

• After April 30, 2026, the AWS Systems Manager CloudWatch Dashboard will no longer be available. Customers can continue to use the Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see the [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html).

This page is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.

# S3 bucket policies for the Systems Manager unified console
<a name="remediate-s3-bucket-policies"></a>

This topic contains the Amazon S3 bucket policies that Systems Manager creates when you onboard an organization or a single account to the Systems Manager unified console.

**Warning**  
Modifying the default bucket policy may allow member accounts in the organization to discover each other, or to read the diagnostic output of instances in other accounts. If you choose to modify this policy, proceed with caution.

## Amazon S3 bucket policy for an organization
<a name="s3-bucket-policy-organization"></a>

When you onboard an organization to Systems Manager, the diagnostic bucket is created with the following default bucket policy.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyHTTPRequests",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyNonSigV4Requests",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:SignatureVersion": "AWS4-HMAC-SHA256"
                }
            }
        },
        {
            "Sid": "AllowAccessLog",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}/access-logs/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{000000000000}}"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}/actions/*/${aws:PrincipalAccount}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "{{organization-id}}"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountWrite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}/actions/*/${aws:PrincipalAccount}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "{{organization-id}}"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole-{{operational-123456789012-home-region}}",
                        "arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole-{{operational-123456789012-home-region}}",
                        "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole-{{operational-123456789012-home-region}}",
                        "arn:aws:iam::*:role/AWS-SSM-RemediationAdminRole-{{operational-123456789012-home-region}}"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCrossAccountListUnderAccountOwnPrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "{{organization-id}}"
                },
                "StringLike": {
                    "s3:prefix": "*/${aws:PrincipalAccount}/*"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountGetConfigWithinOrganization",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetEncryptionConfiguration",
            "Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "{{organization-id}}"
                }
            }
        }
    ]
}
```

------
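The organization policy above keeps accounts apart by two devices: every cross-account `Allow` is limited to the organization with `aws:PrincipalOrgID`, and object access and listing are confined to the caller's own `${aws:PrincipalAccount}` path segment. The following lint, an added example that is not part of the AWS documentation or of Systems Manager itself, checks those invariants (plus the presence of the two `Deny` guards) on a policy document and flags the kind of edit the warning describes. The embedded policy is a constructed, abbreviated copy of the page's organization policy, and `o-exampleorgid` is a made-up organization id.

```python
import copy

BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"            # the page's placeholder bucket
ACCOUNT_SCOPE = "${aws:PrincipalAccount}"               # per-account path segment
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
REQUIRED_DENIES = {"DenyHTTPRequests", "DenyNonSigV4Requests"}

def _as_list(v): return v if isinstance(v, list) else [v]

def baseline_policy() -> dict:
    """Constructed, abbreviated copy of the page's organization policy; o-exampleorgid is made up."""
    org = {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyHTTPRequests", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"], "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonSigV4Requests", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"StringNotEquals": {"s3:SignatureVersion": "AWS4-HMAC-SHA256"}}},
        {"Sid": "AllowCrossAccountRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": BUCKET + "/actions/*/" + ACCOUNT_SCOPE + "/*", "Condition": org},
        {"Sid": "AllowCrossAccountListUnderAccountOwnPrefix", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": BUCKET,
         "Condition": {**org, "StringLike": {"s3:prefix": "*/" + ACCOUNT_SCOPE + "/*"}}},
    ]}

def lint_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the per-account isolation invariants hold."""
    stmts = policy["Statement"]
    findings = [f"missing guard statement {sid}"
                for sid in sorted(REQUIRED_DENIES - {s.get("Sid") for s in stmts})]
    for s in stmts:
        if s.get("Effect") != "Allow" or s.get("Principal") != "*":
            continue  # denies and service principals are not cross-account grants
        sid, cond, actions = s["Sid"], s.get("Condition", {}), set(_as_list(s["Action"]))
        if not cond.get("StringEquals", {}).get("aws:PrincipalOrgID"):
            findings.append(f"{sid}: wildcard principal is not limited to the organization")
        if "s3:ListBucket" in actions and ACCOUNT_SCOPE not in cond.get("StringLike", {}).get("s3:prefix", ""):
            findings.append(f"{sid}: ListBucket can enumerate other accounts' prefixes")
        for res in _as_list(s["Resource"]) if OBJECT_ACTIONS & actions else []:
            if ACCOUNT_SCOPE not in res:
                findings.append(f"{sid}: {res} is not confined to the caller's account")
    return findings

def weakened_policy() -> dict:
    """The kind of edit the warning describes: the read grant loses its account segment."""
    p = copy.deepcopy(baseline_policy())
    read = next(s for s in p["Statement"] if s["Sid"] == "AllowCrossAccountRead")
    read["Resource"] = BUCKET + "/actions/*"   # any org member could now read every account's output
    return p
```

Run `lint_policy` against the live policy document (for example the output of `aws s3api get-bucket-policy`, parsed with `json.loads`) after any change to the diagnostic bucket; an empty result means the isolation the default policy provides is still intact.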

## Amazon S3 bucket policy for a single account
<a name="s3-bucket-policy-account"></a>

When you onboard a single account to Systems Manager, the diagnostic bucket is created with the following default bucket policy.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTPRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
        "arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "DenyNonSigV4Requests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
        "arn:aws:s3:::{{amzn-s3-demo-bucket}}/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:SignatureVersion": "AWS4-HMAC-SHA256"
        }
      }
    }
  ]
}
```

------