本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 在 AWS SAM 範本中設定和管理資源存取
若要讓您的 AWS 資源彼此互動,必須在資源之間設定適當的存取和許可。這樣做需要 AWS Identity and Access Management (IAM) 使用者、角色和政策的組態,才能以安全的方式完成您的互動。
本節中的主題都與設定對範本中定義之資源的存取有關。本節從一般最佳實務開始。以下兩個主題會檢閱您在無伺服器應用程式中參考的資源之間設定存取和許可的兩個選項: AWS SAM 連接器和 AWS SAM 政策範本。最後一個主題提供使用相同的機制來管理使用者存取的詳細資訊, CloudFormation 以管理使用者。
若要進一步了解,請參閱*AWS CloudFormation 《 使用者指南*》中的[使用 控制存取 AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html)。
AWS Serverless Application Model (AWS SAM) 提供兩個選項,可簡化無伺服器應用程式的存取和許可管理。
1. AWS SAM 連接器
1. AWS SAM 政策範本
## AWS SAM 連接器
連接器是在兩個資源之間佈建許可的一種方式。您可以透過描述它們如何在 AWS SAM 範本中彼此互動來執行此操作。您可以使用`Connectors`資源屬性或`AWS::Serverless::Connector`資源類型來定義它們。連接器支援佈建`Read`和`Write`存取 AWS 資源組合之間的資料和事件。若要進一步了解 AWS SAM 連接器,請參閱 [使用 AWS SAM 連接器管理資源許可](managing-permissions-connectors.md)。
## AWS SAM 政策範本
AWS SAM 政策範本是預先定義的一組許可,您可以將這些許可新增至範本 AWS SAM ,以管理 AWS Lambda 函數、 AWS Step Functions 陳述機器與其互動的資源之間的存取和許可。若要進一步了解 AWS SAM 政策範本,請參閱 [AWS SAM 政策範本](serverless-policy-templates.md)。
## AWS CloudFormation 機制
CloudFormation 機制包括設定 IAM 使用者、角色和政策,以管理 AWS 資源之間的許可。如需詳細資訊,請參閱 [使用 CloudFormation 機制管理 AWS SAM 許可](sam-permissions-cloudformation.md)。
## 最佳實務
在整個無伺服器應用程式中,您可以使用多種方法來設定 資源之間的許可。因此,您可以為每個案例選取最佳選項,並在整個應用程式中一起使用多個選項。以下是選擇最適合您的選項時需要考慮的一些事項:
+ AWS SAM 連接器和政策範本都降低了促進 AWS 資源之間安全互動所需的 IAM 專業知識。支援時使用連接器和政策範本。
+ AWS SAM 連接器提供簡單且直覺式的速記語法,以定義 AWS SAM 範本中的許可,並需要最少的 IAM 專業知識。當同時支援 AWS SAM 連接器和政策範本時,請使用 AWS SAM 連接器。
+ AWS SAM 連接器可以在支援的 AWS SAM 來源和目的地資源之間佈建`Read`和`Write`存取資料和事件。如需支援的資源清單,請參閱 [AWS SAM 連接器參考](reference-sam-connector.md)。支援時,請使用 AWS SAM 連接器。
+ 雖然 AWS SAM 政策範本僅限於 Lambda 函數、Step Functions 狀態機器與其互動 AWS 的資源之間的許可,但政策範本確實支援所有 CRUD 操作。支援時,以及當您案例 AWS SAM 的政策範本可用時,請使用 AWS SAM 政策範本。如需可用政策範本的清單,請參閱 [AWS SAM 政策範本](serverless-policy-templates.md)。
+ 對於所有其他案例,或需要精細程度時,請使用 CloudFormation 機制。
# 使用 AWS SAM 連接器管理資源許可
連接器是一種 AWS Serverless Application Model (AWS SAM) 抽象資源類型,識別為 `AWS::Serverless::Connector`,可在無伺服器應用程式資源之間提供簡單且範圍廣泛的許可。
## AWS SAM 連接器的優點
透過在資源之間自動編寫適當的存取政策,連接器可讓您撰寫無伺服器應用程式並專注於應用程式架構,而不需要 AWS 授權功能、政策語言和服務特定安全設定的專業知識。因此,連接器對於可能剛接觸無伺服器開發的開發人員,或想要提高其開發速度的經驗豐富的開發人員來說,是很大的好處。
## 使用 AWS SAM 連接器
在**來源**`Connectors`資源中內嵌資源,以使用資源屬性。然後,定義**目的地**資源,並描述資料或事件應如何在這些資源之間流動。 AWS SAM 然後, 編寫必要的存取政策,以促進必要的互動。
以下概述如何寫入此資源屬性:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
:
Type:
...
Connectors:
:
Properties:
Destination:
Permissions:
...
```
## 連接器的運作方式
**注意**
本節說明連接器如何在幕後佈建必要的資源。使用連接器時,會自動發生這種情況。
首先,內嵌`Connectors`資源屬性會轉換為 `AWS::Serverless::Connector` 資源類型。其邏輯 ID 會自動建立為 **。
例如,以下是內嵌連接器:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Lambda::Function
Connectors:
MyConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Read
- Write
MyTable:
Type: AWS::DynamoDB::Table
```
這將產生下列`AWS::Serverless::Connector`資源:
```
Transform: AWS::Serverless-2016-10-31
Resources:
...
MyFunctionMyConn:
Type: AWS::Serverless::Connector
Properties:
Source:
Id: MyFunction
Destination:
Id: MyTable
Permissions:
- Read
- Write
```
**注意**
您也可以使用此語法在 AWS SAM 範本中定義連接器。當您的來源資源在與連接器不同的範本上定義時,建議使用此選項。
接下來,會自動編寫此連線的必要存取政策。如需連接器產生之資源的詳細資訊,請參閱 [CloudFormation 當您指定 時產生的資源 AWS::Serverless::Connector](sam-specification-generated-resources-connector.md)。
## 連接器範例
下列範例示範如何使用連接器將 AWS Lambda 函數中的資料寫入 Amazon DynamoDB 資料表。
![\[Lambda 函數使用 AWS SAM 連接器將資料寫入 DynamoDB 資料表。\]](http://docs.aws.amazon.com/zh_tw/serverless-application-model/latest/developerguide/images/managing-connectors-example.png)
```
Transform: AWS::Serverless-2016-10-31
Resources:
MyTable:
Type: AWS::Serverless::SimpleTable
MyFunction:
Type: AWS::Serverless::Function
Connectors:
MyConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Write
Properties:
Runtime: nodejs16.x
Handler: index.handler
InlineCode: |
const AWS = require("aws-sdk");
const docClient = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event, context) => {
await docClient.put({
TableName: process.env.TABLE_NAME,
Item: {
id: context.awsRequestId,
event: JSON.stringify(event)
}
}).promise();
}
Environment:
Variables:
TABLE_NAME: !Ref MyTable
```
`Connectors` 資源屬性內嵌在 Lambda 函數來源資源中。DynamoDB 資料表是使用 `Id` 屬性定義為目的地資源。連接器將在這兩個資源之間佈建`Write`許可。
當您將 AWS SAM 範本部署到 時 CloudFormation, AWS SAM 會自動編寫此連線運作所需的必要存取政策。
## 來源和目的地資源之間的支援連線
連接器支援來源和目的地資源連線的選取組合之間的 `Read`和`Write`資料和事件許可類型。例如,連接器支援`AWS::ApiGateway::RestApi`來源資源與`AWS::Lambda::Function`目的地資源之間的`Write`連線。
您可以使用支援的屬性組合來定義來源和目的地資源。屬性需求將取決於您正在進行的連線,以及定義資源的位置。
**注意**
連接器可以在支援的無伺服器和非無伺服器資源類型之間佈建許可。
如需支援的資源連線及其屬性需求的清單,請參閱 [連接器支援的來源和目的地資源類型](reference-sam-connector.md#supported-connector-resource-types)。
# 在 中定義讀取和寫入許可 AWS SAM
在 `Read`和 `Write` 中 AWS SAM,許可可以在單一連接器中佈建:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Lambda::Function
Connectors:
MyTableConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Read
- Write
MyTable:
Type: AWS::DynamoDB::Table
```
如需使用連接器的詳細資訊,請參閱 [AWS SAM 連接器參考](reference-sam-connector.md)。
# 在 中使用其他支援的屬性來定義資源 AWS SAM
對於來源和目的地資源,當在相同範本中定義時,請使用 `Id` 屬性。或者,`Qualifier`可以新增 來縮小已定義資源的範圍。當資源不在相同的範本內時,請使用支援的屬性組合。
+ 如需來源和目的地資源支援的屬性組合清單,請參閱 [連接器支援的來源和目的地資源類型](reference-sam-connector.md#supported-connector-resource-types)。
+ 如需可與連接器搭配使用的屬性說明,請參閱 [AWS::Serverless::Connector](sam-resource-connector.md)。
當您使用 以外的屬性定義來源資源時`Id`,請使用 `SourceReference` 屬性。
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
:
Type:
...
