本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 亚马逊托管 Grafana 数据源的权限和政策 AWS
Amazon Managed Grafana 提供三种权限模式:
+ Service-managed 当前账户的权限
+ Service-managed 组织的权限
+ Customer-managed 权限
创建工作区时,您可以选择要使用的权限模式。如果需要,您也可以稍后更改。
在任一服务托管权限模式下,Amazon Managed Grafana 都会创建访问和 AWS 发现您的账户或组织中的数据源所需的角色和策略。然后,您可以选择在 IAM 控制台中编辑这些策略。
## Service-managed 单个账户的权限
**在此模式下,Amazon Managed Grafana 会创建一个名为-的角色。AmazonGrafanaServiceRole {{random-id}}**然后,Amazon Managed Grafana 会为你选择从亚马逊托管 Grafana 工作空间访问的 AWS 每项服务附加一个策略。
**CloudWatch**
Amazon Managed Grafana 附加 AWS 了托管策略。**AmazonGrafanaCloudWatchAccess**
**对于在创建**AmazonGrafanaCloudWatchAccess**托管策略 CloudWatch 之前使用的工作空间,Amazon Managed Grafana 创建了一个名为-的客户托管策略。AmazonGrafanaCloudWatchPolicy {{random-id}}**
**亚马逊 OpenSearch 服务**
**Amazon Managed Grafana 创建了一个名为-的客户托管政策。AmazonGrafanaOpenSearchPolicy {{random-id}}**访问数据源需要这些 Get/Post 权限。Amazon Managed Grafana 使用这些 List/Describe 权限来发现数据源,但这些权限并不是数据源插件运行所必需的。策略的内容如下所示:
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "es:ESHttpPost",
"Resource": [
"arn:aws:es:*:*:domain/*/_msearch*",
"arn:aws:es:*:*:domain/*/_opendistro/_ppl"
]
}
]
}
```
**AWS IoT SiteWise**
Amazon Managed Grafana 附加 AWS 了托管策略。**AWSIoTSiteWiseReadOnlyAccess**
**Amazon Redshift**
Amazon Managed Grafana 附加 AWS 了托管策略。**AmazonGrafanaRedshiftAccess**
**Amazon Athena**
Amazon Managed Grafana 附加 AWS 了托管策略。**AmazonGrafanaAthenaAccess**
**Amazon Managed Service for Prometheus**
**Amazon Managed Grafana 创建了一个名为-的客户托管政策。AmazonGrafanaPrometheusPolicy {{random-id}}**Amazon Managed Grafana 使用这些 List/Describe 权限来发现数据源,插件无需这些权限即可运行。策略的内容如下所示:
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aps:ListWorkspaces",
"aps:DescribeWorkspace",
"aps:QueryMetrics",
"aps:GetLabels",
"aps:GetSeries",
"aps:GetMetricMetadata"
],
"Resource": "*"
}
]
}
```
**Amazon SNS**
**Amazon Managed Grafana 创建了一个名为-的客户托管政策。AmazonGrafanaSNSPolicy {{random-id}}**该策略限制您只能使用账户中以字符串 `grafana` 开头的 SNS 主题。如果您创建了自己的策略,则无需受此限制。策略的内容如下所示:
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": [
"arn:aws:sns:*:{{111122223333}}:grafana*"
]
}
]
}
```
**Timestream**
Amazon Managed Grafana 附加 AWS 了托管策略。**AmazonTimestreamReadOnlyAccess**
**X-Ray**
Amazon Managed Grafana 附加 AWS 了托管策略。**AWSXrayReadOnlyAccess**
## Service-managed 组织的权限
该模式仅支持在组织的管理账户或委托管理员账户中创建的工作区。委托管理员账户可以为组织创建和管理堆栈集。有关委托管理员账户的更多信息,请参阅[注册委托管理员](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html)。
**注意**
在组织的管理账户中创建诸如 Amazon Managed Grafana 工作空间之类的资源违反了安全最佳实践。 AWS
在此模式下,Amazon Managed Grafana 会创建 AWS 访问组织中其他账户中的资源所需的所有 IAM 角色。 AWS **在您选择的组织单位中的每个账户中,Amazon Managed Grafana 都会创建一个名为-的角色。AmazonGrafanaOrgMemberRole {{random-id}}**此角色创建是通过与的集成来执行 AWS CloudFormation StackSets的。
对于您选择在工作空间中使用的每个 AWS 数据源,该角色都有一个附加的策略。有关这些数据策略的内容,请参阅 [Service-managed 单个账户的权限](#AMG-service-managed-account)。
