

This is a machine-translated version of the English original. If there is any ambiguity or inconsistency in the content, the English version prevails.

# AWS managed policies for AWS Trusted Advisor
<a name="aws-managed-policies-for-trusted-advisor"></a>

Trusted Advisor has the following AWS managed policies.

**Contents**
+ [AWS managed policy: AWSTrustedAdvisorPriorityFullAccess](#security-iam-support-TA-priority-full-access-policy)
+ [AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess](#security-iam-support-TA-priority-read-only-policy)
+ [AWS managed policy: AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy)
+ [AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorReportingServiceRolePolicy)
+ [Updates to the Trusted Advisor AWS managed policies](#security-iam-awsmanpol-updates-trusted-advisor)

## AWS managed policy: AWSTrustedAdvisorPriorityFullAccess
<a name="security-iam-support-TA-priority-full-access-policy"></a>

The [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityFullAccess$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityFullAccess$jsonEditor) policy grants full access to Trusted Advisor Priority. This policy also allows the user to add Trusted Advisor as a trusted service in AWS Organizations and to specify the delegated administrator accounts for Trusted Advisor Priority.

**Permissions details**

In the first statement, the policy includes the following permissions for `trustedadvisor`:
+ Describe your account and organization.
+ Describe the identified risks from Trusted Advisor Priority. The permissions allow you to download risks and update their status.
+ Describe the configuration of Trusted Advisor Priority email notifications. The permissions allow you to configure email notifications and to disable them for delegated administrators.
+ Set up Trusted Advisor so that your account can enable AWS Organizations.

In the second statement, the policy includes the following permissions for `organizations`:
+ Describe your account and organization.
+ List the AWS services that you have enabled to use Organizations.

In the third statement, the policy includes the following permissions for `organizations`:
+ List the delegated administrators for Trusted Advisor Priority.
+ Enable and disable trusted access for Organizations.

In the fourth statement, the policy includes the following permission for `iam`:
+ Create the `AWSServiceRoleForTrustedAdvisorReporting` service-linked role.

In the fifth statement, the policy includes the following permission for `organizations`:
+ Register and deregister delegated administrators for Trusted Advisor Priority.

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityFullAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:UpdateRiskStatus",
				"trustedadvisor:DescribeNotificationConfigurations",
				"trustedadvisor:UpdateNotificationConfigurations",
				"trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
				"trustedadvisor:SetOrganizationAccess"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeAccount",
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators",
				"organizations:EnableAWSServiceAccess",
				"organizations:DisableAWSServiceAccess"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "AllowCreateServiceLinkedRole",
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "arn:aws:iam::*:role/aws-service-role/reporting.trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisorReporting",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "reporting.trustedadvisor.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowRegisterDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:RegisterDelegatedAdministrator",
				"organizations:DeregisterDelegatedAdministrator"
			],
			"Resource": "arn:aws:organizations::*:*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}
```

------

## AWS managed policy: AWSTrustedAdvisorPriorityReadOnlyAccess
<a name="security-iam-support-TA-priority-read-only-policy"></a>

The [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess$jsonEditor) policy grants read-only permissions to Trusted Advisor Priority, including permission to view the delegated administrator accounts.

**Permissions details**

In the first statement, the policy includes the following permissions for `trustedadvisor`:
+ Describe your account and organization.
+ Describe the identified risks from Trusted Advisor Priority, and allow you to download them.
+ Describe the configuration of Trusted Advisor Priority email notifications.

In the second and third statements, the policy includes the following permissions for `organizations`:
+ Describe your organization with Organizations.
+ List the AWS services that you have enabled to use Organizations.
+ List the delegated administrators for Trusted Advisor Priority.

------
#### [ JSON ]

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSTrustedAdvisorPriorityReadOnlyAccess",
			"Effect": "Allow",
			"Action": [
				"trustedadvisor:DescribeAccount*",
				"trustedadvisor:DescribeOrganization",
				"trustedadvisor:DescribeRisk*",
				"trustedadvisor:DownloadRisk",
				"trustedadvisor:DescribeNotificationConfigurations"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowAccessForOrganization",
			"Effect": "Allow",
			"Action": [
				"organizations:DescribeOrganization",
				"organizations:ListAWSServiceAccessForOrganization"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowListDelegatedAdministrators",
			"Effect": "Allow",
			"Action": [
				"organizations:ListDelegatedAdministrators"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"organizations:ServicePrincipal": [
						"reporting.trustedadvisor.amazonaws.com"
					]
				}
			}
		}
	]
}
```

------
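As an added check that is not part of the AWS documentation or of the policies themselves, the following Python walks the `AWSTrustedAdvisorPriorityFullAccess` document from above: it lists the write actions that distinguish the full-access policy from the read-only one, and it verifies that every Organizations and IAM write action is pinned by a condition to `reporting.trustedadvisor.amazonaws.com`, so the policy cannot enable trusted access, create a service-linked role, or register a delegated administrator for any other service. The embedded policy is an abridged copy of the JSON above; the read-only verb heuristic (`Describe`/`List`/`Get`/`Download`) is an assumption, and the functions work on any IAM policy document, not only this one.

```python
TA_PRINCIPAL = "reporting.trustedadvisor.amazonaws.com"

# Constructed, abridged copy of the AWSTrustedAdvisorPriorityFullAccess policy
# shown above; the read-only organizations:Describe* statement is omitted.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSTrustedAdvisorPriorityFullAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["trustedadvisor:DescribeAccount*", "trustedadvisor:DescribeOrganization",
                "trustedadvisor:DescribeRisk*", "trustedadvisor:DownloadRisk",
                "trustedadvisor:UpdateRiskStatus",
                "trustedadvisor:DescribeNotificationConfigurations",
                "trustedadvisor:UpdateNotificationConfigurations",
                "trustedadvisor:DeleteNotificationConfigurationForDelegatedAdmin",
                "trustedadvisor:SetOrganizationAccess"]},
    {"Sid": "AllowListDelegatedAdministrators", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:ListDelegatedAdministrators",
                "organizations:EnableAWSServiceAccess", "organizations:DisableAWSServiceAccess"],
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
    {"Sid": "AllowCreateServiceLinkedRole", "Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/" + TA_PRINCIPAL
                 + "/AWSServiceRoleForTrustedAdvisorReporting",
     "Condition": {"StringLike": {"iam:AWSServiceName": TA_PRINCIPAL}}},
    {"Sid": "AllowRegisterDelegatedAdministrators", "Effect": "Allow",
     "Action": ["organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"],
     "Resource": "arn:aws:organizations::*:*",
     "Condition": {"StringEquals": {"organizations:ServicePrincipal": [TA_PRINCIPAL]}}},
]}


def actions_of(stmt):
    """Normalise Action, which IAM accepts as either a string or a list."""
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]

def is_read_only(action):
    """Heuristic (assumption): the API verb after 'service:' is Describe/List/Get/Download."""
    return action.split(":", 1)[1].startswith(("Describe", "List", "Get", "Download"))

def pinned_to(stmt, principal):
    """True if any condition value in the statement equals the given service principal."""
    for operator in stmt.get("Condition", {}).values():   # e.g. the StringEquals block
        for value in operator.values():                   # e.g. organizations:ServicePrincipal
            if principal in (value if isinstance(value, list) else [value]):
                return True
    return False

def mutating_actions(policy):
    """Every Allow action that is not read-only: the policy's write surface."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in actions_of(s) if not is_read_only(a)]

def unpinned_mutations(policy, principal=TA_PRINCIPAL):
    """Write actions whose statement carries no condition naming the principal."""
    return mutating_actions({"Statement": [s for s in policy["Statement"]
                                           if not pinned_to(s, principal)]})
```

For the policy as published, the only unpinned write actions are the `trustedadvisor:` ones, which are the Priority feature's own APIs; every `organizations:` and `iam:` write action is constrained to the Trusted Advisor reporting service principal.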

## AWS managed policy: AWSTrustedAdvisorServiceRolePolicy
<a name="security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy"></a>

This policy is attached to the `AWSServiceRoleForTrustedAdvisor` service-linked role. It allows the service-linked role to perform actions on your behalf. You can't attach [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy$jsonEditor) to an AWS Identity and Access Management (IAM) entity. For more information, see [Using service-linked roles for Trusted Advisor](using-service-linked-roles-ta.md).

This policy grants administrative permissions that allow the service-linked role to access AWS services. These permissions allow the Trusted Advisor checks to evaluate your account.

**Permissions details**

This policy includes the following permissions.
+ `accessanalyzer` – Describes AWS Identity and Access Management Access Analyzer resources
+ `Auto Scaling` – Describes Amazon EC2 Auto Scaling account quotas and resources
+ `cloudformation` – Describes AWS CloudFormation (CloudFormation) account quotas and stacks
+ `cloudfront` – Describes Amazon CloudFront distributions
+ `cloudtrail` – Describes AWS CloudTrail (CloudTrail) trails
+ `dynamodb` – Describes Amazon DynamoDB account quotas and resources
+ `dynamodbaccelerator` – Describes DynamoDB Accelerator resources
+ `ec2` – Describes Amazon Elastic Compute Cloud (Amazon EC2) account quotas and resources
+ `elasticloadbalancing` – Describes Elastic Load Balancing (ELB) account quotas and resources
+ `iam` – Gets IAM resources, such as credentials, password policies, and certificates
+ `networkfirewall` – Describes AWS Network Firewall resources
+ `kinesis` – Describes Amazon Kinesis (Kinesis) account quotas
+ `rds` – Describes Amazon Relational Database Service (Amazon RDS) resources
+ `redshift` – Describes Amazon Redshift resources
+ `route53` – Describes Amazon Route 53 account quotas and resources
+ `s3` – Describes Amazon Simple Storage Service (Amazon S3) resources
+ `ses` – Gets Amazon Simple Email Service (Amazon SES) sending quotas
+ `sqs` – Lists Amazon Simple Queue Service (Amazon SQS) queues
+ `cloudwatch` – Gets Amazon CloudWatch Events (CloudWatch Events) metric statistics
+ `ce` – Gets Cost Explorer Service (Cost Explorer) recommendations
+ `route53resolver` – Gets Amazon Route 53 Resolver endpoints and resources
+ `kafka` – Gets Amazon Managed Streaming for Apache Kafka resources
+ `ecs` – Gets Amazon ECS resources
+ `outposts` – Gets AWS Outposts resources

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TrustedAdvisorServiceRolePermissions",
            "Effect": "Allow",
            "Action": [
                "access-analyzer:ListAnalyzers",
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetEventSelectors",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dax:DescribeClusters",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeImages",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVolumes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:GetManagedPrefixListEntries",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTaskDefinitions",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "iam:ListSAMLProviders",
                "kinesis:DescribeLimits",
                "kafka:DescribeClusterV2",
                "kafka:ListClustersV2",
                "kafka:ListNodes",
                "network-firewall:ListFirewalls",
                "network-firewall:DescribeFirewall",
                "outposts:GetOutpost",
                "outposts:ListAssets",
                "outposts:ListOutposts",
                "rds:DescribeAccountAttributes",
                "rds:DescribeDBClusters",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeEvents",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "redshift:DescribeReservedNodeOfferings",
                "redshift:DescribeReservedNodes",
                "route53:GetAccountLimit",
                "route53:GetHealthCheck",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:ListResolverEndpointIpAddresses",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "ses:GetSendQuota",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AWSTrustedAdvisorReportingServiceRolePolicy
<a name="security-iam-awsmanpol-AWSTrustedAdvisorReportingServiceRolePolicy"></a>

This policy is attached to the `AWSServiceRoleForTrustedAdvisorReporting` service-linked role, which allows Trusted Advisor to perform actions for the organizational view feature. You can't attach [https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorReportingServiceRolePolicy$jsonEditor](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorReportingServiceRolePolicy$jsonEditor) to an IAM entity. For more information, see [Using service-linked roles for Trusted Advisor](using-service-linked-roles-ta.md).

This policy grants administrative permissions that allow the service-linked role to perform AWS Organizations actions.

**Permissions details**

This policy includes the following permissions.
+ `organizations` – Describes your organization and lists service access, accounts, parents, children, and organizational units

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## Updates to the Trusted Advisor AWS managed policies
<a name="security-iam-awsmanpol-updates-trusted-advisor"></a>

View details about updates to the AWS managed policies for AWS Support and Trusted Advisor since these services began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document history](History.md) page.

The following table describes important updates to the Trusted Advisor managed policies since August 10, 2021.

**Trusted Advisor**  

| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added actions to grant the `ecs:ListClusters`, `ecs:DescribeTasks`, `ecs:ListTasks`, and `ecs:ListTaskDefinitionFamilies` permissions. | May 14, 2026 | 
|  [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added actions to grant the `elasticloadbalancing:DescribeListeners` and `elasticloadbalancing:DescribeRules` permissions. | October 30, 2024 | 
|  [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added actions to grant the `access-analyzer:ListAnalyzers`, `cloudwatch:ListMetrics`, `dax:DescribeClusters`, `ec2:DescribeNatGateways`, `ec2:DescribeRouteTables`, `ec2:DescribeVpcEndpoints`, `ec2:GetManagedPrefixListEntries`, `elasticloadbalancing:DescribeTargetHealth`, `iam:ListSAMLProviders`, `kafka:DescribeClusterV2`, `network-firewall:ListFirewalls`, `network-firewall:DescribeFirewall`, and `sqs:GetQueueAttributes` permissions. | June 11, 2024 | 
|  [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) <br />Update to an existing policy. | Trusted Advisor added actions to grant the `cloudtrail:GetTrail`, `cloudtrail:ListTrails`, `cloudtrail:GetEventSelectors`, `outposts:GetOutpost`, `outposts:ListAssets`, and `outposts:ListOutposts` permissions. | January 18, 2024 | 
|  [AWSTrustedAdvisorPriorityFullAccess](#security-iam-support-TA-priority-full-access-policy) <br />Update to an existing policy. | Trusted Advisor updated the `AWSTrustedAdvisorPriorityFullAccess` AWS managed policy to include statement IDs. | December 6, 2023 | 
|  [AWSTrustedAdvisorPriorityReadOnlyAccess](#security-iam-support-TA-priority-read-only-policy) <br />Update to an existing policy. | Trusted Advisor updated the `AWSTrustedAdvisorPriorityReadOnlyAccess` AWS managed policy to include statement IDs. | December 6, 2023 | 
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) – Update to an existing policy | Trusted Advisor added actions to grant the `ec2:DescribeRegions`, `s3:GetLifecycleConfiguration`, `ecs:DescribeTaskDefinition`, and `ecs:ListTaskDefinitions` permissions. | November 9, 2023 | 
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) – Update to an existing policy | Trusted Advisor added the new IAM actions `route53resolver:ListResolverEndpoints`, `ec2:DescribeSubnets`, `route53resolver:ListResolverEndpointIpAddresses`, `kafka:ListClustersV2`, and `kafka:ListNodes` to support new resilience checks. | September 14, 2023 | 
|  [AWSTrustedAdvisorReportingServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorReportingServiceRolePolicy) <br />V2 of the managed policy attached to the Trusted Advisor `AWSServiceRoleForTrustedAdvisorReporting` service-linked role | Upgraded the AWS managed policy for the Trusted Advisor `AWSServiceRoleForTrustedAdvisorReporting` service-linked role to V2. V2 adds one additional IAM action, `organizations:ListDelegatedAdministrators`. | February 28, 2023 | 
|  [AWSTrustedAdvisorPriorityFullAccess](#security-iam-support-TA-priority-full-access-policy) and [AWSTrustedAdvisorPriorityReadOnlyAccess](#security-iam-support-TA-priority-read-only-policy) <br />New AWS managed policies for Trusted Advisor | Trusted Advisor added two new managed policies that you can use to control access to Trusted Advisor Priority. | August 17, 2022 | 
| [AWSTrustedAdvisorServiceRolePolicy](#security-iam-awsmanpol-AWSTrustedAdvisorServiceRolePolicy) – Update to an existing policy | Trusted Advisor added actions to grant the `DescribeTargetGroups` and `GetAccountPublicAccessBlock` permissions.<br />The **Auto Scaling Group Health Check** requires the `DescribeTargetGroups` permission to retrieve load balancers other than Classic Load Balancers that are attached to Auto Scaling groups.<br />The **Amazon Simple Storage Service (Amazon S3) Bucket Permissions** check requires the `GetAccountPublicAccessBlock` permission to retrieve the block public access settings for the AWS account. | August 10, 2021 | 
| Change log published | Trusted Advisor started tracking changes to its AWS managed policies. | August 10, 2021 | 