Connectors:
:
Properties:
SourceReference:
Qualifier:
Destination:
Permissions:
```
以下是使用 `Qualifier`縮小 Amazon API Gateway 資源範圍的範例:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyApi:
Type: AWS::Serverless::Api
Connectors:
ApiToLambdaConn:
Properties:
SourceReference:
Qualifier: Prod/GET/foobar
Destination:
Id: MyFunction
Permissions:
- Write
...
```
以下是範例,使用支援的 `Arn`和 組合`Type`,從另一個範本定義目的地資源:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
TableConn:
Properties:
Destination:
Type: AWS::DynamoDB::Table
Arn: !GetAtt MyTable.Arn
...
```
如需使用連接器的詳細資訊,請參閱 [AWS SAM 連接器參考](reference-sam-connector.md)。
# 在 中從單一來源建立多個連接器 AWS SAM
在來源資源中,您可以定義多個連接器,每個連接器都有不同的目的地資源。
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
BucketConn:
Properties:
Destination:
Id: amzn-s3-demo-bucket
Permissions:
- Read
- Write
SQSConn:
Properties:
Destination:
Id: MyQueue
Permissions:
- Read
- Write
TableConn:
Properties:
Destination:
Id: MyTable
Permissions:
- Read
- Write
TableConnWithTableArn:
Properties:
Destination:
Type: AWS::DynamoDB::Table
Arn: !GetAtt MyTable.Arn
Permissions:
- Read
- Write
...
```
如需使用連接器的詳細資訊,請參閱 [AWS SAM 連接器參考](reference-sam-connector.md)。
# 在 中建立多目的地連接器 AWS SAM
在來源資源中,您可以定義具有多個目的地資源的單一連接器。以下是連線至 Amazon Simple Storage Service (Amazon S3) 儲存貯體和 DynamoDB 資料表的 Lambda 函數來源資源範例:
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
WriteAccessConn:
Properties:
Destination:
- Id: OutputBucket
- Id: CredentialTable
Permissions:
- Write
...
OutputBucket:
Type: AWS::S3::Bucket
CredentialTable:
Type: AWS::DynamoDB::Table
```
如需使用連接器的詳細資訊,請參閱 [AWS SAM 連接器參考](reference-sam-connector.md)。
# 在 中使用連接器定義資源屬性 AWS SAM
您可以為資源定義資源屬性,以指定其他行為和關係。若要進一步了解資源屬性,請參閱*AWS CloudFormation 《 使用者指南*》中的[資源屬性參考](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-product-attribute-reference.html)。
您可以在與連接器屬性相同的層級上定義資源屬性,以將資源屬性新增至內嵌連接器。在部署時轉換 AWS SAM 範本時,屬性會傳遞至產生的資源。
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Connectors:
MyConn:
DeletionPolicy: Retain
DependsOn: AnotherFunction
Properties:
...
```
如需使用連接器的詳細資訊,請參閱 [AWS SAM 連接器參考](reference-sam-connector.md)。
## 進一步了解
如需使用 AWS SAM 連接器的詳細資訊,請參閱下列主題:
+ [AWS::Serverless::Connector](sam-resource-connector.md)
+ [在 中定義讀取和寫入許可 AWS SAM](connector-usage-define.md)
+ [在 中使用其他支援的屬性來定義資源 AWS SAM](connector-usage-other-properties.md)
+ [在 中從單一來源建立多個連接器 AWS SAM](connector-usage-single-source.md)
+ [在 中建立多目的地連接器 AWS SAM](connector-usage-multi-destination.md)
+ [在 中定義讀取和寫入許可 AWS SAM](connector-usage-define.md)
+ [在 中使用連接器定義資源屬性 AWS SAM](connector-usage-resource-attributes.md)
## 提供意見回饋
若要提供連接器的意見回饋,請在 *serverless-application-model AWS GitHub儲存庫*[提交新問題](https://github.com/aws/serverless-application-model/issues/new?assignees=&labels=area%2Fconnectors,stage%2Fneeds-triage&template=other.md&title=%28Feature%20Request%29)。
# AWS SAM 政策範本
AWS Serverless Application Model (AWS SAM) 可讓您從政策範本清單中選擇,將 Lambda 函數和 AWS Step Functions 狀態機器的許可範圍限定為應用程式使用的資源。
AWS SAM 中使用 AWS Serverless Application Repository 政策範本的應用程式不需要任何特殊的客戶確認,即可從 部署應用程式 AWS Serverless Application Repository。
若您希望申請增加新的政策範本,請執行以下動作:
1. 針對 AWS SAM GitHub 專案`develop`分支中的 policy\$1templates.json 來源檔案提交提取請求。您可以在 GitHub 網站上的 [policy\$1templates.json](https://github.com/aws/serverless-application-model/blob/develop/samtranslator/policy_templates_data/policy_templates.json) 中找到來源檔案。
1. 在 AWS SAM GitHub 專案中提交問題,其中包含提取請求的原因和請求的連結。使用此連結提交新問題:[AWS Serverless Application Model:問題](https://github.com/aws/serverless-application-model/issues/new)。
## 語法
對於您在 AWS SAM 範本檔案中指定的每個政策範本,您必須一律指定包含政策範本預留位置值的物件。如果政策範本不需要任何預留位置值,您必須指定空物件。
### YAML
```
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- PolicyTemplateName1: # Policy template with placeholder value
Key1: Value1
- PolicyTemplateName2: {} # Policy template with no placeholder value
```
**注意**
如果您已設定一般 IAM 政策或透過 Lambda 擁有受管政策,則可以設定政策範本而不使用空白物件。
## 範例
### 範例 1:帶有預留位置值的政策範本
以下範例顯示 [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) 政策範本應將 `QueueName` 視為資源。 AWS SAM 範本會擷取「`MyQueue`」Amazon SQS 佇列的名稱,您可以在相同的應用程式中建立該佇列,或請求該佇列做為應用程式的參數。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - SQSPollerPolicy:
9. QueueName:
10. !GetAtt MyQueue.QueueName
```
### 範例 2:無預留位置值的政策範本
以下範例包含 [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) 政策範本,其並無任何預留位置值。
**注意**
即使沒有預留位置值,您仍必須指定空物件,否則會產生錯誤。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - CloudWatchPutMetricPolicy: {}
```
### 範例 3:具有預留位置值和一般 IAM 政策的政策範本
下列範例包含 AmazonSQSFullAcess 政策和[DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy)政策範本。AmazonSQSFullAccess 政策是 IAM 政策而非 AWS SAM 政策,因此您不需要指定空物件,因為政策會直接傳遞給 CloudFormation。
```
1. MyFunction:
2. Type: 'AWS::Serverless::Function'
3. Properties:
4. CodeUri: ${codeuri}
5. Handler: hello.handler
6. Runtime: python2.7
7. Policies:
8. - AmazonSQSFullAccess // IAM policy could be set without passing an empty object
9. - DynamoDBCrudPolicy: // SAM specific policy, has a defined structure
10. TableName:
11. !Ref SampleTable
```
## 政策範本資料表
以下是可用政策範本的資料表。
****
| 政策範本 | Description |
| --- | --- |
| [AcmGetCertificatePolicy](serverless-policy-template-list.md#acm-get-certificate-policy) | 授予從中讀取憑證的許可 AWS Certificate Manager。 |
| [AMIDescribePolicy](serverless-policy-template-list.md#ami-describe-policy) | 提供描述 Amazon Machine Image (AMIs許可。 |
| [AthenaQueryPolicy](serverless-policy-template-list.md#athena-query-policy) | 提供執行 Athena 查詢的許可。 |
| [AWSSecretsManagerGetSecretValuePolicy](serverless-policy-template-list.md#secrets-manager-get-secret-value-policy) | 准許取得指定 AWS Secrets Manager 秘密的秘密值。 |
| [AWSSecretsManagerRotationPolicy](serverless-policy-template-list.md#secrets-manager-rotation-policy) | 授予在其中輪換秘密的許可 AWS Secrets Manager。 |
| [CloudFormationDescribeStacksPolicy](serverless-policy-template-list.md#cloud-formation-describe-stacks-policy) | 提供描述 CloudFormation 堆疊的許可。 |
| [CloudWatchDashboardPolicy](serverless-policy-template-list.md#cloudwatch-dashboard-policy) | 授予在 CloudWatch 儀表板上操作指標的許可。 |
| [CloudWatchDescribeAlarmHistoryPolicy](serverless-policy-template-list.md#cloudwatch-describe-alarm-history-policy) | 提供描述 CloudWatch 警示歷史記錄的許可。 |
| [CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy) | 提供將指標傳送至 CloudWatch 的許可。 |
| [CodeCommitCrudPolicy](serverless-policy-template-list.md#codecommit-crud-policy) | 授予在特定 CodeCommit 儲存庫中create/read/update/刪除物件的許可。 |
| [CodeCommitReadPolicy](serverless-policy-template-list.md#codecommit-read-policy) | 准許讀取特定 CodeCommit 儲存庫中的物件。 |