Amazon Managed Grafana 还在组织的管理账户中创建了一个**AmazonGrafanaOrgAdminRole名为 {{random-id}}**-的角色。此角色允许 Amazon Managed Grafana 工作空间访问组织中的其他账户。 AWS 服务通知渠道策略也将附加到此角色。使用工作区中的 **AWS 数据来源**菜单,可为工作区可以访问的每个账户快速预置数据来源。
要使用此模式,您必须在组织中启用 CloudFormation Stacksets 作为可信服务。 AWS 有关更多信息,请参阅使用[启用可信访问 AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html)。
以下是 **AmazonGrafanaStackSet-{{random-id}}** 堆栈集的内容:
```
Parameters:
IncludePrometheusPolicy:
Description: Whether to include Amazon Prometheus access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeAESPolicy:
Description: Whether to include Amazon Elasticsearch access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeCloudWatchPolicy:
Description: Whether to include CloudWatch access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeTimestreamPolicy:
Description: Whether to include Amazon Timestream access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeXrayPolicy:
Description: Whether to include AWS X-Ray access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeSitewisePolicy:
Description: Whether to include AWS IoT SiteWise access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeRedshiftPolicy:
Description: Whether to include Amazon Redshift access in the role
Type: String
AllowedValues:
- true
- false
Default: false
IncludeAthenaPolicy:
Description: Whether to include Amazon Athena access in the role
Type: String
AllowedValues:
- true
- false
Default: false
RoleName:
Description: Name of the role to create
Type: String
AdminAccountId:
Description: Account ID of the Amazon Grafana org admin
Type: String
Conditions:
addPrometheus: !Equals [!Ref IncludePrometheusPolicy, true]
addAES: !Equals [!Ref IncludeAESPolicy, true]
addCloudWatch: !Equals [!Ref IncludeCloudWatchPolicy, true]
addTimestream: !Equals [!Ref IncludeTimestreamPolicy, true]
addXray: !Equals [!Ref IncludeXrayPolicy, true]
addSitewise: !Equals [!Ref IncludeSitewisePolicy, true]
addRedshift: !Equals [!Ref IncludeRedshiftPolicy, true]
addAthena: !Equals [!Ref IncludeAthenaPolicy, true]
Resources:
PrometheusPolicy:
Type: AWS::IAM::Policy
Condition: addPrometheus
Properties:
Roles:
- !Ref GrafanaMemberServiceRole
PolicyName: AmazonGrafanaPrometheusPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- aps:QueryMetrics
- aps:GetLabels
- aps:GetSeries
- aps:GetMetricMetadata
- aps:ListWorkspaces
- aps:DescribeWorkspace
Resource: '*'
AESPolicy:
Type: AWS::IAM::Policy
Condition: addAES
Properties:
Roles:
- !Ref GrafanaMemberServiceRole
PolicyName: AmazonGrafanaElasticsearchPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowReadingESDomains
Effect: Allow
Action:
- es:ESHttpGet
- es:ESHttpPost
- es:ListDomainNames
- es:DescribeElasticsearchDomains
Resource: '*'
CloudWatchPolicy:
Type: AWS::IAM::Policy
Condition: addCloudWatch
Properties:
Roles:
- !Ref GrafanaMemberServiceRole
PolicyName: AmazonGrafanaCloudWatchPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: AllowReadingMetricsFromCloudWatch
Effect: Allow
