AWSTrustedAdvisorPriorityFullAccess AWSTrustedAdvisorPriorityReadOnlyAccess AWSTrustedAdvisorServiceRolePolicy AWSTrustedAdvisorReportingServiceRolePolicy 政策更新

AWS 的受管政策 AWS Trusted Advisor

Trusted Advisor 具有下列 AWS 受管政策。

內容

AWS 受管政策：AWSTrustedAdvisorPriorityFullAccess

AWSTrustedAdvisorPriorityFullAccess 政策會授予 Trusted Advisor Priority 的完整存取權。此政策也允許使用者使用新增 Trusted Advisor 作為受信任的服務， AWS Organizations 並指定 Trusted Advisor 優先順序的委派管理員帳戶。

許可詳細資訊

在第一個陳述式中，政策包含 trustedadvisor 的以下許可：

說明您的帳戶和組織。
描述來自 Trusted Advisor Priority 的已識別風險。許可允許您下載和更新風險狀態。
描述優先順序 Trusted Advisor 電子郵件通知的組態。許可允許您設定電子郵件通知，並針對委派的管理員停用這些通知。
設定 Trusted Advisor 以便您的帳戶可以啟用 AWS Organizations。

在第二個陳述式中，政策包含 organizations 的以下許可：

描述 Trusted Advisor 您的帳戶和組織。
列出 AWS 服務您啟用使用 Organizations 的。

在第三個陳述式中，政策包含 organizations 的以下許可：

列出 Trusted Advisor 優先順序的委派管理員。
啟用和停用 Organizations 的受信任存取權。

在第四個陳述式中，政策包含 iam 的以下許可：

建立 AWSServiceRoleForTrustedAdvisorReporting 服務連結角色。

在第五個陳述式中，政策包含 organizations 的以下許可：

允許您註冊和取消註冊 Trusted Advisor Priority 的委派管理員。


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityFullAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:UpdateRiskStatus",
				"trustedadvisor:DescribeNotificationConfigurations",
				"trustedadvisor:UpdateNotificationConfigurations",
				"trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
				"trustedadvisor:SetOrganizationAccess"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators",
				"organizations:EnableAWSServiceAccess",
				"organizations:DisableAWSServiceAccess"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AllowCreateServiceLinkedRole",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowRegisterDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:RegisterDelegatedAdministrator",
				"organizations:DeregisterDelegatedAdministrator"
			],
			"Resource": "arn:aws:organizations::*:*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}

AWS 受管政策：AWSTrustedAdvisorPriorityReadOnlyAccess

AWSTrustedAdvisorPriorityReadOnlyAccess 政策授予 Trusted Advisor Priority 唯讀許可，包括檢視委派管理員帳戶的許可。

許可詳細資訊

在第一個陳述式中，政策包含 trustedadvisor 的以下許可：

描述 Trusted Advisor 您的帳戶和組織。
描述來自 Trusted Advisor Priority 的已識別風險，並允許您下載這些風險。
描述 Trusted Advisor 優先順序電子郵件通知的組態。

在第二個和第三個陳述式中，政策包含 organizations 的以下許可：

使用 Organizations 說明您的組織。
列出 AWS 服務您啟用使用 Organizations 的。
列出 Trusted Advisor 優先順序的委派管理員


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:DescribeNotificationConfigurations"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}

AWS 受管政策：AWSTrustedAdvisorServiceRolePolicy

此政策連接至 AWSServiceRoleForTrustedAdvisor 服務連結角色。它允許服務連結角色為您執行動作。您無法連接 AWSTrustedAdvisorServiceRolePolicy 至您的 AWS Identity and Access Management (IAM) 實體。如需詳細資訊，請參閱使用 Trusted Advisor的服務連結角色。