| [CodePipelineLambdaExecutionPolicy](serverless-policy-template-list.md#code-pipeline-lambda-execution-policy) | 准許 CodePipeline 調用 Lambda 函數來報告任務的狀態。 |
| [CodePipelineReadOnlyPolicy](serverless-policy-template-list.md#code-pipeline-readonly-policy) | 提供讀取許可,以取得 CodePipeline 管道的詳細資訊。 |
| [ComprehendBasicAccessPolicy](serverless-policy-template-list.md#comprehend-basic-access-policy) | 提供偵測實體、金鑰片語、語言和情緒的許可。 |
| [CostExplorerReadOnlyPolicy](serverless-policy-template-list.md#cost-explorer-readonly-policy) | 為帳單歷史記錄的唯讀 Cost Explorer APIs提供唯讀許可。 |
| [DynamoDBBackupFullAccessPolicy](serverless-policy-template-list.md#ddb-back-full-policy) | 為資料表的 DynamoDB 隨需備份提供讀取和寫入許可。 |
| [DynamoDBCrudPolicy](serverless-policy-template-list.md#dynamo-db-crud-policy) | 為 Amazon DynamoDB 資料表提供建立、讀取、更新和刪除許可。 |
| [DynamoDBReadPolicy](serverless-policy-template-list.md#dynamo-db-read-policy) | 為 DynamoDB 資料表提供唯讀許可。 |
| [DynamoDBReconfigurePolicy](serverless-policy-template-list.md#dynamo-db-reconfigure-policy) | 提供重新設定 DynamoDB 資料表的許可。 |
| [DynamoDBRestoreFromBackupPolicy](serverless-policy-template-list.md#ddb-restore-from-backup-policy) | 提供從備份還原 DynamoDB 資料表的許可。 |
| [DynamoDBStreamReadPolicy](serverless-policy-template-list.md#dynamo-db-stream-read-policy) | 提供描述和讀取 DynamoDB 串流和記錄的許可。 |
| [DynamoDBWritePolicy](serverless-policy-template-list.md#dynamo-db-write-policy) | 為 DynamoDB 資料表提供唯寫許可。 |
| [EC2CopyImagePolicy](serverless-policy-template-list.md#ec2-copy-image-policy) | 提供複製 Amazon EC2 映像的許可。 |
| [EC2DescribePolicy](serverless-policy-template-list.md#ec2-describe-policy) | 提供描述 Amazon Elastic Compute Cloud (Amazon EC2) 執行個體的許可。 |
| [EcsRunTaskPolicy](serverless-policy-template-list.md#ecs-run-task-policy) | 提供為任務定義啟動新任務的許可。 |
| [EFSWriteAccessPolicy](serverless-policy-template-list.md#efs-write-access-policy) | 准許掛載具有寫入存取權的 Amazon EFS 檔案系統。 |
| [EKSDescribePolicy](serverless-policy-template-list.md#eks-describe-policy) | 提供描述或列出 Amazon EKS 叢集的許可。 |
| [ElasticMapReduceAddJobFlowStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-add-job-flows-policy) | 准許將新步驟新增至執行中的叢集。 |
| [ElasticMapReduceCancelStepsPolicy](serverless-policy-template-list.md#elastic-map-reduce-cancel-steps-policy) | 准許取消執行中叢集中的待處理步驟。 |
| [ElasticMapReduceModifyInstanceFleetPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-fleet-policy) | 准許列出叢集內執行個體機群的詳細資訊和修改容量。 |
| [ElasticMapReduceModifyInstanceGroupsPolicy](serverless-policy-template-list.md#elastic-map-reduce-modify-instance-groups-policy) | 准許列出叢集內執行個體群組的詳細資訊和修改設定。 |
| [ElasticMapReduceSetTerminationProtectionPolicy](serverless-policy-template-list.md#elastic-map-reduce-set-termination-protection-policy) | 提供為叢集設定終止保護的許可。 |
| [ElasticMapReduceTerminateJobFlowsPolicy](serverless-policy-template-list.md#elastic-map-reduce-terminate-job-flows-policy) | 提供關閉叢集的許可。 |
| [ElasticsearchHttpPostPolicy](serverless-policy-template-list.md#elastic-search-http-post-policy) | 將 POST 許可提供給 Amazon OpenSearch Service。 |
| [EventBridgePutEventsPolicy](serverless-policy-template-list.md#eventbridge-put-events-policy) | 提供將事件傳送至 EventBridge 的許可。 |
| [FilterLogEventsPolicy](serverless-policy-template-list.md#filter-log-events-policy) | 提供從指定日誌群組篩選 CloudWatch Logs 事件的許可。 |
| [FirehoseCrudPolicy](serverless-policy-template-list.md#firehose-crud-policy) | 提供建立、寫入、更新和刪除 Firehose 交付串流的許可。 |
| [FirehoseWritePolicy](serverless-policy-template-list.md#firehose-write-policy) | 提供寫入 Firehose 交付串流的許可。 |
| [KinesisCrudPolicy](serverless-policy-template-list.md#kinesis-crud-policy) | 提供建立、發佈和刪除 Amazon Kinesis 串流的許可。 |
| [KinesisStreamReadPolicy](serverless-policy-template-list.md#kinesis-stream-read-policy) | 提供列出和讀取 Amazon Kinesis 串流的許可。 |
| [KMSDecryptPolicy](serverless-policy-template-list.md#kms-decrypt-policy) | 提供使用 AWS Key Management Service (AWS KMS) 金鑰解密的許可。 |
| [KMSEncryptPolicy](serverless-policy-template-list.md#kms-encrypt-policy) | 提供使用 AWS Key Management Service (AWS KMS) 金鑰加密的許可。 |
| [LambdaInvokePolicy](serverless-policy-template-list.md#lambda-invoke-policy) | 提供叫用 AWS Lambda 函數、別名或版本的許可。 |
| [MobileAnalyticsWriteOnlyAccessPolicy](serverless-policy-template-list.md#mobile-analytics-write-only-access-policy) | 提供僅寫入許可,以放置所有應用程式資源的事件資料。 |
| [OrganizationsListAccountsPolicy](serverless-policy-template-list.md#organizations-list-accounts-policy) | 提供唯讀許可,以列出子帳戶名稱和 IDs。 |
| [PinpointEndpointAccessPolicy](serverless-policy-template-list.md#pinpoint-endpoint-access-policy) | 准許取得和更新 Amazon Pinpoint 應用程式的端點。 |
| [PollyFullAccessPolicy](serverless-policy-template-list.md#polly-full-access-policy) | 提供 Amazon Polly 語彙資源的完整存取許可。 |
| [RekognitionDetectOnlyPolicy](serverless-policy-template-list.md#rekognition-detect-only-policy) | 提供偵測臉部、標籤和文字的許可。 |
| [RekognitionFacesManagementPolicy](serverless-policy-template-list.md#rekognition-face-management-policy) | 授予在 Amazon Rekognition 集合中新增、刪除和搜尋臉部的許可。 |
| [RekognitionFacesPolicy](serverless-policy-template-list.md#rekognition-faces-policy) | 提供許可來比較和偵測臉部和標籤。 |
| [RekognitionLabelsPolicy](serverless-policy-template-list.md#rekognition-labels-policy) | 提供偵測物件和管制標籤的許可。 |
| [RekognitionNoDataAccessPolicy](serverless-policy-template-list.md#rekognition-no-data-access-policy) | 提供許可來比較和偵測臉部和標籤。 |
| [RekognitionReadPolicy](serverless-policy-template-list.md#rekognition-read-policy) | 提供列出和搜尋臉部的許可。 |
| [RekognitionWriteOnlyAccessPolicy](serverless-policy-template-list.md#rekognition-write-only-access-policy) | 提供建立集合和索引臉部的許可。 |
| [Route53ChangeResourceRecordSetsPolicy](serverless-policy-template-list.md#route53-change-resource-record-sets-policy) | 提供在 Route 53 中變更資源紀錄集的許可。 |
| [S3CrudPolicy](serverless-policy-template-list.md#s3-crud-policy) | 提供建立、讀取、更新和刪除許可,以對 Amazon S3 儲存貯體中的物件採取行動。 |
| [S3FullAccessPolicy](serverless-policy-template-list.md#s3-full-access-policy) | 提供對 Amazon S3 儲存貯體中物件採取動作的完整存取許可。 |
| [S3ReadPolicy](serverless-policy-template-list.md#s3-read-policy) | 提供唯讀許可,以讀取 Amazon Simple Storage Service (Amazon S3) 儲存貯體中的物件。 |
| [S3WritePolicy](serverless-policy-template-list.md#s3-write-policy) | 提供將物件寫入 Amazon S3 儲存貯體的寫入許可。 |
| [SageMakerCreateEndpointConfigPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-config-policy) | 提供在 SageMaker AI 中建立端點組態的許可。 |
| [SageMakerCreateEndpointPolicy](serverless-policy-template-list.md#sagemaker-create-endpoint-policy) | 提供在 SageMaker AI 中建立端點的許可。 |
