IAM Identity Center identity-based policy examples - AWS IAM Identity Center

This topic is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version takes precedence.

This topic provides examples of IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.

Important

We recommend that you first review the introductory topic, which explains the basic concepts and options available for managing access to your IAM Identity Center resources. For more information, see Overview of managing access permissions to your IAM Identity Center resources.

The sections in this topic cover the following:

Custom policy examples

This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies and do not specify a Principal element, because with an identity-based policy you do not name the principal that receives the permissions; instead, you attach the policy to a principal. When you attach an identity-based permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.

Note

Use these examples when you create policies for your environment, and make sure to test both positive ("grant access") and negative ("deny access") test cases before you deploy the policies in a production environment. For more information about testing IAM policies, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.

Example 1: Allow a user to view IAM Identity Center

The following permissions policy grants read-only permissions so that users can view all of the settings and directory information configured in IAM Identity Center.

Note

This policy is for example purposes only. In a production environment, we recommend that you use the ViewOnlyAccess AWS managed policy for IAM Identity Center.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "iam:ListPolicies",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:ListAccountsForParent",
        "organizations:ListOrganizationalUnitsForParent",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:GetInlinePolicyForPermissionSet",
        "sso-directory:DescribeDirectory",
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center

The following permissions policy grants permissions that allow users to create, manage, and deploy permission sets for your AWS accounts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:CreateAccountAssignment",
        "sso:CreatePermissionSet",
        "sso:DeleteAccountAssignment",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:DeletePermissionSet",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:ProvisionPermissionSet",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:UpdatePermissionSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMListPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AccessToSSOProvisionedRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetSAMLProvider"
      ],
      "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
    }
  ]
}

Note

The "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisionedRoles" sections, and the additional permissions listed under them, are needed only if you allow users to create assignments in the AWS Organizations management account. In some cases, you might also need to add iam:UpdateSAMLProvider to these sections.
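The note earlier on this page asks you to run positive ("grant access") and negative ("deny access") test cases before deploying a policy, and the AccessToSSOProvisionedRoles statement in Example 2 is the kind of statement that deserves them: it grants iam:CreateRole and similar actions, but only on roles under the aws-reserved/sso.amazonaws.com/ path. The following added Python example (not AWS code, and not the IAM policy simulator) is a deliberately simplified local evaluator that models only the core IAM rule: default deny, an explicit Deny always beats an Allow, and "*" / "?" wildcards in Action and Resource. Conditions, NotAction/NotResource, SCPs, permission boundaries and resource-based policies are not modelled, so treat it as a quick pre-check before running the real simulator. The trimmed policy, the role ARNs and the account ID 111122223333 are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample: a trimmed copy of Example 2's statements, keeping the
# resource-scoped IAM statement that limits role changes to the
# aws-reserved/sso.amazonaws.com/ path.
EXAMPLE_2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sso:CreatePermissionSet", "sso:CreateAccountAssignment"],
            "Resource": "*",
        },
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DeleteRole"],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*",
        },
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request.

    Mirrors the core IAM rule: everything is denied unless an Allow matches,
    and a matching Deny always wins over any Allow.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt.get("Action")), action, fold_case=True):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit_deny"
        allowed = True
    return "allow" if allowed else "implicit_deny"


def run_test_cases(policy, cases):
    """cases: (action, resource, expected) tuples. Returns the failing ones."""
    failures = []
    for action, resource, expected in cases:
        got = evaluate(policy, action, resource)
        if got != expected:
            failures.append((action, resource, expected, got))
    return failures


# Positive and negative cases for the sample policy (constructed; the
# account ID and role names are placeholders, not real resources).
SSO_ROLE = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
            "AWSReservedSSO_Admin_example")
OTHER_ROLE = "arn:aws:iam::111122223333:role/Admin"
TEST_CASES = [
    ("sso:CreatePermissionSet", "*", "allow"),
    ("iam:CreateRole", SSO_ROLE, "allow"),            # role under the reserved path
    ("iam:CreateRole", OTHER_ROLE, "implicit_deny"),  # any other role is still denied
    ("iam:PassRole", SSO_ROLE, "implicit_deny"),      # action never granted
]

if __name__ == "__main__":
    failures = run_test_cases(EXAMPLE_2_POLICY, TEST_CASES)
    print("all cases passed" if not failures else f"failures: {failures}")
```

The negative cases are the ones that matter for least privilege: a role outside the reserved path and an action the policy never lists must both come back denied. Once the local cases pass, rerun the same action/resource pairs in the IAM policy simulator, which also applies conditions, boundaries and SCPs that this script ignores.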

Example 3: Allow a user to manage applications in IAM Identity Center

The following permissions policy grants permissions that allow users to view and configure applications in IAM Identity Center, including pre-integrated SaaS applications from the IAM Identity Center catalog.

Note

The sso:AssociateProfile operation used in the following policy example is required for managing user and group assignments to applications. It also allows users to assign users and groups to AWS accounts using existing permission sets. If users must manage AWS account access within IAM Identity Center and need the permissions required to manage permission sets, see Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center.

As of October 2020, many of these operations are available only through the AWS Console. This example policy includes "read" actions such as list, get, and search, which are relevant for error-free console operation in this case.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:CreateApplicationInstance",
        "sso:ImportApplicationInstanceServiceProviderMetadata",
        "sso:DeleteApplicationInstance",
        "sso:DeleteProfile",
        "sso:DisassociateProfile",
        "sso:GetApplicationTemplate",
        "sso:UpdateApplicationInstanceServiceProviderConfiguration",
        "sso:UpdateApplicationInstanceDisplayData",
        "sso:DeleteManagedApplicationInstance",
        "sso:UpdateApplicationInstanceStatus",
        "sso:GetManagedApplicationInstance",
        "sso:UpdateManagedApplicationInstanceStatus",
        "sso:CreateManagedApplicationInstance",
        "sso:UpdateApplicationInstanceSecurityConfiguration",
        "sso:UpdateApplicationInstanceResponseConfiguration",
        "sso:GetApplicationInstance",
        "sso:CreateApplicationInstanceCertificate",
        "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
        "sso:UpdateApplicationInstanceActiveCertificate",
        "sso:DeleteApplicationInstanceCertificate",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationTemplates",
        "sso:ListApplications",
        "sso:ListApplicationInstances",
        "sso:ListDirectoryAssociations",
        "sso:ListProfiles",
        "sso:ListProfileAssociations",
        "sso:ListInstances",
        "sso:GetProfile",
        "sso:GetSSOStatus",
        "sso:GetSsoConfiguration",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeUsers",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}

Example 4: Allow a user to manage users and groups in your Identity Center directory

The following permissions policy grants permissions that allow users to create, view, modify, and delete users and groups in IAM Identity Center.

In some cases, direct modification of users and groups in IAM Identity Center is restricted, for example when Active Directory, or an external identity provider with Automatic provisioning enabled, is selected as the identity source.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:ListGroupsForUser",
        "sso-directory:DisableUser",
        "sso-directory:EnableUser",
        "sso-directory:SearchGroups",
        "sso-directory:DeleteGroup",
        "sso-directory:AddMemberToGroup",
        "sso-directory:DescribeDirectory",
        "sso-directory:UpdateUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:CreateUser",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchUsers",
        "sso:ListDirectoryAssociations",
        "sso-directory:RemoveMemberFromGroup",
        "sso-directory:DeleteUser",
        "sso-directory:DescribeUsers",
        "sso-directory:UpdateGroup",
        "sso-directory:CreateGroup"
      ],
      "Resource": "*"
    }
  ]
}

Permissions required to use the IAM Identity Center console

Additional permissions are required for users to work with the IAM Identity Center console without errors. If an IAM policy is created that is more restrictive than the minimum required permissions, the console will not function as intended for users who have that policy. The following example lists the set of permissions required to ensure error-free operation within the IAM Identity Center console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeAccountAssignmentCreationStatus",
        "sso:DescribeAccountAssignmentDeletionStatus",
        "sso:DescribePermissionSet",
        "sso:DescribePermissionSetProvisioningStatus",
        "sso:DescribePermissionsPolicies",
        "sso:DescribeRegisteredRegions",
        "sso:GetApplicationInstance",
        "sso:GetApplicationTemplate",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:GetManagedApplicationInstance",
        "sso:GetMfaDeviceManagementForDirectory",
        "sso:GetPermissionSet",
        "sso:GetPermissionsPolicy",
        "sso:GetProfile",
        "sso:GetSharedSsoConfiguration",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus",
        "sso:GetTrust",
        "sso:ListAccountAssignmentCreationStatus",
        "sso:ListAccountAssignmentDeletionStatus",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListApplicationInstanceCertificates",
        "sso:ListApplicationInstances",
        "sso:ListApplications",
        "sso:ListApplicationTemplates",
        "sso:ListDirectoryAssociations",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSetProvisioningStatus",
        "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListProfileAssociations",
        "sso:ListProfiles",
        "sso:ListTagsForResource",
        "sso-directory:DescribeDirectory",
        "sso-directory:DescribeGroups",
        "sso-directory:DescribeUsers",
        "sso-directory:ListGroupsForUser",
        "sso-directory:ListMembersInGroup",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers"
      ],
      "Resource": "*"
    }
  ]
}
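The paragraph above warns that a policy tighter than this console minimum produces console errors rather than a clean failure. The following added Python example (not AWS code) audits a candidate policy against a required-action list before deployment: it reports required actions that no Allow statement grants on Resource "*", and required actions that an explicit Deny blocks, since a Deny wins over any Allow. Only Action and Resource wildcards are modelled; conditions and NotAction/NotResource are ignored. The short CONSOLE_REQUIRED list is a constructed subset of the full list on this page (pass the full list as `required` when auditing a real policy), and TIGHT_POLICY is a constructed policy that is deliberately too narrow.

```python
from fnmatch import fnmatchcase

# Constructed subset of the console-required action list on this page; pass
# the full list from the page as `required` when auditing a real policy.
CONSOLE_REQUIRED = [
    "sso:DescribePermissionSet",
    "sso:DescribeRegisteredRegions",
    "sso:GetSSOStatus",
    "sso:ListInstances",
    "sso:ListPermissionSets",
    "sso:ListTagsForResource",
    "sso-directory:DescribeDirectory",
    "sso-directory:SearchUsers",
]


def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _covers_action(stmt, action):
    """True if the statement's Action patterns match `action` (case-insensitive,
    with IAM's '*' and '?' wildcards)."""
    return any(fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action")))


def console_gaps(policy, required=CONSOLE_REQUIRED):
    """Return (missing, denied) for a candidate policy.

    missing: required actions that no Allow statement grants on Resource "*"
             (the console's list/describe calls are not resource-scoped, so a
             narrower Resource is treated as not covering them).
    denied:  required actions hit by an explicit Deny, which wins over Allow.
    Conditions and NotAction/NotResource are not modelled.
    """
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    denies = [s for s in policy["Statement"] if s.get("Effect") == "Deny"]
    missing, denied = [], []
    for action in required:
        if not any(_covers_action(s, action) and "*" in _as_list(s.get("Resource"))
                   for s in allows):
            missing.append(action)
        if any(_covers_action(s, action) for s in denies):
            denied.append(action)
    return missing, denied


# Constructed "too tight" policy: a read-only policy trimmed below the console
# minimum, plus a Deny that cuts one of the required actions.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sso:List*", "sso-directory:DescribeDirectory"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "sso:ListTagsForResource",
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    missing, denied = console_gaps(TIGHT_POLICY)
    print("missing:", missing)
    print("explicitly denied:", denied)
```

Running this on TIGHT_POLICY flags the four Describe/Get/Search actions that "sso:List*" does not cover and the one List action the Deny removes; each entry is an action a console user with that policy would see fail. Fix the policy by adding the missing actions (or attaching the read-only managed policy the page recommends) rather than by widening to "sso:*", which would exceed the console minimum in the other direction.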