此政策會授予管理許可，允許服務連結角色存取 AWS 服務。這些許可允許的檢查 Trusted Advisor 評估您的帳戶。

許可詳細資訊

此政策包含以下許可。

accessanalyzer – 描述 AWS Identity and Access Management Access Analyzer 資源
Auto Scaling – 描述 Amazon EC2 Auto Scaling 帳戶配額和資源
cloudformation – Describes AWS CloudFormation (CloudFormation) 帳戶配額和堆疊
cloudfront – 描述 Amazon CloudFront 分佈
cloudtrail – Describes AWS CloudTrail (CloudTrail) 追蹤
dynamodb - 描述 Amazon DynamoDB 帳戶配額和資源
dynamodbaccelerator – 描述 DynamoDB Accelerator 資源
ec2 – 描述 Amazon Elastic Compute Cloud (Amazon EC2) 帳戶配額和資源
elasticloadbalancing – 描述 Elastic Load Balancing (ELB) 帳戶配額和資源
iam – 取得 IAM 資源，例如憑證、密碼政策和憑證
networkfirewall – 描述 AWS Network Firewall 資源
kinesis - 描述 Amazon Kinesis (Kinesis) 帳戶配額
rds – 描述 Amazon Relational Database Service (Amazon RDS) 資源
redshift - 描述 Amazon Redshift 資源
route53 - 描述 Amazon Route 53 帳戶配額和資源
s3 - 描述 Amazon Simple Storage Service (Amazon S3) 資源
ses – 取得 Amazon Simple Email Service (Amazon SES) 傳送配額
sqs – 列出 Amazon Simple Queue Service (Amazon SQS) 佇列
cloudwatch – 取得 Amazon CloudWatch Events (CloudWatch Events) 指標統計資料
ce - 取得 Cost Explorer Service (Cost Explorer) 建議
route53resolver – 取得 Amazon Route 53 Resolver Resolver 端點和資源
kafka – 取得 Amazon Managed Streaming for Apache Kafka 資源
ecs – 取得 Amazon ECS 資源
outposts – 取得 AWS Outposts 資源


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid" : "TrustedAdvisorServiceRolePermissions",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ListAnalyzers"
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetEventSelectors",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dax:DescribeClusters",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeImages",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVolumes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:GetManagedPrefixListEntries",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTaskDefinitions"
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "iam:ListSAMLProviders",
                "kinesis:DescribeLimits",
                "kafka:DescribeClusterV2",
                "kafka:ListClustersV2",
                "kafka:ListNodes",
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "outposts:GetOutpost",
                "outposts:ListAssets",
                "outposts:ListOutposts",
                "rds:DescribeAccountAttributes",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "redshift:DescribeReservedNodeOfferings",
                "redshift:DescribeReservedNodes",
                "route53:GetAccountLimit",
                "route53:GetHealthCheck",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:ListResolverEndpointIpAddresses",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "ses:GetSendQuota",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}

AWS 受管政策：AWSTrustedAdvisorReportingServiceRolePolicy

此政策會連接至AWSServiceRoleForTrustedAdvisorReporting服務連結角色， Trusted Advisor 允許為組織檢視功能執行動作。您無法連接 AWSTrustedAdvisorReportingServiceRolePolicy 到您的 IAM 實體。如需詳細資訊，請參閱使用 Trusted Advisor的服務連結角色。

此政策會授予允許服務連結角色執行 AWS Organizations 動作的管理許可。

許可詳細資訊

此政策包含以下許可。

organizations - 描述您的組織，並列出服務存取權、帳戶、父系、子系和組織單位


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Trusted Advisor 受管政策的 AWS 更新

檢視自這些服務開始追蹤這些變更 Trusted Advisor 以來 AWS Support ，受 AWS 管政策更新的詳細資訊。如需此頁面變更的自動提醒，請訂閱文件歷史紀錄頁面上的 RSS 摘要。