| [ServerlessRepoReadWriteAccessPolicy](serverless-policy-template-list.md#serverlessrepo-read-write-access-policy) | 授予在 AWS Serverless Application Repository 服務中建立和列出應用程式的許可。 |
| [SESBulkTemplatedCrudPolicy](serverless-policy-template-list.md#ses-bulk-templated-crud-policy) | 提供傳送電子郵件、範本電子郵件、範本大量電子郵件和驗證身分的許可。 |
| [SESBulkTemplatedCrudPolicy\$1v2](serverless-policy-template-list.md#ses-bulk-templated-crud-policy-v2) | 准許傳送 Amazon SES 電子郵件、範本電子郵件和範本大量電子郵件,以及驗證身分。 |
| [SESCrudPolicy](serverless-policy-template-list.md#ses-crud-policy) | 提供傳送電子郵件和驗證身分的許可。 |
| [SESEmailTemplateCrudPolicy](serverless-policy-template-list.md#ses-email-template-crud-policy) | 提供建立、取得、列出、更新和刪除 Amazon SES 電子郵件範本的許可。 |
| [SESSendBouncePolicy](serverless-policy-template-list.md#ses-send-bounce-policy) | 將 SendBounce 許可授予 Amazon Simple Email Service (Amazon SES身分。 |
| [SNSCrudPolicy](serverless-policy-template-list.md#sns-crud-policy) | 提供建立、發佈和訂閱 Amazon SNS 主題的許可。 |
| [SNSPublishMessagePolicy](serverless-policy-template-list.md#sqs-publish-message-policy) | 准許將訊息發佈至 Amazon Simple Notification Service (Amazon SNS) 主題。 |
| [SQSPollerPolicy](serverless-policy-template-list.md#sqs-poller-policy) | 提供輪詢 Amazon Simple Queue Service (Amazon SQS) 佇列的許可。 |
| [SQSSendMessagePolicy](serverless-policy-template-list.md#sqs-send-message-policy) | 提供將訊息傳送至 Amazon SQS 佇列的許可。 |
| [SSMParameterReadPolicy](serverless-policy-template-list.md#ssm-parameter-read-policy) | 准許從 Amazon EC2 Systems Manager (SSM) 參數存放區存取參數,以載入此帳戶中的秘密。當參數名稱沒有斜線字首時,請使用 。 |
| [SSMParameterWithSlashPrefixReadPolicy](serverless-policy-template-list.md#ssm-parameter-slash-read-policy) | 准許從 Amazon EC2 Systems Manager (SSM) 參數存放區存取參數,以載入此帳戶中的秘密。當參數名稱具有斜線字首時,請使用 。 |
| [StepFunctionsExecutionPolicy](serverless-policy-template-list.md#stepfunctions-execution-policy) | 提供啟動 Step Functions 狀態機器執行的許可。 |
| [TextractDetectAnalyzePolicy](serverless-policy-template-list.md#textract-detect-analyze-policy) | 提供使用 Amazon Textract 偵測和分析文件的存取權。 |
| [TextractGetResultPolicy](serverless-policy-template-list.md#textract-get-result-policy) | 提供從 Amazon Textract 偵測和分析文件的存取權。 |
| [TextractPolicy](serverless-policy-template-list.md#textract-policy) | 提供 Amazon Textract 的完整存取權。 |
| [VPCAccessPolicy](serverless-policy-template-list.md#vpc-access-policy) | 提供建立、刪除、描述和分離彈性網路介面的存取權。 |
## 疑難排解
### SAM CLI 錯誤:「必須為政策範本「」指定有效的參數值
執行 `sam build` 時,您會看到下列錯誤:
```
"Must specify valid parameter values for policy template ''"
```
這表示您在宣告沒有任何預留位置值的政策範本時,未傳遞空物件。
若要修正此問題,請宣告 政策,如下列 範例所示[CloudWatchPutMetricPolicy](serverless-policy-template-list.md#cloudwatch-put-metric-policy)。
```
1. MyFunction:
2. Policies:
3. - CloudWatchPutMetricPolicy: {}
```
# AWS SAM 政策範本清單
以下是可用的政策範本,以及套用至每個範本的許可。 AWS Serverless Application Model (AWS SAM) 會自動將適當的資訊填入預留位置項目 (例如 AWS 區域和帳戶 ID)。
**Topics**
+ [AcmGetCertificatePolicy](#acm-get-certificate-policy)
+ [AMIDescribePolicy](#ami-describe-policy)
+ [AthenaQueryPolicy](#athena-query-policy)
+ [AWSSecretsManagerGetSecretValuePolicy](#secrets-manager-get-secret-value-policy)
+ [AWSSecretsManagerRotationPolicy](#secrets-manager-rotation-policy)
+ [CloudFormationDescribeStacksPolicy](#cloud-formation-describe-stacks-policy)
+ [CloudWatchDashboardPolicy](#cloudwatch-dashboard-policy)
+ [CloudWatchDescribeAlarmHistoryPolicy](#cloudwatch-describe-alarm-history-policy)
+ [CloudWatchPutMetricPolicy](#cloudwatch-put-metric-policy)
+ [CodePipelineLambdaExecutionPolicy](#code-pipeline-lambda-execution-policy)
+ [CodePipelineReadOnlyPolicy](#code-pipeline-readonly-policy)
+ [CodeCommitCrudPolicy](#codecommit-crud-policy)
+ [CodeCommitReadPolicy](#codecommit-read-policy)
+ [ComprehendBasicAccessPolicy](#comprehend-basic-access-policy)
+ [CostExplorerReadOnlyPolicy](#cost-explorer-readonly-policy)
+ [DynamoDBBackupFullAccessPolicy](#ddb-back-full-policy)
+ [DynamoDBCrudPolicy](#dynamo-db-crud-policy)
+ [DynamoDBReadPolicy](#dynamo-db-read-policy)
+ [DynamoDBReconfigurePolicy](#dynamo-db-reconfigure-policy)
+ [DynamoDBRestoreFromBackupPolicy](#ddb-restore-from-backup-policy)
+ [DynamoDBStreamReadPolicy](#dynamo-db-stream-read-policy)
+ [DynamoDBWritePolicy](#dynamo-db-write-policy)
+ [EC2CopyImagePolicy](#ec2-copy-image-policy)
+ [EC2DescribePolicy](#ec2-describe-policy)
+ [EcsRunTaskPolicy](#ecs-run-task-policy)
+ [EFSWriteAccessPolicy](#efs-write-access-policy)
+ [EKSDescribePolicy](#eks-describe-policy)
+ [ElasticMapReduceAddJobFlowStepsPolicy](#elastic-map-reduce-add-job-flows-policy)
+ [ElasticMapReduceCancelStepsPolicy](#elastic-map-reduce-cancel-steps-policy)
+ [ElasticMapReduceModifyInstanceFleetPolicy](#elastic-map-reduce-modify-instance-fleet-policy)
+ [ElasticMapReduceModifyInstanceGroupsPolicy](#elastic-map-reduce-modify-instance-groups-policy)
+ [ElasticMapReduceSetTerminationProtectionPolicy](#elastic-map-reduce-set-termination-protection-policy)
+ [ElasticMapReduceTerminateJobFlowsPolicy](#elastic-map-reduce-terminate-job-flows-policy)
+ [ElasticsearchHttpPostPolicy](#elastic-search-http-post-policy)
+ [EventBridgePutEventsPolicy](#eventbridge-put-events-policy)
+ [FilterLogEventsPolicy](#filter-log-events-policy)
+ [FirehoseCrudPolicy](#firehose-crud-policy)
+ [FirehoseWritePolicy](#firehose-write-policy)
+ [KinesisCrudPolicy](#kinesis-crud-policy)
+ [KinesisStreamReadPolicy](#kinesis-stream-read-policy)
+ [KMSDecryptPolicy](#kms-decrypt-policy)
+ [KMSEncryptPolicy](#kms-encrypt-policy)
+ [LambdaInvokePolicy](#lambda-invoke-policy)
+ [MobileAnalyticsWriteOnlyAccessPolicy](#mobile-analytics-write-only-access-policy)
+ [OrganizationsListAccountsPolicy](#organizations-list-accounts-policy)
+ [PinpointEndpointAccessPolicy](#pinpoint-endpoint-access-policy)
+ [PollyFullAccessPolicy](#polly-full-access-policy)
+ [RekognitionDetectOnlyPolicy](#rekognition-detect-only-policy)
+ [RekognitionFacesManagementPolicy](#rekognition-face-management-policy)
+ [RekognitionFacesPolicy](#rekognition-faces-policy)
+ [RekognitionLabelsPolicy](#rekognition-labels-policy)
+ [RekognitionNoDataAccessPolicy](#rekognition-no-data-access-policy)
+ [RekognitionReadPolicy](#rekognition-read-policy)
+ [RekognitionWriteOnlyAccessPolicy](#rekognition-write-only-access-policy)
+ [Route53ChangeResourceRecordSetsPolicy](#route53-change-resource-record-sets-policy)
+ [S3CrudPolicy](#s3-crud-policy)
