AWS managed policies for AWS Config - AWS Config

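This document is a machine-translated version. If the content of this translation differs from the English original, the English original prevails.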

AWS managed policies for AWS Config

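To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.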

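AWS services maintain and update AWS managed policies. You cannot change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates will not break your existing permissions.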
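Because an update to a managed policy reaches every identity it is attached to, it is worth diffing policy versions when a change is announced. The following Python sketch is an added example, not AWS code: the two policy documents are constructed samples (action names taken from the change log on this page), and in practice they would be the documents returned by `aws iam get-policy-version` for two version IDs. The read-only check is a naming heuristic and an assumption of this example.

```python
import json
from collections import defaultdict

# Verb prefixes that conventionally mark read-only IAM actions. This is a
# naming heuristic (an assumption of this example), not an authoritative
# access-level classification.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def allowed_actions(policy_document):
    """Return the set of actions granted by Allow statements."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be unwrapped
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction grants "everything except"; it cannot be enumerated.
            raise ValueError("NotAction statement needs manual review")
        value = stmt.get("Action", [])
        if isinstance(value, str):         # Action may be a string or a list
            value = [value]
        actions.update(value)
    return actions


def diff_versions(old_doc, new_doc):
    """Return (added, removed) actions between two policy versions.

    IAM action names are case-insensitive, so comparison is done on the
    lower-cased name while the original spelling is kept for the report.
    """
    old = {a.lower(): a for a in allowed_actions(old_doc)}
    new = {a.lower(): a for a in allowed_actions(new_doc)}
    added = sorted(new[k] for k in new.keys() - old.keys())
    removed = sorted(old[k] for k in old.keys() - new.keys())
    return added, removed


def review_additions(added):
    """Group added actions by service and flag those needing a closer look."""
    by_service = defaultdict(list)
    needs_review = []
    for action in added:
        service, _, name = action.partition(":")
        by_service[service.lower()].append(name)
        # Wildcards and verbs outside Get/List/Describe get a manual check.
        if "*" in action or not name.startswith(READ_ONLY_PREFIXES):
            needs_review.append(action)
    return dict(by_service), needs_review


# Constructed sample documents (not the real policy contents).
OLD_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeRouteTables", "EKS:ListAddons"],
         "Resource": "*"},
    ],
}
NEW_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeRouteTables", "eks:ListAddons",
                    "eks:DescribeAddon", "cassandra:Select",
                    "connect:SearchAvailablePhoneNumbers",
                    "sts:GetCallerIdentity"],
         "Resource": "*"},
    ],
}


def report(old_doc, new_doc):
    """Build a review report for one policy update."""
    added, removed = diff_versions(old_doc, new_doc)
    by_service, needs_review = review_additions(added)
    return {"added": added, "removed": removed,
            "by_service": by_service, "needs_review": needs_review}


if __name__ == "__main__":
    print(json.dumps(report(OLD_VERSION, NEW_VERSION), indent=2))
```
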

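Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.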

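AWS managed policy: AWSConfigServiceRolePolicy

AWS Config uses the service-linked role (SLR) named AWSServiceRoleForConfig to call other AWS services on your behalf. When you use the AWS Management Console to set up AWS Config, AWS Config automatically creates this SLR if you choose to use the AWS Config SLR instead of your own AWS Identity and Access Management (IAM) service role.

The AWSServiceRoleForConfig SLR contains the managed policy AWSConfigServiceRolePolicy. This managed policy contains read-only and write-only permissions for AWS Config resources, and read-only permissions for resources in other services that AWS Config supports. For more information, see Supported Resource Types and Using Service-Linked Roles for AWS Config.

View the policy: AWSConfigServiceRolePolicy.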

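AWS managed policy: AWS_ConfigRole

To record your AWS resource configurations, AWS Config requires IAM permissions to get the configuration details about your resources. If you want to create an IAM role for AWS Config, you can use the managed policy AWS_ConfigRole and attach it to your IAM role.

This IAM policy is updated each time AWS Config adds support for an AWS resource type. This means that as long as the IAM role has the AWS_ConfigRole managed policy attached, AWS Config continues to have the permissions required to record configuration data for supported resource types. For more information, see Supported Resource Types and Permissions for the IAM Role Assigned to AWS Config.

View the policy: AWS_ConfigRole.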

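AWS managed policy: ConfigConformsServiceRolePolicy

To deploy and manage conformance packs, AWS Config requires IAM permissions and certain permissions from other AWS services. These permissions allow you to deploy and manage conformance packs with full functionality, and they are updated each time AWS Config adds new functionality for conformance packs. For more information about conformance packs, see Conformance Packs.

View the policy: ConfigConformsServiceRolePolicy.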

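AWS managed policy: AWSConfigRulesExecutionRole

To deploy AWS Custom Lambda rules, AWS Config requires IAM permissions and certain permissions from other AWS services. These permissions allow AWS Lambda functions to access the AWS Config API and the configuration snapshots that AWS Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for AWS Custom Lambda rules, and it is updated each time AWS Config adds new functionality. For more information about AWS Custom Lambda rules, see Creating AWS Config Custom Lambda Rules and Components of an AWS Config Rule. For more information about configuration snapshots, see Concepts | Configuration Snapshot. For more information about the delivery of configuration snapshots, see Managing the Delivery Channel.

View the policy: AWSConfigRulesExecutionRole.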

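AWS managed policy: AWSConfigMultiAccountSetupPolicy

To centrally deploy, update, and delete AWS Config rules and conformance packs across member accounts in an organization in AWS Organizations, AWS Config requires IAM permissions and certain permissions from other AWS services. This managed policy is updated each time AWS Config adds new functionality for multi-account setup. For more information, see Managing AWS Config Rules Across All Accounts in Your Organization and Managing Conformance Packs Across All Accounts in Your Organization.

View the policy: AWSConfigMultiAccountSetupPolicy.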

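AWS managed policy: AWSConfigRoleForOrganizations

To allow AWS Config to call read-only AWS Organizations APIs, AWS Config requires IAM permissions and certain permissions from other AWS services. This managed policy is updated each time AWS Config adds new functionality for multi-account setup. For more information, see Managing AWS Config Rules Across All Accounts in Your Organization and Managing Conformance Packs Across All Accounts in Your Organization.

View the policy: AWSConfigRoleForOrganizations.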

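AWS managed policy: AWSConfigRemediationServiceRolePolicy

To allow AWS Config to remediate NON_COMPLIANT resources on your behalf, AWS Config requires IAM permissions and certain permissions from other AWS services. This managed policy is updated each time AWS Config adds new remediation functionality. For more information about remediation, see Remediating Noncompliant Resources with AWS Config Rules. For more information about the conditions that initiate the possible AWS Config evaluation results, see Concepts | AWS Config Rules.

View the policy: AWSConfigRemediationServiceRolePolicy.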

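AWS Config updates to AWS managed policies

View details about updates to AWS managed policies for AWS Config since this service began tracking these changes. To receive automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Config Document history page.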

Change Description Date

AWSConfigServiceRolePolicy – Add amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, ec2:GetInstanceTypesFromInstanceRequirement, ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations.

This policy now supports additional permissions for AWS Amplify, AWS App Mesh, AWS App Runner, Amazon CloudFront, AWS CodeArtifact, AWS Directory Service, Amazon CloudWatch, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Pinpoint, Amazon Route 53, Amazon SageMaker, AWS Migration Hub, AWS Resilience Hub, AWS Transfer Family, and AWS WAF.

April 13, 2023

AWS_ConfigRole – Add amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, ec2:GetInstanceTypesFromInstanceRequirement, ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations

This policy now supports additional permissions for AWS Amplify, AWS App Mesh, AWS App Runner, Amazon CloudFront, AWS CodeArtifact, AWS Directory Service, Amazon CloudWatch, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Pinpoint, Amazon Route 53, Amazon SageMaker, AWS Migration Hub, AWS Resilience Hub, AWS Transfer Family, and AWS WAF.

April 13, 2023

AWSConfigServiceRolePolicy – Add appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudfront:GetResponseHeadersPolicy, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions

This policy now supports additional permissions for Amazon AppFlow, AWS App Runner, Amazon AppStream 2.0, Amazon CloudFront, Amazon CloudWatch, Amazon CloudWatch Evidently, AWS CodeArtifact, AWS CodeCommit, AWS Device Farm, Amazon Forecast, AWS Ground Station, AWS Identity and Access Management (IAM), AWS IoT, Amazon MemoryDB for Redis, AWS Network Manager, AWS Panorama, Amazon Pinpoint, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker.

March 30, 2023

AWS_ConfigRole – Add appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudformation:ListTypes, cloudfront:GetResponseHeadersPolicy, cloudfront:ListDistributions, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, ec2:DescribeTrafficMirrorFilters, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions

This policy now supports additional permissions for Amazon AppFlow, AWS App Runner, Amazon AppStream 2.0, AWS CloudFormation, Amazon CloudFront, Amazon CloudWatch, Amazon CloudWatch Evidently, AWS CodeArtifact, AWS CodeCommit, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Forecast, AWS Ground Station, AWS Identity and Access Management (IAM), AWS IoT, Amazon MemoryDB for Redis, AWS Network Manager, AWS Panorama, Amazon Pinpoint, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker.

March 30, 2023

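AWSConfigRulesExecutionRole – AWS Config started tracking changes for this AWS managed policy

This policy allows AWS Lambda functions to access the AWS Config API and the configuration snapshots that AWS Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for AWS Custom Lambda rules.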

2023 月 7 日 7 日 7 日

AWSConfigRoleForOrganizations – AWS Config started tracking changes for this AWS managed policy

This policy allows AWS Config to call read-only AWS Organizations APIs.

2023 月 7 日 7 日 7 日

AWSConfigRemediationServiceRolePolicy – AWS Config started tracking changes for this AWS managed policy

This policy allows AWS Config to remediate NON_COMPLIANT resources on your behalf.

2023 月 7 日 7 日 7 日

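AWSConfigServiceRolePolicy – Add auditmanager:GetAccountStatus

This policy now grants permission to return the registration status of an account in AWS Audit Manager.

March 3, 2023

AWS_ConfigRole – Add auditmanager:GetAccountStatus

This policy now grants permission to return the registration status of an account in AWS Audit Manager.

March 3, 2023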

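AWSConfigMultiAccountSetupPolicy – AWS Config started tracking changes for this AWS managed policy

This policy allows AWS Config to call AWS services and deploy AWS Config resources across an organization with AWS Organizations.

February 27, 2023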

AWSConfigServiceRolePolicy – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Route 53 Application Recovery Controller, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.

February 1, 2023

AWS_ConfigRole – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Route 53 Application Recovery Controller, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.

February 1, 2023

ConfigConformsServiceRolePolicy – Update config:DescribeConfigRules

As a security best practice, this policy now removes the broad resource-level permission for config:DescribeConfigRules.

January 12, 2023

AWSConfigServiceRolePolicy – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource

This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Database Migration Service (AWS DMS), AWS Device Farm, AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon QuickSight, AWS Resource Access Manager, Amazon Route 53 Application Recovery Controller, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.

2 月 15 15 15 日 15 日 15 日 15 日 15

AWS_ConfigRole – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource

This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Database Migration Service (AWS DMS), AWS Device Farm, AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon QuickSight, AWS Resource Access Manager, Amazon Route 53 Application Recovery Controller, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.

2 月 15 15 15 日 15 日 15 日 15 日 15

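AWSConfigServiceRolePolicy – Add cloudformation:ListStackResources and cloudformation:ListStacks

This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and to return summary information for stacks whose status matches the specified StackStatusFilter.

November 7, 2022

AWS_ConfigRole – Add cloudformation:ListStackResources and cloudformation:ListStacks

This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and to return summary information for stacks whose status matches the specified StackStatusFilter.

November 7, 2022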

AWSConfigServiceRolePolicy – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, 
iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, AWS Certificate Manager, AWS Cloud Map, Amazon CloudWatch, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Simulator, Amazon Fraud Detector, Amazon GameLift, AWS Glue DataBrew, AWS IoT, Amazon Keyspaces, Amazon Location Service, AWS OpsWorks, AWS Panorama, Amazon QuickSight, Amazon Rekognition, Amazon Relational Database Service (Amazon RDS), AWS Resource Access Manager, AWS Resource Groups, AWS RoboMaker, Amazon Route 53, AWS Security Token Service, and Amazon Simple Storage Service (Amazon S3).

October 19, 2022

AWS_ConfigRole – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, 
iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, AWS Certificate Manager, AWS Cloud Map, Amazon CloudWatch, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Simulator, Amazon Fraud Detector, Amazon GameLift, AWS Glue DataBrew, AWS IoT, Amazon Keyspaces, Amazon Location Service, AWS OpsWorks, AWS Panorama, Amazon QuickSight, Amazon Rekognition, Amazon Relational Database Service (Amazon RDS), AWS Resource Access Manager, AWS Resource Groups, AWS RoboMaker, Amazon Route 53, AWS Security Token Service, and Amazon Simple Storage Service (Amazon S3).

October 19, 2022

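AWSConfigServiceRolePolicy – Add Glue::GetTable

This policy now grants permission to retrieve the table definition in a Data Catalog for a specified AWS Glue table.

September 14, 2022

AWS_ConfigRole – Add Glue::GetTable

This policy now grants permission to retrieve the table definition in a Data Catalog for a specified AWS Glue table.

September 14, 2022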

AWSConfigServiceRolePolicy – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, 
gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, 
ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, 
profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, 
ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource

This policy now supports Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Kinesis Data Analytics, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Route 53 Application Recovery Controller, Amazon Route 53 Resolver, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.

September 7, 2022

AWS_ConfigRole — Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, 
gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, 
ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, 
profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, 
signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource

This policy now supports Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Kinesis Data Analytics, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Route 53 Application Recovery Controller, Amazon Route 53 Resolver, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.

September 7, 2022

AWSConfigServiceRolePolicy — Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Route 53 Application Recovery Controller, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.

February 1, 2023

AWS_ConfigRole — Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Route 53 Application Recovery Controller, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.

February 1, 2023

ConfigConformsServiceRolePolicy — Update config:DescribeConfigRules

As a security best practice, this policy now removes broad resource-level permissions for config:DescribeConfigRules.

January 12, 2023

AWSConfigServiceRolePolicy — Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource

This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon QuickSight, AWS Resource Access Manager, Amazon Route 53 Application Recovery Controller, Amazon Simple Storage Service (Amazon S3), Amazon Timestream, and AWS Transfer Family.

February 15

AWS_ConfigRole — Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource

This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon QuickSight, AWS Resource Access Manager, Amazon Route 53 Application Recovery Controller, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.

February 15

AWSConfigServiceRolePolicy — Add cloudformation:ListStackResources and cloudformation:ListStacks

This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and to return summary information for stacks whose status matches the specified StackStatusFilter.

November 7, 2022

AWS_ConfigRole — Add cloudformation:ListStackResources and cloudformation:ListStacks

This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and to return summary information for stacks whose status matches the specified StackStatusFilter.

November 7, 2022

AWSConfigServiceRolePolicy — Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, 
iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, AWS Certificate Manager, Amazon CloudWatch, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Simulator, Amazon Fraud Detector, Amazon GameLift, AWS Glue DataBrew, AWS IoT, Amazon Location Service, AWS OpsWorks, AWS Panorama, Amazon QuickSight, AWS Resource Access Manager, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Security Token Service, and AWS Cloud Map.

October 19, 2022

AWS_ConfigRole — Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, 
iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, AWS Certificate Manager, Amazon CloudWatch, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Simulator, Amazon Fraud Detector, Amazon GameLift, AWS Glue DataBrew, AWS IoT, Amazon Location Service, AWS OpsWorks, AWS Panorama, Amazon QuickSight, AWS Resource Access Manager, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Security Token Service, and AWS Cloud Map.

October 19, 2022

AWSConfigServiceRolePolicy — Add Glue::GetTable

This policy now grants permission to retrieve the table definition in a Data Catalog for a specified AWS Glue table.

September 14, 2022

AWS_ConfigRole — Add Glue::GetTable

This policy now grants permission to retrieve the table definition in a Data Catalog for a specified AWS Glue table.

September 14, 2022

AWSConfigServiceRolePolicy — Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, 
gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, 
ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, 
profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, 
ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource

This policy now supports Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon FinSpace, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Kinesis Data Analytics, EC2 Image Builder, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Route 53 Application Recovery Controller, Amazon Route 53 Resolver, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.

September 7, 2022

AWS_ConfigRole – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues,
gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, 
ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, 
profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, 
signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource

This policy now supports Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon FinSpace, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Kinesis Data Analytics, EC2 Image Builder, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Route 53 Application Recovery Controller, Amazon Route 53 Resolver, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.

September 7, 2022

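AWSConfigServiceRolePolicy – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists

This policy now grants permission to return a list of the AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in your AWS account; to list summary information about the AWS Cloud Map namespaces and the services associated with one or more specified namespaces in your AWS account; and to list all of the Amazon Simple Email Service (Amazon SES) contact lists available in your AWS account.

August 22, 2022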

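AWS_ConfigRole – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists

This policy now grants permission to return a list of the AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in your AWS account; to list summary information about the AWS Cloud Map namespaces and the services associated with one or more specified namespaces in your AWS account; and to list all of the Amazon Simple Email Service (Amazon SES) contact lists available in your AWS account.

August 22, 2022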

ConfigConformsServiceRolePolicy – Add cloudwatch:PutMetricData

This policy now grants permission to publish metric data points to Amazon CloudWatch.

July 25, 2022

AWSConfigServiceRolePolicy – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor:ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder:GetComponent, imagebuilder:ListComponentBuildVersions, imagebuilder:ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations,
imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet

This policy now supports Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Kinesis Data Analytics, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, AWS RoboMaker, Amazon Simple Storage Service (Amazon S3), AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing.

July 15, 2022

AWS_ConfigRole – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor:ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder:GetComponent, imagebuilder:ListComponentBuildVersions, imagebuilder:ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations,
imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet

This policy now supports Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Kinesis Data Analytics, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, AWS RoboMaker, Amazon Simple Storage Service (Amazon S3), AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing.

July 15, 2022

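AWSConfigServiceRolePolicy – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags, glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource

This policy now grants the following permissions: get the specified Amazon Athena data catalog, list the Athena data catalogs in your AWS account, and list the tags associated with an Athena workgroup or data catalog resource; get a list of Amazon Detective behavior graphs and list the tags for a Detective behavior graph; get a list of resource metadata for a given list of AWS Glue development endpoint names, get information about a specified AWS Glue development endpoint, get all of the AWS Glue development endpoints in your AWS account, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get a list of tags associated with an AWS Glue resource, get information about the AWS Glue workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in your account, get the names of all AWS Glue DevEndpoint resources in your AWS account, list the names of all AWS Glue job resources in your AWS account, get details about AWS Glue member accounts, list the names of the AWS Glue workflows created in the account, and list the available AWS Glue workgroups for the account; retrieve the details of an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve the tags for the GuardDuty service, and get the ThreatIntelSets of the GuardDuty service; get the current status and configuration settings of the Amazon Macie service; retrieve the resource and principal associations for AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; get information about an existing Amazon Simple Email Service (Amazon SES) configuration set, get a list of the event destinations associated with an Amazon SES configuration set, and list all of the configuration sets associated with your Amazon SES account; and get the list of IAM Identity Center directory attributes, get the details of an AWS IAM Identity Center (successor to AWS Single Sign-On) permission set, get the IAM managed policies attached to a specified IAM Identity Center permission set, get the permission sets for an IAM Identity Center instance, and get the tags for IAM Identity Center resources.

May 31, 2022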

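AWS_ConfigRole – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags, glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource

This policy now grants the following permissions: get the specified Amazon Athena data catalog, list the Athena data catalogs in your AWS account, and list the tags associated with an Athena workgroup or data catalog resource; get a list of Amazon Detective behavior graphs and list the tags for a Detective behavior graph; get a list of resource metadata for a given list of AWS Glue development endpoint names, get information about a specified AWS Glue development endpoint, get all of the AWS Glue development endpoints in your AWS account, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get a list of tags associated with an AWS Glue resource, get information about the AWS Glue workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in your account, get the names of all AWS Glue DevEndpoint resources in your AWS account, list the names of all AWS Glue job resources in your AWS account, get details about AWS Glue member accounts, list the names of the AWS Glue workflows created in the account, and list the available AWS Glue workgroups for the account; retrieve the details of an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve the tags for the GuardDuty service, and get the ThreatIntelSets of the GuardDuty service; get the current status and configuration settings of the Amazon Macie service; retrieve the resource and principal associations for AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; get information about an existing Amazon Simple Email Service (Amazon SES) configuration set, get a list of the event destinations associated with an Amazon SES configuration set, and list all of the configuration sets associated with your Amazon SES account; and get the list of IAM Identity Center directory attributes, get the details of an AWS IAM Identity Center (successor to AWS Single Sign-On) permission set, get the IAM managed policies attached to a specified IAM Identity Center permission set, get the permission sets for an IAM Identity Center instance, and get the tags for IAM Identity Center resources.

May 31, 2022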

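AWSConfigServiceRolePolicy – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies

This policy now grants the following permissions: get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of DynamoDB Accelerator (DAX) parameter groups or subnet groups, get information about the AWS Database Migration Service (AWS DMS) replication tasks for your account in the Region currently being accessed, and list all of the AWS Organizations policies of a specified type.

April 7, 2022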

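AWS_ConfigRole – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies

This policy now grants the following permissions: get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of DynamoDB Accelerator (DAX) parameter groups or subnet groups, get information about the AWS Database Migration Service (AWS DMS) replication tasks for your account in the Region currently being accessed, and list all of the AWS Organizations policies of a specified type.

April 7, 2022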

AWSConfigServiceRolePolicy – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces

This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, Amazon DynamoDB, AWS Database Migration Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAF V2, and Amazon WorkSpaces.

March 14, 2022

AWS_ConfigRole – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces

This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, Amazon DynamoDB, AWS Database Migration Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAF V2, and Amazon WorkSpaces.

March 14, 2022

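AWSConfigServiceRolePolicy – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies

This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the Amazon RDS option groups available for a database, and get information about a CodeDeploy deployment configuration. This policy now also grants the following permissions: retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies attached to the specified target root, organizational unit, or account.

February 10, 2022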

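AWS_ConfigRole – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies

This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the Amazon RDS option groups available for a database, and get information about a CodeDeploy deployment configuration. This policy now also grants the following permissions: retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies attached to the specified target root, organizational unit, or account.

February 10, 2022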

AWSConfigServiceRolePolicy – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent

This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to the created log streams.

December 15, 2021

AWS_ConfigRole — Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent

This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to the created log streams.

December 15, 2021

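AWSConfigServiceRolePolicy — Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and elasticache:DescribeSnapshots

This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get the detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. The policy also grants permission to get details about Amazon ElastiCache snapshots.

September 8, 2021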

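AWS_ConfigRole — Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and elasticache:DescribeSnapshots

This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get the detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. The policy also grants permission to get details about Amazon ElastiCache snapshots.

September 8, 2021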

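AWSConfigServiceRolePolicy — Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types

This policy now grants permission to list the tags for a log group, list the tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. The policy now also supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Kinesis Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.

July 28, 2021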

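AWS_ConfigRole — Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types

This policy now grants permission to list the tags for a log group, list the tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. The policy now also supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Kinesis Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.

July 28, 2021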

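AWSConfigServiceRolePolicy — Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types

This policy now grants permission to view information about AWS Systems Manager documents and information about IAM Access Analyzer. The policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. The policy now also supports filtering Lambda@Edge functions for the lambda-inside-vpc AWS Config managed rule.

June 8, 2021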

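AWS_ConfigRole — Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types

This policy now grants permission to view information about AWS Systems Manager documents and information about IAM Access Analyzer. The policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. The policy now also supports filtering Lambda@Edge functions for the lambda-inside-vpc AWS Config managed rule.

June 8, 2021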

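AWSConfigServiceRolePolicy — Add apigateway:GET permission to make read-only GET calls to API Gateway, and s3:GetAccessPointPolicy and s3:GetAccessPointPolicyStatus permissions to invoke Amazon S3 read-only APIs

This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support AWS Config rules for API Gateway. The policy also adds permissions that allow AWS Config to invoke the Amazon Simple Storage Service (Amazon S3) read-only APIs required to support the new AWS::S3::AccessPoint resource type.

May 10, 2021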

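AWS_ConfigRole — Add apigateway:GET permission to make read-only GET calls to API Gateway, and s3:GetAccessPointPolicy and s3:GetAccessPointPolicyStatus permissions to invoke Amazon S3 read-only APIs

This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support AWS Config for API Gateway. The policy also adds permissions that allow AWS Config to invoke the Amazon Simple Storage Service (Amazon S3) read-only APIs required to support the new AWS::S3::AccessPoint resource type.

May 10, 2021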

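AWSConfigServiceRolePolicy — Add ssm:ListDocuments permission and additional permissions for AWS resource types

This policy now grants permission to view information about specified AWS Systems Manager documents. The policy now also supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types.

April 1, 2021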

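AWS_ConfigRole — Add ssm:ListDocuments permission and additional permissions for AWS resource types

This policy now grants permission to view information about specified AWS Systems Manager documents. The policy now also supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types.

April 1, 2021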

AWSConfigRole deprecated

AWSConfigRole is deprecated. The replacement policy is AWS_ConfigRole.

April 1, 2021

AWS Config started tracking changes

AWS Config started tracking changes for its AWS managed policies.

April 1, 2021