本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS 的 受管政策 AWS IoT SiteWise
使用 AWS 受管政策來簡化使用者、群組和角色的新增許可,而不是自行撰寫政策。建立提供團隊精確許可的 [IAM 客戶受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html)需要時間和專業知識。為了加快設定速度,請考慮將我們的 AWS 受管政策用於常見使用案例。尋找您 AWS 帳戶中的 AWS 受管政策。如需 AWS 受管政策的更多相關資訊,請參閱「IAM 使用者指南」**中的 [AWS 受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)。
AWS 服務負責更新和維護 AWS 受管政策,這表示您無法修改這些政策的許可。有時, AWS IoT SiteWise 可能會新增許可以容納新功能,影響附加政策的所有身分。這類更新在引進新服務或功能時很常見。不過,許可永遠不會移除,確保您的設定保持不變。
此外, AWS 支援跨多個 服務之任務函數的受管政策。例如,**ReadOnlyAccess** AWS 受管政策提供所有 AWS 服務和資源的唯讀存取權。當服務啟動新功能時, 會為新操作和資源 AWS 新增唯讀許可。如需任務函數政策說明的清單,請參閱《*IAM 使用者指南*》中的[AWS 任務函數的受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html)。
## AWS 受管政策:AWSIoTSiteWiseReadOnlyAccess
使用 `AWSIoTSiteWiseReadOnlyAccess` AWS 受管政策允許唯讀存取 AWS IoT SiteWise。
您可將 `AWSIoTSiteWiseReadOnlyAccess` 政策連接到 IAM 身分。
**服務層級許可**
此政策提供 的唯讀存取權 AWS IoT SiteWise,包括執行唯讀 SQL 查詢的許可。此政策中不包含任何其他服務許可。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iotsitewise:BatchGetAssetPropertyAggregates",
"iotsitewise:BatchGetAssetPropertyValue",
"iotsitewise:BatchGetAssetPropertyValueHistory",
"iotsitewise:DescribeAccessPolicy",
"iotsitewise:DescribeAction",
"iotsitewise:DescribeAsset",
"iotsitewise:DescribeAssetCompositeModel",
"iotsitewise:DescribeAssetModel",
"iotsitewise:DescribeAssetModelCompositeModel",
"iotsitewise:DescribeAssetModelInterfaceRelationship",
"iotsitewise:DescribeAssetProperty",
"iotsitewise:DescribeBulkImportJob",
"iotsitewise:DescribeComputationModel",
"iotsitewise:DescribeComputationModelExecutionSummary",
"iotsitewise:DescribeDashboard",
"iotsitewise:DescribeDataset",
"iotsitewise:DescribeDefaultEncryptionConfiguration",
"iotsitewise:DescribeExecution",
"iotsitewise:DescribeGateway",
"iotsitewise:DescribeGatewayCapabilityConfiguration",
"iotsitewise:DescribeLoggingOptions",
"iotsitewise:DescribePortal",
"iotsitewise:DescribeProject",
"iotsitewise:DescribeStorageConfiguration",
"iotsitewise:DescribeTimeSeries",
"iotsitewise:GetAssetPropertyAggregates",
"iotsitewise:GetAssetPropertyValue",
"iotsitewise:GetAssetPropertyValueHistory",
"iotsitewise:GetInterpolatedAssetPropertyValues",
"iotsitewise:ListAccessPolicies",
"iotsitewise:ListActions",
"iotsitewise:ListAssetModelCompositeModels",
"iotsitewise:ListAssetModelProperties",
"iotsitewise:ListAssetModels",
"iotsitewise:ListAssetProperties",
"iotsitewise:ListAssetRelationships",
"iotsitewise:ListAssets",
"iotsitewise:ListAssociatedAssets",
"iotsitewise:ListBulkImportJobs",
"iotsitewise:ListCompositionRelationships",
"iotsitewise:ListComputationModelDataBindingUsages",
"iotsitewise:ListComputationModelResolveToResources",
"iotsitewise:ListComputationModels",
"iotsitewise:ListDashboards",
"iotsitewise:ListDatasets",
"iotsitewise:ListExecutions",
"iotsitewise:ListGateways",
"iotsitewise:ListInterfaceRelationships",
"iotsitewise:ListPortals",
"iotsitewise:ListProjectAssets",
"iotsitewise:ListProjects",
"iotsitewise:ListTagsForResource",
"iotsitewise:ListTimeSeries"
],
"Resource": "*"
}
]
}
```
------
## AWS 受管政策:AWSServiceRoleForIoTSiteWise
`AWSServiceRoleForIoTSiteWise` 角色使用具有下列許可`AWSServiceRoleForIoTSiteWise`的政策。此政策:
+ 允許 部署 SiteWise Edge 閘道 AWS IoT SiteWise (在 上執行`AWS IoT Greengrass`)。
+ 允許 AWS IoT SiteWise 執行記錄。
+ 允許 對 AWS IoT TwinMaker 資料庫 AWS IoT SiteWise 執行中繼資料搜尋查詢。
如果您使用 AWS IoT SiteWise 搭配單一使用者帳戶,`AWSServiceRoleForIoTSiteWise`角色會在您的 IAM 帳戶中建立`AWSServiceRoleForIoTSiteWise`政策,並將其連接至 `AWSServiceRoleForIoTSiteWise`的服務連結角色。 [AWS IoT SiteWise](using-service-linked-roles.md)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSiteWiseReadGreenGrass",
"Effect": "Allow",
"Action": [
"greengrass:GetAssociatedRole",
"greengrass:GetCoreDefinition",
"greengrass:GetCoreDefinitionVersion",
"greengrass:GetGroup",
"greengrass:GetGroupVersion"
],
"Resource": "*"
},
{
"Sid": "AllowSiteWiseAccessLogGroup",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DescribeLogGroups"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*"
},
{
"Sid": "AllowSiteWiseAccessLog",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
},
{
"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
"Effect": "Allow",
"Action": [
"iottwinmaker:GetWorkspace",
"iottwinmaker:ExecuteQuery"
],
"Resource": "arn:aws:iottwinmaker:*:*:workspace/*",
"Condition": {
"ForAnyValue:StringEquals": {
"iottwinmaker:linkedServices": [
"IOTSITEWISE"
]
}
}
}
]
}
```
------
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSiteWiseReadGreenGrass",
"Effect": "Allow",
"Action": [
"greengrass:GetAssociatedRole",
"greengrass:GetCoreDefinition",
"greengrass:GetCoreDefinitionVersion",
"greengrass:GetGroup",
"greengrass:GetGroupVersion"
],
"Resource": "*"
},
{
"Sid": "AllowSiteWiseAccessLogGroup",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DescribeLogGroups"
],
"Resource": "arn:aws-us-gov:logs:*:*:log-group:/aws/iotsitewise*"
},
{
"Sid": "AllowSiteWiseAccessLog",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "arn:aws-us-gov:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
},
{
"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
"Effect": "Allow",
"Action": [
"iottwinmaker:GetWorkspace",
"iottwinmaker:ExecuteQuery"
],
"Resource": "arn:aws-us-gov:iottwinmaker:*:*:workspace/*",
"Condition": {
"ForAnyValue:StringEquals": {
"iottwinmaker:linkedServices": [
"IOTSITEWISE"
]
}
}
}
]
}
```
------
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowSiteWiseReadGreenGrass",
"Effect": "Allow",
"Action": [
"greengrass:GetAssociatedRole",
"greengrass:GetCoreDefinition",
"greengrass:GetCoreDefinitionVersion",
"greengrass:GetGroup",
"greengrass:GetGroupVersion"
],
"Resource": "*"
},
{
"Sid": "AllowSiteWiseAccessLogGroup",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DescribeLogGroups"
],
"Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*"
},
{
"Sid": "AllowSiteWiseAccessLog",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "arn:aws-cn:logs:*:*:log-group:/aws/iotsitewise*:log-stream:*"
},
{
"Sid": "AllowSiteWiseAccessSiteWiseManagedWorkspaceInTwinMaker",
"Effect": "Allow",
"Action": [
"iottwinmaker:GetWorkspace",
"iottwinmaker:ExecuteQuery"
],
"Resource": "arn:aws-cn:iottwinmaker:*:*:workspace/*",
"Condition": {
"ForAnyValue:StringEquals": {
"iottwinmaker:linkedServices": [
"IOTSITEWISE"
]
}
}
}
]
}
```
------
## AWS IoT SiteWise AWS 受管政策的更新
您可以檢視 AWS 受管政策更新的詳細資訊 AWS IoT SiteWise,從此服務開始追蹤變更開始。如需此頁面變更的自動提醒,請訂閱 AWS IoT SiteWise 文件歷史記錄頁面上的 RSS 摘要。
| 變更 | 描述 | Date |
| --- | --- | --- |
| [AWSServiceRoleForIoTSiteWise](#security-iam-awsmanpol-AWSServiceRoleForIoTSiteWise) – 更新至現有政策 | AWS IoT SiteWise 現在可對 AWS IoT TwinMaker 資料庫執行中繼資料搜尋查詢。 | 2023 年 11 月 6 日 |
| [AWSIoTSiteWiseReadOnlyAccess](#security-iam-awsmanpol-AWSIoTSiteWiseReadOnlyAccess) – 更新現有政策 | AWS IoT SiteWise 新增了新的政策字首 `BatchGet*`,可讓您執行批次讀取操作。 | 2022 年 9 月 16 日 |
| [AWSIoTSiteWiseReadOnlyAccess](#security-iam-awsmanpol-AWSIoTSiteWiseReadOnlyAccess) – 新政策 | AWS IoT SiteWise 新增了新的政策,以授予 的唯讀存取權 AWS IoT SiteWise。 | 2021 年 11 月 24 日 |
| AWS IoT SiteWise 開始追蹤變更 | AWS IoT SiteWise 已開始追蹤其 AWS 受管政策的變更。 | 2021 年 11 月 24 日 |