SQSPollerPolicy LambdaInvokePolítica CloudWatchDescribeAlarmHistoryPolicy CloudWatchPutMetricPolítica EC2DescribePolicy DynamoDBCrudPolicy DynamoDBReadPolicy DynamoDBWritePolicy DynamoDBReconfigurePolicy SESSendBouncePolítica ElasticsearchHttpPostPolicy S3ReadPolicy S3WritePolicy S3CrudPolicy AMIDescribePolicy CloudFormationDescribeStacksPolítica RekognitionDetectOnlyPolicy RekognitionNoDataAccessPolítica RekognitionReadPolítica RekognitionWriteOnlyAccessPolítica SQSSendMessagePolítica SNSPublishMessagePolítica VPCAccessPolicy DynamoDBStreamReadPolítica KinesisStreamReadPolicy SESCrudPolicy SNSCrudPolicy KinesisCrudPolítica KMSDecryptPolicy KMSEncryptPolicy PollyFullAccessPolicy S3FullAccessPolítica CodePipelineLambdaExecutionPolítica ServerlessRepoReadWriteAccessPolicy EC2CopyImagePolítica AWSSecretsManagerRotationPolicy AWSSecretsManagerGetSecretValuePolicy CodePipelineReadOnlyPolítica CloudWatchDashboardPolicy RekognitionFacesManagementPolicy RekognitionFacesPolítica RekognitionLabelsPolítica DynamoDBBackupFullAccessPolicy DynamoDBRestoreFromBackupPolicy ComprehendBasicAccessPolicy MobileAnalyticsWriteOnlyAccessPolicy PinpointEndpointAccessPolicy FirehoseWritePolítica FirehoseCrudPolítica EKSDescribePolicy CostExplorerReadOnlyPolítica OrganizationsListAccountsPolicy SESBulkTemplatedCrudPolicy SESEmailTemplateCrudPolicy FilterLogEventsPolicy SSMParameterReadPolítica StepFunctionsExecutionPolicy CodeCommitCrudPolicy CodeCommitReadPolicy AthenaQueryPolítica TextractPolicy TextractDetectAnalyzePolicy TextractGetResultPolicy EventBridgePutEventsPolítica ElasticMapReduceModifyInstanceFleetPolítica ElasticMapReduceSetTerminationProtectionPolítica ElasticMapReduceModifyInstanceGroupsPolítica ElasticMapReduceCancelStepsPolicy ElasticMapReduceTerminateJobFlowsPolítica ElasticMapReduceAddJobFlowStepsPolicy SageMakerCreateEndpointPolítica SageMakerCreateEndpointConfigPolicy EcsRunTaskPolicy EFSWriteAccessPolítica Route53ChangeResourceRecordSetsPolítica AcmGetCertificatePolicy

Lista de modelos de política

A tabela a seguir estão os modelos de política disponíveis, juntamente com as permissões aplicadas a cada um.AWS Serverless Application Model(AWS SAM) preencherá automaticamente os itens de espaço reservado (comoAWSRegion e account ID) com as informações apropriadas.

SQSPollerPolicy

Concede permissão para pesquisar uma fila do Amazon Simple Queue Service (Amazon SQS).



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sqs:ChangeMessageVisibility",
              "sqs:ChangeMessageVisibilityBatch",
              "sqs:DeleteMessage",
              "sqs:DeleteMessageBatch",
              "sqs:GetQueueAttributes",
              "sqs:ReceiveMessage"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
                {
                  "queueName": {
                    "Ref": "QueueName"
                  }
                }
              ]
            }
          }
        ]

LambdaInvokePolítica

Concede permissão para invocar umAWS Lambdafunção, alias ou versão.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "lambda:InvokeFunction"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
                {
                  "functionName": {
                    "Ref": "FunctionName"
                  }
                }
              ]
            }
          }
        ]

CloudWatchDescribeAlarmHistoryPolicy

Concede permissão para descrever a AmazonCloudWatchhistórico de alarme.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudwatch:DescribeAlarmHistory"
            ],
            "Resource": "*"
          }
        ]

CloudWatchPutMetricPolítica

Concede permissão para enviar métricas paraCloudWatch.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
          }
        ]

EC2DescribePolicy

Concede permissão para descrever instâncias do Amazon Elastic Compute Cloud (Amazon EC2).



