush", "codecommit:CreateBranch", "codecommit:DeleteBranch", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash", "codecommit:MergeBranchesByThreeWay", "codecommit:UpdateDefaultBranch", "codecommit:BatchDescribeMergeConflicts", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:CreatePullRequest", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:MergePullRequestByFastForward", "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay", "codecommit:PostCommentForPullRequest", "codecommit:UpdatePullRequestDescription", "codecommit:UpdatePullRequestStatus", "codecommit:UpdatePullRequestTitle", "codecommit:DeleteFile", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:PutFile", "codecommit:DeleteCommentContent", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:PostCommentForComparedCommit", "codecommit:PostCommentReply", "codecommit:UpdateComment", "codecommit:BatchGetCommits", "codecommit:CreateCommit", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:UpdateRepositoryDescription", "codecommit:ListTagsForResource", "codecommit:TagResource", "codecommit:UntagResource", "codecommit:GetRepositoryTriggers", "codecommit:PutRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
CodeCommitReadPolicy
特定の CodeCommit リポジトリ内のオブジェクトを読み取る権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:BatchDescribeMergeConflicts", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:BatchGetCommits", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:ListTagsForResource", "codecommit:GetRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]
AthenaQueryPolicy
Athena クエリを実行する権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:GetExecutionEngine", "athena:GetExecutionEngines", "athena:GetNamespace", "athena:GetCatalogs", "athena:GetNamespaces", "athena:GetTables", "athena:GetTable" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryResults", "athena:DeleteNamedQuery", "athena:GetNamedQuery", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResultsStream", "athena:ListNamedQueries", "athena:CreateNamedQuery", "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", { "workgroupName": { "Ref": "WorkGroupName" } } ] } } ]
TextractPolicy
へのフルアクセスを付与します。Amazon Textract
"Statement": [ { "Effect": "Allow", "Action": [ "textract:*" ], "Resource": "*" } ]
TextractDetectAnalyzePolicy
を使用してドキュメントを検出および分析する権限を与えます。Amazon Textract
"Statement": [ { "Effect": "Allow", "Action": [ "textract:DetectDocumentText", "textract:StartDocumentTextDetection", "textract:StartDocumentAnalysis", "textract:AnalyzeDocument" ], "Resource": "*" } ]
TextractGetResultPolicy
から検出および分析されたドキュメントを取得するためのアクセス権を付与します。Amazon Textract
"Statement": [ { "Effect": "Allow", "Action": [ "textract:GetDocumentTextDetection", "textract:GetDocumentAnalysis" ], "Resource": "*" } ]
EventBridgePutEventsPolicy
にイベントを送信する権限を与えます。Amazon EventBridge
"Statement": [ { "Effect": "Allow", "Action": "events:PutEvents", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}", { "eventBusName": { "Ref": "EventBusName" } } ] } } ]
ElasticMapReduceModifyInstanceFleetPolicy
クラスター内のインスタンスフリートの詳細をリストし、容量を変更する権限を与えます。
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceFleet", "elasticmapreduce:ListInstanceFleets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceSetTerminationProtectionPolicy
クラスターの終了保護を設定する権限を与えます。
"Statement": [ { "Action": "elasticmapreduce:SetTerminationProtection", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceModifyInstanceGroupsPolicy
クラスター内のインスタンスグループの詳細を一覧表示し、設定を変更する権限を与えます。
"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:ListInstanceGroups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceCancelStepsPolicy
実行中のクラスターで保留中のステップをキャンセルする権限を与えます。
"Statement": [ { "Action": "elasticmapreduce:CancelSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceTerminateJobFlowsPolicy
クラスターをシャットダウンする権限を与えます。
"Statement": [ { "Action": "elasticmapreduce:TerminateJobFlows", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
ElasticMapReduceAddJobFlowStepsPolicy
実行中のクラスターに新しいステップを追加する権限を与えます。
"Statement": [ { "Action": "elasticmapreduce:AddJobFlowSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]
SageMakerCreateEndpointPolicy
にエンドポイントを作成する権限を与えます。SageMaker
"Statement": [ { "Action": [ "sagemaker:CreateEndpoint" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}", { "endpointName": { "Ref": "EndpointName" } } ] }, "Effect": "Allow" } ]
SageMakerCreateEndpointConfigPolicy
でエンドポイント設定を作成する権限を与えます。SageMaker
"Statement": [ { "Action": [ "sagemaker:CreateEndpointConfig" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}", { "endpointConfigName": { "Ref": "EndpointConfigName" } } ] }, "Effect": "Allow" } ]
EcsRunTaskPolicy
タスク定義の新しいタスクを開始する権限を与えます。
"Statement": [ { "Action": [ "ecs:RunTask" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}", { "taskDefinition": { "Ref": "TaskDefinition" } } ] }, "Effect": "Allow" } ]
EFSWriteAccessPolicy
書き込みアクセス権を持つ Amazon EFS ファイルシステムをマウントする権限を与えます。
"Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}", { "FileSystem": { "Ref": "FileSystem" } } ] }, "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}", { "AccessPoint": { "Ref": "AccessPoint" } } ] } } } } ]