Action:
- cloudwatch:DescribeAlarmsForMetric
- cloudwatch:DescribeAlarmHistory
- cloudwatch:DescribeAlarms
- cloudwatch:ListMetrics
- cloudwatch:GetMetricStatistics
- cloudwatch:GetMetricData
- cloudwatch:GetInsightRuleReport
Resource: "*"
- Sid: AllowReadingLogsFromCloudWatch
Effect: Allow
Action:
- logs:DescribeLogGroups
- logs:GetLogGroupFields
- logs:StartQuery
- logs:StopQuery
- logs:GetQueryResults
- logs:GetLogEvents
Resource: "*"
- Sid: AllowReadingTagsInstancesRegionsFromEC2
Effect: Allow
Action:
- ec2:DescribeTags
- ec2:DescribeInstances
- ec2:DescribeRegions
Resource: "*"
- Sid: AllowReadingResourcesForTags
Effect: Allow
Action:
- tag:GetResources
Resource: "*"
GrafanaMemberServiceRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AdminAccountId}:root
Action:
- 'sts:AssumeRole'
Path: /service-role/
ManagedPolicyArns:
- !If [addTimestream, arn:aws:iam::aws:policy/AmazonTimestreamReadOnlyAccess, !Ref AWS::NoValue]
- !If [addXray, arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess, !Ref AWS::NoValue]
- !If [addSitewise, arn:aws:iam::aws:policy/AWSIoTSiteWiseReadOnlyAccess, !Ref AWS::NoValue]
- !If [addRedshift, arn:aws:iam::aws:policy/service-role/AmazonGrafanaRedshiftAccess, !Ref AWS::NoValue]
- !If [addAthena, arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess, !Ref AWS::NoValue]
```
以下是 **AmazonGrafanaOrgAdminPolicy-** 的内容{{random-id}}。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"organizations:ListAccountsForParent",
"organizations:ListOrganizationalUnitsForParent"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-{{organizationId}}"
}
}
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::*:role/service-role/AmazonGrafanaOrgMemberRole-{{random-Id}}"
}]
}
```
------
## Customer-managed 权限
如果您选择使用客户管理的权限,在创建 Amazon Managed Grafana 工作区时,应指定账户中现有的 IAM 角色。该角色必须具有信任 `grafana.amazonaws.com` 的信任策略。
以下是此类策略的一个示例:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "grafana.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
该角色要访问该账户中的 AWS 数据源或通知渠道,必须具有本节前面列出的策略中的权限。例如,要使用 CloudWatch 数据源,它必须具有中列出的 CloudWatch 策略中的权限[Service-managed 单个账户的权限](#AMG-service-managed-account)。
只有为了使`List`数据源发现和配置正常 OpenSearch 运行,才需要中显示的亚马逊服务和亚马逊 Prometheus 托管服务策略[Service-managed 单个账户的权限](#AMG-service-managed-account)中的和`Describe`权限。如果您只想手动设置这些数据来源,则不需要这些权限。
**Cross-account access**
在账户 11111111111111 中创建工作区时,必须提供账户 111111111111111 中的角色。在此示例中,请调用此角色*WorkspaceRole*。要访问账户 999999999999 中的数据,必须在账户 999999999999 中创建一个角色。这样称呼*DataSourceRole*。然后,您必须在*WorkspaceRole*和之间建立信任关系*DataSourceRole*。有关在两个角色之间建立信任的更多信息,请参阅 [IAM 教程:使用 IAM 角色委派跨 AWS 账户的访问权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html)。
*DataSourceRole*对于要使用的每个数据源,都需要包含本节前面列出的策略声明。建立信任关系后,您可以在工作区中任何数据源的数据源配置页面的**假设角色 ARN 字段中指定 *DataSourceRole*(arn: aws: iam:: 9999999999: role:DataSourceRole) 的 ARN**。 AWS 然后,数据源使用中定义的权限访问账户 999999999999。*DataSourceRole*