AWS managed policies for AWS Clean Rooms - AWS Clean Rooms

This page is a translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

AWS managed policies for AWS Clean Rooms

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use case, because they are available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in an AWS managed policy. If AWS updates the permissions defined in an AWS managed policy, the update affects every principal identity (user, group, and role) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or when new API operations become available for an existing service.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSCleanRoomsReadOnlyAccess

You can attach AWSCleanRoomsReadOnlyAccess to your IAM principals.

This policy grants read-only permissions to the resources and metadata in an AWS Clean Rooms collaboration.

Permissions details

This policy includes the following permissions:

  • CleanRoomsRead – Allows principals read-only access to the service (every cleanrooms:BatchGet*, cleanrooms:Get*, and cleanrooms:List* action).

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • ConsoleLogSummaryQueryLogs – Allows principals to see query logs (logs:StartQuery on log groups whose name starts with /aws/cleanrooms).

  • ConsoleLogSummaryObtainLogs – Allows principals to retrieve log results.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsRead",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:BatchGet*",
        "cleanrooms:Get*",
        "cleanrooms:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": ["logs:StartQuery"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": ["logs:GetQueryResults"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSCleanRoomsFullAccess

You can attach AWSCleanRoomsFullAccess to your IAM principals.

This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata in an AWS Clean Rooms collaboration. This policy includes access to perform queries.

Permissions details

This policy includes the following permissions:

  • CleanRoomsAccess – Grants full access to all AWS Clean Rooms actions on all resources.

  • PassServiceRole – Grants access to pass service roles whose name contains "cleanrooms", and only to the AWS Clean Rooms service (iam:PassedToService condition).

  • ListRolesToPickServiceRole – Allows principals to list all of their roles so that they can pick a service role when using AWS Clean Rooms.

  • GetRoleAndListRolePoliciesToInspectServiceRole – Allows principals to view a service role whose name contains "cleanrooms", and the policies attached to it, in IAM.

  • ListPoliciesToInspectServiceRolePolicy – Allows principals to list all policies in IAM so that the service role's policies can be inspected.

  • GetPolicyToInspectServiceRolePolicy – Allows principals to view a policy whose name contains "cleanrooms", including its policy versions, in IAM.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • ConsolePickQueryResultsBucketListAll – Allows principals to choose, from a list of all available S3 buckets, the Amazon S3 bucket to which their query results are written.

  • SetQueryResultsBucket – Allows principals to select an S3 bucket whose name starts with cleanrooms-queryresults as the destination for their query results.

  • ConsoleDisplayQueryResults – Allows principals to show query results to the customer by reading from the S3 bucket.

  • WriteQueryResults – Allows principals to write query results to a customer-owned S3 bucket, but only when the request is made through AWS Clean Rooms (aws:CalledVia condition).

  • EstablishLogDeliveries – Allows principals to deliver query logs to the customer's Amazon CloudWatch Logs log group.

  • SetupLogGroupsDescribe – Allows principals to describe log groups as part of the Amazon CloudWatch Logs log group creation process.

  • SetupLogGroupsCreate – Allows principals to create Amazon CloudWatch Logs log groups whose name starts with /aws/cleanrooms.

  • SetupLogGroupsResourcePolicy – Allows principals to set resource policies on Amazon CloudWatch Logs log groups.

  • ConsoleLogSummaryQueryLogs – Allows principals to see query logs.

  • ConsoleLogSummaryObtainLogs – Allows principals to retrieve log results.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsAccess",
      "Effect": "Allow",
      "Action": ["cleanrooms:*"],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*"
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:ListPolicies"],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:GetPolicy", "iam:GetPolicyVersion"],
      "Resource": "arn:aws:iam::*:policy/*cleanrooms*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickQueryResultsBucketListAll",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "SetQueryResultsBucket",
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListBucketVersions"],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*"
    },
    {
      "Sid": "WriteQueryResults",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:PutObject"],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ConsoleDisplayQueryResults",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::cleanrooms-queryresults*"
    },
    {
      "Sid": "EstablishLogDeliveries",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsDescribe",
      "Effect": "Allow",
      "Action": ["logs:DescribeLogGroups"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsCreate",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsResourcePolicy",
      "Effect": "Allow",
      "Action": ["logs:DescribeResourcePolicies", "logs:PutResourcePolicy"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": ["logs:StartQuery"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": ["logs:GetQueryResults"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSCleanRoomsFullAccessNoQuerying

You can attach AWSCleanRoomsFullAccessNoQuerying to your IAM principals.

This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata in an AWS Clean Rooms collaboration. This policy excludes access to perform queries.

Permissions details

This policy includes the following permissions:

  • CleanRoomsAccess – Grants full access to all AWS Clean Rooms actions on all resources, except querying in a collaboration.

  • CleanRoomsNoQuerying – Explicitly denies StartProtectedQuery and UpdateProtectedQuery to prevent querying.

  • PassServiceRole – Grants access to pass service roles whose name contains "cleanrooms", and only to the AWS Clean Rooms service (iam:PassedToService condition).

  • ListRolesToPickServiceRole – Allows principals to list all of their roles so that they can pick a service role when using AWS Clean Rooms.

  • GetRoleAndListRolePoliciesToInspectServiceRole – Allows principals to view a service role whose name contains "cleanrooms", and the policies attached to it, in IAM.

  • ListPoliciesToInspectServiceRolePolicy – Allows principals to list all policies in IAM so that the service role's policies can be inspected.

  • GetPolicyToInspectServiceRolePolicy – Allows principals to view a policy whose name contains "cleanrooms", including its policy versions, in IAM.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • EstablishLogDeliveries – Allows principals to deliver query logs to the customer's Amazon CloudWatch Logs log group.

  • SetupLogGroupsDescribe – Allows principals to describe log groups as part of the Amazon CloudWatch Logs log group creation process.

  • SetupLogGroupsCreate – Allows principals to create Amazon CloudWatch Logs log groups whose name starts with /aws/cleanrooms.

  • SetupLogGroupsResourcePolicy – Allows principals to set resource policies on Amazon CloudWatch Logs log groups.

  • ConsoleLogSummaryQueryLogs – Allows principals to see query logs.

  • ConsoleLogSummaryObtainLogs – Allows principals to retrieve log results.

Grouped by service, the policy grants the following:

  • cleanrooms – Manage collaborations, analysis templates, configured tables, memberships, and related resources within the AWS Clean Rooms service. Perform operations such as creating, updating, deleting, listing, and retrieving information about these resources.

  • iam – Pass service roles whose name contains "cleanrooms" to the AWS Clean Rooms service. List roles and policies, and inspect the service roles and policies related to the AWS Clean Rooms service.

  • glue – Retrieve information about databases, tables, partitions, and schemas from AWS Glue. This is required for the AWS Clean Rooms service to display and interact with the underlying data sources.

  • logs – Manage log deliveries, CloudWatch Logs log groups, and resource policies. Query and retrieve logs related to the AWS Clean Rooms service. These permissions are necessary for monitoring, auditing, and troubleshooting within the service.

The policy also explicitly denies the actions cleanrooms:StartProtectedQuery and cleanrooms:UpdateProtectedQuery, which prevents users from directly running or updating protected queries; those operations should be performed through the mechanisms controlled by AWS Clean Rooms. Because an explicit Deny overrides any Allow, this restriction also holds if another policy attached to the same principal (for example AWSCleanRoomsFullAccess) grants cleanrooms:* .

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsAccess",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:BatchGetCollaborationAnalysisTemplate",
        "cleanrooms:BatchGetSchema",
        "cleanrooms:BatchGetSchemaAnalysisRule",
        "cleanrooms:CreateAnalysisTemplate",
        "cleanrooms:CreateCollaboration",
        "cleanrooms:CreateConfiguredTable",
        "cleanrooms:CreateConfiguredTableAnalysisRule",
        "cleanrooms:CreateConfiguredTableAssociation",
        "cleanrooms:CreateMembership",
        "cleanrooms:DeleteAnalysisTemplate",
        "cleanrooms:DeleteCollaboration",
        "cleanrooms:DeleteConfiguredTable",
        "cleanrooms:DeleteConfiguredTableAnalysisRule",
        "cleanrooms:DeleteConfiguredTableAssociation",
        "cleanrooms:DeleteMember",
        "cleanrooms:DeleteMembership",
        "cleanrooms:GetAnalysisTemplate",
        "cleanrooms:GetCollaboration",
        "cleanrooms:GetCollaborationAnalysisTemplate",
        "cleanrooms:GetConfiguredTable",
        "cleanrooms:GetConfiguredTableAnalysisRule",
        "cleanrooms:GetConfiguredTableAssociation",
        "cleanrooms:GetMembership",
        "cleanrooms:GetProtectedQuery",
        "cleanrooms:GetSchema",
        "cleanrooms:GetSchemaAnalysisRule",
        "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables",
        "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries",
        "cleanrooms:ListSchemas",
        "cleanrooms:UpdateAnalysisTemplate",
        "cleanrooms:UpdateCollaboration",
        "cleanrooms:UpdateConfiguredTable",
        "cleanrooms:UpdateConfiguredTableAnalysisRule",
        "cleanrooms:UpdateConfiguredTableAssociation",
        "cleanrooms:UpdateMembership",
        "cleanrooms:ListTagsForResource",
        "cleanrooms:UntagResource",
        "cleanrooms:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CleanRoomsNoQuerying",
      "Effect": "Deny",
      "Action": [
        "cleanrooms:StartProtectedQuery",
        "cleanrooms:UpdateProtectedQuery"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*"
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:ListPolicies"],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:GetPolicy", "iam:GetPolicyVersion"],
      "Resource": "arn:aws:iam::*:policy/*cleanrooms*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EstablishLogDeliveries",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsDescribe",
      "Effect": "Allow",
      "Action": ["logs:DescribeLogGroups"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsCreate",
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SetupLogGroupsResourcePolicy",
      "Effect": "Allow",
      "Action": ["logs:DescribeResourcePolicies", "logs:PutResourcePolicy"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cleanrooms.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ConsoleLogSummaryQueryLogs",
      "Effect": "Allow",
      "Action": ["logs:StartQuery"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanrooms*"
    },
    {
      "Sid": "ConsoleLogSummaryObtainLogs",
      "Effect": "Allow",
      "Action": ["logs:GetQueryResults"],
      "Resource": "*"
    }
  ]
}
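The three mechanisms these policies rely on (wildcard Action and Resource patterns, an explicit Deny that overrides every Allow, and the iam:PassedToService and aws:CalledVia conditions) are easy to misread from the JSON alone. The following is an added example, not AWS code or part of the original page: a deliberately simplified evaluator that applies those rules to excerpts of AWSCleanRoomsFullAccess and the CleanRoomsNoQuerying statement shown above. The membership ARN, role names, bucket name and the account ID 123456789012 are constructed placeholders. It ignores SCPs, permissions boundaries, resource-based policies and all other condition operators, so treat it as a reading aid for these documents rather than a replacement for the IAM policy simulator.

```python
"""Simplified evaluator for IAM identity-based policies (added example, not AWS code).

Models only what the Clean Rooms managed policies use: '*'/'?' wildcards in
Action and Resource, explicit Deny beating Allow, and the StringEquals and
ForAnyValue:StringEquals condition operators.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt["Action"]))


def _resource_matches(stmt, resource):
    # ARNs are case-sensitive; as in IAM, '*' spans ':' and '/' as well.
    return any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))


def _conditions_hold(stmt, context):
    """context maps request keys to a string, or to a list for multivalued keys
    such as aws:CalledVia. A key absent from the request makes the condition false."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                # Single-valued operator: a multivalued request key never matches.
                if isinstance(actual, list) or actual not in expected:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(v in expected for v in _as_list(actual)):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request
    evaluated against every attached policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                    and _conditions_hold(stmt, context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation regardless of Allows
            decision = "Allow"
    return decision


# Excerpts of the managed policies on this page: only the statements exercised below.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsAccess", "Effect": "Allow", "Action": ["cleanrooms:*"], "Resource": "*"},
    {"Sid": "PassServiceRole", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::*:role/service-role/*cleanrooms*",
     "Condition": {"StringEquals": {"iam:PassedToService": "cleanrooms.amazonaws.com"}}},
    {"Sid": "WriteQueryResults", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"],
     "Resource": "arn:aws:s3:::cleanrooms-queryresults*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": "cleanrooms.amazonaws.com"}}},
]}
NO_QUERYING_DENY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsNoQuerying", "Effect": "Deny",
     "Action": ["cleanrooms:StartProtectedQuery", "cleanrooms:UpdateProtectedQuery"], "Resource": "*"},
]}

# Constructed request parameters; 123456789012 is a placeholder account ID.
MEMBERSHIP = "arn:aws:cleanrooms:us-east-1:123456789012:membership/11111111-2222-3333-4444-555555555555"
SERVICE_ROLE = "arn:aws:iam::123456789012:role/service-role/my-cleanrooms-role"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"
RESULTS_OBJECT = "arn:aws:s3:::cleanrooms-queryresults-example/out.csv"
VIA_CLEANROOMS = {"aws:CalledVia": ["cleanrooms.amazonaws.com"]}


def run_scenarios():
    """Evaluate the requests a practitioner would want to check against these policies."""
    q = "cleanrooms:StartProtectedQuery"
    return {
        # FullAccess alone permits querying; attaching the NoQuerying Deny as well flips it.
        "full_access_query": evaluate([FULL_ACCESS], q, MEMBERSHIP),
        "with_no_querying_query": evaluate([FULL_ACCESS, NO_QUERYING_DENY], q, MEMBERSHIP),
        # PassRole: only *cleanrooms* roles under service-role/, and only to Clean Rooms.
        "passrole_to_cleanrooms": evaluate([FULL_ACCESS], "iam:PassRole", SERVICE_ROLE,
                                           {"iam:PassedToService": "cleanrooms.amazonaws.com"}),
        "passrole_to_lambda": evaluate([FULL_ACCESS], "iam:PassRole", SERVICE_ROLE,
                                       {"iam:PassedToService": "lambda.amazonaws.com"}),
        "passrole_admin_role": evaluate([FULL_ACCESS], "iam:PassRole", ADMIN_ROLE,
                                        {"iam:PassedToService": "cleanrooms.amazonaws.com"}),
        # Writing results is allowed only when the call is made via Clean Rooms.
        "put_results_direct": evaluate([FULL_ACCESS], "s3:PutObject", RESULTS_OBJECT),
        "put_results_via_service": evaluate([FULL_ACCESS], "s3:PutObject", RESULTS_OBJECT, VIA_CLEANROOMS),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:26s} {decision}")
```

The two decisions worth noticing are "with_no_querying_query", where the Deny in AWSCleanRoomsFullAccessNoQuerying wins even though the other attached policy grants cleanrooms:*, and "put_results_direct", where a principal holding AWSCleanRoomsFullAccess still cannot write to the results bucket from the CLI because aws:CalledVia is only present when the service makes the call on the principal's behalf.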

AWS managed policy: AWSCleanRoomsMLReadOnlyAccess

You can attach AWSCleanRoomsMLReadOnlyAccess to your IAM principals.

This policy grants read-only permissions to the Clean Rooms ML resources and metadata in a collaboration.

Permissions details

This policy includes the following permissions:

  • CleanRoomsConsoleNavigation – Grants access to view the AWS Clean Rooms console screens.

  • CleanRoomsMLRead – Allows principals read-only access to the Clean Rooms ML service (every cleanrooms-ml:Get* and cleanrooms-ml:List* action).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsConsoleNavigation",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:GetCollaboration",
        "cleanrooms:GetConfiguredAudienceModelAssociation",
        "cleanrooms:GetMembership",
        "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations",
        "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables",
        "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries",
        "cleanrooms:ListSchemas",
        "cleanrooms:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CleanRoomsMLRead",
      "Effect": "Allow",
      "Action": ["cleanrooms-ml:Get*", "cleanrooms-ml:List*"],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSCleanRoomsMLFullAccess

You can attach AWSCleanRoomsMLFullAccess to your IAM principals. This policy grants administrative permissions that allow full access (read, write, and update) to the resources and metadata that Clean Rooms ML needs.

Permissions details

This policy includes the following permissions:

  • CleanRoomsMLFullAccess – Grants access to all Clean Rooms ML actions.

  • PassServiceRole – Grants access to pass service roles whose name starts with "cleanrooms-ml", and only to the Clean Rooms ML service (iam:PassedToService condition).

  • CleanRoomsConsoleNavigation – Grants access to view the AWS Clean Rooms console screens.

  • CollaborationMembershipCheck – When you start an audience generation (lookalike segment) job in a collaboration, the Clean Rooms ML service calls ListMembers to check that the collaboration is valid, that the caller is an active member, and that the owner of the configured audience model is an active member. This permission is always required; only console users need the console navigation SID.

  • AssociateModels – Allows principals to associate a Clean Rooms ML model with your collaboration.

  • TagAssociations – Allows principals to add tags to the association between a lookalike model and a collaboration.

  • ListRolesToPickServiceRole – Allows principals to list all of their roles so that they can pick a service role when using AWS Clean Rooms.

  • GetRoleAndListRolePoliciesToInspectServiceRole – Allows principals to view a service role whose name starts with "cleanrooms-ml", and the policies attached to it, in IAM.

  • ListPoliciesToInspectServiceRolePolicy – Allows principals to list all policies in IAM so that the service role's policies can be inspected.

  • GetPolicyToInspectServiceRolePolicy – Allows principals to view a policy whose name contains "cleanroomsml", including its policy versions, in IAM.

  • ConsoleDisplayTables – Allows principals read-only access to the AWS Glue metadata needed to show data about the underlying AWS Glue tables on the console.

  • ConsolePickOutputBucket – Allows principals to pick an Amazon S3 bucket for the configured audience model output.

  • ConsolePickS3Location – Allows principals to pick a location within a bucket whose name contains "cleanrooms-ml" for the configured audience model output.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CleanRoomsMLFullAccess",
      "Effect": "Allow",
      "Action": ["cleanrooms-ml:*"],
      "Resource": "*"
    },
    {
      "Sid": "PassServiceRole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::*:role/cleanrooms-ml*"],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cleanrooms-ml.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CleanRoomsConsoleNavigation",
      "Effect": "Allow",
      "Action": [
        "cleanrooms:GetCollaboration",
        "cleanrooms:GetConfiguredAudienceModelAssociation",
        "cleanrooms:GetMembership",
        "cleanrooms:ListAnalysisTemplates",
        "cleanrooms:ListCollaborationAnalysisTemplates",
        "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations",
        "cleanrooms:ListCollaborations",
        "cleanrooms:ListConfiguredTableAssociations",
        "cleanrooms:ListConfiguredTables",
        "cleanrooms:ListMembers",
        "cleanrooms:ListMemberships",
        "cleanrooms:ListProtectedQueries",
        "cleanrooms:ListSchemas",
        "cleanrooms:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CollaborationMembershipCheck",
      "Effect": "Allow",
      "Action": ["cleanrooms:ListMembers"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cleanrooms-ml.amazonaws.com"]
        }
      }
    },
    {
      "Sid": "AssociateModels",
      "Effect": "Allow",
      "Action": ["cleanrooms:CreateConfiguredAudienceModelAssociation"],
      "Resource": "*"
    },
    {
      "Sid": "TagAssociations",
      "Effect": "Allow",
      "Action": ["cleanrooms:TagResource"],
      "Resource": "arn:aws:cleanrooms:*:*:membership/*/configuredaudiencemodelassociation/*"
    },
    {
      "Sid": "ListRolesToPickServiceRole",
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Sid": "GetRoleAndListRolePoliciesToInspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/cleanrooms-ml*",
        "arn:aws:iam::*:role/role/cleanrooms-ml*"
      ]
    },
    {
      "Sid": "ListPoliciesToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:ListPolicies"],
      "Resource": "*"
    },
    {
      "Sid": "GetPolicyToInspectServiceRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:GetPolicy", "iam:GetPolicyVersion"],
      "Resource": "arn:aws:iam::*:policy/*cleanroomsml*"
    },
    {
      "Sid": "ConsoleDisplayTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaVersion",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickOutputBucket",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "*"
    },
    {
      "Sid": "ConsolePickS3Location",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::*cleanrooms-ml*"
    }
  ]
}

AWS Clean Rooms updates to AWS managed policies

View details about updates to AWS managed policies for AWS Clean Rooms since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Clean Rooms Document history page.

Change: AWSCleanRoomsFullAccessNoQuerying – Update to an existing policy
Description: Added cleanrooms:BatchGetSchemaAnalysisRule to CleanRoomsAccess.
Date: May 13, 2024

Change: AWSCleanRoomsFullAccess – Update to an existing policy
Description: Renamed the statement ID ConsolePickQueryResultsBucket in the AWSCleanRoomsFullAccess policy to SetQueryResultsBucket to better represent the permissions, because they are needed to set the query results bucket both with and without the console.
Date: March 21, 2024

Change: AWSCleanRoomsMLReadOnlyAccess – New policy; AWSCleanRoomsMLFullAccess – New policy
Description: Added AWSCleanRoomsMLReadOnlyAccess and AWSCleanRoomsMLFullAccess to support AWS Clean Rooms ML.
Date: November 29, 2023

Change: AWSCleanRoomsFullAccessNoQuerying – Update to an existing policy
Description: Added cleanrooms:CreateAnalysisTemplate, cleanrooms:GetAnalysisTemplate, cleanrooms:UpdateAnalysisTemplate, cleanrooms:DeleteAnalysisTemplate, cleanrooms:ListAnalysisTemplates, cleanrooms:GetCollaborationAnalysisTemplate, cleanrooms:BatchGetCollaborationAnalysisTemplate, and cleanrooms:ListCollaborationAnalysisTemplates to CleanRoomsAccess to enable the new analysis template feature.
Date: July 31, 2023

Change: AWSCleanRoomsFullAccessNoQuerying – Update to an existing policy
Description: Added cleanrooms:ListTagsForResource, cleanrooms:UntagResource, and cleanrooms:TagResource to CleanRoomsAccess to enable resource tagging.
Date: March 21, 2023

Change: AWS Clean Rooms started tracking changes
Description: AWS Clean Rooms started tracking changes for its AWS managed policies.
Date: January 12, 2023
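Because AWS can change a managed policy at any time and the change applies to every principal it is attached to, teams that depend on one should pin the version they reviewed and compare the live document against it rather than rely on the change history alone. The following is an added example, not AWS code or part of the original page: it diffs two versions of a policy statement by statement, flags changes that can only widen access, and fingerprints a document for pinning. The comparison runs offline on a constructed excerpt that mirrors the 2024-05-13 entry above (cleanrooms:BatchGetSchemaAnalysisRule added to CleanRoomsAccess). fetch_default_version() shows the two boto3 calls that would retrieve the live document; boto3, credentials and the standard arn:aws:iam::aws:policy/ ARN form are assumed only when that function is called.

```python
"""Diff two versions of an AWS managed policy (added example, not AWS code)."""
import hashlib
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _index(policy):
    """Map each statement's Sid to a comparable view of its contents."""
    view = {}
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid") or json.dumps(stmt, sort_keys=True)  # Sid is optional in IAM
        view[sid] = {
            "effect": stmt["Effect"],
            "actions": set(_as_list(stmt.get("Action", []))),
            "resources": set(_as_list(stmt.get("Resource", []))),
            "condition": json.dumps(stmt.get("Condition", {}), sort_keys=True),
        }
    return view


def diff_policies(old, new):
    """Return (kind, sid, effect, detail) records describing how `new` differs from `old`."""
    a, b = _index(old), _index(new)
    changes = []
    for sid in sorted(set(a) | set(b)):
        if sid not in a:
            changes.append(("added_statement", sid, b[sid]["effect"], sorted(b[sid]["actions"])))
        elif sid not in b:
            changes.append(("removed_statement", sid, a[sid]["effect"], sorted(a[sid]["actions"])))
        else:
            o, n = a[sid], b[sid]
            if o["effect"] != n["effect"]:
                changes.append(("changed_effect", sid, n["effect"], [o["effect"]]))
            added = sorted(n["actions"] - o["actions"])
            removed = sorted(o["actions"] - n["actions"])
            if added:
                changes.append(("added_actions", sid, n["effect"], added))
            if removed:
                changes.append(("removed_actions", sid, n["effect"], removed))
            if o["resources"] != n["resources"]:
                changes.append(("changed_resources", sid, n["effect"], sorted(n["resources"])))
            if o["condition"] != n["condition"]:
                changes.append(("changed_condition", sid, n["effect"], [n["condition"]]))
    return changes


def is_broadening(changes):
    """True when a change can widen access: more Allow, less Deny, or a scope or
    condition change whose direction cannot be judged mechanically (review it)."""
    for kind, _sid, effect, _detail in changes:
        if kind in ("added_statement", "added_actions") and effect == "Allow":
            return True
        if kind in ("removed_statement", "removed_actions") and effect == "Deny":
            return True
        if kind in ("changed_effect", "changed_resources", "changed_condition"):
            return True
    return False


def fingerprint(policy):
    """Stable SHA-256 of the canonical JSON, suitable for pinning a reviewed version."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def fetch_default_version(policy_arn="arn:aws:iam::aws:policy/AWSCleanRoomsFullAccessNoQuerying"):
    """Retrieve the current default version of a managed policy (live call, not run offline).
    The policy ARN form and the presence of boto3/credentials are assumptions."""
    import boto3
    iam = boto3.client("iam")
    version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=policy_arn, VersionId=version_id)["PolicyVersion"]["Document"]


# Constructed excerpt of AWSCleanRoomsFullAccessNoQuerying before and after the
# 2024-05-13 update listed on this page. Only a few of the real statement's actions
# are included; the shape of the change is what matters.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CleanRoomsAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["cleanrooms:BatchGetSchema", "cleanrooms:GetSchemaAnalysisRule", "cleanrooms:ListSchemas"]},
    {"Sid": "CleanRoomsNoQuerying", "Effect": "Deny", "Resource": "*",
     "Action": ["cleanrooms:StartProtectedQuery", "cleanrooms:UpdateProtectedQuery"]},
]}
AFTER = json.loads(json.dumps(BEFORE))  # deep copy, then apply the recorded change
AFTER["Statement"][0]["Action"].append("cleanrooms:BatchGetSchemaAnalysisRule")


if __name__ == "__main__":
    changes = diff_policies(BEFORE, AFTER)
    for change in changes:
        print(change)
    print("broadening:", is_broadening(changes))
    print("pinned fingerprint changed:", fingerprint(BEFORE) != fingerprint(AFTER))
```

In practice the pinned fingerprint and the diff run on a schedule: a changed fingerprint triggers the diff, and is_broadening() decides whether the change needs a human review before the principals that carry the policy keep using it.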