Managed and custom policies

Policies and permissions

Whether you grant access by creating an IAM user or through a cross-account IAM role, you need to give Site24x7 permissions. These permissions determine which specific AWS resources can be accessed.

Site24x7 requires read-only permissions on your AWS services and resources. You can assign the default read-only policy, assign our custom policy, or create your own policy.

Default read-only access policy (recommended)

To ensure there are no performance blind spots and to use the full monitoring capabilities of Site24x7, we strongly recommend assigning the default ReadOnly policy document to the IAM user/role you create. This policy grants full read-only access to all popular AWS services.

  • Currently, the read-only permissions needed to monitor Kinesis Video Streams usage are not present in the managed policy "ReadOnlyAccess". To monitor them, apply the managed policy "AmazonKinesisVideoStreamsReadOnlyAccess" together with the "ReadOnlyAccess" policy, or build a new policy from scratch in the visual editor.
  • The read-only permissions needed to monitor Route 53 Resolver are not present in the managed policy "ReadOnlyAccess". To monitor it, build a new policy from scratch in the visual editor or create a role with the necessary permissions.

These predefined policies are maintained and updated by the AWS team itself, so when we introduce monitoring support for any new AWS service, you do not need to update the permissions in your policy document.

Using Site24x7's custom policy (JSON)

Create your own custom IAM policy (visual editor)

If your organization does not allow you to assign the default ReadOnly policy, or you want finer-grained control over the permissions you grant, you can create your own policy using the point-and-click visual editor in the IAM console. The supported AWS services and the individual actions required for each service are listed below.


Supported AWS services, with the read-level actions and the partial write-level actions required for each:

CloudWatch
  Read-level actions:
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics"
  Partial write-level actions: none

DynamoDB
  Read-level actions:
    "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource",
    "dynamodb:ListBackups",
    "dynamodb:ListTables",
    "dynamodb:DescribeLimits",
    "lambda:ListEventSourceMappings"
  Partial write-level actions: none

EC2
  Read-level actions:
    "ec2:DescribeAddresses",
    "ec2:DescribeInstances",
    "ec2:DescribeSnapshotAttribute",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeSnapshots",
    "ec2:DescribeInstanceCreditSpecifications",
    "ec2:GetConsoleOutput",
    "ec2:DescribeImages",
    "ec2:DescribeVolumeStatus",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVolumes",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeElasticGpus",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeVpcs",
    "ec2:DescribeFlowLogs",
    "ec2:DescribeNatGateways",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeRouteTables",
    "ec2:DescribeNetworkAcls",
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeAutoScalingGroups"
  Partial write-level actions:
    "ec2:RebootInstances",
    "ec2:UnmonitorInstances",
    "ec2:MonitorInstances",
    "ec2:StopInstances",
    "ec2:StartInstances"

Elastic Beanstalk (EBS)
  Read-level actions:
    "elasticbeanstalk:DescribeEnvironmentResources",
    "elasticbeanstalk:DescribeAccountAttributes",
    "elasticbeanstalk:DescribeEnvironments",
    "elasticbeanstalk:DescribeEvents",
    "elasticbeanstalk:DescribeInstancesHealth",
    "elasticbeanstalk:DescribeEnvironmentHealth",
    "elasticbeanstalk:DescribeConfigurationSettings",
    "elasticbeanstalk:ListTagsForResource",
    "cloudformation:ListStackResources",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeAccountLimits",
    "autoscaling:DescribeLaunchConfigurations",
    "s3:ListAllMyBuckets",
    "s3:GetObject",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:ListBucket"
  Partial write-level actions:
    "elasticbeanstalk:RestartAppServer"

ELB
  Read-level actions:
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags"

    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeAccountLimits",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups"
  Partial write-level actions: none

Gateway Load Balancer
  Read-level actions:
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTags"

    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:DescribeTags",
    "elasticloadbalancing:DescribeAccountLimits",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:DescribeTargetGroups",
    "ec2Instance:describeVpcEndpoints",
    "ec2Instance:describeVpcEndpointServiceConfigurations"
  Partial write-level actions: none