+ [S3FullAccessPolicy](#s3-full-access-policy)
+ [S3ReadPolicy](#s3-read-policy)
+ [S3WritePolicy](#s3-write-policy)
+ [SageMakerCreateEndpointConfigPolicy](#sagemaker-create-endpoint-config-policy)
+ [SageMakerCreateEndpointPolicy](#sagemaker-create-endpoint-policy)
+ [ServerlessRepoReadWriteAccessPolicy](#serverlessrepo-read-write-access-policy)
+ [SESBulkTemplatedCrudPolicy](#ses-bulk-templated-crud-policy)
+ [SESBulkTemplatedCrudPolicy\$1v2](#ses-bulk-templated-crud-policy-v2)
+ [SESCrudPolicy](#ses-crud-policy)
+ [SESEmailTemplateCrudPolicy](#ses-email-template-crud-policy)
+ [SESSendBouncePolicy](#ses-send-bounce-policy)
+ [SNSCrudPolicy](#sns-crud-policy)
+ [SNSPublishMessagePolicy](#sqs-publish-message-policy)
+ [SQSPollerPolicy](#sqs-poller-policy)
+ [SQSSendMessagePolicy](#sqs-send-message-policy)
+ [SSMParameterReadPolicy](#ssm-parameter-read-policy)
+ [SSMParameterWithSlashPrefixReadPolicy](#ssm-parameter-slash-read-policy)
+ [StepFunctionsExecutionPolicy](#stepfunctions-execution-policy)
+ [TextractDetectAnalyzePolicy](#textract-detect-analyze-policy)
+ [TextractGetResultPolicy](#textract-get-result-policy)
+ [TextractPolicy](#textract-policy)
+ [VPCAccessPolicy](#vpc-access-policy)
## AcmGetCertificatePolicy
授予從中讀取憑證的許可 AWS Certificate Manager。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"acm:GetCertificate"
],
"Resource": {
"Fn::Sub": [
"${certificateArn}",
{
"certificateArn": {
"Ref": "CertificateArn"
}
}
]
}
}
]
```
## AMIDescribePolicy
提供描述 Amazon Machine Image (AMIs許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages"
],
"Resource": "*"
}
]
```
## AthenaQueryPolicy
提供執行 Athena 查詢的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"athena:ListWorkGroups",
"athena:GetExecutionEngine",
"athena:GetExecutionEngines",
"athena:GetNamespace",
"athena:GetCatalogs",
"athena:GetNamespaces",
"athena:GetTables",
"athena:GetTable"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:DeleteNamedQuery",
"athena:GetNamedQuery",
"athena:ListQueryExecutions",
"athena:StopQueryExecution",
"athena:GetQueryResultsStream",
"athena:ListNamedQueries",
"athena:CreateNamedQuery",
"athena:GetQueryExecution",
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution",
"athena:GetWorkGroup"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
{
"workgroupName": {
"Ref": "WorkGroupName"
}
}
]
}
}
]
```
## AWSSecretsManagerGetSecretValuePolicy
准許取得指定秘密的 AWS Secrets Manager 秘密值。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": {
"Fn::Sub": [
"${secretArn}",
{
"secretArn": {
"Ref": "SecretArn"
}
}
]
}
}
]
```
## AWSSecretsManagerRotationPolicy
授予在其中輪換秘密的許可 AWS Secrets Manager。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
},
"Condition": {
"StringEquals": {
"secretsmanager:resource/AllowRotationLambdaArn": {
"Fn::Sub": [
"arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
{
"functionName": {
"Ref": "FunctionName"
}
}
]
}
}
}
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword"
],
"Resource": "*"
}
]
```
## CloudFormationDescribeStacksPolicy
提供描述 CloudFormation 堆疊的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
}
}
]
```
## CloudWatchDashboardPolicy
授予在 CloudWatch 儀表板上操作指標的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:PutDashboard",
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
```
## CloudWatchDescribeAlarmHistoryPolicy
提供描述 Amazon CloudWatch 警示歷史記錄的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarmHistory"
],
"Resource": "*"
}
]
```
## CloudWatchPutMetricPolicy
提供將指標傳送至 CloudWatch 的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
}
]
```
## CodePipelineLambdaExecutionPolicy
提供 叫用 Lambda 函數 AWS CodePipeline 以報告任務狀態的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:PutJobSuccessResult",
"codepipeline:PutJobFailureResult"
],
"Resource": "*"
}
]
```
## CodePipelineReadOnlyPolicy
提供讀取許可,以取得 CodePipeline 管道的詳細資訊。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codepipeline:ListPipelineExecutions"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}",
{
"pipelinename": {
"Ref": "PipelineName"
}
}
]
}
}
]
```
## CodeCommitCrudPolicy
授予在特定 CodeCommit 儲存庫中建立、讀取、更新和刪除物件的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GitPush",
"codecommit:CreateBranch",
"codecommit:DeleteBranch",
"codecommit:GetBranch",
"codecommit:ListBranches",
"codecommit:MergeBranchesByFastForward",
"codecommit:MergeBranchesBySquash",
"codecommit:MergeBranchesByThreeWay",
"codecommit:UpdateDefaultBranch",
"codecommit:BatchDescribeMergeConflicts",
"codecommit:CreateUnreferencedMergeCommit",
"codecommit:DescribeMergeConflicts",
"codecommit:GetMergeCommit",
"codecommit:GetMergeOptions",
"codecommit:BatchGetPullRequests",
"codecommit:CreatePullRequest",
"codecommit:DescribePullRequestEvents",
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommitsFromMergeBase",
"codecommit:GetMergeConflicts",
"codecommit:GetPullRequest",
"codecommit:ListPullRequests",
"codecommit:MergePullRequestByFastForward",
"codecommit:MergePullRequestBySquash",
"codecommit:MergePullRequestByThreeWay",
"codecommit:PostCommentForPullRequest",
"codecommit:UpdatePullRequestDescription",
"codecommit:UpdatePullRequestStatus",
"codecommit:UpdatePullRequestTitle",
"codecommit:DeleteFile",
"codecommit:GetBlob",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:PutFile",
"codecommit:DeleteCommentContent",
"codecommit:GetComment",
"codecommit:GetCommentsForComparedCommit",
"codecommit:PostCommentForComparedCommit",
"codecommit:PostCommentReply",
"codecommit:UpdateComment",
"codecommit:BatchGetCommits",
"codecommit:CreateCommit",
"codecommit:GetCommit",
"codecommit:GetCommitHistory",
"codecommit:GetDifferences",
"codecommit:GetObjectIdentifier",
"codecommit:GetReferences",
"codecommit:GetTree",
"codecommit:GetRepository",
"codecommit:UpdateRepositoryDescription",
"codecommit:ListTagsForResource",
"codecommit:TagResource",
"codecommit:UntagResource",
"codecommit:GetRepositoryTriggers",
"codecommit:PutRepositoryTriggers",
"codecommit:TestRepositoryTriggers",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:UploadArchive",
"codecommit:GetUploadArchiveStatus",
"codecommit:CancelUploadArchive"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
{
"repositoryName": {
"Ref": "RepositoryName"
}
}
]
}
}
]
```
## CodeCommitReadPolicy
准許讀取特定 CodeCommit 儲存庫中的物件。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GetBranch",
"codecommit:ListBranches",
