IAM policies to use Evidently - Amazon CloudWatch

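IAM policies to use Evidently

To fully manage CloudWatch Evidently, you must be signed in as an IAM user or role that has the following permissions:

  • The AmazonCloudWatchEvidentlyFullAccess policy

  • The ResourceGroupsandTagEditorReadOnlyAccess policy

Additionally, to create a project that stores evaluation events in Amazon S3 or CloudWatch Logs, you need the following permissions: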

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:DescribeResourcePolicies",
                "logs:PutResourcePolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

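Additional permissions for CloudWatch RUM integration

Additionally, if you intend to manage Evidently launches or experiments that integrate with Amazon CloudWatch RUM and use CloudWatch RUM metrics for monitoring, you need the AmazonCloudWatchRUMFullAccess policy. To create an IAM role that gives the CloudWatch RUM web client permission to send data to CloudWatch RUM, you need the following permissions: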

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*",
                "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*"
            ]
        }
    ]
}
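
As an added example (not part of the AWS documentation), the following Python check reviews the two policy documents above for Allow statements that grant a policy-writing or role-creating action on a resource with no name or prefix restriction. The SENSITIVE selection and the function names are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Actions from this page that rewrite resource policies or create IAM
# principals. The selection is this example's assumption, not an AWS list.
SENSITIVE = ("s3:PutBucketPolicy", "logs:PutResourcePolicy",
             "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy")

# The two policy documents as given on this page.
STORAGE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetObject", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::*"},
  {"Effect": "Allow",
   "Action": ["logs:CreateLogDelivery", "logs:DeleteLogDelivery",
              "logs:DescribeResourcePolicies", "logs:PutResourcePolicy"],
   "Resource": ["*"]}]}"""
RUM_ROLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"],
   "Resource": ["arn:aws:iam::*:role/service-role/CloudWatchRUMEvidentlyRole-*",
                "arn:aws:iam::*:policy/service-role/CloudWatchRUMEvidentlyPolicy-*"]}]}"""

def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]

def is_unscoped(resource):
    """True if the ARN's resource part is a bare '*' with no name or prefix."""
    parts = resource.split(":", 5)
    return resource == "*" or (len(parts) == 6 and parts[5] == "*")

def review(policy_json):
    """Return sorted (action, resource) pairs where an Allow statement grants
    a SENSITIVE action on an unscoped resource."""
    findings = set()
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in as_list(stmt.get("Action", [])):
            for action in SENSITIVE:
                # IAM action names are case-insensitive and may use wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.update((action, r) for r in as_list(stmt.get("Resource", []))
                                    if is_unscoped(r))
    return sorted(findings)

if __name__ == "__main__":
    for name, doc in (("storage", STORAGE_POLICY), ("rum-role", RUM_ROLE_POLICY)):
        print(name, review(doc))
```

For the storage policy the check reports s3:PutBucketPolicy on arn:aws:s3:::* and logs:PutResourcePolicy on *; for the RUM role policy it reports nothing, because those resources are restricted by name prefix.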

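Permissions for read-only access to Evidently

For other users who need to view Evidently data but don't need to create Evidently resources, you can grant the AmazonCloudWatchEvidentlyReadOnlyAccess policy.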