RDS
  Read-level actions:
    "rds:ListTagsForResource",
    "rds:DescribeDBInstances",
    "rds:DescribeDBLogFiles",
    "rds:DescribeAccountAttributes",
    "rds:DescribeDBClusters",
    "rds:DescribeEvents"
  Partial write-level actions:
    "rds:StartDBInstance",
    "rds:RebootDBInstance",
    "rds:StopDBInstance"

S3
  Read-level actions:
    "s3:GetObjectAcl",
    "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetBucketTagging",
    "s3:ListAllMyBuckets",
    "s3:GetBucketVersioning",
    "s3:GetBucketAcl",
    "s3:GetBucketLocation",
    "s3:GetBucketPolicy",
    "s3:GetReplicationConfiguration",
    "s3:GetBucketLogging"

    "s3:GetObjectAcl",
    "s3:ListBucket",
    "s3:GetBucketLocation"
  Partial write-level actions: none

SNS
  Read-level actions:
    "sns:ListSubscriptions",
    "sns:ListSubscriptionsByTopic",
    "sns:ListTagsForResource",
    "sns:ListTopics",
    "sns:GetTopicAttributes",
    "sns:GetSMSAttributes"
  Partial write-level actions:
    "sns:Publish"

Lambda
  Read-level actions:
    "lambda:ListFunctions",
    "lambda:ListTags",
    "lambda:GetFunctionConfiguration",
    "lambda:GetAccountSettings",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "lambda:GetPolicy"
  Partial write-level actions:
    "lambda:InvokeFunction"

Lambda logs
  Read-level actions:
    "logs:Describe*",
    "logs:Get*"
  Partial write-level actions: none

ElastiCache
  Read-level actions:
    "elasticache:DescribeCacheClusters",
    "elasticache:DescribeCacheSubnetGroups",
    "elasticache:ListTagsForResource",
    "elasticache:DescribeServiceUpdates",
    "elasticache:DescribeReplicationGroups"
  Partial write-level actions:
    "elasticache:RebootCacheCluster"

Simple Queue Service (SQS)
  Read-level actions:
    "sqs:ListQueues",
    "sqs:ListQueueTags",
    "sqs:GetQueueAttributes"
  Partial write-level actions:
    "sqs:SendMessage"

Amazon CloudFront
  Read-level actions:
    "cloudfront:GetDistribution",
    "cloudfront:ListPublicKeys",
    "cloudfront:ListTagsForResource",
    "cloudfront:ListInvalidations",
    "cloudfront:ListDistributions",
    "cloudfront:GetDistributionConfig"
  Partial write-level actions: none

Amazon Kinesis Data Streams
  Read-level actions:
    "kinesis:DescribeStreamSummary",
    "kinesis:ListStreams",
    "kinesis:ListTagsForStream",
    "kinesis:DescribeStream"
  Partial write-level actions:
    "kinesis:PutRecord"

Amazon Kinesis Video Streams
  Read-level actions:
    "kinesisvideo:ListStreams",
    "kinesisvideo:ListTagsForStream",
    "kinesisvideo:DescribeStream"
  Partial write-level actions: none

Amazon Kinesis Firehose
  Read-level actions:
    "firehose:ListDeliveryStreams",
    "firehose:ListTagsForDeliveryStream",
    "firehose:DescribeDeliveryStream"
  Partial write-level actions: none

Amazon Kinesis Data Analytics
  Read-level actions:
    "kinesisanalytics:ListApplications",
    "kinesisanalytics:ListTagsForResource",
    "kinesisanalytics:DescribeApplication"
  Partial write-level actions:
    "kinesisanalytics:StopApplication",
    "kinesisanalytics:StartApplication"

Route 53
  Read-level actions:
    Route 53 Health Check:
    "route53:ListTagsForResources",
    "route53:GetHealthCheckStatus",
    "route53:ListHealthChecks",
    "route53:GetHealthCheck",
    "route53:ListGeoLocations",
    "route53:ListTagsForResource"

