AWS访问 AppStream 2.0 资源所需的托管策略 - 亚马逊 AppStream 2.0

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS访问 AppStream 2.0 资源所需的托管策略

要提供对 AppStream 2.0 的完全管理或只读访问权限,您必须将以下AWS托管策略之一附加到需要这些权限的 IAM 用户或组。AWS 托管策略 是由 AWS 创建和管理的独立策略。有关更多信息,请参阅《IAM 用户指南》中的 AWS 托管策略

AmazonAppStreamFullAccess

此托管策略提供对 AppStream 2.0 资源的完全管理访问权限。要管理 AppStream 2.0 资源并通过AWS命令行界面 (AWSCLI)、AWS SDK 或AWS管理控制台执行 API 操作,您必须拥有本政策中定义的权限。

如果您以 IAM 用户身份登录 AppStream 2.0 控制台,则必须将此策略附加到您的AWS 账户。如果您通过控制台联合登录,则必须将此策略附加到用于联合身份验证的 IAM 角色。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "appstream:" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScheduledAction", "application-autoscaling:DeleteScheduledAction" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints" ], "Effect": "Allow", "Resource": "" }, { "Action": "iam:ListRoles", "Effect": "Allow", "Resource": "" }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": "arn:aws:iam:::role/service-role/ApplicationAutoScalingForAmazonAppStreamAccess", "Condition": { "StringLike": { "iam:PassedToService": "application-autoscaling.amazonaws.com" } } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam:::role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet (http://appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet)", "Condition": { "StringLike": { "iam:AWSServiceName": "appstream.application-autoscaling.amazonaws.com" } } } ] }
AmazonAppStreamReadOnlyAccess

此托管策略提供对 AppStream 2.0 资源的只读访问权限。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "appstream:Get*", "appstream:List*", "appstream:Describe*" ], "Effect": "Allow", "Resource": "*" } ] }

AppStream2.0 控制台使用另外两个操作,提供无法通过 AWS CLI 或 AWS SDK 提供的功能。AmazonAppStreamFullAccessAmazonAppStreamReadOnlyAccess策略都为这些操作提供权限。

操作 描述 访问级别
GetImageBuilders 授予权限以检索描述一个或多个指定映像生成器的列表(如果提供了映像生成器名称)。否则,将描述账户中的所有映像生成器。 Read
GetParametersForThemeAssetUpload 授予权限以上传自定义品牌化的主题资产。有关更多信息,请参阅将您的自定义品牌添加到亚马逊 AppStream 2.0 Write
AmazonAppStreamPCAccess

此托管策略提供对AWS您AWS账户中的 Certificate Manager Private CA 资源的完全管理访问权限,以进行基于证书的身份验证。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm-pca:IssueCertificate", "acm-pca:GetCertificate", "acm-pca:DescribeCertificateAuthority" ], "Resource": "arn:*:acm-pca:*:*:*", "Condition": { "StringLike": { "aws:ResourceTag/euc-private-ca": "*" } } } ] }
AmazonAppStreamServiceAccess

此托管策略是 AppStream 2.0 服务角色的默认策略。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "ec2:DescribeSubnets", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcEndpoints", "s3:ListAllMyBuckets", "ds:DescribeDirectories" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration" ], "Resource": [ "arn:aws:s3:::appstream2-36fb080bb8-*", "arn:aws:s3:::appstream-app-settings-*", "arn:aws:s3:::appstream-logs-*" ] } ] }
ApplicationAutoScalingForAmazonAppStreamAccess

此托管策略支持 AppStream 2.0 版的应用程序自动扩展。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:UpdateFleet", "appstream:DescribeFleets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "*" ] } ] }
AWSApplicationAutoscalingAppStreamFleetPolicy

此托管策略授予Application Auto Scaling 访问 AppStream 2.0 和的权限CloudWatch。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:UpdateFleet", "appstream:DescribeFleets", "cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarms", "cloudwatch:DeleteAlarms" ], "Resource": [ "*" ] } ] }

AppStream2.0 对AWS托管策略的更新

查看有关 AppStream 2.0 的托AWS管策略更新的详细信息(从该服务开始跟踪这些更改开始)。要获得有关此页面更改的自动提示,请订阅 亚马逊文件历史记录 AppStream 2.0 页面上的 RSS 源。

更改 说明 日期

AppStream2.0 已开始跟踪更改

AppStream2.0 已开始跟踪其AWS托管策略的更改

2022 年 10 月 31 日