下表說明自 2021 年 8 月 10 日起受 Trusted Advisor 管政策的重要更新。

Trusted Advisor
變更	描述	日期
AWSTrustedAdvisorServiceRolePolicy 更新至現有政策。	Trusted Advisor 新增了動作，以授予 `elasticloadbalancing:DescribeListeners,`和 `elasticloadbalancing:DescribeRules`許可。	2024 年 10 月 30 日
AWSTrustedAdvisorServiceRolePolicy 更新至現有政策。	Trusted Advisor 新增了動作，以授予 `access-analyzer:ListAnalyzers`、`cloudwatch:ListMetrics`、`dax:DescribeClusters`、`ec2:DescribeNatGatewaysec2:DescribeRouteTables`、`ec2:DescribeVpcEndpoints`、`ec2:GetManagedPrefixListEntries`、、 `elasticloadbalancing:DescribeTargetHealth` `iam:ListSAMLProviderskafka:DescribeClusterV2network-firewall:ListFirewallsnetwork-firewall:DescribeFirewall`和 `sqs:GetQueueAttributes`許可。	2024 年 6 月 11 日
AWSTrustedAdvisorServiceRolePolicy 更新至現有政策。	Trusted Advisor 新增了動作，以授予 `cloudtrail:GetTrail` `cloudtrail:ListTrails` `cloudtrail:GetEventSelectors` `outposts:GetOutpost`、 `outposts:ListAssets`和 `outposts:ListOutposts`許可。	2024 年 1 月 18 日
AWSTrustedAdvisorPriorityFullAccess 更新至現有政策。	Trusted Advisor 已更新`AWSTrustedAdvisorPriorityFullAccess` AWS 受管政策，以包含陳述式 IDs。	2023 年 12 月 6 日
AWSTrustedAdvisorPriorityReadOnlyAccess 更新至現有政策。	Trusted Advisor 已更新 `AWSTrustedAdvisorPriorityReadOnlyAccess` AWS 受管政策，以包含陳述式 IDs。	2023 年 12 月 6 日
AWSTrustedAdvisorServiceRolePolicy – 更新現有政策	Trusted Advisor 新增了動作，以授予 `ec2:DescribeRegionss3:GetLifecycleConfigurationecs:DescribeTaskDefinition`和 `ecs:ListTaskDefinitions`許可。	2023 年 11 月 9 日
AWSTrustedAdvisorServiceRolePolicy – 更新現有政策	Trusted Advisor 已新增新的 IAM 動作 `route53resolver:ListResolverEndpoints`、`ec2:DescribeSubnets`、 `route53resolver:ListResolverEndpointIpAddresseskafka:ListClustersV2`和 `kafka:ListNodes`，以加入新的彈性檢查。	2023 年 9 月 14 日
AWSTrustedAdvisorReportingServiceRolePolicy 連接到 Trusted Advisor `AWSServiceRoleForTrustedAdvisorReporting`服務連結角色的受管政策 V2	將 Trusted Advisor `AWSServiceRoleForTrustedAdvisorReporting`服務連結角色的 AWS 受管政策升級至 V2。V2 將新增另一個 IAM 動作 `organizations:ListDelegatedAdministrators`	2023 年 2 月 28 日
AWSTrustedAdvisorPriorityFullAccess 和 AWSTrustedAdvisorPriorityReadOnlyAccess 適用於的新 AWS 受管政策 Trusted Advisor	Trusted Advisor 新增了兩個新的受管政策，您可以使用這些政策來控制對 Trusted Advisor Priority 的存取。	2022 年 8 月 17 日
AWSTrustedAdvisorServiceRolePolicy – 更新現有政策	Trusted Advisor 新增了動作，以授予 `DescribeTargetGroups`和 `GetAccountPublicAccessBlock`許可。進行 Auto Scaling 群組運作狀態檢查需要 `DescribeTargetGroup` 許可，才能擷取 Classic Load Balancer 以外連接至 Auto Scaling 群組的負載平衡器。進行 Simple Storage Service (Amazon S3) 儲存貯體許可檢查需要 `GetAccountPublicAccessBlock` 許可，才能擷取 AWS 帳戶的區塊公有存取設定。	2021 年 8 月 10 日
變更發佈的日誌	Trusted Advisor 已開始追蹤其 AWS 受管政策的變更。	2021 年 8 月 10 日

您的瀏覽器已停用或無法使用 Javascript。

您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。

文件慣用形式

AWS Slack 中 AWS Support 應用程式的受管政策

AWSAWS Support Plans 的受管政策

AWS 的 受管政策 AWS Trusted Advisor

內容

AWS 受管政策：AWSTrustedAdvisorPriorityFullAccess

AWS 受管政策：AWSTrustedAdvisorPriorityReadOnlyAccess

AWS 受管政策：AWSTrustedAdvisorServiceRolePolicy

AWS 受管政策：AWSTrustedAdvisorReportingServiceRolePolicy

Trusted Advisor 受管政策的 AWS 更新

AWS 的受管政策 AWS Trusted Advisor