• El panel de AWS Systems Manager CloudWatch dejará de estar disponible después del 30 de abril de 2026. Los clientes pueden seguir utilizando la consola de Amazon CloudWatch para ver, crear y administrar sus paneles de Amazon CloudWatch, tal y como lo hacen actualmente. Para obtener más información, consulte la [documentación del panel de Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html).
# Políticas de bucket de S3 para la consola unificada de Systems Manager
En este tema se incluyen las políticas de bucket de Amazon S3 que crea Systems Manager al incorporar una organización o una cuenta única a la consola unificada de Systems Manager.
**aviso**
La modificación de la política de buckets predeterminada puede permitir que las cuentas de los miembros de una organización se detecten entre sí o lean los resultados de los diagnósticos en busca de instancias de otra cuenta. Le recomendamos que actúe con extrema precaución si decide modificar esta política.
## Política de buckets de Amazon S3 para una organización
El bucket de diagnóstico se crea con la siguiente política de buckets predeterminada al incorporar una organización a Systems Manager.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyHTTPRequests",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "DenyNonSigV4Requests",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
],
"Condition": {
"StringNotEquals": {
"s3:SignatureVersion": "AWS4-HMAC-SHA256"
}
}
},
{
"Sid": "AllowAccessLog",
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}/access-logs/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{000000000000}}"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
}
}
},
{
"Sid": "AllowCrossAccountRead",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}/actions/*/${aws:PrincipalAccount}/*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "{{organization-id}}"
}
}
},
{
"Sid": "AllowCrossAccountWrite",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket-name/actions/*/${aws:PrincipalAccount}/*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "organization-id"
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole-{{operational-123456789012-home-region}}",
"arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole-{{operational-123456789012-home-region}}",
"arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole-{{operational-123456789012-home-region}}",
"arn:aws:iam::*:role/AWS-SSM-RemediationAdminRole-{{operational-123456789012-home-region}}"
]
}
}
},
{
"Sid": "AllowCrossAccountListUnderAccountOwnPrefix",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "{{organization-id}}"
},
"StringLike": {
"s3:prefix": "*/${aws:PrincipalAccount}/*"
}
}
},
{
"Sid": "AllowCrossAccountGetConfigWithinOrganization",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetEncryptionConfiguration",
"Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "{{organization-id}}"
}
}
}
]
}
```
------
## Política de buckets de Amazon S3 para una sola cuenta
El bucket de diagnóstico se crea con la siguiente política de buckets predeterminada al incorporar una sola cuenta a Systems Manager.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyHTTPRequests",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "DenyNonSigV4Requests",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
],
"Condition": {
"StringNotEquals": {
"s3:SignatureVersion": "AWS4-HMAC-SHA256"
}
}
}
]
}
```
------