"codecommit:BatchDescribeMergeConflicts",
"codecommit:DescribeMergeConflicts",
"codecommit:GetMergeCommit",
"codecommit:GetMergeOptions",
"codecommit:BatchGetPullRequests",
"codecommit:DescribePullRequestEvents",
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommitsFromMergeBase",
"codecommit:GetMergeConflicts",
"codecommit:GetPullRequest",
"codecommit:ListPullRequests",
"codecommit:GetBlob",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:GetComment",
"codecommit:GetCommentsForComparedCommit",
"codecommit:BatchGetCommits",
"codecommit:GetCommit",
"codecommit:GetCommitHistory",
"codecommit:GetDifferences",
"codecommit:GetObjectIdentifier",
"codecommit:GetReferences",
"codecommit:GetTree",
"codecommit:GetRepository",
"codecommit:ListTagsForResource",
"codecommit:GetRepositoryTriggers",
"codecommit:TestRepositoryTriggers",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetUploadArchiveStatus"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
{
"repositoryName": {
"Ref": "RepositoryName"
}
}
]
}
}
]
```
## ComprehendBasicAccessPolicy
提供偵測實體、金鑰片語、語言和情緒的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"comprehend:BatchDetectKeyPhrases",
"comprehend:DetectDominantLanguage",
"comprehend:DetectEntities",
"comprehend:BatchDetectEntities",
"comprehend:DetectKeyPhrases",
"comprehend:DetectSentiment",
"comprehend:BatchDetectDominantLanguage",
"comprehend:BatchDetectSentiment"
],
"Resource": "*"
}
]
```
## CostExplorerReadOnlyPolicy
為帳單歷史記錄的唯讀 AWS Cost Explorer (Cost Explorer) APIs提供唯讀許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetTags"
],
"Resource": "*"
}
]
```
## DynamoDBBackupFullAccessPolicy
為資料表的 DynamoDB 隨需備份提供讀取和寫入許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:CreateBackup",
"dynamodb:DescribeContinuousBackups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteBackup",
"dynamodb:DescribeBackup",
"dynamodb:ListBackups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBCrudPolicy
為 Amazon DynamoDB 資料表提供建立、讀取、更新和刪除許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ConditionCheckItem"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## DynamoDBReadPolicy
為 DynamoDB 資料表提供唯讀許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## DynamoDBReconfigurePolicy
提供重新設定 DynamoDB 資料表的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateTable"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBRestoreFromBackupPolicy
提供從備份還原 DynamoDB 資料表的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:RestoreTableFromBackup"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBStreamReadPolicy
提供描述和讀取 DynamoDB 串流和記錄的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}",
{
"tableName": {
"Ref": "TableName"
},
"streamName": {
"Ref": "StreamName"
}
}
]
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:ListStreams"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
}
]
```
## DynamoDBWritePolicy
為 DynamoDB 資料表提供唯寫許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
{
"tableName": {
"Ref": "TableName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
{
"tableName": {
"Ref": "TableName"
}
}
]
}
]
}
]
```
## EC2CopyImagePolicy
提供複製 Amazon EC2 映像的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CopyImage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
{
"imageId": {
"Ref": "ImageId"
}
}
]
}
}
]
```
## EC2DescribePolicy
提供描述 Amazon Elastic Compute Cloud (Amazon EC2) 執行個體的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeInstances"
],
"Resource": "*"
}
]
```
## EcsRunTaskPolicy
提供為任務定義啟動新任務的許可。
```
"Statement": [
{
"Action": [
"ecs:RunTask"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}",
{
"taskDefinition": {
"Ref": "TaskDefinition"
}
}
]
},
"Effect": "Allow"
}
]
```
## EFSWriteAccessPolicy
准許掛載具有寫入存取權的 Amazon EFS 檔案系統。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientWrite"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}",
{
"FileSystem": {
"Ref": "FileSystem"
}
}
]
},
"Condition": {
"StringEquals": {
"elasticfilesystem:AccessPointArn": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}",
{
"AccessPoint": {
"Ref": "AccessPoint"
}
}
]
}
}
}
}
]
```
## EKSDescribePolicy
提供描述或列出 Amazon Elastic Kubernetes Service (Amazon EKS) 叢集的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
```
## ElasticMapReduceAddJobFlowStepsPolicy
准許將新步驟新增至執行中的叢集。
```
"Statement": [
{
"Action": "elasticmapreduce:AddJobFlowSteps",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceCancelStepsPolicy
准許取消執行中叢集中的待處理步驟。
```
"Statement": [
{
"Action": "elasticmapreduce:CancelSteps",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceModifyInstanceFleetPolicy
准許列出叢集內執行個體機群的詳細資訊和修改容量。
```
"Statement": [
{
"Action": [
"elasticmapreduce:ModifyInstanceFleet",
"elasticmapreduce:ListInstanceFleets"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceModifyInstanceGroupsPolicy
授予許可,以列出叢集內執行個體群組的詳細資訊和修改設定。
```
"Statement": [
{
"Action": [
"elasticmapreduce:ModifyInstanceGroups",
"elasticmapreduce:ListInstanceGroups"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceSetTerminationProtectionPolicy
提供為叢集設定終止保護的許可。
```
"Statement": [
{
"Action": "elasticmapreduce:SetTerminationProtection",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticMapReduceTerminateJobFlowsPolicy
提供關閉叢集的許可。
```
"Statement": [
{
"Action": "elasticmapreduce:TerminateJobFlows",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}",
{
"clusterId": {
"Ref": "ClusterId"
}
}
]
},
"Effect": "Allow"
}
]
```
## ElasticsearchHttpPostPolicy
提供 POST 和 PUT 許可給 Amazon OpenSearch Service。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*",
{
"domainName": {
"Ref": "DomainName"
}
}
]
}
}
]
```
## EventBridgePutEventsPolicy
提供將事件傳送至 Amazon EventBridge 的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": "events:PutEvents",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}",
{
"eventBusName": {
"Ref": "EventBusName"
}
}
]
}
}
]
```
## FilterLogEventsPolicy
提供從指定日誌群組篩選 CloudWatch Logs 事件的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:FilterLogEvents"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*",
{
"logGroupName": {
"Ref": "LogGroupName"
}
}
]
}
}
]
```
## FirehoseCrudPolicy
提供建立、寫入、更新和刪除 Firehose 交付串流的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"firehose:CreateDeliveryStream",
"firehose:DeleteDeliveryStream",
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
"firehose:UpdateDestination"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