         "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeRegions",
              "ec2:DescribeInstances"
            ],
            "Resource": "*"
          }
        ]

DynamoDBCrudPolicy

Concede permissões de criação, leitura, atualização e exclusão para uma tabela do Amazon DynamoDB.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:GetItem",
              "dynamodb:DeleteItem",
              "dynamodb:PutItem",
              "dynamodb:Scan",
              "dynamodb:Query",
              "dynamodb:UpdateItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:BatchGetItem",
              "dynamodb:DescribeTable",
              "dynamodb:ConditionCheckItem"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
                  {
                    "tableName": {
                      "Ref": "TableName"
                    }
                  }
                ]
              },
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
                  {
                    "tableName": {
                      "Ref": "TableName"
                    }
                  }
                ]
              }
            ]
          }
        ]

DynamoDBReadPolicy

Concede permissão somente leitura a uma tabela do DynamoDB.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:GetItem",
              "dynamodb:Scan",
              "dynamodb:Query",
              "dynamodb:BatchGetItem",
              "dynamodb:DescribeTable"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
                  {
                    "tableName": {
                      "Ref": "TableName"
                    }
                  }
                ]
              },
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
                  {
                    "tableName": {
                      "Ref": "TableName"
                    }
                  }
                ]
              }
            ]
          }
        ]

DynamoDBWritePolicy

Concede permissão somente gravação a uma tabela do DynamoDB.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:PutItem",
              "dynamodb:UpdateItem",
              "dynamodb:BatchWriteItem"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
                  {
                    "tableName": {
                      "Ref": "TableName"
                    }
                  }
                ]
              },
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
                  {
                    "tableName": {
                      "Ref": "TableName"
                    }
                  }
                ]
              }
            ]
          }
        ]

DynamoDBReconfigurePolicy

Concede permissão para reconfigurar uma tabela do DynamoDB.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:UpdateTable"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
                {
                  "tableName": {
                    "Ref": "TableName"
                  }
                }
              ]
            }
          }
        ]

SESSendBouncePolítica

Concede aoSendBounceConcede permissão para uma identidade do Amazon Simple Email Service (Amazon SES).



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ses:SendBounce"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
                {
                  "identityName": {
                    "Ref": "IdentityName"
                  }
                }
              ]
            }
          }
        ]

ElasticsearchHttpPostPolicy

Dá permissão POST e PUT à AmazonOpenSearchServiço.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "es:ESHttpPost",
              "es:ESHttpPut"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*",
                {
                  "domainName": {
                    "Ref": "DomainName"
                  }
                }
              ]
            }
          }
        ]

S3ReadPolicy

Concede permissão somente leitura para ler objetos em um bucket do Amazon Simple Storage Service (Amazon S3).



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket",
              "s3:GetBucketLocation",
              "s3:GetObjectVersion",
              "s3:GetLifecycleConfiguration"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              },
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}/*",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              }
            ]
          }
        ]

S3WritePolicy

Concede permissão de gravação para gravar objetos em um bucket do Amazon S3.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:PutObject",
              "s3:PutObjectAcl",
              "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              },
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}/*",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              }
            ]
          }
        ]

S3CrudPolicy

Dá permissão de criação, leitura, atualização e exclusão para agir sobre os objetos em um bucket do Amazon S3.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket",
              "s3:GetBucketLocation",
              "s3:GetObjectVersion",
              "s3:PutObject",
              "s3:PutObjectAcl",
              "s3:GetLifecycleConfiguration",
              "s3:PutLifecycleConfiguration",
              "s3:DeleteObject"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              },
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}/*",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              }
            ]
          }
        ]

AMIDescribePolicy

Concede permissão para descrever imagens de máquina da Amazon (AMIs).



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeImages"
            ],
            "Resource": "*"
          }
        ]

CloudFormationDescribeStacksPolítica

Dá permissão para descreverAWS CloudFormationpilhas.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudformation:DescribeStacks"
            ],
            "Resource": {
              "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
            }
          }
        ]

RekognitionDetectOnlyPolicy

Concede permissão para detectar faces, rótulos e texto.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "rekognition:DetectFaces",
              "rekognition:DetectLabels",
              "rekognition:DetectModerationLabels",
              "rekognition:DetectText"
            ],
            "Resource": "*"
          }
        ]

RekognitionNoDataAccessPolítica

Concede permissão para comparar e detectar faces e rótulos.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "rekognition:CompareFaces",
              "rekognition:DetectFaces",
              "rekognition:DetectLabels",
              "rekognition:DetectModerationLabels"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
                {
                  "collectionId": {
                    "Ref": "CollectionId"
                  }
                }
              ]
            }
          }
        ]