    Route 53 Hosted Zone & Record Set Check:
    "route53:ListTagsForResources",
    "route53:GetHealthCheckLastFailureReason",
    "route53:GetHealthCheckStatus",
    "route53:GetHostedZone",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
    "route53:ListGeoLocations",
    "route53:GetTrafficPolicyInstance",
    "route53:GetTrafficPolicy",
    "route53:ListTagsForResource",
    "route53:ListQueryLoggingConfigs",
    "route53domains:ListDomains",
    "route53domains:GetDomainDetail",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"

    Route 53 Resolver:
    "route53resolver:ListResolverEndpointIpAddresses",
    "route53resolver:ListResolverRules",
    "route53resolver:GetResolverRule",
    "route53resolver:ListResolverRuleAssociations",
    "route53resolver:ListResolverEndpoints"
  Partial write-level actions: none

Direct Connect
  Read-level actions:
    "directconnect:DescribeConnections",
    "directconnect:DescribeTags",
    "directconnect:DescribeVirtualGateways",
    "directconnect:DescribeVirtualInterfaces"
  Partial write-level actions: none

VPC-Virtual Private Network (VPN) connection
  Read-level actions:
    "ec2:DescribeVpnConnections",
    "ec2:DescribeAddresses"
  Partial write-level actions: none

API Gateway
  Read-level actions:
    "apigateway:GET"
  Partial write-level actions:
    "apigateway:POST"

Amazon Elastic Container Service (ECS)
  Read-level actions:
    "ecs:ListServices",
    "ecs:ListAccountSettings",
    "ecs:ListTagsForResource",
    "ecs:DescribeServices",
    "ecs:ListContainerInstances",
    "ecs:DescribeContainerInstances",
    "ecs:DescribeClusters",
    "ecs:ListClusters",
    "ecs:ListTasks",
    "ecs:DescribeTasks"
  Partial write-level actions: none

Amazon Redshift
  Read-level actions:
    "redshift:DescribeClusters",
    "redshift:DescribeClusterParameters",
    "redshift:DescribeLoggingStatus",
    "redshift:DescribeEvents",
    "redshift:DescribeStorage"
  Partial write-level actions:
    "redshift:RebootCluster"

Elastic File System (EFS)
  Read-level actions:
    "elasticfilesystem:DescribeFileSystems",
    "elasticfilesystem:DescribeTags",
    "elasticfilesystem:DescribeMountTargets",
    "elasticfilesystem:DescribeMountTargetSecurityGroups"
  Partial write-level actions: none

Simple Email Service (SES)
  Read-level actions:
    "ses:DescribeConfigurationSet",
    "ses:DescribeReceiptRuleSet",
    "ses:GetSendQuota",
    "ses:GetIdentityPolicies",
    "ses:GetIdentityNotificationAttributes",
    "ses:GetIdentityMailFromDomainAttributes",
    "ses:GetTemplate",
    "ses:GetIdentityDkimAttributes",
    "ses:GetIdentityVerificationAttributes",
    "ses:GetAccountSendingEnabled",
    "ses:ListIdentityPolicies",
    "ses:ListIdentities",
    "ses:ListConfigurationSets",
    "ses:ListReceiptRuleSets",
    "ses:ListReceiptFilters",
    "ses:ListTemplates"
  Partial write-level actions:
    "ses:SendEmail",
    "ses:SendTemplatedEmail"

Step Functions
  Read-level actions:
    "states:ListStateMachines",
    "states:DescribeStateMachine",
    "states:ListActivities",
    "states:DescribeExecution",
    "states:ListExecutions",
    "states:GetExecutionHistory",
    "states:ListTagsForResource"
  Partial write-level actions:
    "states:StartExecution"

