本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Artifact 现在允许客户对协议使用细粒度的权限。通过这些细粒度的权限,客户可以精细控制访问功能,例如查看和接受保密协议,以及接受和终止协议。
要通过细粒度权限访问协议,您可以使用 AWSArtifactAgreementsReadOnlyAccess 或 AWSArtifactAgreementsFullAccess 托管策略,或根据以下建议更新您的权限。
注意
IAM 操作 artifact:DownloadAgreement
将于 2025 年 7 月 1 日在 AWS GovCloud (US) 分区中被弃用。同一操作已于 2025 年 3 月 3 日在 AWS 分区中弃用。
迁移到新权限
旧版 IAM 操作“DownloadAgreement”已被用于下载未接受协议的“GetAgreement”操作和用于下载已接受协议的“GetCustomerAgreement”操作所取代。此外,还引入了更精细的操作来控制查看和接受保密协议(NDA)的访问权限。要利用这些精细操作并保持查看和执行协议的能力,用户必须将包含旧权限的现有策略替换为包含细粒度权限的策略。仅授予旧版 artifact:DownloadAgreement 的策略在该操作弃用后将无法再用于访问协议,因此请在上述弃用日期之前完成迁移。
迁移权限,以便在账户级别下载协议
旧策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:DownloadAgreement"
],
"Resource": [
"arn:aws:artifact::*:customer-agreement/*",
"arn:aws:artifact:::agreement/*"
]
}
]
}
具有精细权限的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAgreementsActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "GetAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:GetAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptNdaForAgreement"
],
"Resource": [
"arn:aws:artifact::*:customer-agreement/*",
"arn:aws:artifact:::agreement/*"
]
}
]
}
迁移非资源特定的权限,以便在账户级别下载、接受和终止协议
旧策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:AcceptAgreement",
"artifact:DownloadAgreement",
"artifact:TerminateAgreement"
],
"Resource": [
"arn:aws:artifact::*:customer-agreement/*",
"arn:aws:artifact:::agreement/*"
]
}
]
}
具有精细权限的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
}
]
}
迁移非资源特定的权限,以便在组织级别下载、接受和终止协议
旧策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:AcceptAgreement",
"artifact:DownloadAgreement",
"artifact:TerminateAgreement"
],
"Resource": [
"arn:aws:artifact::*:customer-agreement/*",
"arn:aws:artifact:::agreement/*"
]
},
{
"Effect": "Allow",
"Action": "iam:ListRoles",
"Resource": "arn:aws:iam:::role/*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam:::role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
},
{
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization",
"organizations:EnableAWSServiceAccess",
"organizations:ListAccounts",
"organizations:ListAWSServiceAccessForOrganization"
],
"Resource": "*"
}
]
}
具有精细权限的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
},
{
"Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"artifact.amazonaws.com"
]
}
}
},
{
"Sid": "GetRoleToCheckForRoleExistence",
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
},
{
"Sid": "EnableServiceTrust",
"Effect": "Allow",
"Action": [
"organizations:EnableAWSServiceAccess",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeOrganization"
],
"Resource": "*"
}
]
}
迁移特定资源的权限,以便在账户级别下载、接受和终止协议
旧策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:AcceptAgreement",
"artifact:DownloadAgreement"
],
"Resource": [
"arn:aws:artifact:::agreement/AWS Business Associate Addendum"
]
},
{
"Effect": "Allow",
"Action": [
"artifact:TerminateAgreement"
],
"Resource": [
"arn:aws:artifact::*:customer-agreement/*"
]
}
]
}
具有精细权限的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/agreement-9c1kBcYznTkcpRIm"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
}
]
}
迁移特定资源的权限,以便在组织层面下载、接受和终止协议
旧策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:AcceptAgreement",
"artifact:DownloadAgreement",
"artifact:TerminateAgreement"
],
"Resource": [
"arn:aws:artifact::*:customer-agreement/*",
"arn:aws:artifact:::agreement/AWS Organizations Business Associate Addendum"
]
},
{
"Effect": "Allow",
"Action": "iam:ListRoles",
"Resource": "arn:aws:iam:::role/*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam:::role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
},
{
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization",
"organizations:EnableAWSServiceAccess",
"organizations:ListAccounts",
"organizations:ListAWSServiceAccessForOrganization"
],
"Resource": "*"
}
]
}
具有精细权限的新策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/agreement-y03aUwMAEorHtqjv"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
},
{
"Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"artifact.amazonaws.com"
]
}
}
},
{
"Sid": "GetRoleToCheckForRoleExistence",
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
},
{
"Sid": "EnableServiceTrust",
"Effect": "Allow",
"Action": [
"organizations:EnableAWSServiceAccess",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeOrganization"
],
"Resource": "*"
}
]
}
协议的传统资源到细粒度的资源映射
为支持细粒度权限,协议 ARN 已更新。任何引用旧版协议资源的策略都应改为引用新的 ARN。以下是传统资源与细粒度资源之间的协议 ARN 映射。
协议名称 | 旧版权限的 Artifact ARN | 用于精细权限的 Artifact ARN |
---|---|---|
AWS 商业伙伴附录 |
arn:aws:artifact:::agreement/AWS Business Associate Addendum |
arn:aws:artifact:::agreement/agreement-9c1kBcYznTkcpRIm |
AWS 新西兰应通报数据泄露附录 |
arn: aws: artifact::: 协议/AWS 新西兰应通报数据泄露附录 |
arn: aws: artifact::: 协议/协议-3 Gt YRq9r GUIu72r7 |
AWS 澳大利亚应通报数据泄露附录 |
arn: aws: artifact::: 协议/AWS 澳大利亚应通报数据泄露附录 |
arn: aws: artifact::: 协议/协议-sb LSDe8bitm AXNr9 |
AWS SEC 规则 17a-4 附录 |
arn: aws: artifact::: 协议/AWS SEC 规则 17a-4 附录 |
arn: aws: artifact::: 协议/协议-bexgr7sjv Gxu XAW4 |
AWS SEC 规则 18a-6 附录 |
arn: aws: artifact::: 协议/AWS SEC 规则 18a-6 附录 |
arn: aws: arnactifact::: 协议/协议-XC HZTd NwJuq OKLRe |
AWS Organizations 商业伙伴附录 |
arn:aws:artifact:::agreement/AWS Organizations Business Associate Addendum |
arn:aws:artifact:::agreement/agreement-y03aUwMAEorHtqjv |
AWS Organizations 澳大利亚应通报数据泄露附录 |
arn: aws: artifact::: 协议/AWS 组织澳大利亚应通报数据泄露附录 |
arn: aws: artifact::: 协议/协议-yp eg4b DMFXTe PE7k |
AWS Organizations 新西兰应通报数据泄露附录 |
arn: aws: artifact::: 协议/AWS 组织新西兰应通报的数据泄露附录 |
arn: aws: artifact::: 协议/协议-uojejr3vonvrhv52 |