RekognitionReadPolítica

Dá permissão para listar e pesquisar rostos.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "rekognition:ListCollections",
              "rekognition:ListFaces",
              "rekognition:SearchFaces",
              "rekognition:SearchFacesByImage"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
                {
                  "collectionId": {
                    "Ref": "CollectionId"
                  }
                }
              ]
            }
          }
        ]

RekognitionWriteOnlyAccessPolítica

Dá permissão para criar faces de coleta e índice.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "rekognition:CreateCollection",
              "rekognition:IndexFaces"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
                {
                  "collectionId": {
                    "Ref": "CollectionId"
                  }
                }
              ]
            }
          }
        ]

SQSSendMessagePolítica

Concede permissão para enviar mensagem para uma fila do Amazon SQS.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sqs:SendMessage*"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
                {
                  "queueName": {
                    "Ref": "QueueName"
                  }
                }
              ]
            }
          }
        ]

SNSPublishMessagePolítica

Concede permissão para publicar uma mensagem em um tópico do Amazon Simple Notification Service (Amazon SNS).



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sns:Publish"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
                {
                  "topicName": {
                    "Ref": "TopicName"
                  }
                }
              ]
            }
          }
        ]

VPCAccessPolicy

Dá acesso para criar, excluir, descrever e desanexar interfaces de rede elásticas.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:CreateNetworkInterface",
              "ec2:DeleteNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DetachNetworkInterface"
            ],
            "Resource": "*"
          }
        ]

DynamoDBStreamReadPolítica

Dá permissão para descrever e ler fluxos e registros do DynamoDB.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:DescribeStream",
              "dynamodb:GetRecords",
              "dynamodb:GetShardIterator"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}",
                {
                  "tableName": {
                    "Ref": "TableName"
                  },
                  "streamName": {
                    "Ref": "StreamName"
                  }
                }
              ]
            }
          },
         {
            "Effect": "Allow",
            "Action": [
              "dynamodb:ListStreams"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*",
                {
                  "tableName": {
                    "Ref": "TableName"
                  }
                }
              ]
            }
          }          
        ]

KinesisStreamReadPolicy

Concede permissão para listar e ler um fluxo do Amazon Kinesis.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kinesis:ListStreams",
              "kinesis:DescribeLimits"
            ],
            "Resource": {
              "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
            }
          },
          {
            "Effect": "Allow",
            "Action": [
              "kinesis:DescribeStream",
              "kinesis:DescribeStreamSummary",
              "kinesis:GetRecords",
              "kinesis:GetShardIterator"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
                {
                  "streamName": {
                    "Ref": "StreamName"
                  }
                }
              ]
            }
          }
        ]

SESCrudPolicy

Dá permissão para enviar e-mail e verificar a identidade.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ses:GetIdentityVerificationAttributes",
              "ses:SendEmail",
              "ses:SendRawEmail",
              "ses:VerifyEmailIdentity"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
                {
                  "identityName": {
                    "Ref": "IdentityName"
                  }
                }
              ]
            }
          }
        ]

Dá permissão para criar, publicar e assinar tópicos do Amazon SNS.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sns:ListSubscriptionsByTopic",
              "sns:CreateTopic",
              "sns:SetTopicAttributes",
              "sns:Subscribe",
              "sns:Publish"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
                {
                  "topicName": {
                    "Ref": "TopicName"
                  }
                }
              ]
            }
          }
        ]

KinesisCrudPolítica

Dá permissão para criar, publicar e excluir um stream do Amazon Kinesis.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kinesis:AddTagsToStream",
              "kinesis:CreateStream",
              "kinesis:DecreaseStreamRetentionPeriod",
              "kinesis:DeleteStream",
              "kinesis:DescribeStream",
              "kinesis:DescribeStreamSummary",
              "kinesis:GetShardIterator",
              "kinesis:IncreaseStreamRetentionPeriod",
              "kinesis:ListTagsForStream",
              "kinesis:MergeShards",
              "kinesis:PutRecord",
              "kinesis:PutRecords",
              "kinesis:SplitShard",
              "kinesis:RemoveTagsFromStream"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
                {
                  "streamName": {
                    "Ref": "StreamName"
                  }
                }
              ]
            }
          }
        ]

KMSDecryptPolicy

Dá permissão para descriptografar com umAWS Key Management Service(AWS KMSchave). Observe quekeyIddeve ser umAWS KMSID da chave, e não um alias de chave.



        "Statement": [
          {
            "Action": "kms:Decrypt",
            "Effect": "Allow",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
                {
                  "keyId": {
                    "Ref": "KeyId"
                  }
                }
              ]
            }
          }
        ]

KMSEncryptPolicy

Dá permissão para criptografar com umAWS KMSchave. Observe que o KeyID deve ser umAWS KMSID da chave, e não um alias de chave.