{
"deliveryStreamName": {
"Ref": "DeliveryStreamName"
}
}
]
}
}
]
```
## FirehoseWritePolicy
提供寫入 Firehose 交付串流的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
{
"deliveryStreamName": {
"Ref": "DeliveryStreamName"
}
}
]
}
}
]
```
## KinesisCrudPolicy
提供建立、發佈和刪除 Amazon Kinesis 串流的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:AddTagsToStream",
"kinesis:CreateStream",
"kinesis:DecreaseStreamRetentionPeriod",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetShardIterator",
"kinesis:IncreaseStreamRetentionPeriod",
"kinesis:ListTagsForStream",
"kinesis:MergeShards",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:SplitShard",
"kinesis:RemoveTagsFromStream"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
{
"streamName": {
"Ref": "StreamName"
}
}
]
}
}
]
```
## KinesisStreamReadPolicy
提供列出和讀取 Amazon Kinesis 串流的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:ListStreams",
"kinesis:DescribeLimits"
],
"Resource": {
"Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
}
},
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:GetRecords",
"kinesis:GetShardIterator"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
{
"streamName": {
"Ref": "StreamName"
}
}
]
}
}
]
```
## KMSDecryptPolicy
提供使用 AWS Key Management Service (AWS KMS) 金鑰解密的許可。請注意, `keyId` 必須是 AWS KMS 金鑰 ID,而不是金鑰別名。
```
"Statement": [
{
"Action": "kms:Decrypt",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
```
## KMSEncryptPolicy
提供使用 AWS KMS 金鑰加密的許可。請注意,keyId 必須是 AWS KMS 金鑰 ID,而不是金鑰別名。
```
"Statement": [
{
"Action": "kms:Encrypt",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
{
"keyId": {
"Ref": "KeyId"
}
}
]
}
}
]
```
## LambdaInvokePolicy
提供叫用 AWS Lambda 函數、別名或版本的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
{
"functionName": {
"Ref": "FunctionName"
}
}
]
}
}
]
```
## MobileAnalyticsWriteOnlyAccessPolicy
提供僅寫入許可,以放置所有應用程式資源的事件資料。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents"
],
"Resource": "*"
}
]
```
## OrganizationsListAccountsPolicy
提供唯讀許可,以列出子帳戶名稱和 IDs。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListAccounts"
],
"Resource": "*"
}
]
```
## PinpointEndpointAccessPolicy
准許取得和更新 Amazon Pinpoint 應用程式的端點。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobiletargeting:GetEndpoint",
"mobiletargeting:UpdateEndpoint",
"mobiletargeting:UpdateEndpointsBatch"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
{
"pinpointApplicationId": {
"Ref": "PinpointApplicationId"
}
}
]
}
}
]
```
## PollyFullAccessPolicy
提供 Amazon Polly 語彙資源的完整存取許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"polly:GetLexicon",
"polly:DeleteLexicon"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
{
"lexiconName": {
"Ref": "LexiconName"
}
}
]
}
]
},
{
"Effect": "Allow",
"Action": [
"polly:DescribeVoices",
"polly:ListLexicons",
"polly:PutLexicon",
"polly:SynthesizeSpeech"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
}
]
}
]
```
## RekognitionDetectOnlyPolicy
提供偵測臉部、標籤和文字的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels",
"rekognition:DetectText"
],
"Resource": "*"
}
]
```
## RekognitionFacesManagementPolicy
提供在 Amazon Rekognition 集合中新增、刪除和搜尋臉部的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:IndexFaces",
"rekognition:DeleteFaces",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage",
"rekognition:ListFaces"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionFacesPolicy
提供許可來比較和偵測臉部和標籤。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CompareFaces",
"rekognition:DetectFaces"
],
"Resource": "*"
}
]
```
## RekognitionLabelsPolicy
提供偵測物件和管制標籤的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels"
],
"Resource": "*"
}
]
```
## RekognitionNoDataAccessPolicy
提供許可來比較和偵測臉部和標籤。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CompareFaces",
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:DetectModerationLabels"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionReadPolicy
提供列出和搜尋臉部的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:ListCollections",
"rekognition:ListFaces",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## RekognitionWriteOnlyAccessPolicy
提供建立集合和索引臉部的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:CreateCollection",
"rekognition:IndexFaces"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
{
"collectionId": {
"Ref": "CollectionId"
}
}
]
}
}
]
```
## Route53ChangeResourceRecordSetsPolicy
提供在 Route 53 中變更資源紀錄集的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}",
{
"HostedZoneId": {
"Ref": "HostedZoneId"
}
}
]
}
}
]
```
## S3CrudPolicy
提供建立、讀取、更新和刪除許可,以對 Amazon S3 儲存貯體中的物件採取行動。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"s3:DeleteObject"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3FullAccessPolicy
提供對 Amazon S3 儲存貯體中物件採取動作的完整存取許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetObjectTagging",
"s3:GetObjectVersionTagging",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3ReadPolicy
提供唯讀許可,以讀取 Amazon Simple Storage Service (Amazon S3) 儲存貯體中的物件。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:GetLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## S3WritePolicy
提供將物件寫入 Amazon S3 儲存貯體的寫入許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutLifecycleConfiguration"
],
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:s3:::${bucketName}/*",
{
"bucketName": {
"Ref": "BucketName"
}
}
]
}
]
}
]
```
## SageMakerCreateEndpointConfigPolicy
提供在 SageMaker AI 中建立端點組態的許可。
```
"Statement": [
{
"Action": [
"sagemaker:CreateEndpointConfig"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}",
{
"endpointConfigName": {
"Ref": "EndpointConfigName"
}
}
]
},
"Effect": "Allow"
}
]
```
## SageMakerCreateEndpointPolicy
提供在 SageMaker AI 中建立端點的許可。
```
"Statement": [
{
"Action": [
"sagemaker:CreateEndpoint"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}",
{
"endpointName": {
"Ref": "EndpointName"
}
}
]
},
"Effect": "Allow"
}
]
```
## ServerlessRepoReadWriteAccessPolicy
提供在 AWS Serverless Application Repository (AWS SAM) 服務中建立和列出應用程式的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"serverlessrepo:CreateApplication",
"serverlessrepo:CreateApplicationVersion",
"serverlessrepo:GetApplication",
"serverlessrepo:ListApplications",
"serverlessrepo:ListApplicationVersions"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
}
]
}
]
```
## SESBulkTemplatedCrudPolicy
准許傳送 Amazon SES 電子郵件、範本電子郵件和範本大量電子郵件,以及驗證身分。
