Setting up permissions for Systems Manager Application Manager - AWS Systems Manager

If your AWS Identity and Access Management (IAM) user, group, or role has access to the API operations listed in this topic, you can use all of the features of Application Manager, a capability of AWS Systems Manager. The API operations are split into two tables to help you understand the different functions they perform.

The following table lists the API operations that Systems Manager calls when you choose a resource in Application Manager because you want to view the resource's details. For example, if Application Manager lists an Amazon EC2 Auto Scaling group and you choose that group to view its details, Systems Manager calls the autoscaling:DescribeAutoScalingGroups API operation. If your account contains no Auto Scaling groups, this API operation isn't called from Application Manager.

Resource details only

acm:DescribeCertificate
acm:ListTagsForCertificate
autoscaling:DescribeAutoScalingGroups
cloudfront:GetDistribution
cloudfront:ListTagsForResource
cloudtrail:DescribeTrails
cloudtrail:ListTags
cloudtrail:LookupEvents
codebuild:BatchGetProjects
codepipeline:GetPipeline
codepipeline:ListTagsForResource
dynamodb:DescribeTable
dynamodb:ListTagsOfResource
ec2:DescribeAddresses
ec2:DescribeCustomerGateways
ec2:DescribeHosts
ec2:DescribeInternetGateways
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
elasticbeanstalk:DescribeApplications
elasticbeanstalk:ListTagsForResource
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
iam:GetGroup
iam:GetPolicy
iam:GetRole
iam:GetUser
lambda:GetFunction
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:DescribeEventSubscriptions
rds:ListTagsForResource
redshift:DescribeClusterParameters
redshift:DescribeClusterSecurityGroups
redshift:DescribeClusterSnapshots
redshift:DescribeClusterSubnetGroups
redshift:DescribeClusters
s3:GetBucketTagging

The following table lists the API operations that Systems Manager uses to change the applications and resources listed in Application Manager, or to view operations information about a selected application or resource.

Application actions and details

cloudformation:DescribeStacks
cloudwatch:DescribeAlarms
cloudwatch:DescribeInsightRules
cloudwatch:ListMetrics
cloudwatch:ListTagsForResource
config:DescribeComplianceByResource
config:DescribeRemediationConfigurations
config:GetComplianceDetailsByResource
config:GetResourceConfigHistory
config:StartConfigRulesEvaluation
ec2:DescribeInstances
eks:DescribeCluster
eks:ListClusters
eks:ListFargateProfiles
eks:ListNodegroups
eks:TagResource
ecs:ListClusters
ecs:DescribeClusters
ecs:ListContainerInstances
ecs:DescribeContainerInstances
ecs:DescribeCapacityProviders
ecs:TagResource
resource-groups:CreateGroup
resource-groups:DeleteGroup
resource-groups:GetGroup
resource-groups:GetGroupQuery
resource-groups:GetTags
resource-groups:ListGroupResources
resource-groups:ListGroups
resource-groups:Tag
resource-groups:Untag
ssm:CreateOpsMetadata
ssm:DeleteOpsMetadata
ssm:GetOpsSummary
ssm:GetOpsMetadata
ssm:UpdateServiceSetting
ssm:GetServiceSetting
ssm:ListOpsMetadata
ssm:UpdateOpsItem
tag:GetTagKeys
tag:GetTagValues

Setting up permissions

To set up Application Manager permissions for an IAM user, group, or role, create an IAM policy using the following example. This example policy includes all of the API operations that Application Manager uses.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:ListTagsForCertificate",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudfront:GetDistribution",
        "cloudfront:ListTagsForResource",
        "cloudtrail:DescribeTrails",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "codebuild:BatchGetProjects",
        "codepipeline:GetPipeline",
        "codepipeline:ListTagsForResource",
        "dynamodb:DescribeTable",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeAddresses",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeHosts",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ecs:ListClusters",
        "ecs:DescribeClusters",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeCapacityProviders",
        "ecs:TagResource",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:ListTagsForResource",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTags",
        "iam:GetGroup",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:GetUser",
        "lambda:GetFunction",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEventSubscriptions",
        "rds:ListTagsForResource",
        "redshift:DescribeClusterParameters",
        "redshift:DescribeClusterSecurityGroups",
        "redshift:DescribeClusterSnapshots",
        "redshift:DescribeClusterSubnetGroups",
        "redshift:DescribeClusters",
        "s3:GetBucketTagging",
        "cloudformation:DescribeStacks",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeInsightRules",
        "cloudwatch:ListMetrics",
        "cloudwatch:ListTagsForResource",
        "config:DescribeComplianceByResource",
        "config:DescribeRemediationConfigurations",
        "config:GetComplianceDetailsByResource",
        "config:GetResourceConfigHistory",
        "config:StartConfigRulesEvaluation",
        "ec2:DescribeInstances",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "eks:TagResource",
        "resource-groups:CreateGroup",
        "resource-groups:DeleteGroup",
        "resource-groups:GetGroup",
        "resource-groups:GetGroupQuery",
        "resource-groups:GetTags",
        "resource-groups:ListGroupResources",
        "resource-groups:ListGroups",
        "resource-groups:Tag",
        "resource-groups:Untag",
        "ssm:CreateOpsMetadata",
        "ssm:DeleteOpsMetadata",
        "ssm:GetOpsSummary",
        "ssm:GetOpsMetadata",
        "ssm:UpdateServiceSetting",
        "ssm:GetServiceSetting",
        "ssm:ListOpsMetadata",
        "ssm:UpdateOpsItem",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    }
  ]
}

Note

You can remove the following API operations from the IAM permissions policy attached to a user, group, or role to restrict that user's ability to change applications and resources in Application Manager. Removing these actions creates a read-only experience in Application Manager.

eks:TagResource
resource-groups:CreateGroup
resource-groups:DeleteGroup
resource-groups:Tag
resource-groups:Untag
ssm:CreateOpsMetadata
ssm:DeleteOpsMetadata
ssm:UpdateOpsItem
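The read-only variant described in this note can be derived mechanically from the full policy above. The following script is an added example, not AWS code: read_only_policy() drops the eight write actions from every Allow statement, and wildcard_hits() flags patterns such as "ssm:*" that would keep granting them even after the explicit entries are removed. The EXAMPLE_POLICY value is a constructed excerpt of the page's policy, not the full action list.

```python
import fnmatch
import json
from copy import deepcopy

# The eight actions the note above identifies as granting change access.
WRITE_ACTIONS = {
    "eks:TagResource", "resource-groups:CreateGroup", "resource-groups:DeleteGroup",
    "resource-groups:Tag", "resource-groups:Untag", "ssm:CreateOpsMetadata",
    "ssm:DeleteOpsMetadata", "ssm:UpdateOpsItem",
}


def _allow_actions(stmt):
    """Return the Action entries of an Allow statement (IAM accepts a string or a list)."""
    if stmt.get("Effect") != "Allow":
        return []
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def read_only_policy(policy):
    """Return a copy of the policy with the write actions dropped from every Allow statement."""
    result = deepcopy(policy)
    for stmt in result["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Action"] = [a for a in _allow_actions(stmt) if a not in WRITE_ACTIONS]
    return result


def wildcard_hits(policy):
    """Return (pattern, write_action) pairs where a wildcard such as "ssm:*" in an Allow
    statement still grants a write action; IAM matches action names case-insensitively."""
    hits = []
    for stmt in policy["Statement"]:
        for pattern in _allow_actions(stmt):
            if "*" in pattern or "?" in pattern:
                hits += [(pattern, w) for w in sorted(WRITE_ACTIONS)
                         if fnmatch.fnmatchcase(w.lower(), pattern.lower())]
    return hits


# Constructed excerpt of the page's policy: a few actions only, not the full list.
EXAMPLE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ssm:GetOpsSummary", "ssm:CreateOpsMetadata", "ssm:UpdateOpsItem",
             "resource-groups:ListGroups", "resource-groups:CreateGroup"],
  "Resource": "*"}]}''')

if __name__ == "__main__":
    print(json.dumps(read_only_policy(EXAMPLE_POLICY), indent=2))
    print(wildcard_hits({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}))
```

Run wildcard_hits() on the policy you actually attach, not just the example: a broad pattern elsewhere in the same policy quietly undoes the read-only restriction.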

For information about creating and editing IAM policies, see Creating IAM policies in the IAM User Guide. For information about how to assign this policy to an IAM user, group, or role, see Adding and removing IAM identity permissions.