Web Application Firewall (WAF)
  Read-level actions:
    "waf-regional:ListWebACLs",
    "waf-regional:ListRules",
    "waf-regional:GetWebACL",
    "waf-regional:ListTagsForResource",
    "waf-regional:GetGeoMatchSet",
    "waf-regional:GetIPSet",
    "waf-regional:GetXssMatchSet",
    "waf-regional:GetByteMatchSet",
    "waf-regional:GetRegexMatchSet",
    "waf-regional:GetSqlInjectionMatchSet",
    "waf-regional:GetSizeConstraintSet",
    "waf-regional:ListActivatedRulesInRuleGroup",
    "waf:ListRules",
    "waf:GetWebACL",
    "waf:ListTagsForResource",
    "waf:ListWebACLs",
    "waf:GetByteMatchSet",
    "waf:GetIPSet",
    "waf:GetXssMatchSet",
    "waf:GetRegexMatchSet",
    "waf:GetSizeConstraintSet",
    "waf:ListActivatedRulesInRuleGroup",
    "wafv2:ListLoggingConfigurations",
    "wafv2:GetWebACL",
    "wafv2:ListTagsForResource",
    "wafv2:ListWebACLs",
    "wafv2:GetIPSet",
    "wafv2:GetRegexPatternSet",
    "wafv2:GetRuleGroup",
    "waf-regional:ListResourcesForWebACL"
  Partial write-level actions: none

Key Management Service (KMS)
  Read-level actions:
    "kms:DescribeCustomKeyStores",
    "kms:DescribeKey",
    "kms:GetKeyRotationStatus",
    "kms:ListAliases",
    "kms:ListResourceTags",
    "kms:ListKeys",
    "kms:GetKeyPolicy",
    "kms:ListGrants",
    "kms:ListKeyPolicies"
  Partial write-level actions: none

CloudSearch
  Read-level actions:
    "cloudsearch:DescribeDomains",
    "cloudsearch:DescribeIndexFields",
    "cloudsearch:DescribeAvailabilityOptions",
    "cloudsearch:DescribeScalingParameters",
    "cloudsearch:DescribeAnalysisSchemes",
    "cloudsearch:DescribeServiceAccessPolicies",
    "cloudsearch:DescribeExpressions",
    "cloudsearch:DescribeSuggesters"
  Partial write-level actions: none

Elasticsearch
  Read-level actions:
    "es:DescribeElasticsearchDomain",
    "es:ListDomainNames",
    "es:ListTags",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "es:DescribePackages"
  Partial write-level actions: none

Elastic MapReduce
  Read-level actions:
    "elasticmapreduce:ListSecurityConfigurations",
    "elasticmapreduce:DescribeCluster",
    "elasticmapreduce:ListClusters",
    "elasticmapreduce:ListBootstrapActions",
    "elasticmapreduce:ListSteps",
    "elasticmapreduce:ListInstanceFleets",
    "elasticmapreduce:ListInstanceGroups",
    "elasticmapreduce:ListInstances"
  Partial write-level actions:
    "elasticmapreduce:addJobFlowSteps"

WorkSpaces
  Read-level actions:
    "workspaces:DescribeTags",
    "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceDirectories",
    "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:DescribeIpGroups",
    "workspaces:DescribeWorkspaceBundles",
    "workspaces:DescribeWorkspaceImages"
  Partial write-level actions:
    "workspaces:StartWorkspaces",
    "workspaces:RebootWorkspaces",
    "workspaces:RebuildWorkspaces",
    "workspaces:StopWorkspaces"

Certificate Manager (ACM)
  Read-level actions:
    "acm:ListCertificates",
    "acm:ListTagsForCertificate",
    "acm:DescribeCertificate",
    "acm:GetCertificate"
  Partial write-level actions: none

Lightsail Instance
  Read-level actions:
    "lightsail:GetInstances",
    "lightsail:GetInstance",
    "lightsail:GetActiveNames",
    "lightsail:GetOperationsForResource",
    "lightsail:GetInstanceMetricData"
  Partial write-level actions:
    "lightsail:StartInstance",
    "lightsail:StopInstance",
    "lightsail:RebootInstance"