        "Statement": [
          {
            "Action": "kms:Encrypt",
            "Effect": "Allow",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
                {
                  "keyId": {
                    "Ref": "KeyId"
                  }
                }
              ]
            }
          }
        ]

PollyFullAccessPolicy

Dá permissão de acesso total aos recursos do Amazon Polly lexicon.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "polly:GetLexicon",
              "polly:DeleteLexicon"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
                  {
                    "lexiconName": {
                      "Ref": "LexiconName"
                    }
                  }
                ]
              }
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "polly:DescribeVoices",
              "polly:ListLexicons",
              "polly:PutLexicon",
              "polly:SynthesizeSpeech"
            ],
            "Resource": [
              {
                "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
              }
            ]
          }
        ]

S3FullAccessPolítica

Dá permissão de acesso total para agir sobre os objetos em um bucket do Amazon S3.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:GetObjectAcl",
              "s3:GetObjectVersion",
              "s3:PutObject",
              "s3:PutObjectAcl",
              "s3:DeleteObject",
              "s3:DeleteObjectTagging",
              "s3:DeleteObjectVersionTagging",
              "s3:GetObjectTagging",
              "s3:GetObjectVersionTagging",
              "s3:PutObjectTagging",
              "s3:PutObjectVersionTagging"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}/*",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              }
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation",
              "s3:GetLifecycleConfiguration",
              "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
              {
                "Fn::Sub": [
                  "arn:${AWS::Partition}:s3:::${bucketName}",
                  {
                    "bucketName": {
                      "Ref": "BucketName"
                    }
                  }
                ]
              }
            ]
          }
        ]

CodePipelineLambdaExecutionPolítica

Dá permissão para uma função do Lambda invocada porAWS CodePipelinepara relatar o status do trabalho.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "codepipeline:PutJobSuccessResult",
              "codepipeline:PutJobFailureResult"
            ],
            "Resource": "*"
          }
        ]

ServerlessRepoReadWriteAccessPolicy

Concede permissão para criar e listar aplicativos noAWS Serverless Application Repository(AWS SAM) serviço.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "serverlessrepo:CreateApplication",
              "serverlessrepo:CreateApplicationVersion",
              "serverlessrepo:GetApplication",
              "serverlessrepo:ListApplications",
              "serverlessrepo:ListApplicationVersions"
            ],
            "Resource": [
              {
                "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
              }
            ]
          }
        ]

EC2CopyImagePolítica

Concede permissão para copiar imagens do Amazon EC2.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:CopyImage"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
                {
                  "imageId": {
                    "Ref": "ImageId"
                  }
                }
              ]
            }
          }
        ]

AWSSecretsManagerRotationPolicy

Dá permissão para girar um segredo emAWS Secrets Manager.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:DescribeSecret",
              "secretsmanager:GetSecretValue",
              "secretsmanager:PutSecretValue",
              "secretsmanager:UpdateSecretVersionStage"
            ],
            "Resource": {
              "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
            },
            "Condition": {
              "StringEquals": {
                "secretsmanager:resource/AllowRotationLambdaArn": {
                  "Fn::Sub": [
                    "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
                    {
                      "functionName": {
                        "Ref": "FunctionName"
                      }
                    }
                  ]
                }
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetRandomPassword"
            ],
            "Resource": "*"
          }
        ]

AWSSecretsManagerGetSecretValuePolicy

Concede permissão para obter o valor secreto do especificadoAWS Secrets Managersegredo do.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetSecretValue"
            ],
            "Resource": {
              "Fn::Sub": [
                "${secretArn}",
                {
                  "secretArn": {
                    "Ref": "SecretArn"
                  }
                }
              ]
            }
          }
        ]

CodePipelineReadOnlyPolítica

Concede permissão de leitura para obter detalhes sobre umCodePipelinepipeline.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "codepipeline:ListPipelineExecutions"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}",
                {
                  "pipelinename": {
                    "Ref": "PipelineName"
                  }
                }
              ]
            }
          }
        ]

CloudWatchDashboardPolicy

Dá permissões para colocar métricas para operarCloudWatchPainéis do.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudwatch:GetDashboard",
              "cloudwatch:ListDashboards",
              "cloudwatch:PutDashboard",
              "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
          }
        ]

RekognitionFacesManagementPolicy

Dá permissão para adicionar, excluir e pesquisar faces em uma coleção do Amazon Rekognition.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "rekognition:IndexFaces",
            "rekognition:DeleteFaces",
            "rekognition:SearchFaces",
            "rekognition:SearchFacesByImage",
            "rekognition:ListFaces"
          ],
          "Resource": {
            "Fn::Sub": [
              "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
              {
                "collectionId": {
                  "Ref": "CollectionId"
                }
              }
            ]
          }
        }]

