本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 自动计划执行报告权限
<a name="security_iam_region_switch_reports"></a>

 以下是您为区域切换计划配置自动生成报告时要附加的示例策略。此政策包括向 Amazon S3 撰写报告、访问 CloudWatch 警报数据以及检索家长计划的子计划信息的权限。

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmHistory"
      ],
      "Resource": [
        "arn:aws:cloudwatch:us-east-1:123456789012:alarm:app-health-primary"
        "arn:aws:cloudwatch:us-west-2:123456789012:alarm:app-health-secondary"
      ],
    },
    {
      "Effect": "Allow",
      "Action": [
        "arc-region-switch:GetPlanExecution",
        "arc-region-switch:ListPlanExecutionEvents"
      ],
      "Resource": [
        "arn:aws:arc-region-switch:us-east-1:123456789012:plan/child-plan-1/abcde1",
        "arn:aws:arc-region-switch:us-west-2:123456789012:plan/child-plan-2/fghij2"
      ],
    }
  ]
}
```

 注意：如果您为 Amazon S3 存储桶加密配置客户托管密 AWS KMS 钥，则还必须为该密钥添加`kms:GenerateDataKey`和`kms:Encrypt`权限。