Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
# Contoh kebijakan IAM untuk AWS Artifact di Wilayah komersial AWS
Anda dapat membuat kebijakan izin yang memberikan izin kepada pengguna IAM. Anda dapat memberi pengguna akses ke AWS Artifact laporan dan kemampuan untuk menerima dan mengunduh perjanjian atas nama satu akun atau organisasi.
Contoh kebijakan berikut menunjukkan izin yang dapat Anda tetapkan untuk pengguna IAM berdasarkan tingkat akses yang mereka butuhkan.
Kebijakan ini berlaku di AWS [Wilayah](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#region) komersial. Untuk kebijakan yang berlaku AWS GovCloud (US) Regions, lihat [Contoh kebijakan IAM untuk AWS ArtifactAWS GovCloud (US) Regions](https://docs.aws.amazon.com/artifact/latest/ug/example-govcloud-iam-policies.html)
+ [Contoh kebijakan untuk mengelola AWS laporan dengan izin berbutir halus](#example-policy-manage-aws-reports-with-finegrained-permissions)
+ [Contoh kebijakan untuk mengelola laporan pihak ketiga](#example-policy-manage-third-party-reports)
+ [Contoh kebijakan untuk mengelola perjanjian](#example-policy-manage-agreements)
+ [Contoh kebijakan untuk diintegrasikan dengan AWS Organizations](#example-policy-integrate-with-organizations)
+ [Contoh kebijakan untuk mengelola perjanjian untuk akun manajemen](#example-policy-agreements-master)
+ [Contoh kebijakan untuk mengelola perjanjian organisasi](#example-policy-organizational-agreements)
+ [Contoh kebijakan untuk mengelola notifikasi](#example-policy-notifications)
**Example Contoh kebijakan untuk mengelola AWS laporan melalui izin berbutir halus**
Anda harus mempertimbangkan untuk menggunakan [kebijakan AWSArtifact ReportsReadOnlyAccess terkelola](security-iam-awsmanpol.html) alih-alih mendefinisikan kebijakan Anda sendiri.
Kebijakan berikut memberikan izin untuk mengunduh semua AWS laporan melalui izin berbutir halus.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:ListReports",
"artifact:GetReportMetadata",
"artifact:GetReport",
"artifact:GetTermForReport",
"artifact:ListReportVersions"
],
"Resource": "*"
}
]
}
```
Kebijakan berikut memberikan izin untuk mengunduh hanya laporan AWS SOC, PCI, dan ISO melalui izin berbutir halus.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:ListReports"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"artifact:GetReportMetadata",
"artifact:GetReport",
"artifact:GetTermForReport",
"artifact:ListReportVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"artifact:ReportSeries": [
"SOC",
"PCI",
"ISO"
],
"artifact:ReportCategory": [
"Certifications and Attestations"
]
}
}
}
]
}
```
**Example Contoh kebijakan untuk mengelola laporan pihak ketiga**
Anda harus mempertimbangkan untuk menggunakan [kebijakan AWSArtifact ReportsReadOnlyAccess terkelola](security-iam-awsmanpol.html) alih-alih mendefinisikan kebijakan Anda sendiri.
Laporan pihak ketiga dilambangkan dengan sumber daya IAM. `report`
Kebijakan berikut memberikan izin untuk semua fungsi laporan pihak ketiga.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:ListReports",
"artifact:GetReportMetadata",
"artifact:GetReport",
"artifact:GetTermForReport"
],
"Resource": "*"
}
]
}
```
Kebijakan berikut memberikan izin untuk mengunduh laporan pihak ketiga.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetReport",
"artifact:GetTermForReport"
],
"Resource": "*"
}
]
}
```
Kebijakan berikut memberikan izin untuk membuat daftar laporan pihak ketiga.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:ListReports"
],
"Resource": "*"
}
]
}
```
Kebijakan berikut memberikan izin untuk melihat detail laporan pihak ketiga untuk semua versi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetReportMetadata"
],
"Resource": [
"arn:aws:artifact:us-east-1::report/report-jRVRFP8HxUN5zpPh:*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk melihat detail laporan pihak ketiga untuk versi tertentu.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetReportMetadata"
],
"Resource": [
"arn:aws:artifact:us-east-1::report/report-jRVRFP8HxUN5zpPh:1"
]
}
]
}
```
**Tip**
Anda harus mempertimbangkan untuk menggunakan [AWSArtifactAgreementsReadOnlyAccess atau kebijakan yang AWSArtifact AgreementsFullAccess dikelola](security-iam-awsmanpol.html) alih-alih mendefinisikan kebijakan Anda sendiri.