RekognitionFacesPolítica

Concede permissão para comparar e detectar faces e rótulos.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "rekognition:CompareFaces",
            "rekognition:DetectFaces"
          ],
          "Resource": "*"
          }
        ]

RekognitionLabelsPolítica

Dá permissão para detectar rótulos de objeto e moderação.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "rekognition:DetectLabels",
            "rekognition:DetectModerationLabels"
          ],
          "Resource": "*"
         }
        ]

DynamoDBBackupFullAccessPolicy

Concede permissão de leitura e gravação aos backups sob demanda do DynamoDB para uma tabela.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "dynamodb:CreateBackup",
            "dynamodb:DescribeContinuousBackups"
          ],
          "Resource": {
            "Fn::Sub": [
              "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
              {
                "tableName": {
                  "Ref": "TableName"
                }
              }
            ]
          }
        },
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:DeleteBackup",
              "dynamodb:DescribeBackup",
              "dynamodb:ListBackups"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
                {
                  "tableName": {
                    "Ref": "TableName"
                  }
                }
              ]
            }
          }
        ]

DynamoDBRestoreFromBackupPolicy

Dá permissão para restaurar uma tabela do DynamoDB a partir do backup.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "dynamodb:RestoreTableFromBackup"
          ],
          "Resource": {
            "Fn::Sub": [
              "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
              {
                "tableName": {
                  "Ref": "TableName"
                }
              }
            ]
          }
        },
          {
            "Effect": "Allow",
            "Action": [
              "dynamodb:PutItem",
              "dynamodb:UpdateItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:Query",
              "dynamodb:Scan",
              "dynamodb:BatchWriteItem"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
                {
                  "tableName": {
                    "Ref": "TableName"
                  }
                }
              ]
            }
          }
        ]

ComprehendBasicAccessPolicy

Concede permissão para detectar entidades, frases-chave, linguagens e sentimentos.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "comprehend:BatchDetectKeyPhrases",
            "comprehend:DetectDominantLanguage",
            "comprehend:DetectEntities",
            "comprehend:BatchDetectEntities",
            "comprehend:DetectKeyPhrases",
            "comprehend:DetectSentiment",
            "comprehend:BatchDetectDominantLanguage",
            "comprehend:BatchDetectSentiment"
          ],
          "Resource": "*"
          }
        ]

MobileAnalyticsWriteOnlyAccessPolicy

Concede permissão somente gravação para colocar dados de eventos para todos os recursos do aplicativo.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "mobileanalytics:PutEvents"
            ],
            "Resource": "*"
          }
        ]

PinpointEndpointAccessPolicy

Concede permissão para obter e atualizar endpoints para um aplicativo Amazon Pinpoint.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "mobiletargeting:GetEndpoint",
              "mobiletargeting:UpdateEndpoint",
              "mobiletargeting:UpdateEndpointsBatch"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
                {
                  "pinpointApplicationId": {
                    "Ref": "PinpointApplicationId"
                  }
                }
              ]
            }
          }
        ]

FirehoseWritePolítica

Concede permissão para gravar em um fluxo de entrega do Kinesis Data Firehose.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "firehose:PutRecord",
              "firehose:PutRecordBatch"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
                {
                  "deliveryStreamName": {
                    "Ref": "DeliveryStreamName"
                  }
                }
              ]
            }
          }
        ]

FirehoseCrudPolítica

Concede permissão para criar, gravar, atualizar e excluir um fluxo de entrega do Kinesis Data Firehose.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "firehose:CreateDeliveryStream",
              "firehose:DeleteDeliveryStream",
              "firehose:DescribeDeliveryStream",
              "firehose:PutRecord",
              "firehose:PutRecordBatch",
              "firehose:UpdateDestination"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
                {
                  "deliveryStreamName": {
                    "Ref": "DeliveryStreamName"
                  }
                }
              ]
            }
          }
        ]

EKSDescribePolicy

Concede permissão para descrever ou listar clusters do Amazon Elastic Kubernetes Service (Amazon EKS).