Lightsail Database
  Read-level actions:
    "lightsail:GetRelationalDatabases",
    "lightsail:GetRelationalDatabase",
    "lightsail:GetRelationalDatabaseEvents",
    "lightsail:GetRelationalDatabaseLogEvents",
    "lightsail:GetRelationalDatabaseLogStreams",
    "lightsail:GetOperationsForResource",
    "lightsail:GetRelationalDatabaseMetricData"
  Partial write-level actions:
    "lightsail:StartRelationalDatabase",
    "lightsail:StopRelationalDatabase",
    "lightsail:RebootRelationalDatabase"

Lightsail Load Balancer
  Read-level actions:
    "lightsail:GetLoadBalancers",
    "lightsail:GetLoadBalancer",
    "lightsail:GetLoadBalancerTlsCertificates",
    "lightsail:GetOperationsForResource",
    "lightsail:GetLoadBalancerMetricData"
  Partial write-level actions:
    "lightsail:StartRelationalDatabase",
    "lightsail:StopRelationalDatabase",
    "lightsail:RebootRelationalDatabase"

Elastic Kubernetes Service (EKS)
  Read-level actions:
    "eks:DescribeCluster",
    "eks:ListClusters",
    "cloudwatch:ListMetrics"
  Partial write-level actions: none

Storage Gateway
  Read-level actions:
    "storagegateway:DescribeGatewayInformation",
    "storagegateway:ListGateways",
    "storagegateway:ListTagsForResource",
    "storagegateway:ListTapes",
    "storagegateway:ListFileShares",
    "storagegateway:ListVolumes",
    "storagegateway:DescribeAvailabilityMonitorTest",
    "storagegateway:DescribeBandwidthRateLimit",
    "storagegateway:DescribeCache",
    "storagegateway:DescribeCachediSCSIVolumes",
    "storagegateway:DescribeNFSFileShares",
    "storagegateway:DescribeSMBFileShares",
    "storagegateway:DescribeStorediSCSIVolumes",
    "storagegateway:DescribeTapeArchives",
    "storagegateway:DescribeTapes",
    "storagegateway:DescribeUploadBuffer",
    "storagegateway:ListLocalDisks",
    "storagegateway:DescribeVTLDevices",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none

Amazon MQ
  Read-level actions:
    "mq:DescribeBroker",
    "mq:DescribeConfiguration",
    "mq:DescribeConfigurationRevision",
    "mq:DescribeUser",
    "mq:ListTags",
    "mq:ListBrokers",
    "mq:DescribeBrokerEngineTypes",
    "cloudwatch:ListMetrics",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions:
    "mq:RebootBroker"

Transit Gateway
  Read-level actions:
    "ec2:DescribeTransitGatewayAttachments",
    "ec2:DescribeTransitGateways",
    "ec2:DescribeTransitGatewayPeeringAttachments",
    "ec2:DescribeTransitGatewayVpcAttachments",
    "ec2:DescribeAddresses"
  Partial write-level actions:
    "ec2:SearchTransitGatewayRoutes",
    "ec2:SearchTransitGatewayMulticastGroups"

Data Migration Service (DMS)
  Read-level actions:
    "dms:DescribeAccountAttributes",
    "dms:DescribeReplicationInstances",
    "dms:DescribeReplicationTasks",
    "dms:DescribeTableStatistics",
    "dms:DescribeCertificates",
    "dms:DescribeConnections",
    "dms:DescribeEndpoints",
    "dms:ListTagsForResource",
    "dms:DescribeEvents",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions:
    "dms:StartReplicationTask",
    "dms:StopReplicationTask"

Amazon FSx
  Read-level actions:
    "fsx:ListTagsForResource",
    "fsx:DescribeBackups",
    "fsx:DescribeDataRepositoryTasks",
    "fsx:DescribeFileSystems"
  Partial write-level actions:
    "fsx:CreateDataRepositoryTask",
    "fsx:CreateBackup"

