

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# AWS managed policies for AWS Trusted Advisor
<a name="aws-managed-policies-for-trusted-advisor"></a>

Trusted Advisor has the following AWS managed policies.

**Contents**
+ [AWS managed policy: AWSTrustedAdvisorPriorityFullAccess](#security-iam-support-TA-priority-full-access-policy)
+ [AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess](#security-iam-support-TA-priority-read-only-policy)
+ [AWS managed policy: AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy)
+ [AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorReportingServiceRolePolicy)
+ [Updates to Trusted Advisor AWS managed policies](#security-iam-awsmanpol-updates-trusted-advisor)

## AWS managed policy: AWSTrustedAdvisorPriorityFullAccess
<a name="security-iam-support-TA-priority-full-access-policy"></a>

The [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityFullAccess$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityFullAccess$jsonEditor) policy grants full access to Trusted Advisor Priority. This policy also allows the user to add Trusted Advisor as a trusted service with AWS Organizations, and allows the user to specify delegated administrator accounts for Trusted Advisor Priority.

**Permissions details**

In the first statement, this policy includes the following permissions for `trustedadvisor`:
+ Describe your account and organization.
+ Describe the risks identified in Trusted Advisor Priority. These permissions allow you to download risks and update their status.
+ Describe your Trusted Advisor Priority email notification configuration. These permissions allow you to configure email notifications and to disable them for delegated administrators.
+ Set up Trusted Advisor so that your account can enable AWS Organizations.

In the second statement, this policy includes the following permissions for `organizations`:
+ Describe your Trusted Advisor account and organization.
+ List the AWS services that you allow to use Organizations.

In the third statement, this policy includes the following permissions for `organizations`:
+ List the delegated administrators for Trusted Advisor Priority.
+ Enable and disable trusted access with Organizations.

In the fourth statement, this policy includes the following permissions for `iam`:
+ Create the `AWSServiceRoleForTrustedAdvisorReporting` service-linked role.

In the fifth statement, this policy includes the following permissions for `organizations`:
+ Allow you to register and deregister delegated administrators for Trusted Advisor Priority.

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityFullAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:UpdateRiskStatus",
				"trustedadvisor:DescribeNotificationConfigurations",
				"trustedadvisor:UpdateNotificationConfigurations",
				"trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
				"trustedadvisor:SetOrganizationAccess"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators",
				"organizations:EnableAWSServiceAccess",
				"organizations:DisableAWSServiceAccess"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AllowCreateServiceLinkedRole",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowRegisterDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:RegisterDelegatedAdministrator",
				"organizations:DeregisterDelegatedAdministrator"
			],
			"Resource": "arn:aws:organizations::*:*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}
```

------
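As an added example (not part of the AWS documentation), the following Python evaluates a request against a subset of the AWSTrustedAdvisorPriorityFullAccess statements above and shows how the `organizations:ServicePrincipal` condition confines the Organizations write actions to the Trusted Advisor reporting service principal. The evaluator is a deliberate simplification: it handles Allow statements only and just the `StringEquals` and `StringLike` operators these policies use; the request values it is called with are constructed.

```python
from fnmatch import fnmatchcase

# Subset of the AWSTrustedAdvisorPriorityFullAccess statements shown above: the
# trustedadvisor statement and the two condition-guarded organizations statements.
TA_PRINCIPAL = "reporting.trustedadvisor.amazonaws.com"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSTrustedAdvisorPriorityFullAccess", "Effect": "Allow",
     "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:UpdateRiskStatus"],
     "Resource": "*"},
    {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow",
     "Action": ["organizations:ListDelegatedAdministrators",
                "organizations:EnableAWSServiceAccess",
                "organizations:DisableAWSServiceAccess"],
     "Resource": "*",
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
    {"Sid": "AllowRegisterDelegatedAdministrators", "Effect": "Allow",
     "Action": ["organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"],
     "Resource": "arn:aws:organizations::*:*",
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
]}

def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # All condition keys must match (AND); a key absent from the request context fails.
    # Simplification: only StringEquals and StringLike, the operators these policies use.
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                if not any(fnmatchcase(actual, p) for p in _as_list(wanted)):
                    return False
            elif actual not in _as_list(wanted):  # StringEquals
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Return the Sid of the first matching Allow statement, or None (implicit deny).
    Wildcards (* and ?) use fnmatchcase; the policies on this page have no Deny."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt.get("Sid")
    return None
```

Without the `organizations:ServicePrincipal` key in the request, or with any other service principal, the `EnableAWSServiceAccess` and `RegisterDelegatedAdministrator` calls fall through to the implicit deny, which is the property an auditor wants to confirm before granting this policy.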

## AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess
<a name="security-iam-support-TA-priority-read-only-policy"></a>

The [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess$jsonEditor) policy grants read-only access to Trusted Advisor Priority, including permission to view the delegated administrator accounts.

**Permissions details**

In the first statement, this policy includes the following permissions for `trustedadvisor`:
+ Describe your Trusted Advisor account and organization.
+ Describe the risks identified in Trusted Advisor Priority and allow you to download them.
+ Describe the Trusted Advisor Priority email notification configuration.

In the second and third statements, this policy includes the following permissions for `organizations`:
+ Describe your organization with Organizations.
+ List the AWS services that you allow to use Organizations.
+ List the delegated administrators for Trusted Advisor Priority.

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:DescribeNotificationConfigurations"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}
```

------

## AWS managed policy: AWSTrustedAdvisorServiceRolePolicy
<a name="security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy"></a>

This policy is attached to the `AWSServiceRoleForTrustedAdvisor` service-linked role. This role allows Trusted Advisor to perform actions on your behalf. You can't attach [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy$jsonEditor) to your AWS Identity and Access Management (IAM) entities. For more information, see [Using service-linked roles for Trusted Advisor](using-service-linked-roles-ta.md).

This policy grants administrative permissions that allow the service-linked role to access AWS services. These permissions allow Trusted Advisor checks to evaluate your account.

**Permissions details**

This policy includes the following permissions.

+ `accessanalyzer` – Describe AWS Identity and Access Management Access Analyzer resources
+ `Auto Scaling` – Describe Amazon EC2 Auto Scaling account quotas and resources
+ `cloudformation` – Describe AWS CloudFormation (CloudFormation) account quotas and stacks
+ `cloudfront` – Describe Amazon CloudFront distributions
+ `cloudtrail` – Describe AWS CloudTrail (CloudTrail) trails
+ `dynamodb` – Describe Amazon DynamoDB account quotas and resources
+ `dynamodbaccelerator` – Describe DynamoDB Accelerator resources
+ `ec2` – Describe Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources
+ `elasticloadbalancing` – Describe Elastic Load Balancing (ELB) account quotas and resources
+ `iam` – Get IAM resources, such as credentials, the password policy, and certificates
+ `networkfirewall` – Describe AWS Network Firewall resources
+ `kinesis` – Describe Amazon Kinesis (Kinesis) account quotas
+ `rds` – Describe Amazon Relational Database Service (Amazon RDS) resources
+ `redshift` – Describe Amazon Redshift resources
+ `route53` – Describe Amazon Route 53 account quotas and resources
+ `s3` – Describe Amazon Simple Storage Service (Amazon S3) resources
+ `ses` – Get Amazon Simple Email Service (Amazon SES) send quotas
+ `sqs` – List Amazon Simple Queue Service (Amazon SQS) queues
+ `cloudwatch` – Get Amazon CloudWatch Events (CloudWatch Events) metric statistics
+ `ce` – Get Cost Explorer Service (Cost Explorer) recommendations
+ `route53resolver` – Get Amazon Route 53 Resolver endpoints and resources
+ `kafka` – Get Amazon Managed Streaming for Apache Kafka resources
+ `ecs` – Get Amazon ECS resources
+ `outposts` – Get AWS Outposts resources

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TrustedAdvisorServiceRolePermissions",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ListAnalyzers",
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetEventSelectors",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dax:DescribeClusters",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeImages",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVolumes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:GetManagedPrefixListEntries",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTaskDefinitions",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "iam:ListSAMLProviders",
                "kinesis:DescribeLimits",
                "kafka:DescribeClusterV2",
                "kafka:ListClustersV2",
                "kafka:ListNodes",
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "outposts:GetOutpost",
                "outposts:ListAssets",
                "outposts:ListOutposts",
                "rds:DescribeAccountAttributes",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "redshift:DescribeReservedNodeOfferings",
                "redshift:DescribeReservedNodes",
                "route53:GetAccountLimit",
                "route53:GetHealthCheck",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:ListResolverEndpointIpAddresses",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "ses:GetSendQuota",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy
<a name="security-iam-awsmanpol-AWSTrustedAdvisorReportingServiceRolePolicy"></a>

This policy is attached to the `AWSServiceRoleForTrustedAdvisorReporting` service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorReportingServiceRolePolicy$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorReportingServiceRolePolicy$jsonEditor) to your IAM entities. For more information, see [Using service-linked roles for Trusted Advisor](using-service-linked-roles-ta.md).

This policy grants administrative permissions that allow the service-linked role to perform AWS Organizations actions.

**Permissions details**

This policy includes the following permissions.

+ `organizations` – Describe your organization and list service access, accounts, parents, children, and organizational units

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## Updates to Trusted Advisor AWS managed policies
<a name="security-iam-awsmanpol-updates-trusted-advisor"></a>

View details about updates to AWS managed policies for AWS Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document history](History.md) page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

**Trusted Advisor**

| Change | Description | Date |
| --- | --- | --- |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added new actions to grant the `ecs:ListClusters`, `ecs:ListTasks`, `ecs:DescribeTasks`, and `ecs:ListTaskDefinitionFamilies` permissions. | May 14, 2026 |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added new actions to grant the `elasticloadbalancing:DescribeListeners` and `elasticloadbalancing:DescribeRules` permissions. | October 30, 2024 |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added new actions to grant the `access-analyzer:ListAnalyzers`, `cloudwatch:ListMetrics`, `dax:DescribeClusters`, `ec2:DescribeNatGateways`, `ec2:DescribeRouteTables`, `ec2:DescribeVpcEndpoints`, `ec2:GetManagedPrefixListEntries`, `elasticloadbalancing:DescribeTargetHealth`, `iam:ListSAMLProviders`, `kafka:DescribeClusterV2`, `network-firewall:ListFirewalls`, `network-firewall:DescribeFirewall`, and `sqs:GetQueueAttributes` permissions. | June 11, 2024 |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added new actions to grant the `cloudtrail:GetTrail`, `cloudtrail:ListTrails`, `cloudtrail:GetEventSelectors`, `outposts:GetOutpost`, `outposts:ListAssets`, and `outposts:ListOutposts` permissions. | January 18, 2024 |
| [AWSTrustedAdvisorPriorityFullAccess](#security-iam-support-TA-priority-full-access-policy) <br />Update to an existing policy. | Trusted Advisor updated the `AWSTrustedAdvisorPriorityFullAccess` AWS managed policy to include statement IDs. | December 6, 2023 |
| [AWSTrustedAdvisorPriorityReadOnlyAccess](#security-iam-support-TA-priority-read-only-policy) <br />Update to an existing policy. | Trusted Advisor updated the `AWSTrustedAdvisorPriorityReadOnlyAccess` AWS managed policy to include statement IDs. | December 6, 2023 |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy): Update to an existing policy | Trusted Advisor added new actions to grant the `ec2:DescribeRegions`, `s3:GetLifecycleConfiguration`, `ecs:DescribeTaskDefinition`, and `ecs:ListTaskDefinitions` permissions. | November 9, 2023 |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy): Update to an existing policy | Trusted Advisor added the new IAM actions `route53resolver:ListResolverEndpoints`, `route53resolver:ListResolverEndpointIpAddresses`, `ec2:DescribeSubnets`, `kafka:ListClustersV2`, and `kafka:ListNodes` as part of onboarding new resilience checks. | September 14, 2023 |
| [AWSTrustedAdvisorReportingServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorReportingServiceRolePolicy) <br />V2 of the managed policy attached to the Trusted Advisor `AWSServiceRoleForTrustedAdvisorReporting` service-linked role | Upgraded the AWS managed policy for the Trusted Advisor `AWSServiceRoleForTrustedAdvisorReporting` service-linked role to V2. V2 adds one more IAM action, `organizations:ListDelegatedAdministrators`. | February 28, 2023 |
| [AWSTrustedAdvisorPriorityFullAccess](#security-iam-support-TA-priority-full-access-policy) and [AWSTrustedAdvisorPriorityReadOnlyAccess](#security-iam-support-TA-priority-read-only-policy) <br />New AWS managed policies for Trusted Advisor | Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority. | August 17, 2022 |
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy): Update to an existing policy | Trusted Advisor added new actions to grant the `DescribeTargetGroups` and `GetAccountPublicAccessBlock` permissions.<br />The **Auto Scaling Group Health Check** requires the `DescribeTargetGroups` permission to retrieve the non-Classic Load Balancers attached to an Auto Scaling group.<br />The **Amazon S3 Bucket Permissions** check requires the `GetAccountPublicAccessBlock` permission to retrieve the Block Public Access settings for the AWS account. | August 10, 2021 |
| Published change log | Trusted Advisor started tracking changes to its AWS managed policies. | August 10, 2021 |