Example IAM policies - AWS Artifact


Example IAM policies

You can create permissions policies that grant permissions to IAM users. You can grant users access to AWS Artifact reports, and the ability to accept and download agreements on behalf of a single account or an organization.

The following example policies show the permissions you can assign to IAM users based on the level of access they need.

Example: Example policies for managing AWS reports with fine-grained permissions

Tip

Consider using the AWSArtifactReportsReadOnlyAccess managed policy instead of defining your own policy.

The following policy grants permission to download all AWS reports with fine-grained permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:ListReports",
        "artifact:GetReportMetadata",
        "artifact:GetReport",
        "artifact:GetTermForReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy grants permission to download only the AWS SOC, PCI, and ISO reports with fine-grained permissions. The StringEquals condition on the artifact:ReportSeries and artifact:ReportCategory keys restricts the otherwise wildcard resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:ListReports",
        "artifact:GetReportMetadata",
        "artifact:GetReport",
        "artifact:GetTermForReport"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "artifact:ReportSeries": [
            "SOC",
            "PCI",
            "ISO"
          ],
          "artifact:ReportCategory": [
            "Certifications And Attestations"
          ]
        }
      }
    }
  ]
}
Example: Example policies for managing third-party reports

Tip

Consider using the AWSArtifactReportsReadOnlyAccess managed policy instead of defining your own policy.

Third-party reports are represented by the IAM resource "report".

The following policy grants permission to all third-party report functionality.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:ListReports",
        "artifact:GetReportMetadata",
        "artifact:GetReport",
        "artifact:GetTermForReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy grants permission to download third-party reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetReport",
        "artifact:GetTermForReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy grants permission to list third-party reports. (The action name is artifact:ListReports, as used in the policies above; the singular form is not a valid action.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:ListReports"
      ],
      "Resource": "*"
    }
  ]
}

The following policy grants permission to view the details of all versions of a third-party report. The trailing ":*" in the ARN matches every version of that report.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetReportMetadata"
      ],
      "Resource": [
        "arn:aws:artifact:us-east-1::report/report-jRVRFP8HxUN5zpPh:*"
      ]
    }
  ]
}

The following policy grants permission to view the details of a specific version of a third-party report. Here the ARN ends in the version number, so only version 1 is readable.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetReportMetadata"
      ],
      "Resource": [
        "arn:aws:artifact:us-east-1::report/report-jRVRFP8HxUN5zpPh:1"
      ]
    }
  ]
}
Example: Example policies for managing agreements

The following policy grants permission to download all agreements. IAM users must also have this permission in order to accept agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to accept agreements. Because acceptance also requires the download permission, both actions are listed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to terminate agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to manage single-account agreements. It scopes the three agreement actions to the customer-agreement and agreement resource ARNs instead of "*".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    }
  ]
}
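To check what a fine-grained policy like the SOC/PCI/ISO report policy or the agreement policies above actually permits before attaching it, a small offline evaluator is useful. The following Python is an added example, not AWS code: it models IAM's Allow/Deny logic for actions, resource ARNs and StringEquals conditions, and checks the page's rule that accepting an agreement also needs artifact:DownloadAgreement. The ACCEPT_ONLY_POLICY, the report ARN and the account number are constructed sample values.

```python
import fnmatch
import json

# Constructed copy of the page's SOC/PCI/ISO report policy, used as sample input.
REPORT_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["artifact:ListReports", "artifact:GetReportMetadata",
             "artifact:GetReport", "artifact:GetTermForReport"],
  "Resource": "*",
  "Condition": {"StringEquals": {"artifact:ReportSeries": ["SOC", "PCI", "ISO"],
                "artifact:ReportCategory": ["Certifications And Attestations"]}}}]}""")

# Hypothetical, deliberately incomplete policy: AcceptAgreement without DownloadAgreement.
ACCEPT_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["artifact:AcceptAgreement"],
    "Resource": ["arn:aws:artifact::*:customer-agreement/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # Only StringEquals is modelled. Every listed key must be present in the request
    # context and equal one of the allowed values; a missing key fails the condition.
    for operator, pairs in cond.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in pairs.items():
            if ctx.get(key) not in _as_list(allowed):
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Evaluate one identity-based policy: an explicit Deny wins, any matching
    Allow grants access, and no matching statement is an implicit deny."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        # Action names match case-insensitively, ARNs case-sensitively; both take * and ?.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_accept_agreement(policy, agreement_arn):
    # Accepting an agreement needs AcceptAgreement and DownloadAgreement on the same ARN.
    return all(is_allowed(policy, a, agreement_arn)
               for a in ("artifact:AcceptAgreement", "artifact:DownloadAgreement"))
```

The evaluator reports the FedRAMP request and the accept-only agreement policy as denied, which is the gap a console-only test would miss until a user hits it.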
Example: Example policies for integrating with AWS Organizations

The following policy grants permission to create the IAM role that AWS Artifact uses to integrate with AWS Organizations. Your organization's management account must have these permissions before it can get started with organization agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
    }
  ]
}

The following policy grants permission to enable AWS Artifact to use AWS Organizations. Your organization's management account must have these permissions before it can get started with organization agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}
Example: Example policy for managing management account agreements

The following policy grants the management account permission to manage agreements. It combines the single-account agreement permissions with the IAM and Organizations permissions shown above.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}
Example: Example policies for managing organization agreements

The following policy grants permission to manage organization agreements. Another user with the required permissions must first set up organization agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}

The following policy grants permission to view organization agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}
Example: Example policies for managing notifications

The following policy grants full permission to use AWS Artifact notifications.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetAccountSettings",
        "artifact:PutAccountSettings",
        "notifications:AssociateChannel",
        "notifications:CreateEventRule",
        "notifications:CreateNotificationConfiguration",
        "notifications:DeleteEventRule",
        "notifications:DeleteNotificationConfiguration",
        "notifications:DisassociateChannel",
        "notifications:GetEventRule",
        "notifications:GetNotificationConfiguration",
        "notifications:ListChannels",
        "notifications:ListEventRules",
        "notifications:ListNotificationConfigurations",
        "notifications:ListNotificationHubs",
        "notifications:ListTagsForResource",
        "notifications:TagResource",
        "notifications:UntagResource",
        "notifications:UpdateEventRule",
        "notifications:UpdateNotificationConfiguration",
        "notifications-contacts:CreateEmailContact",
        "notifications-contacts:DeleteEmailContact",
        "notifications-contacts:GetEmailContact",
        "notifications-contacts:ListEmailContacts",
        "notifications-contacts:SendActivationCode"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to list all configurations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetAccountSettings",
        "notifications:ListChannels",
        "notifications:ListEventRules",
        "notifications:ListNotificationConfigurations",
        "notifications:ListNotificationHubs",
        "notifications-contacts:GetEmailContact"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to create a configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetAccountSettings",
        "artifact:PutAccountSettings",
        "notifications-contacts:CreateEmailContact",
        "notifications-contacts:SendActivationCode",
        "notifications:AssociateChannel",
        "notifications:CreateEventRule",
        "notifications:CreateNotificationConfiguration",
        "notifications:ListEventRules",
        "notifications:ListNotificationHubs",
        "notifications:TagResource",
        "notifications-contacts:ListEmailContacts"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to edit a configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetAccountSettings",
        "artifact:PutAccountSettings",
        "notifications:AssociateChannel",
        "notifications:DisassociateChannel",
        "notifications:GetNotificationConfiguration",
        "notifications:ListChannels",
        "notifications:ListEventRules",
        "notifications:ListTagsForResource",
        "notifications:TagResource",
        "notifications:UntagResource",
        "notifications:UpdateEventRule",
        "notifications:UpdateNotificationConfiguration",
        "notifications-contacts:GetEmailContact",
        "notifications-contacts:ListEmailContacts"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to delete a configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "notifications:DeleteNotificationConfiguration",
        "notifications:ListEventRules"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to view configuration details.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "notifications:GetNotificationConfiguration",
        "notifications:ListChannels",
        "notifications:ListEventRules",
        "notifications:ListTagsForResource",
        "notifications-contacts:GetEmailContact"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to register or deregister notification hubs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "notifications:DeregisterNotificationHub",
        "notifications:RegisterNotificationHub"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}