Setting up permissions for AWS IoT Events alarms - AWS IoT SiteWise

This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.

Setting up permissions for AWS IoT Events alarms

When you use AWS IoT Events alarm models to monitor AWS IoT SiteWise asset properties, you must have the following IAM permissions:

  • An AWS IoT Events service role that allows AWS IoT Events to send data to AWS IoT SiteWise. For more information, see Identity and Access Management for AWS IoT Events in the AWS IoT Events Developer Guide.

  • The following AWS IoT SiteWise action permissions: iotsitewise:DescribeAssetModel and iotsitewise:UpdateAssetModelPropertyRouting. These permissions allow AWS IoT SiteWise to send asset property values to AWS IoT Events alarm models.

For more information, see Resource-based policies in the IAM User Guide.

Required action permissions

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on which resources, and under what conditions. The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy.

To define AWS IoT Events alarm models, you must grant the following permissions so that AWS IoT SiteWise can send asset property values to the alarm model.

  • iotsitewise:DescribeAssetModel: allows AWS IoT Events to check whether an asset property exists.

  • iotsitewise:UpdateAssetModelPropertyRouting: allows AWS IoT SiteWise to automatically create the routing that enables AWS IoT SiteWise to send data to AWS IoT Events.

For more information about the actions that AWS IoT SiteWise supports, see Actions defined by AWS IoT SiteWise in the Service Authorization Reference.

Example permissions policy 1

The following policy allows AWS IoT SiteWise to send asset property values to any AWS IoT Events alarm model.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:UpdateAlarmModel"
            ],
            "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:UpdateAssetModelPropertyRouting"
            ],
            "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
        }
    ]
}

Example permissions policy 2

The following policy allows AWS IoT SiteWise to send the values of a specified asset property to a specified AWS IoT Events alarm model.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:UpdateAlarmModel"
            ],
            "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribeAssetModel"
            ],
            "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:UpdateAssetModelPropertyRouting"
            ],
            "Resource": [
                "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
            ],
            "Condition": {
                "StringLike": {
                    "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
                    "iotevents:alarmModelArn": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
                }
            }
        }
    ]
}

(Optional) Allow ListInputRoutings

When you update or delete an asset model, AWS IoT SiteWise can check whether an AWS IoT Events alarm model is monitoring an asset property associated with that asset model. This prevents you from deleting asset properties that AWS IoT Events alarms are currently using. To enable this feature in AWS IoT SiteWise, you must have the iotevents:ListInputRoutings permission. This permission allows AWS IoT SiteWise to call the ListInputRoutings API operation supported by AWS IoT Events.

Note

We strongly recommend that you add the ListInputRoutings permission.

Example permissions policy

The following policy allows you to update and delete asset models, and to use the ListInputRoutings API in AWS IoT SiteWise.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:UpdateAssetModel",
                "iotsitewise:DeleteAssetModel",
                "iotevents:ListInputRoutings"
            ],
            "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
        }
    ]
}

Required permissions for SiteWise Monitor

If you want to use SiteWise Monitor portals, you must update the SiteWise Monitor service role with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iotsitewise:DescribePortal",
                "iotsitewise:CreateProject",
                "iotsitewise:DescribeProject",
                "iotsitewise:UpdateProject",
                "iotsitewise:DeleteProject",
                "iotsitewise:ListProjects",
                "iotsitewise:BatchAssociateProjectAssets",
                "iotsitewise:BatchDisassociateProjectAssets",
                "iotsitewise:ListProjectAssets",
                "iotsitewise:CreateDashboard",
                "iotsitewise:DescribeDashboard",
                "iotsitewise:UpdateDashboard",
                "iotsitewise:DeleteDashboard",
                "iotsitewise:ListDashboards",
                "iotsitewise:CreateAccessPolicy",
                "iotsitewise:DescribeAccessPolicy",
                "iotsitewise:UpdateAccessPolicy",
                "iotsitewise:DeleteAccessPolicy",
                "iotsitewise:ListAccessPolicies",
                "iotsitewise:DescribeAsset",
                "iotsitewise:ListAssets",
                "iotsitewise:ListAssociatedAssets",
                "iotsitewise:DescribeAssetProperty",
                "iotsitewise:GetAssetPropertyValue",
                "iotsitewise:GetAssetPropertyValueHistory",
                "iotsitewise:GetAssetPropertyAggregates",
                "iotsitewise:BatchPutAssetPropertyValue",
                "iotsitewise:ListAssetRelationships",
                "iotsitewise:DescribeAssetModel",
                "iotsitewise:ListAssetModels",
                "iotsitewise:UpdateAssetModel",
                "iotsitewise:UpdateAssetModelPropertyRouting",
                "sso-directory:DescribeUsers",
                "sso-directory:DescribeUser",
                "iotevents:DescribeAlarmModel",
                "iotevents:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:BatchAcknowledgeAlarm",
                "iotevents:BatchSnoozeAlarm",
                "iotevents:BatchEnableAlarm",
                "iotevents:BatchDisableAlarm"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "iotevents:keyValue": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:CreateAlarmModel",
                "iotevents:TagResource"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/iotsitewisemonitor": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iotevents:UpdateAlarmModel",
                "iotevents:DeleteAlarmModel"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/iotsitewisemonitor": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "iotevents.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
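The following Python script is an added example and is not code from the AWS documentation or from any AWS library. It implements a small subset of IAM policy evaluation (Effect, Action and Resource wildcards, and the StringEquals, StringLike and Null condition operators) and runs it against permissions policy 2 above and the tag-gated iotevents:CreateAlarmModel statement of the SiteWise Monitor policy, so you can see which requests each Condition block admits. The ARNs and IDs are the sample values from this page; the "Other", "ffffffff" and all-zero identifiers are constructed for the negative cases.

```python
"""Added example, not AWS code: a tiny evaluator for the identity policies on this
page. Only Effect, Action/Resource wildcards and the StringEquals, StringLike and
Null condition operators are implemented; real IAM evaluation has many more rules
(NotAction, policy variables, resource policies, SCPs, permission boundaries)."""
import re

# Sample identifiers taken from the page's policies.
ASSET_MODEL = "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
ALARM_MODEL = "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
PROPERTY_ID = "abcdef12-3456-7890-abcd-ef1234567890"
ROUTING = "iotsitewise:UpdateAssetModelPropertyRouting"

# Permissions policy 2 from the page (the two iotsitewise statements).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iotsitewise:DescribeAssetModel"],
     "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"},
    {"Effect": "Allow", "Action": [ROUTING], "Resource": [ASSET_MODEL],
     "Condition": {"StringLike": {"iotsitewise:propertyId": PROPERTY_ID,
                                  "iotevents:alarmModelArn": ALARM_MODEL}}},
]}

# The tag-gated CreateAlarmModel statement from the SiteWise Monitor policy.
TAG_GATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iotevents:CreateAlarmModel", "iotevents:TagResource"],
     "Resource": "*", "Condition": {"Null": {"aws:RequestTag/iotsitewisemonitor": "false"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, text):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
    (Real IAM compares action names case-insensitively; this toy is case-sensitive.)"""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None


def _condition_ok(condition, context):
    """All operator/key pairs must hold. Context key names are compared case-insensitively."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual, expected = ctx.get(key.lower()), _as_list(expected)
            if operator == "Null":
                # "false" requires the key to be present in the request; "true" requires it absent
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(_wild(p, actual) for p in expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one identity policy.
    An explicit Deny always wins; no matching Allow means an implicit Deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def routing_decisions():
    """Decisions for UpdateAssetModelPropertyRouting under the scoped policy (constructed negatives)."""
    ok = {"iotsitewise:propertyId": PROPERTY_ID, "iotevents:alarmModelArn": ALARM_MODEL}
    other_prop = {**ok, "iotsitewise:propertyId": "00000000-0000-0000-0000-000000000000"}
    other_alarm = {**ok, "iotevents:alarmModelArn": ALARM_MODEL.replace("MyAlarmModel", "Other")}
    other_model = ASSET_MODEL.replace("asset-model/12345678", "asset-model/ffffffff")
    return {
        "matching property and alarm model": evaluate(SCOPED_POLICY, ROUTING, ASSET_MODEL, ok),
        "different property": evaluate(SCOPED_POLICY, ROUTING, ASSET_MODEL, other_prop),
        "different alarm model": evaluate(SCOPED_POLICY, ROUTING, ASSET_MODEL, other_alarm),
        "different asset model": evaluate(SCOPED_POLICY, ROUTING, other_model, ok),
        "describe any asset model": evaluate(SCOPED_POLICY, "iotsitewise:DescribeAssetModel", other_model),
    }


def tag_decisions():
    """CreateAlarmModel passes only when the request carries the iotsitewisemonitor tag."""
    action = "iotevents:CreateAlarmModel"
    return {
        "untagged request": evaluate(TAG_GATED_POLICY, action, ALARM_MODEL),
        "tagged request": evaluate(TAG_GATED_POLICY, action, ALARM_MODEL,
                                   {"aws:RequestTag/iotsitewisemonitor": "true"}),
    }


if __name__ == "__main__":
    for name, decision in {**routing_decisions(), **tag_decisions()}.items():
        print(f"{decision:5}  {name}")
```

Running the script prints one decision per request. Policy 2 allows routing only for the one asset model, property and alarm model named in its Condition, while DescribeAssetModel stays allowed for any asset model in the account; the Null condition in the Monitor policy turns an untagged CreateAlarmModel request into an implicit deny. Treat the script as a reasoning aid for reading these policies; for authoritative answers about a real principal, use the IAM policy simulator.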