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "eks:DescribeCluster",
              "eks:ListClusters"
            ],
            "Resource": "*"
          }
        ]

CostExplorerReadOnlyPolítica

Concede permissão somente leitura ao somente leituraAWS Cost Explorer(Cost Explorer) APIs para histórico de faturamento.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "ce:GetCostAndUsage",
            "ce:GetDimensionValues",
            "ce:GetReservationCoverage",
            "ce:GetReservationPurchaseRecommendation",
            "ce:GetReservationUtilization",
            "ce:GetTags"
          ],
          "Resource": "*"
        }]

OrganizationsListAccountsPolicy

Dá permissão somente leitura para listar nomes e IDs de contas filho.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "organizations:ListAccounts"
          ],
          "Resource": "*"
        }]

SESBulkTemplatedCrudPolicy

Dá permissão para enviar e-mail do Amazon SES, e-mail com modelo e e-mails em massa modelados e para verificar a identidade.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ses:GetIdentityVerificationAttributes",
              "ses:SendEmail",
              "ses:SendRawEmail",
              "ses:SendTemplatedEmail",
              "ses:SendBulkTemplatedEmail",
              "ses:VerifyEmailIdentity"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
                {
                  "identityName": {
                    "Ref": "IdentityName"
                  }
                }
              ]
            }
          }
       ]

SESEmailTemplateCrudPolicy

Concede permissão para criar, obter, listar, atualizar e excluir modelos de e-mail do Amazon SES.



        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "ses:CreateTemplate",
            "ses:GetTemplate",
            "ses:ListTemplates",
            "ses:UpdateTemplate",
            "ses:DeleteTemplate",
            "ses:TestRenderTemplate"
          ],
          "Resource": "*"
        }]

FilterLogEventsPolicy

Dá permissão para filtrarCloudWatchRegistra eventos de um grupo de logs específico.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:FilterLogEvents"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*",
                {
                  "logGroupName": {
                    "Ref": "LogGroupName"
                  }
                }
              ]
            }
          }
        ]

SSMParameterReadPolítica

Dá permissão para acessar parâmetros de um armazenamento de parâmetros do Amazon EC2 Systems Manager (SSM) para carregar segredos nessa conta.

nota

Se você não estiver usando a tecla padrão, você também precisará doKMSDecryptPolicypolítica.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ssm:DescribeParameters"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ssm:GetParameters",
              "ssm:GetParameter",
              "ssm:GetParametersByPath"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
                {
                  "parameterName": {
                    "Ref": "ParameterName"
                  }
                }
              ]
            }
          }
        ]

StepFunctionsExecutionPolicy

Concede permissão para iniciar uma execução de máquina de estados do Step Functions.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "states:StartExecution"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
                {
                  "stateMachineName": {
                    "Ref": "StateMachineName"
                  }
                }
              ]
            }
          }
        ]

CodeCommitCrudPolicy

Concede permissões para criar, ler, atualizar e excluir objetos dentro de um específicoCodeCommitrepositório do.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "codecommit:GitPull",
              "codecommit:GitPush",
              "codecommit:CreateBranch",
              "codecommit:DeleteBranch",
              "codecommit:GetBranch",
              "codecommit:ListBranches",
              "codecommit:MergeBranchesByFastForward",
              "codecommit:MergeBranchesBySquash",
              "codecommit:MergeBranchesByThreeWay",
              "codecommit:UpdateDefaultBranch",
              "codecommit:BatchDescribeMergeConflicts",
              "codecommit:CreateUnreferencedMergeCommit",
              "codecommit:DescribeMergeConflicts",
              "codecommit:GetMergeCommit",
              "codecommit:GetMergeOptions",
              "codecommit:BatchGetPullRequests",
              "codecommit:CreatePullRequest",
              "codecommit:DescribePullRequestEvents",
              "codecommit:GetCommentsForPullRequest",
              "codecommit:GetCommitsFromMergeBase",
              "codecommit:GetMergeConflicts",
              "codecommit:GetPullRequest",
              "codecommit:ListPullRequests",
              "codecommit:MergePullRequestByFastForward",
              "codecommit:MergePullRequestBySquash",
              "codecommit:MergePullRequestByThreeWay",
              "codecommit:PostCommentForPullRequest",
              "codecommit:UpdatePullRequestDescription",
              "codecommit:UpdatePullRequestStatus",
              "codecommit:UpdatePullRequestTitle",
              "codecommit:DeleteFile",
              "codecommit:GetBlob",
              "codecommit:GetFile",
              "codecommit:GetFolder",
              "codecommit:PutFile",
              "codecommit:DeleteCommentContent",
              "codecommit:GetComment",
              "codecommit:GetCommentsForComparedCommit",
              "codecommit:PostCommentForComparedCommit",
              "codecommit:PostCommentReply",
              "codecommit:UpdateComment",
              "codecommit:BatchGetCommits",
              "codecommit:CreateCommit",
              "codecommit:GetCommit",
              "codecommit:GetCommitHistory",
              "codecommit:GetDifferences",
              "codecommit:GetObjectIdentifier",
              "codecommit:GetReferences",
              "codecommit:GetTree",
              "codecommit:GetRepository",
              "codecommit:UpdateRepositoryDescription",
              "codecommit:ListTagsForResource",
              "codecommit:TagResource",
              "codecommit:UntagResource",
              "codecommit:GetRepositoryTriggers",
              "codecommit:PutRepositoryTriggers",
              "codecommit:TestRepositoryTriggers",
              "codecommit:GetBranch",
              "codecommit:GetCommit",
              "codecommit:UploadArchive",
              "codecommit:GetUploadArchiveStatus",
              "codecommit:CancelUploadArchive"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
                {
                  "repositoryName": {
                    "Ref": "RepositoryName"
                  }
                }
              ]
            }
          }
        ]