**Example Contoh kebijakan untuk mengelola perjanjian**
Kebijakan berikut memberikan izin untuk mengunduh semua perjanjian.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": [
"*"
]
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
}
]
}
```
Kebijakan berikut memberikan izin untuk menerima semua perjanjian.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:ListAgreements"
],
"Resource": [
"*"
]
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
}
]
}
```
Kebijakan berikut memberikan izin untuk mengakhiri semua perjanjian.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
}
]
}
```
Kebijakan berikut memberikan izin untuk melihat dan melaksanakan perjanjian tingkat akun.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
}
]
}
```
**Example Contoh kebijakan untuk diintegrasikan dengan AWS Organizations**
Kebijakan berikut memberikan izin untuk membuat peran IAM yang AWS Artifact digunakan untuk berintegrasi dengan. AWS Organizations Akun manajemen organisasi Anda harus memiliki izin ini untuk memulai perjanjian organisasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:GetRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"artifact.amazonaws.com"
]
}
}
}
]
}
```
Kebijakan berikut memberikan izin untuk memberikan izin AWS Artifact untuk digunakan. AWS Organizations Akun manajemen organisasi Anda harus memiliki izin ini untuk memulai perjanjian organisasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization"
],
"Resource": "*"
},
{
"Sid": "EnableServiceTrustForArtifact",
"Effect": "Allow",
"Action": [
"organizations:EnableAWSServiceAccess"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"organizations:ServicePrincipal": [
"aws-artifact-account-sync.amazonaws.com"
]
}
}
}
]
}
```
**Example Contoh kebijakan untuk mengelola perjanjian bagi akun manajemen**
Kebijakan berikut memberikan izin untuk mengelola perjanjian bagi akun manajemen.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
},
{
"Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:GetRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"artifact.amazonaws.com"
]
}
}
},
{
"Sid": "EnableServiceTrust",
"Effect": "Allow",
"Action": [
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DescribeOrganization"
],
"Resource": "*"
},
{
"Sid": "EnableServiceTrustForArtifact",
"Effect": "Allow",
"Action": [
"organizations:EnableAWSServiceAccess"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"organizations:ServicePrincipal": [
"aws-artifact-account-sync.amazonaws.com"
]
}
}
}
]
}
```
**Example Contoh kebijakan untuk mengelola perjanjian organisasi**
Kebijakan berikut memberikan izin untuk mengelola perjanjian organisasi. Pengguna lain dengan izin yang diperlukan harus menyiapkan perjanjian organisasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement",
"artifact:AcceptAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement",
"artifact:TerminateAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
},
{
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization"
],
"Resource": "*"
}
]
}
```
Kebijakan berikut memberikan izin untuk melihat perjanjian organisasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:ListAgreements",
"artifact:ListCustomerAgreements"
],
"Resource": "*"
},
{
"Sid": "AWSAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetAgreement",
"artifact:AcceptNdaForAgreement",
"artifact:GetNdaForAgreement"
],
"Resource": "arn:aws:artifact:::agreement/*"
},
{
"Sid": "CustomerAgreementActions",
"Effect": "Allow",
"Action": [
"artifact:GetCustomerAgreement"
],
"Resource": "arn:aws:artifact::*:customer-agreement/*"
},
{
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization"
],
"Resource": "*"
}
]
}
```
**Example Contoh kebijakan untuk mengelola notifikasi**
Kebijakan berikut memberikan izin lengkap untuk menggunakan AWS Artifact notifikasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetAccountSettings",
"artifact:PutAccountSettings",
"notifications:AssociateChannel",
"notifications:CreateEventRule",
"notifications:CreateNotificationConfiguration",
"notifications:DeleteEventRule",
"notifications:DeleteNotificationConfiguration",
"notifications:DisassociateChannel",
"notifications:GetEventRule",
"notifications:GetNotificationConfiguration",
"notifications:ListChannels",
"notifications:ListEventRules",
"notifications:ListNotificationConfigurations",
"notifications:ListNotificationHubs",
"notifications:ListTagsForResource",
"notifications:TagResource",
"notifications:UntagResource",
"notifications:UpdateEventRule",
"notifications:UpdateNotificationConfiguration",
"notifications-contacts:CreateEmailContact",
"notifications-contacts:DeleteEmailContact",
"notifications-contacts:GetEmailContact",
"notifications-contacts:ListEmailContacts",
"notifications-contacts:SendActivationCode"
],
"Resource": [
"*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk mencantumkan semua konfigurasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetAccountSettings",
"notifications:ListChannels",
"notifications:ListEventRules",
"notifications:ListNotificationConfigurations",
"notifications:ListNotificationHubs",
"notifications-contacts:GetEmailContact"
],
"Resource": [
"*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk membuat konfigurasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetAccountSettings",
"artifact:PutAccountSettings",
"notifications-contacts:CreateEmailContact",
"notifications-contacts:SendActivationCode",
"notifications:AssociateChannel",
"notifications:CreateEventRule",
"notifications:CreateNotificationConfiguration",
"notifications:ListEventRules",
"notifications:ListNotificationHubs",
"notifications:TagResource",
"notifications-contacts:ListEmailContacts"
],
"Resource": [
"*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk mengedit konfigurasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"artifact:GetAccountSettings",
"artifact:PutAccountSettings",
"notifications:AssociateChannel",
"notifications:DisassociateChannel",
"notifications:GetNotificationConfiguration",
"notifications:ListChannels",
"notifications:ListEventRules",
"notifications:ListTagsForResource",
"notifications:TagResource",
"notifications:UntagResource",
"notifications:UpdateEventRule",
"notifications:UpdateNotificationConfiguration",
"notifications-contacts:GetEmailContact",
"notifications-contacts:ListEmailContacts"
],
"Resource": [
"*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk menghapus konfigurasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"notifications:DeleteNotificationConfiguration",
"notifications:ListEventRules"
],
"Resource": [
"*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk melihat detail konfigurasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"notifications:GetNotificationConfiguration",
"notifications:ListChannels",
"notifications:ListEventRules",
"notifications:ListTagsForResource",
"notifications-contacts:GetEmailContact"
],
"Resource": [
"*"
]
}
]
}
```
Kebijakan berikut memberikan izin untuk mendaftarkan atau membatalkan pendaftaran hub notifikasi.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"notifications:DeregisterNotificationHub",
"notifications:RegisterNotificationHub"
],
"Resource": [
"*"
]
}
]
}
```