AWS managed policies for AWS Systems Manager

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. Creating IAM customer managed policies takes time and expertise, while managed policies provide your team with the permissions it needs. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You cannot change the permissions in an AWS managed policy. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates do not break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and description of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AmazonSSMServiceRolePolicy

You can't attach AmazonSSMServiceRolePolicy to your AWS Identity and Access Management (IAM) entities. This policy is attached to a service-linked role that allows AWS Systems Manager to perform actions on your behalf. For more information, see Using roles to collect inventory, run Maintenance Windows tasks, and view OpsData: AWSServiceRoleForAmazonSSM.

Three Systems Manager capabilities use the service-linked role:

  • The Inventory capability requires a service-linked role. The role allows the system to collect Inventory metadata from tags and resource groups.

  • The Maintenance Windows capability can optionally use the service-linked role. The role allows the Maintenance Windows service to run maintenance tasks on target instances. Note that the service-linked role for Systems Manager doesn't provide the permissions needed for every scenario. For more information, see Should I use a service-linked role or a custom service role to run maintenance window tasks?

  • The Explorer capability uses the service-linked role to view OpsData and OpsItems from multiple accounts. This service-linked role also allows Explorer to create a managed rule when you enable Security Hub as a data source from Explorer or OpsCenter.

Permissions details

The AWSServiceRoleForAmazonSSM service-linked role permissions policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated otherwise:

  • ssm:CancelCommand

  • ssm:GetCommandInvocation

  • ssm:ListCommandInvocations

  • ssm:ListCommands

  • ssm:SendCommand

  • ssm:GetAutomationExecution

  • ssm:GetParameters

  • ssm:StartAutomationExecution

  • ssm:ListTagsForResource

  • ssm:GetCalendarState

  • ssm:UpdateServiceSetting [1]

  • ssm:GetServiceSetting [1]

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeInstanceStatus

  • ec2:DescribeInstances

  • lambda:InvokeFunction [2]

  • states:DescribeExecution [3]

  • states:StartExecution [3]

  • resource-groups:ListGroups

  • resource-groups:ListGroupResources

  • resource-groups:GetGroupQuery

  • tag:GetResources

  • config:SelectResourceConfig

  • config:DescribeComplianceByConfigRule

  • config:DescribeComplianceByResource

  • config:DescribeRemediationConfigurations

  • config:DescribeConfigurationRecorders

  • compute-optimizer:GetEC2InstanceRecommendations

  • compute-optimizer:GetEnrollmentStatus

  • support:DescribeTrustedAdvisorChecks

  • support:DescribeTrustedAdvisorCheckSummaries

  • support:DescribeTrustedAdvisorCheckResult

  • support:DescribeCases

  • iam:PassRole [4]

  • cloudformation:DescribeStacks

  • cloudformation:ListStackResources

  • cloudformation:ListStackInstances [5]

  • cloudformation:DescribeStackSetOperation [5]

  • cloudformation:DeleteStackSet [5]

  • cloudformation:DeleteStackInstances [6]

  • events:PutRule [7]

  • events:PutTargets [7]

  • events:RemoveTargets [8]

  • events:DeleteRule [8]

  • events:DescribeRule

  • securityhub:DescribeHub

[1] Permission for the ssm:UpdateServiceSetting and ssm:GetServiceSetting actions is allowed only on the following resources.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[2] Permission for the lambda:InvokeFunction action is allowed only on the following resources.

arn:aws:lambda:*:*:function:SSM*
arn:aws:lambda:*:*:function:*:SSM*

[3] Permission for the states: actions is allowed only on the following resources.

arn:aws:states:*:*:stateMachine:SSM*
arn:aws:states:*:*:execution:SSM*

[4] Permission for the iam:PassRole action is allowed only for the Systems Manager service, through the following condition.

"Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com" ] } }

[5] Permission for the cloudformation:ListStackInstances, cloudformation:DescribeStackSetOperation, and cloudformation:DeleteStackSet actions is allowed only on the following resource.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*

[6] Permission for the cloudformation:DeleteStackInstances action is allowed only on the following resources.

arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*
arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*
arn:aws:cloudformation:*:*:type/resource/*

[7] Permission for the events:PutRule and events:PutTargets actions is allowed only for the Systems Manager service, through the following condition.

"Condition": { "StringEquals": { "events:ManagedBy": "ssm.amazonaws.com" } }

[8] Permission for the events:RemoveTargets and events:DeleteRule actions is allowed only on the following resource.

arn:aws:events:*:*:rule/SSMExplorerManagedRule
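The footnotes above describe three kinds of scoping: an action allowed on "Resource": "*" with no condition, an action limited to specific ARNs, and an action gated by a Condition block. As an added example (not code from the AWS documentation), the following Python script classifies every allowed action in a policy document along those lines, so an auditor can list the unrestricted actions first; the embedded policy is an excerpt constructed from the AmazonSSMServiceRolePolicy statements on this page, not the full policy.

```python
import json

# Excerpt constructed from the AmazonSSMServiceRolePolicy statements on this page
# (not the full policy); added example, not AWS documentation code.
POLICY_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:SendCommand", "ssm:GetParameters"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["ssm:UpdateServiceSetting", "ssm:GetServiceSetting"],
     "Resource": ["arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*",
                  "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*"]},
    {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
     "Resource": ["arn:aws:lambda:*:*:function:SSM*", "arn:aws:lambda:*:*:function:*:SSM*"]},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": ["ssm.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["events:PutRule", "events:PutTargets"], "Resource": "*",
     "Condition": {"StringEquals": {"events:ManagedBy": "ssm.amazonaws.com"}}}
  ]
}""")


def _as_list(value):
    # IAM accepts Action and Resource as either a single string or a list.
    return value if isinstance(value, list) else [value]


def classify_actions(policy):
    """Map each allowed action to 'unrestricted', 'resource' or 'condition'.

    'unrestricted' = Allow on Resource "*" with no Condition (the actions the
    page lists without a footnote); 'resource' = limited to specific ARNs;
    'condition' = gated by a Condition block (checked first, so it wins)."""
    scopes = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        if stmt.get("Condition"):
            scope = "condition"
        elif _as_list(stmt.get("Resource", [])) != ["*"]:
            scope = "resource"
        else:
            scope = "unrestricted"
        for action in _as_list(stmt["Action"]):
            scopes[action] = scope
    return scopes


def unrestricted_actions(policy):
    # The actions to review first: no resource or condition scoping at all.
    return sorted(a for a, s in classify_actions(policy).items() if s == "unrestricted")


if __name__ == "__main__":
    for action, scope in sorted(classify_actions(POLICY_EXCERPT).items()):
        print(f"{action:28} {scope}")
```

Run against the full policy text from this page, the script reproduces the footnoted/unfootnoted split of the action list above.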

Full AmazonSSMServiceRolePolicy policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:CancelCommand",
        "ssm:GetCommandInvocation",
        "ssm:ListCommandInvocations",
        "ssm:ListCommands",
        "ssm:SendCommand",
        "ssm:GetAutomationExecution",
        "ssm:GetParameters",
        "ssm:StartAutomationExecution",
        "ssm:ListTagsForResource",
        "ssm:GetCalendarState"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateServiceSetting",
        "ssm:GetServiceSetting"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*",
        "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "lambda:InvokeFunction" ],
      "Resource": [
        "arn:aws:lambda:*:*:function:SSM*",
        "arn:aws:lambda:*:*:function:*:SSM*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:StartExecution"
      ],
      "Resource": [
        "arn:aws:states:*:*:stateMachine:SSM*",
        "arn:aws:states:*:*:execution:SSM*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "resource-groups:ListGroups",
        "resource-groups:ListGroupResources",
        "resource-groups:GetGroupQuery"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:ListStackResources"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "tag:GetResources" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "config:SelectResourceConfig" ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEnrollmentStatus"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:DescribeTrustedAdvisorCheckResult",
        "support:DescribeCases"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeComplianceByConfigRule",
        "config:DescribeComplianceByResource",
        "config:DescribeRemediationConfigurations",
        "config:DescribeConfigurationRecorders"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [ "ssm.amazonaws.com" ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "organizations:DescribeOrganization",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudformation:ListStackSets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackInstances",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:DeleteStackSet"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudformation:DeleteStackInstances",
      "Resource": [
        "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-SSM*:*",
        "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-SSM*:*",
        "arn:aws:cloudformation:*:*:type/resource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "ssm.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:RemoveTargets",
        "events:DeleteRule"
      ],
      "Resource": [ "arn:aws:events:*:*:rule/SSMExplorerManagedRule" ]
    },
    {
      "Effect": "Allow",
      "Action": "events:DescribeRule",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "securityhub:DescribeHub",
      "Resource": "*"
    }
  ]
}

AWS managed policy: AWSSystemsManagerOpsDataSyncServiceRolePolicy

You can't attach AWSSystemsManagerOpsDataSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see Using roles to create OpsData and OpsItems for Systems Manager Explorer: AWSServiceRoleForSystemsManagerOpsDataSync.

AWSSystemsManagerOpsDataSyncServiceRolePolicy allows the AWSServiceRoleForSystemsManagerOpsDataSync service-linked role to create and update OpsItems and OpsData from AWS Security Hub findings.

Permissions details

The AWSServiceRoleForAmazonSSM service-linked role permissions policy allows Systems Manager to complete the following actions on all related resources ("Resource": "*"), except where indicated otherwise:

  • ssm:GetOpsItem [1]

  • ssm:UpdateOpsItem [1]

  • ssm:CreateOpsItem

  • ssm:AddTagsToResource [2]

  • ssm:UpdateServiceSetting [3]

  • ssm:GetServiceSetting [3]

  • securityhub:GetFindings

  • securityhub:BatchUpdateFindings [4]

[1] Permission for the ssm:GetOpsItem and ssm:UpdateOpsItem actions is allowed only for the Systems Manager service, through the following condition.

"Condition": { "StringEquals": { "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true" } }

[2] Permission for the ssm:AddTagsToResource action is allowed only on the following resource.

arn:aws:ssm:*:*:opsitem/*

[3] Permission for the ssm:UpdateServiceSetting and ssm:GetServiceSetting actions is allowed only on the following resources.

arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*
arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*

[4] Permission for securityhub:BatchUpdateFindings is denied for the Systems Manager service only under the following condition.

"Condition": {
  "StringEquals": {
    "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
  },
  "Null": {
    "securityhub:ASFFSyntaxPath/Confidence": false,
    "securityhub:ASFFSyntaxPath/Criticality": false,
    "securityhub:ASFFSyntaxPath/Note": false,
    "securityhub:ASFFSyntaxPath/RelatedFindings": false,
    "securityhub:ASFFSyntaxPath/Types": false,
    "securityhub:ASFFSyntaxPath/UserDefinedFields": false,
    "securityhub:ASFFSyntaxPath/VerificationState": false
  }
}

Full AWSSystemsManagerOpsDataSyncServiceRolePolicy policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetOpsItem",
        "ssm:UpdateOpsItem"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ExplorerSecurityHubOpsItem": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "ssm:CreateOpsItem" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ssm:AddTagsToResource" ],
      "Resource": "arn:aws:ssm:*:*:opsitem/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateServiceSetting",
        "ssm:GetServiceSetting"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:servicesetting/ssm/opsitem/*",
        "arn:aws:ssm:*:*:servicesetting/ssm/opsdata/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:GetFindings",
        "securityhub:BatchUpdateFindings"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Deny",
      "Action": "securityhub:BatchUpdateFindings",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        },
        "Null": {
          "securityhub:ASFFSyntaxPath/Confidence": false,
          "securityhub:ASFFSyntaxPath/Criticality": false,
          "securityhub:ASFFSyntaxPath/Note": false,
          "securityhub:ASFFSyntaxPath/RelatedFindings": false,
          "securityhub:ASFFSyntaxPath/Types": false,
          "securityhub:ASFFSyntaxPath/UserDefinedFields": false,
          "securityhub:ASFFSyntaxPath/VerificationState": false
        }
      }
    }
  ]
}

Systems Manager updates to AWS managed policies

View details about updates to AWS managed policies since Systems Manager began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Systems Manager Document history page.

Change: AmazonSSMServiceRolePolicy – Update to an existing policy.
Description: Systems Manager added new permissions to allow Explorer to create a managed rule when Security Hub is enabled from Explorer or OpsCenter. New permissions were added to check that configuration and to check whether compute-optimizer meets the required prerequisites before OpsData is allowed.
Date: April 27, 2021

Change: AWSSystemsManagerOpsDataSyncServiceRolePolicy – New policy.
Description: Systems Manager added a new policy to create and update OpsItems and OpsData from Security Hub findings in Explorer and OpsCenter.
Date: April 27, 2021

Change: AmazonSSMServiceRolePolicy – Update to an existing policy.
Description: Systems Manager added new permissions to allow viewing aggregated OpsData and OpsItems details from multiple accounts and AWS Regions in Explorer.
Date: March 24, 2021

Change: Systems Manager started tracking changes.
Description: Systems Manager started tracking changes to its AWS managed policies.
Date: March 12, 2021