使用主控台大量遷移您的政策 - AWS 帳單
必要條件確認您的遷移

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用主控台大量遷移您的政策

注意

下列 AWS Identity and Access Management (IAM) 動作已於 2023 年 7 月達到標準支援結束:

  • aws-portal 命名空間

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

如果您使用的是 AWS Organizations,則可以使用大量政策模擬器指令碼或大量政策模擬器,從您的付款人帳戶更新政策。您也可以使用舊動作映射參考來驗證需要新增IAM的動作。

如果您有 AWS 帳戶、 或 是 2023 年 3 月 6 日上午 11:00 (PDT) 或之後 AWS Organizations 建立的 的一部分,則精細動作已在組織中生效。

本節說明如何使用AWS Billing and Cost Management 主控台,將舊版政策從 Organizations 帳戶或標準帳戶大量遷移至精細動作。您可以使用 主控台,以兩種方式完成遷移舊版政策:

使用AWS建議的遷移程序

這是一個簡化的單一動作程序,您可以將舊版動作遷移至由 映射的精細動作 AWS。如需詳細資訊,請參閱使用建議的動作來大量遷移舊版政策

使用自訂遷移程序

此程序可讓您檢閱和變更大量遷移 AWS 之前 建議的動作,以及自訂組織中要遷移哪些帳戶。如需詳細資訊,請參閱自訂動作以大量遷移舊版政策

使用主控台大量遷移的先決條件

這兩個遷移選項都需要您在 主控台中同意,以便 AWS 可以向您指派的舊版動作建議精細IAM動作。若要這麼做,您需要以IAM主體身分登入 AWS 您的帳戶,並採取下列IAM動作才能繼續更新政策。

Management account
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced",
"aws-portal:UpdateConsoleActionSetEnforced",
"purchase-orders:UpdateConsoleActionSetEnforced",
"iam:GetAccountAuthorizationDetails",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"scheduler:GetSchedule", 
"scheduler:DeleteSchedule",
"scheduler:CreateSchedule",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:CreateStackSet",
"cloudformation:CreateStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStackSets",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:ListStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackSetOperations",
"cloudformation:CreateStack",
"cloudformation:UpdateStackInstances",
"cloudformation:UpdateStackSet",
"cloudformation:DescribeStacks",
"ec2:DescribeRegions",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:ListAccounts",
"organizations:ListPolicies",
"organizations:DescribePolicy",
"organizations:UpdatePolicy",
"organizations:DescribeOrganization",
"organizations:ListAccountsForParent",
"organizations:ListRoots",
"sts:AssumeRole",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:GetInlinePolicyForPermissionSet",
"sso:DescribePermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ProvisionPermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
Member account or standard account
// Required to view page
"ce:GetConsoleActionSetEnforced",
"aws-portal:GetConsoleActionSetEnforced",
"purchase-orders:GetConsoleActionSetEnforced",
"ce:UpdateConsoleActionSetEnforced", // Not needed for member account
"aws-portal:UpdateConsoleActionSetEnforced", // Not needed for member account
"purchase-orders:UpdateConsoleActionSetEnforced", // Not needed for member account
"iam:GetAccountAuthorizationDetails",
"ec2:DescribeRegions",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:PutBucketAcl", 
"s3:PutEncryptionConfiguration",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetGroupPolicy",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:PutUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetails",
"notifications:ListNotificationHubs" // Added to ensure Notifications API does not return 403
主題

確認您的遷移

您可以使用遷移工具查看是否有任何 AWS Organizations 帳戶仍需要遷移。

確認所有帳戶是否已遷移

  1. 登入 AWS Management Console

  2. 在頁面頂端的搜尋列中,輸入 Bulk Policy Migrator

  3. 管理新IAM動作頁面上,選擇遷移帳戶索引標籤。

如果資料表未顯示任何剩餘的帳戶,則所有帳戶都已成功遷移。