Setting up permissions for Systems Manager Application Manager - AWS Systems Manager

This document is a machine-translated version of the English original; where the two differ in meaning or are inconsistent, the English version prevails.

Setting up permissions for Systems Manager Application Manager

If an AWS Identity and Access Management (IAM) entity (such as a user, group, or role) can access the API operations listed in this topic, it can use all of the features of Application Manager, a capability of AWS Systems Manager. The API operations are divided into two tables to help you understand the different functions they perform.

The following table lists the API operations that Systems Manager calls when you choose a resource in Application Manager to view its details. For example, if Application Manager lists an Amazon EC2 Auto Scaling group and you choose that group to view its details, Systems Manager calls the autoscaling:DescribeAutoScalingGroups API operation. If your account has no Auto Scaling groups, Application Manager never calls this API operation.

Resource details only

acm:DescribeCertificate
acm:ListTagsForCertificate
autoscaling:DescribeAutoScalingGroups
cloudfront:GetDistribution
cloudfront:ListTagsForResource
cloudtrail:DescribeTrails
cloudtrail:ListTags
cloudtrail:LookupEvents
codebuild:BatchGetProjects
codepipeline:GetPipeline
codepipeline:ListTagsForResource
dynamodb:DescribeTable
dynamodb:ListTagsOfResource
ec2:DescribeAddresses
ec2:DescribeCustomerGateways
ec2:DescribeHosts
ec2:DescribeInternetGateways
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
elasticbeanstalk:DescribeApplications
elasticbeanstalk:ListTagsForResource
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
iam:GetGroup
iam:GetPolicy
iam:GetRole
iam:GetUser
lambda:GetFunction
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:DescribeEventSubscriptions
rds:ListTagsForResource
redshift:DescribeClusterParameters
redshift:DescribeClusterSecurityGroups
redshift:DescribeClusterSnapshots
redshift:DescribeClusterSubnetGroups
redshift:DescribeClusters
s3:GetBucketTagging

The following table lists the API operations that Systems Manager uses to change the applications and resources listed in Application Manager, or to view operational information about a selected application or resource.

Application actions and details

applicationinsights:CreateApplication
applicationinsights:DescribeApplication
applicationinsights:ListProblems
ce:GetCostAndUsage
ce:GetTags
ce:ListCostAllocationTags
ce:UpdateCostAllocationTagsStatus
cloudformation:CreateStack
cloudformation:DeleteStack
cloudformation:DescribeStackDriftDetectionStatus
cloudformation:DescribeStackEvents
cloudformation:DescribeStacks
cloudformation:DetectStackDrift
cloudformation:GetTemplate
cloudformation:GetTemplateSummary
cloudformation:ListStacks
cloudformation:UpdateStack
cloudwatch:DescribeAlarms
cloudwatch:DescribeInsightRules
cloudwatch:DisableAlarmActions
cloudwatch:EnableAlarmActions
cloudwatch:GetMetricData
cloudwatch:ListTagsForResource
cloudwatch:PutMetricAlarm
config:DescribeComplianceByConfigRule
config:DescribeComplianceByResource
config:DescribeConfigRules
config:DescribeRemediationConfigurations
config:GetComplianceDetailsByConfigRule
config:GetComplianceDetailsByResource
config:GetResourceConfigHistory
config:ListDiscoveredResources
config:PutRemediationConfigurations
config:SelectResourceConfig
config:StartConfigRulesEvaluation
config:StartRemediationExecution
ec2:DescribeInstances
ecs:DescribeCapacityProviders
ecs:DescribeClusters
ecs:DescribeContainerInstances
ecs:ListClusters
ecs:ListContainerInstances
ecs:TagResource
eks:DescribeCluster
eks:DescribeFargateProfile
eks:DescribeNodegroup
eks:ListClusters
eks:ListFargateProfiles
eks:ListNodegroups
eks:TagResource
iam:CreateServiceLinkedRole
iam:ListRoles
logs:DescribeLogGroups
resource-groups:CreateGroup
resource-groups:DeleteGroup
resource-groups:GetGroup
resource-groups:GetGroupQuery
resource-groups:GetTags
resource-groups:ListGroupResources
resource-groups:ListGroups
resource-groups:Tag
resource-groups:Untag
resource-groups:UpdateGroup
s3:ListAllMyBuckets
s3:ListBucket
s3:ListBucketVersions
servicecatalog:GetApplication
servicecatalog:ListApplications
sns:CreateTopic
sns:ListSubscriptionsByTopic
sns:ListTopics
sns:Subscribe
ssm:AddTagsToResource
ssm:CreateDocument
ssm:CreateOpsMetadata
ssm:DeleteDocument
ssm:DeleteOpsMetadata
ssm:DescribeAssociation
ssm:DescribeAutomationExecutions
ssm:DescribeDocument
ssm:DescribeDocumentPermission
ssm:GetDocument
ssm:GetInventory
ssm:GetOpsMetadata
ssm:GetOpsSummary
ssm:GetServiceSetting
ssm:ListAssociations
ssm:ListComplianceItems
ssm:ListDocuments
ssm:ListDocumentVersions
ssm:ListOpsMetadata
ssm:ListResourceComplianceSummaries
ssm:ListTagsForResource
ssm:ModifyDocumentPermission
ssm:RemoveTagsFromResource
ssm:StartAssociationsOnce
ssm:StartAutomationExecution
ssm:UpdateDocument
ssm:UpdateDocumentDefaultVersion
ssm:UpdateOpsItem
ssm:UpdateOpsMetadata
ssm:UpdateServiceSetting
tag:GetTagKeys
tag:GetTagValues
tag:TagResources
tag:UntagResources

Setting up permissions

To set up Application Manager permissions for an IAM entity (such as a user, group, or role), create an IAM policy using the following example. This policy example includes all of the API operations that Application Manager uses.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListTagsForCertificate",
                "applicationinsights:CreateApplication",
                "applicationinsights:DescribeApplication",
                "applicationinsights:ListProblems",
                "autoscaling:DescribeAutoScalingGroups",
                "ce:GetCostAndUsage",
                "ce:GetTags",
                "ce:ListCostAllocationTags",
                "ce:UpdateCostAllocationTagsStatus",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:DetectStackDrift",
                "cloudformation:GetTemplate",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:UpdateStack",
                "cloudfront:GetDistribution",
                "cloudfront:ListTagsForResource",
                "cloudtrail:DescribeTrails",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeInsightRules",
                "cloudwatch:DisableAlarmActions",
                "cloudwatch:EnableAlarmActions",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListTagsForResource",
                "cloudwatch:PutMetricAlarm",
                "codebuild:BatchGetProjects",
                "codepipeline:GetPipeline",
                "codepipeline:ListTagsForResource",
                "config:DescribeComplianceByConfigRule",
                "config:DescribeComplianceByResource",
                "config:DescribeConfigRules",
                "config:DescribeRemediationConfigurations",
                "config:GetComplianceDetailsByConfigRule",
                "config:GetComplianceDetailsByResource",
                "config:GetResourceConfigHistory",
                "config:ListDiscoveredResources",
                "config:PutRemediationConfigurations",
                "config:SelectResourceConfig",
                "config:StartConfigRulesEvaluation",
                "config:StartRemediationExecution",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAddresses",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeHosts",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ecs:DescribeCapacityProviders",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:TagResource",
                "eks:DescribeCluster",
                "eks:DescribeFargateProfile",
                "eks:DescribeNodegroup",
                "eks:ListClusters",
                "eks:ListFargateProfiles",
                "eks:ListNodegroups",
                "eks:TagResource",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:ListTagsForResource",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "iam:CreateServiceLinkedRole",
                "iam:GetGroup",
                "iam:GetPolicy",
                "iam:GetRole",
                "iam:GetUser",
                "iam:ListRoles",
                "lambda:GetFunction",
                "logs:DescribeLogGroups",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventSubscriptions",
                "rds:ListTagsForResource",
                "redshift:DescribeClusterParameters",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSecurityGroups",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusterSubnetGroups",
                "resource-groups:CreateGroup",
                "resource-groups:DeleteGroup",
                "resource-groups:GetGroup",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:Tag",
                "resource-groups:Untag",
                "resource-groups:UpdateGroup",
                "s3:GetBucketTagging",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "servicecatalog:GetApplication",
                "servicecatalog:ListApplications",
                "sns:CreateTopic",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Subscribe",
                "ssm:AddTagsToResource",
                "ssm:CreateDocument",
                "ssm:CreateOpsMetadata",
                "ssm:DeleteDocument",
                "ssm:DeleteOpsMetadata",
                "ssm:DescribeAssociation",
                "ssm:DescribeAutomationExecutions",
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentPermission",
                "ssm:GetDocument",
                "ssm:GetInventory",
                "ssm:GetOpsMetadata",
                "ssm:GetOpsSummary",
                "ssm:GetServiceSetting",
                "ssm:ListAssociations",
                "ssm:ListComplianceItems",
                "ssm:ListDocuments",
                "ssm:ListDocumentVersions",
                "ssm:ListOpsMetadata",
                "ssm:ListResourceComplianceSummaries",
                "ssm:ListTagsForResource",
                "ssm:ModifyDocumentPermission",
                "ssm:RemoveTagsFromResource",
                "ssm:StartAssociationsOnce",
                "ssm:StartAutomationExecution",
                "ssm:UpdateDocument",
                "ssm:UpdateDocumentDefaultVersion",
                "ssm:UpdateOpsMetadata",
                "ssm:UpdateOpsItem",
                "ssm:UpdateServiceSetting",
                "tag:GetResources",
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Resource": "*"
        }
    ]
}
```

Note

You can restrict a user's ability to change applications and resources in Application Manager by removing the following API operations from the IAM permissions policy attached to the user, group, or role. Removing these actions creates a read-only experience in Application Manager. The following are all of the APIs that allow a user to change an application or any other related resource.

applicationinsights:CreateApplication
ce:UpdateCostAllocationTagsStatus
cloudformation:CreateStack
cloudformation:DeleteStack
cloudformation:UpdateStack
cloudwatch:DisableAlarmActions
cloudwatch:EnableAlarmActions
cloudwatch:PutMetricAlarm
config:PutRemediationConfigurations
config:StartConfigRulesEvaluation
config:StartRemediationExecution
ecs:TagResource
eks:TagResource
iam:CreateServiceLinkedRole
resource-groups:CreateGroup
resource-groups:DeleteGroup
resource-groups:Tag
resource-groups:Untag
resource-groups:UpdateGroup
sns:CreateTopic
sns:Subscribe
ssm:AddTagsToResource
ssm:CreateDocument
ssm:CreateOpsMetadata
ssm:DeleteDocument
ssm:DeleteOpsMetadata
ssm:ModifyDocumentPermission
ssm:RemoveTagsFromResource
ssm:StartAssociationsOnce
ssm:StartAutomationExecution
ssm:UpdateDocument
ssm:UpdateDocumentDefaultVersion
ssm:UpdateOpsMetadata
ssm:UpdateOpsItem
ssm:UpdateServiceSetting
tag:TagResources
tag:UntagResources
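As an added example (not AWS code), the following Python audits a policy for the write actions the Note lists and derives the read-only variant by removing them. The sample policy and the write-action set are constructed subsets of the lists on this page; the wildcard statement is an assumption added to show why a policy that grants "service:*" cannot be made read-only by removal alone.

```python
"""Audit an IAM policy for Application Manager write actions and derive the
read-only variant described in the Note above (added example, not AWS code)."""
import copy
import fnmatch
# Constructed sample: a subset of the actions from the policy above, plus a
# wildcard statement to show why wildcards need separate handling.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cloudformation:DescribeStacks", "cloudformation:CreateStack",
            "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm",
            "ssm:GetOpsSummary", "ssm:UpdateOpsItem", "tag:GetResources"]},
        {"Effect": "Allow", "Resource": "*", "Action": "resource-groups:*"},
    ],
}
# Subset of the write actions listed in the Note above.
WRITE_ACTIONS = frozenset({
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudwatch:PutMetricAlarm", "resource-groups:DeleteGroup",
    "ssm:StartAutomationExecution", "ssm:UpdateOpsItem", "tag:TagResources",
})

def _actions(stmt):
    """Normalise Action, which IAM allows as a single string or a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)

def granted_write_actions(policy, write_actions=WRITE_ACTIONS):
    """Write actions granted by Allow statements, with IAM-style wildcards."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM matches action names case-insensitively and supports * and ?.
        for pattern in _actions(stmt):
            found.update(a for a in write_actions
                         if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(found)

def make_read_only(policy, write_actions=WRITE_ACTIONS):
    """Copy with write actions removed; raises if a wildcard still grants one."""
    drop = {a.lower() for a in write_actions}
    ro = copy.deepcopy(policy)
    for stmt in ro["Statement"]:
        stmt["Action"] = [a for a in _actions(stmt) if a.lower() not in drop]
    leftover = granted_write_actions(ro, write_actions)
    if leftover:  # only wildcard patterns can still match after exact removal
        raise ValueError(f"wildcard patterns still grant {leftover}")
    return ro
```

To apply this to a real policy, replace SAMPLE_POLICY with the policy document above and WRITE_ACTIONS with the full list from the Note.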

For information about creating and editing IAM policies, see Creating IAM policies in the IAM User Guide. For information about how to assign this policy to an IAM entity (such as a user, group, or role), see Adding and removing IAM identity permissions.