CodeCommitReadPolicy

Dá permissões para ler objetos dentro de um específicoCodeCommitrepositório do.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "codecommit:GitPull",
              "codecommit:GetBranch",
              "codecommit:ListBranches",
              "codecommit:BatchDescribeMergeConflicts",
              "codecommit:DescribeMergeConflicts",
              "codecommit:GetMergeCommit",
              "codecommit:GetMergeOptions",
              "codecommit:BatchGetPullRequests",
              "codecommit:DescribePullRequestEvents",
              "codecommit:GetCommentsForPullRequest",
              "codecommit:GetCommitsFromMergeBase",
              "codecommit:GetMergeConflicts",
              "codecommit:GetPullRequest",
              "codecommit:ListPullRequests",
              "codecommit:GetBlob",
              "codecommit:GetFile",
              "codecommit:GetFolder",
              "codecommit:GetComment",
              "codecommit:GetCommentsForComparedCommit",
              "codecommit:BatchGetCommits",
              "codecommit:GetCommit",
              "codecommit:GetCommitHistory",
              "codecommit:GetDifferences",
              "codecommit:GetObjectIdentifier",
              "codecommit:GetReferences",
              "codecommit:GetTree",
              "codecommit:GetRepository",
              "codecommit:ListTagsForResource",
              "codecommit:GetRepositoryTriggers",
              "codecommit:TestRepositoryTriggers",
              "codecommit:GetBranch",
              "codecommit:GetCommit",
              "codecommit:GetUploadArchiveStatus"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
                {
                  "repositoryName": {
                    "Ref": "RepositoryName"
                  }
                }
              ]
            }
          }
        ]

AthenaQueryPolítica

Dá permissões para executar consultas do Athena.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "athena:ListWorkGroups",
              "athena:GetExecutionEngine",
              "athena:GetExecutionEngines",
              "athena:GetNamespace",
              "athena:GetCatalogs",
              "athena:GetNamespaces",
              "athena:GetTables",
              "athena:GetTable"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "athena:StartQueryExecution",
              "athena:GetQueryResults",
              "athena:DeleteNamedQuery",
              "athena:GetNamedQuery",
              "athena:ListQueryExecutions",
              "athena:StopQueryExecution",
              "athena:GetQueryResultsStream",
              "athena:ListNamedQueries",
              "athena:CreateNamedQuery",
              "athena:GetQueryExecution",
              "athena:BatchGetNamedQuery",
              "athena:BatchGetQueryExecution",
              "athena:GetWorkGroup"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
                {
                  "workgroupName": {
                    "Ref": "WorkGroupName"
                  }
                }
              ]
            }
          }
        ]

TextractPolicy

Concede ao acesso total ao Amazon Textract.



        "Statement": [
         {
            "Effect": "Allow",
            "Action": [
              "textract:*"
            ],
            "Resource": "*"
          }
        ]

TextractDetectAnalyzePolicy

Dá acesso para detectar e analisar documentos com o Amazon Textract.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "textract:DetectDocumentText",
              "textract:StartDocumentTextDetection",
              "textract:StartDocumentAnalysis",
              "textract:AnalyzeDocument"
            ],
            "Resource": "*"
          }
        ]

TextractGetResultPolicy

Dá acesso para obter documentos detectados e analisados do Amazon Textract.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "textract:GetDocumentTextDetection",
              "textract:GetDocumentAnalysis"
            ],
            "Resource": "*"
          }
        ]

EventBridgePutEventsPolítica

Concede permissões para enviar eventos para a AmazonEventBridge.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}",
                {
                  "eventBusName": {
                    "Ref": "EventBusName"
                  }
                }
              ]
            }
          }
        ]

ElasticMapReduceModifyInstanceFleetPolítica

Dá permissão para listar detalhes e modificar capacidades para frotas de instâncias dentro de um cluster.



