Getting started with AWS Supply Chain - AWS Supply Chain

This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

Getting started with AWS Supply Chain

In this section, you learn how to create an AWS Supply Chain instance, grant users permission roles, sign in to the AWS Supply Chain web application, and create custom user permission roles. An AWS account can have at most 10 AWS Supply Chain instances in the Active or Initializing state.

Using the AWS Supply Chain console

Note

If your AWS account is a member account of an AWS organization and is subject to a service control policy (SCP), make sure that the organization's SCP grants the following permissions to the member account. If the organization's SCP does not include the following permissions, creation of the AWS Supply Chain instance will fail.

To access the AWS Supply Chain console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS Supply Chain resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console will not function as intended for entities (users or roles) with that policy.

You do not need to allow the minimum console permissions for users who make calls only to the AWS CLI or the AWS API. Instead, allow access only to the actions that match the API operations they are trying to perform.

To ensure that users and roles can still use the AWS Supply Chain console, also attach the AWS Supply Chain ConsoleAccessReadOnly AWS managed policy to the entities. For more information, see Adding permissions to a user in the IAM User Guide.

Console administrators need the following permissions to successfully create and update AWS Supply Chain instances.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "scn:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:PutBucketVersioning",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketPolicy",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketPublicAccessBlock",
        "s3:DeleteObject",
        "s3:ListAllMyBuckets",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketNotification",
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketLogging",
        "s3:PutBucketTagging"
      ],
      "Resource": "arn:aws:s3:::aws-supply-chain-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:StartLogging"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "chime:CreateAppInstance",
        "chime:DeleteAppInstance",
        "chime:PutAppInstanceRetentionSettings",
        "chime:TagResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:CreateGrant",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": key_arn,
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListAliases"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sso:StartPeregrine",
        "sso:DescribeRegisteredRegions",
        "sso:ListDirectoryAssociations",
        "sso:GetPeregrineStatus",
        "sso:GetSSOStatus",
        "sso:ListProfiles",
        "sso:GetProfile",
        "sso:AssociateProfile",
        "sso:AssociateDirectory",
        "sso:RegisterRegion",
        "sso:StartSSO",
        "sso:CreateManagedApplicationInstance",
        "sso:DeleteManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

key_arn specifies the key that you want to use for the AWS Supply Chain instance. As a best practice, to restrict access to only the key you intend to use with AWS Supply Chain, see Specifying KMS keys in IAM policy statements. To represent all KMS keys, use the wildcard ("*") on its own.
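The following is an added example, not AWS tooling or code from this guide. Before attempting instance creation, it checks offline whether a candidate identity policy (or the effective permissions an SCP leaves a member account) covers a representative set of the (action, resource) pairs listed in the administrator policy above, and reports whether the kms:CreateGrant/RetireGrant/DescribeKey statement is scoped to one key ARN or to every key in the account, which is the least-privilege point the key_arn note makes. The key ARN, the bucket name, the candidate policy and the action name scn:CreateInstance are constructed placeholders; the evaluator models only Action, Resource and Effect (no NotAction, NotResource or Condition), so it is a pre-check, not a replacement for IAM policy simulation.

```python
"""Offline pre-check of an IAM policy against the AWS Supply Chain admin permissions.
Added example; not AWS code. Models Action/Resource/Effect only."""
import copy
import fnmatch
import json

# Constructed placeholder; substitute the ARN of the KMS key your instance will use.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Representative (action, resource) pairs taken from the administrator policy on the page.
# "scn:CreateInstance" is an assumed action name covered by the page's "scn:*" statement.
# Extend this list with the remaining actions from the policy for a full check.
REQUIRED = [
    ("scn:CreateInstance", "*"),
    ("s3:CreateBucket", "arn:aws:s3:::aws-supply-chain-example"),
    ("s3:PutBucketPolicy", "arn:aws:s3:::aws-supply-chain-example"),
    ("cloudtrail:CreateTrail", "*"),
    ("kms:CreateGrant", KEY_ARN),
    ("kms:DescribeKey", KEY_ARN),
    ("iam:CreateServiceLinkedRole", "*"),
]

# KMS actions the page scopes to key_arn rather than to "*".
KMS_GRANT_ACTIONS = {"kms:creategrant", "kms:retiregrant", "kms:describekey"}

# Constructed candidate policy: missing s3:PutBucketPolicy and granting KMS on every key.
CANDIDATE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "scn:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket"],
     "Resource": "arn:aws:s3:::aws-supply-chain-*"},
    {"Effect": "Allow", "Action": ["cloudtrail:CreateTrail", "cloudtrail:StartLogging"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:CreateGrant", "kms:RetireGrant", "kms:DescribeKey"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole", "iam:CreateRole"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants the pair.
    Action names are matched case-insensitively, resources case-sensitively."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, required=REQUIRED):
    """Required pairs the policy does not grant; instance creation would fail on these."""
    return [f"{a} on {r}" for a, r in required if not is_allowed(policy, a, r)]


def kms_grant_scope(policy):
    """Resources on which kms:CreateGrant is allowed; '*' means every key in the account."""
    scope = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase("kms:creategrant", a) for a in actions):
            scope.update(_as_list(stmt.get("Resource", [])))
    return sorted(scope)


def scope_kms_to_key(policy, key_arn):
    """Return a copy in which Allow statements consisting only of the grant actions
    are narrowed from '*' to key_arn, mirroring the page's key_arn statement."""
    tightened = copy.deepcopy(policy)
    for stmt in _as_list(tightened["Statement"]):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and actions and actions <= KMS_GRANT_ACTIONS:
            if _as_list(stmt.get("Resource", [])) == ["*"]:
                stmt["Resource"] = key_arn
    return tightened


if __name__ == "__main__":
    print("missing:", missing_permissions(CANDIDATE_POLICY))
    print("kms grant scope:", kms_grant_scope(CANDIDATE_POLICY))
    fixed = scope_kms_to_key(CANDIDATE_POLICY, KEY_ARN)
    print("kms grant scope after tightening:", kms_grant_scope(fixed))
```

Run it against the JSON you intend to attach (load it with json.load in place of CANDIDATE_POLICY). An empty missing list plus a KMS scope equal to your key ARN is the state the page's policy describes; a scope of "*" is valid but grants the administrator the ability to create grants on every key in the account.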