• AWS Systems Manager CloudWatch 控制面板在 2026 年 4 月 30 日之后将不再可用。客户可以像现在一样继续使用 Amazon CloudWatch 控制台来查看、创建和管理其 Amazon CloudWatch 控制面板。有关更多信息,请参阅 [Amazon CloudWatch 控制面板文档](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html)。
# 设置基于身份的策略示例
以下部分提供了 AWS Systems Manager Automation 服务的基于 IAM 身份的策略示例。要详细了解如何使用这些示例 JSON 策略文档创建基于 IAM 身份的策略,请参阅《IAM 用户指南》**中的[创建 IAM 策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor)。
**注意**
所有示例都包含虚构的账户 ID。不应在 AWS 自有公共文档的 Amazon 资源名称(ARN)中指定账户 ID。
**示例**
+ [示例 1:允许用户运行自动化文档并查看自动化执行情况](#automation-setup-identity-based-policies-example-1)
+ [示例 2:允许用户运行自动化文档的特定版本](#automation-setup-identity-based-policies-example-2)
+ [示例 3:允许用户执行具有特定标签的自动化文档](#automation-setup-identity-based-policies-example-3)
+ [示例 4:当为自动化执行提供了特定的标签参数时,允许用户运行自动化文档](#automation-setup-identity-based-policies-example-4)
## 示例 1:允许用户运行自动化文档并查看自动化执行情况
以下示例 IAM 策略允许用户执行以下操作:
+ 运行策略中指定的自动化文档。文档名称由以下条目确定。
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
+ 停止并向自动化执行发送信号。
+ 在自动化执行启动后查看其详细信息。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}",
"arn:aws:ssm:*:111122223333:automation-execution/*"
]
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
```
------
## 示例 2:允许用户运行自动化文档的特定版本
以下示例 IAM 策略允许用户运行自动化文档的特定版本:
+ 自动化文档名称由以下条目确定。
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
+ 自动化文档版本由以下条目确定。
```
"ssm:DocumentVersion": "5"
```
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}"
],
"Condition": {
"ForAnyValue:StringEquals": {
"ssm:DocumentVersion": ["5"]
}
}
},
{
"Action": [
"ssm:StartAutomationExecution"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
```
------
## 示例 3:允许用户执行具有特定标签的自动化文档
以下示例 IAM 策略允许用户执行具有特定标签的任何自动化文档:
+ 自动化文档名称由以下条目确定。
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
+ 自动化文档标签由以下条目确定。
```
"ssm:DocumentVersion": "5"
```
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/stage": "production"
}
}
},
{
"Action": [
"ssm:StartAutomationExecution"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
```
------
## 示例 4:当为自动化执行提供了特定的标签参数时,允许用户运行自动化文档
当为自动化执行提供了特定的标签参数时,以下示例 IAM 策略向用户授予运行自动化文档的权限:
+ 运行策略中指定的自动化文档。文档名称由以下条目确定。
```
arn:aws:ssm:*:111122223333:document/{{DocumentName}}
```
+ 必须为自动化执行提供特定的标签参数。自动化执行资源的标签参数由以下条目确定。
```
"aws:ResourceTag/stage": "production"
```
+ 停止并向具有指定标签的自动化执行发送信号。
+ 查看有关具有指定标签的自动化执行的详细信息。
+ 为 SSM 资源添加指定标签
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}"
]
},
{
"Action": [
"ssm:StartAutomationExecution",
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:ResourceTag/environment": "beta"
}
}
},
{
"Action": "ssm:AddTagsToResource",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
]
}
]
}
```
------