        "Statement": [
          {
            "Action": [
              "elasticmapreduce:ModifyInstanceFleet",
              "elasticmapreduce:ListInstanceFleets"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
                {
                  "clusterId": {
                    "Ref": "ClusterId"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

ElasticMapReduceSetTerminationProtectionPolítica

Concede permissão para definir a proteção contra encerramento para um cluster.



        "Statement": [
          {
            "Action": "elasticmapreduce:SetTerminationProtection",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
                {
                  "clusterId": {
                    "Ref": "ClusterId"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

ElasticMapReduceModifyInstanceGroupsPolítica

Dá permissão para listar detalhes e modificar configurações para grupos de instâncias em um cluster.



        "Statement": [
          {
            "Action": [
              "elasticmapreduce:ModifyInstanceGroups",
              "elasticmapreduce:ListInstanceGroups"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
                {
                  "clusterId": {
                    "Ref": "ClusterId"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

ElasticMapReduceCancelStepsPolicy

Concede permissão para cancelar uma etapa pendente ou etapas em um cluster em execução.



        "Statement": [
          {
            "Action": "elasticmapreduce:CancelSteps",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
                {
                  "clusterId": {
                    "Ref": "ClusterId"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

ElasticMapReduceTerminateJobFlowsPolítica

Concede permissão para desligar um cluster.



        "Statement": [
          {
            "Action": "elasticmapreduce:TerminateJobFlows",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
                {
                  "clusterId": {
                    "Ref": "ClusterId"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

ElasticMapReduceAddJobFlowStepsPolicy

Concede permissão para adicionar novas etapas a um cluster em execução.



        "Statement": [
          {
            "Action": "elasticmapreduce:AddJobFlowSteps",
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
                {
                  "clusterId": {
                    "Ref": "ClusterId"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

SageMakerCreateEndpointPolítica

Concede permissão para criar um endpoint noSageMaker.



        "Statement": [
          {
            "Action": [
              "sagemaker:CreateEndpoint"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}",
                {
                  "endpointName": {
                    "Ref": "EndpointName"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

SageMakerCreateEndpointConfigPolicy

Dá permissão para criar uma configuração de endpoint noSageMaker.



        "Statement": [
          {
            "Action": [
              "sagemaker:CreateEndpointConfig"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}",
                {
                  "endpointConfigName": {
                    "Ref": "EndpointConfigName"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

EcsRunTaskPolicy

Concede permissão para iniciar uma nova tarefa para uma definição de tarefa.



        "Statement": [
          {
            "Action": [
              "ecs:RunTask"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}",
                {
                  "taskDefinition": {
                    "Ref": "TaskDefinition"
                  }
                }
              ]
            },
            "Effect": "Allow"
          }
        ]

EFSWriteAccessPolítica

Dá permissão para montar um sistema de arquivos do Amazon EFS com acesso de gravação.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "elasticfilesystem:ClientMount",
              "elasticfilesystem:ClientWrite"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}",
                {
                  "FileSystem": {
                    "Ref": "FileSystem"
                  }
                }
              ]
            },
            "Condition": {
              "StringEquals": {
                "elasticfilesystem:AccessPointArn": {
                  "Fn::Sub": [
                    "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}",
                    {
                      "AccessPoint": {
                        "Ref": "AccessPoint"
                      }
                    }
                  ]
                }
              }
            }
          }
        ]

Route53ChangeResourceRecordSetsPolítica

Concede permissão para alterar conjuntos de registros de recursos no Route 53.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "route53:ChangeResourceRecordSets"
            ],
            "Resource": {
              "Fn::Sub": [
                "arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}",
                {
                  "HostedZoneId": {
                    "Ref": "HostedZoneId"
                  }
                }
              ]
            }
          }
        ]

AcmGetCertificatePolicy

Dá permissão para ler um certificado deAWS Certificate Manager.



        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "acm:GetCertificate"
            ],
            "Resource": {
              "Fn::Sub": [
                "${certificateArn}",
                {
                  "certificateArn": {
                    "Ref": "CertificateArn"
                  }
                }
              ]
            }
          }
        ]

Atenção O Javascript está desativado ou não está disponível no seu navegador.

Para usar a documentação da AWS, o Javascript deve estar ativado. Consulte as páginas de Ajuda do navegador para obter instruções.

Convenções do documento

AWS SAMModelos de política

Repositórios de imagens