本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 在 中設定事件警示的許可 AWS IoT SiteWise
當您使用 AWS IoT Events 警示模型來監控 AWS IoT SiteWise 資產屬性時,您必須擁有下列 IAM 許可:
+ 允許 將資料 AWS IoT Events 傳送至其中 AWS IoT Events 的服務角色 AWS IoT SiteWise。如需詳細資訊,請參閱《 *AWS IoT Events 開發人員指南*》中的 [的 Identity and Access Management AWS IoT Events](https://docs.aws.amazon.com/iotevents/latest/developerguide/security-iam.html)。
+ 您必須具有下列 AWS IoT SiteWise 動作許可: `iotsitewise:DescribeAssetModel`和 `iotsitewise:UpdateAssetModelPropertyRouting`。這些許可允許 AWS IoT SiteWise 將資產屬性值傳送至 AWS IoT Events 警示模型。
如需詳細資訊,請參閱《*IAM 使用者指南*》中的[資源型政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based)。
## 必要的動作許可
管理員可以使用 AWS JSON 政策來指定誰可以存取內容。也就是說,哪個**主體**在什麼**條件**下可以對什麼**資源**執行哪些**動作**。JSON 政策的 `Action` 元素描述您可以用來允許或拒絕政策中存取的動作。
定義 AWS IoT Events 警示模型之前,您必須授予下列許可, AWS IoT SiteWise 允許 將資產屬性值傳送至警示模型。
+ `iotsitewise:DescribeAssetModel`、 `iotsitewise:ListAssetModels` – 允許 AWS IoT Events 檢查資產屬性是否存在。
+ `iotsitewise:UpdateAssetModelPropertyRouting` – 允許 AWS IoT SiteWise 自動建立訂閱,讓 AWS IoT SiteWise 將資料傳送到其中 AWS IoT Events。
如需 AWS IoT SiteWise 支援動作的詳細資訊,請參閱《*服務授權參考*》中的 [定義的動作 AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html#awsiotsitewise-actions-as-permissions)。
**Example 範例許可政策 1**
下列政策允許 AWS IoT SiteWise 將資產屬性值傳送至任何 AWS IoT Events 警示模型。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotevents:CreateAlarmModel",
"iotevents:UpdateAlarmModel"
],
"Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
},
{
"Effect": "Allow",
"Action": [
"iotsitewise:DescribeAssetModel",
"iotsitewise:ListAssetModels",
"iotsitewise:UpdateAssetModelPropertyRouting"
],
"Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
}
]
}
```
**Example 範例許可政策 2**
下列政策允許 AWS IoT SiteWise 將指定資產屬性的值傳送至指定的 AWS IoT Events 警示模型。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotevents:CreateAlarmModel",
"iotevents:UpdateAlarmModel"
],
"Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
},
{
"Effect": "Allow",
"Action": [
"iotsitewise:DescribeAssetModel",
"iotsitewise:ListAssetModels"
],
"Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
},
{
"Effect": "Allow",
"Action": [
"iotsitewise:UpdateAssetModelPropertyRouting"
],
"Resource": [
"arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
],
"Condition": {
"StringLike": {
"iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
"aws:ResourceTag/AlarmModel": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
}
}
}
]
}
```
## (選用) ListInputRoutings 許可
當您更新或刪除資產模型時, AWS IoT SiteWise 可以檢查 中的 AWS IoT Events 警示模型是否正在監控與此資產模型相關聯的資產屬性。這可防止您刪除 AWS IoT Events 警示目前正在使用的資產屬性。若要在 中啟用此功能 AWS IoT SiteWise,您必須擁有 `iotevents:ListInputRoutings`許可。此許可允許 AWS IoT SiteWise 呼叫 支援的 [ListInputRoutings](https://docs.aws.amazon.com/iotevents/latest/apireference/API_ListInputRoutings.html) API 操作 AWS IoT Events。
**注意**
我們強烈建議您新增 `ListInputRoutings`許可。
**Example 許可政策範例**
下列政策可讓您更新和刪除資產模型,並在其中使用 `ListInputRoutings` API AWS IoT SiteWise。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotsitewise:UpdateAssetModel",
"iotsitewise:DeleteAssetModel",
"iotevents:ListInputRoutings"
],
"Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
}
]
}
```
------
## SiteWise Monitor 的必要許可
如果您想要在 SiteWise Monitor 入口網站中使用警示功能,您必須使用下列政策更新 [SiteWise Monitor 服務角色](monitor-service-role.md):
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotsitewise:DescribePortal",
"iotsitewise:CreateProject",
"iotsitewise:DescribeProject",
"iotsitewise:UpdateProject",
"iotsitewise:DeleteProject",
"iotsitewise:ListProjects",
"iotsitewise:BatchAssociateProjectAssets",
"iotsitewise:BatchDisassociateProjectAssets",
"iotsitewise:ListProjectAssets",
"iotsitewise:CreateDashboard",
"iotsitewise:DescribeDashboard",
"iotsitewise:UpdateDashboard",
"iotsitewise:DeleteDashboard",
"iotsitewise:ListDashboards",
"iotsitewise:CreateAccessPolicy",
"iotsitewise:DescribeAccessPolicy",
"iotsitewise:UpdateAccessPolicy",
"iotsitewise:DeleteAccessPolicy",
"iotsitewise:ListAccessPolicies",
"iotsitewise:DescribeAsset",
"iotsitewise:ListAssets",
"iotsitewise:ListAssociatedAssets",
"iotsitewise:DescribeAssetProperty",
"iotsitewise:GetAssetPropertyValue",
"iotsitewise:GetAssetPropertyValueHistory",
"iotsitewise:GetAssetPropertyAggregates",
"iotsitewise:BatchPutAssetPropertyValue",
"iotsitewise:ListAssetRelationships",
"iotsitewise:DescribeAssetModel",
"iotsitewise:ListAssetModels",
"iotsitewise:UpdateAssetModel",
"iotsitewise:UpdateAssetModelPropertyRouting",
"sso-directory:DescribeUsers",
"sso-directory:DescribeUser",
"iotevents:DescribeAlarmModel",
"iotevents:ListTagsForResource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iotevents:BatchAcknowledgeAlarm",
"iotevents:BatchSnoozeAlarm",
"iotevents:BatchEnableAlarm",
"iotevents:BatchDisableAlarm"
],
"Resource": "*",
"Condition": {
"Null": {
"iotevents:keyValue": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"iotevents:CreateAlarmModel",
"iotevents:TagResource"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/iotsitewisemonitor": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"iotevents:UpdateAlarmModel",
"iotevents:DeleteAlarmModel"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/iotsitewisemonitor": "false"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"iotevents.amazonaws.com"
]
}
}
}
]
}
```
------