AWS访问 AppStream 2.0 资源所需的托管策略 - Amazon AppStream on

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS访问 AppStream 2.0 资源所需的托管策略

要提供对 AppStream 2.0 的完全管理或只读访问权限,您必须将以下AWS托管策略之一附加到需要这些权限的 IAM 用户或组。AWS托管策略是由AWS 创建和管理的独立策略。有关更多信息,请参阅《IAM 用户指南》中的 AWS 托管策略

AmazonAppStreamFullAccess

此托管策略提供对 AppStream 2.0 资源的完全管理访问权限。要管理 AppStream 2.0 资源并通过AWS命令行接口 (AWSCLI)、AWS SDK 或AWS管理控制台执行 API 操作,您必须拥有此策略中定义的权限。

如果您以 IAM 用户身份登录 AppStream 2.0 控制台,则必须将此策略附加到您的AWS 账户。如果您通过控制台联合登录,则必须将此策略附加到用于联合的 IAM 角色。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "appstream:" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScheduledAction", "application-autoscaling:DeleteScheduledAction" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm" ], "Effect": "Allow", "Resource": "" }, { "Action": [ "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcEndpoints" ], "Effect": "Allow", "Resource": "" }, { "Action": "iam:ListRoles", "Effect": "Allow", "Resource": "" }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": "arn:aws:iam:::role/service-role/ApplicationAutoScalingForAmazonAppStreamAccess", "Condition": { "StringLike": { "iam:PassedToService": "application-autoscaling.amazonaws.com" } } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam:::role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet (http://appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet)", "Condition": { "StringLike": { "iam:AWSServiceName": "appstream.application-autoscaling.amazonaws.com" } } } ] }
AmazonAppStreamReadOnlyAccess

此托管策略提供对 AppStream 2.0 资源的只读访问权限。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "appstream:Get*", "appstream:List*", "appstream:Describe*" ], "Effect": "Allow", "Resource": "*" } ] }

AppStream 2.0 控制台使用另外两个操作来提供AWS CLI 或AWS SDK 无法提供的功能。AmazonAppStreamFullAccessAmazonAppStreamReadOnlyAccess策略都为这些操作提供权限。

操作 描述 访问级别
GetImageBuilders 授予权限以检索描述一个或多个指定映像生成器的列表(如果提供了映像生成器名称)。否则,将描述账户中的所有映像生成器。 Read
GetParametersForThemeAssetUpload 授予权限以上传自定义品牌化的主题资产。有关更多信息,请参阅将您的自定义品牌添加至 Amazon AppStream 2.0 Write
AmazonAppStreamPCAaccess

此托管策略提供对AWS您AWS账户中的 Certificate Manager 私有 CA 资源的完全管理访问权限,以进行基于证书的身份验证。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "acm-pca:IssueCertificate", "acm-pca:GetCertificate", "acm-pca:DescribeCertificateAuthority" ], "Resource": "arn:*:acm-pca:*:*:*", "Condition": { "StringLike": { "aws:ResourceTag/euc-private-ca": "*" } } } ] }
AmazonAppStreamServiceAccess

此托管策略是 AppStream 2.0 服务角色的默认策略。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeAvailabilityZones", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "ec2:DescribeSubnets", "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcEndpoints", "s3:ListAllMyBuckets", "ds:DescribeDirectories" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration" ], "Resource": [ "arn:aws:s3:::appstream2-36fb080bb8-*", "arn:aws:s3:::appstream-app-settings-*", "arn:aws:s3:::appstream-logs-*" ] } ] }
ApplicationAutoScalingForAmazonAppStream存取

此托管策略支持 AppStream 2.0 的应用程序自动扩展。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:UpdateFleet", "appstream:DescribeFleets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "*" ] } ] }
AWSApplicationAutoscalingAppStreamFleetPolicy

此托管策略授予Application Auto Scaling 访问 AppStream 2.0 和 CloudWatch 。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appstream:UpdateFleet", "appstream:DescribeFleets", "cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarms", "cloudwatch:DeleteAlarms" ], "Resource": [ "*" ] } ] }

AppStream 2.0 对AWS托管策略的更新

查看有关 AppStream 2.0 的托AWS管策略的更新的详细信息(此服务开始跟踪这些更改)。要获得有关此页面更改的自动提示,请订阅 Amazon AppStream 2.0 文档历史记录 页面上的 RSS 源。

更改 说明 日期

AppStream 2.0 开始跟踪更改

AppStream 2.0 开始跟踪其AWS托管策略的更改

2022 年 10 月 31 日