**注意**
`ses:SendTemplatedEmail` 動作需要範本 ARN。請改用 `SESBulkTemplatedCrudPolicy_v2`。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:SendEmail",
"ses:SendRawEmail",
"ses:SendTemplatedEmail",
"ses:SendBulkTemplatedEmail",
"ses:VerifyEmailIdentity"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SESBulkTemplatedCrudPolicy\$1v2
准許傳送 Amazon SES 電子郵件、範本電子郵件和範本大量電子郵件,以及驗證身分。
```
"Statement": [
{
"Action": [
"ses:SendEmail",
"ses:SendRawEmail",
"ses:SendTemplatedEmail",
"ses:SendBulkTemplatedEmail"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
},
{
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:template/${templateName}",
{
"templateName": {
"Ref": "TemplateName"
}
}
]
}
]
},
{
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:VerifyEmailIdentity"
],
"Effect": "Allow",
"Resource": "*"
}
]
```
## SESCrudPolicy
提供傳送電子郵件和驗證身分的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:GetIdentityVerificationAttributes",
"ses:SendEmail",
"ses:SendRawEmail",
"ses:VerifyEmailIdentity"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SESEmailTemplateCrudPolicy
提供建立、取得、列出、更新和刪除 Amazon SES 電子郵件範本的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:CreateTemplate",
"ses:GetTemplate",
"ses:ListTemplates",
"ses:UpdateTemplate",
"ses:DeleteTemplate",
"ses:TestRenderTemplate"
],
"Resource": "*"
}
]
```
## SESSendBouncePolicy
將 SendBounce 許可授予 Amazon Simple Email Service (Amazon SES身分。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ses:SendBounce"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
{
"identityName": {
"Ref": "IdentityName"
}
}
]
}
}
]
```
## SNSCrudPolicy
提供建立、發佈和訂閱 Amazon SNS 主題的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:ListSubscriptionsByTopic",
"sns:CreateTopic",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Publish"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
{
"topicName": {
"Ref": "TopicName"
}
}
]
}
}
]
```
## SNSPublishMessagePolicy
准許將訊息發佈至 Amazon Simple Notification Service (Amazon SNS) 主題。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
{
"topicName": {
"Ref": "TopicName"
}
}
]
}
}
]
```
## SQSPollerPolicy
提供輪詢 Amazon Simple Queue Service (Amazon SQS) 佇列的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
{
"queueName": {
"Ref": "QueueName"
}
}
]
}
}
]
```
## SQSSendMessagePolicy
提供將訊息傳送至 Amazon SQS 佇列的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:SendMessage*"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
{
"queueName": {
"Ref": "QueueName"
}
}
]
}
}
]
```
## SSMParameterReadPolicy
准許從 Amazon EC2 Systems Manager (SSM) 參數存放區存取參數,以載入此帳戶中的秘密。當參數名稱沒有斜線字首時,請使用 。
**注意**
如果您不是使用預設金鑰,則還需要 `KMSDecryptPolicy`政策。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
}
]
```
## SSMParameterWithSlashPrefixReadPolicy
准許從 Amazon EC2 Systems Manager (SSM) 參數存放區存取參數,以載入此帳戶中的秘密。當參數名稱具有斜線字首時,請使用 。
**注意**
如果您不是使用預設金鑰,則還需要 `KMSDecryptPolicy`政策。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}",
{
"parameterName": {
"Ref": "ParameterName"
}
}
]
}
}
]
```
## StepFunctionsExecutionPolicy
提供啟動 Step Functions 狀態機器執行的許可。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": {
"Fn::Sub": [
"arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
{
"stateMachineName": {
"Ref": "StateMachineName"
}
}
]
}
}
]
```
## TextractDetectAnalyzePolicy
提供使用 Amazon Textract 偵測和分析文件的存取權。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:DetectDocumentText",
"textract:StartDocumentTextDetection",
"textract:StartDocumentAnalysis",
"textract:AnalyzeDocument"
],
"Resource": "*"
}
]
```
## TextractGetResultPolicy
提供從 Amazon Textract 偵測和分析文件的存取權。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:GetDocumentTextDetection",
"textract:GetDocumentAnalysis"
],
"Resource": "*"
}
]
```
## TextractPolicy
提供 Amazon Textract 的完整存取權。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"textract:*"
],
"Resource": "*"
}
]
```
## VPCAccessPolicy
提供建立、刪除、描述和分離彈性網路介面的存取權。
```
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface"
],
"Resource": "*"
}
]
```
# 使用 CloudFormation 機制管理 AWS SAM 許可
若要控制對 AWS 資源的存取, AWS Serverless Application Model (AWS SAM) 可以使用與 相同的機制 CloudFormation。如需詳細資訊,請參閱《*AWS CloudFormation 使用者指南*》中的[使用 AWS Identity and Access Management控制存取權限](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html)。
授予使用者管理無伺服器應用程式的許可有三個主要選項。每個選項都會為使用者提供不同層級的存取控制。
+ 授予管理員許可。
+ 連接必要的 AWS 受管政策。
+ 授予特定 AWS Identity and Access Management (IAM) 許可。
根據您選擇的選項,使用者只能管理包含他們有權存取之 AWS 資源的無伺服器應用程式。
以下各節會更詳細地描述每個選項。
## 授予管理員許可
如果您將管理員許可授予使用者,他們可以管理包含任意 AWS 資源組合的無伺服器應用程式。這是最簡單的選項,但也會授予使用者最廣泛的許可集,因此可讓使用者執行具有最高影響的動作。
如需將管理員許可授予使用者的詳細資訊,請參閱《[IAM 使用者指南》中的建立您的第一個 IAM 管理員使用者和群組](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html)。 **
## 連接必要的 AWS 受管政策
您可以使用 [AWS 受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)授予使用者一部分的許可,而不是授予完整的管理員許可。如果您使用此選項,請確定一組 AWS 受管政策涵蓋使用者管理的無伺服器應用程式所需的所有動作和資源。
例如,下列 AWS 受管政策足以[部署範例 Hello World 應用程式](serverless-getting-started-hello-world.md):
+ AWSCloudFormationFullAccess
+ IAMFullAccess
+ AWSLambda\$1FullAccess
+ AmazonAPIGatewayAdministrator
+ AmazonS3FullAccess
+ AmazonEC2ContainerRegistryFullAccess
如需將政策連接至 IAM 使用者的資訊,請參閱《[IAM 使用者指南》中的變更 IAM 使用者的許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html)。 **
## 授予特定 IAM 許可
對於最精細的存取控制層級,您可以使用[政策陳述](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html)式將特定 IAM 許可授予使用者。如果您使用此選項,請確定政策陳述式包含使用者管理的無伺服器應用程式所需的所有動作和資源。
使用此選項的最佳實務是拒絕使用者建立角色的許可,包括 Lambda 執行角色,以便他們無法授予自己提升的許可。因此,身為管理員的您必須先建立 [Lambda 執行角色](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html),該角色將在使用者將管理的無伺服器應用程式中指定。如需建立 Lambda 執行角色的資訊,請參閱 [IAM 主控台中的建立執行角色](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-console)。
對於[範例 Hello World 應用程式](serverless-getting-started-hello-world.md),**AWSLambdaBasicExecutionRole** 足以執行應用程式。建立 Lambda 執行角色之後,請修改範例 Hello World 應用程式的 AWS SAM 範本檔案,將下列屬性新增至`AWS::Serverless::Function`資源:
```
Role: lambda-execution-role-arn
```
使用修改過的 Hello World 應用程式時,下列政策陳述式會授予足夠許可,讓使用者部署、更新和刪除應用程式:
**注意**
本節中的範例政策陳述式會授予足夠的許可,讓您部署、更新和刪除[範例 Hello World 應用程式](serverless-getting-started-hello-world.md)。如果您將其他資源類型新增至應用程式,則需要更新政策陳述式以包含下列項目:
您的應用程式呼叫服務動作的許可。
服務主體,如果服務動作需要的話。
例如,如果您新增 Step Functions 工作流程,您可能需要新增[此處](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html#awsstepfunctions-actions-as-permissions)所列動作的許可和服務`states.amazonaws.com`主體。
如需 IAM 政策的詳細資訊,請參閱《[IAM 使用者指南》中的管理 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)。 **