GuardDuty
  Read-level actions:
    "guardduty:ListDetectors",
    "guardduty:ListFindings",
    "guardduty:GetFindings"
  Partial write-level actions: none

Lambda@Edge
  Read-level actions:
    "lambda:GetAccountSettings",
    "lambda:GetFunctionConfiguration",
    "lambda:ListTags",
    "cloudfront:ListPublicKeys",
    "cloudfront:ListDistributions"
  Partial write-level actions:
    "lambda:InvokeFunction"

DocumentDB
  Read-level actions:
    "rds:DescribeDBClusters",
    "rds:DescribeDBInstances",
    "rds:ListTagsForResource",
    "rds:DescribeCertificates",
    "rds:DescribeEvents",
    "rds:DescribeGlobalClusters",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none

Amazon Secure File Transfer Protocol (SFTP)
  Read-level actions:
    "transfer:DescribeUser",
    "transfer:DescribeServer",
    "transfer:ListUsers",
    "transfer:ListServers",
    "transfer:ListTagsForResource",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:GetLogEvents"
  Partial write-level actions: none

AWS Systems Manager
  Read-level actions:
    "ssm:ListCommands",
    "ssm:DescribeInstanceInformation",
    "ssm:ListCommandInvocations"
  Partial write-level actions: none

Service Quotas
  Read-level actions:
    "servicequotas:GetRequestedServiceQuotaChange",
    "servicequotas:ListRequestedServiceQuotaChangeHistory",
    "servicequotas:ListServiceQuotas"
  Partial write-level actions:
    "servicequotas:RequestServiceQuotaIncrease"

Follow the steps below to create a new policy using the visual editor:

  • Log in to the AWS IAM console, select Policies, and click Create new policy.
  • Select the Visual editor tab.
  • In the Select a service field, type CloudWatch in the search box and select CloudWatch from the list.
  • In the Access level groups section, select Read and, by expanding the section, select the actions listed for that service in the table above.
  • Repeat the same process for the other supported services. When finished, click Review policy.


Custom policy for read-only actions

You can also use our custom policy document to grant access to your AWS resources. Paste the policy JSON below into the JSON editor, review it, provide an appropriate name and description, and click Create policy.

Once done, attach the policy to the Site24x7 IAM user or role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "sqs:Get*",
                "sqs:List*",
                "autoscaling:Describe*",
                "elasticloadbalancing:Describe*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "s3:Get*",
                "s3:List*",
                "rds:Describe*",
                "rds:List*",
                "kinesisanalytics:Describe*",
                "kinesisanalytics:Get*",
                "kinesisanalytics:List*",
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*",
                "kinesisvideo:Get*",
                "kinesisvideo:List*",
                "kinesisvideo:Describe*",
                "firehose:Describe*",
                "firehose:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "directconnect:Describe*",
                "apigateway:GET",
                "ecs:DescribeServices",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeClusters",
                "redshift:Describe*",
                "elasticfilesystem:Describe*",
                "ses:Get*",
                "ses:List*",
                "ses:Describe*",
                "lambda:List*",
                "lambda:Get*",
                "logs:Describe*",
                "logs:Get*",
                "route53domains:Get*",
                "route53domains:List*",
                "route53:Get*",
                "route53:List*",
                "route53resolver:Get*",
                "route53resolver:List*",
                "states:List*",
                "states:Describe*",
                "states:GetExecutionHistory",
                "sns:Get*",
                "sns:List*",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "waf:Get*",
                "waf:List*",
                "waf-regional:List*",
                "waf-regional:Get*",
                "cloudsearch:Describe*",
                "cloudsearch:List*",
                "es:Describe*",
                "es:List*",
                "es:Get*",
                "workspaces:Describe*",
                "ds:Describe*",
                "elasticmapreduce:List*",
                "elasticmapreduce:Describe*",
                "acm:GetCertificate",
                "acm:Describe*",
                "acm:List*",
                "lightsail:Get*",
                "eks:Describe*",
                "eks:List*",
                "mq:Describe*",
                "mq:List*",
                "ec2:Get*",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:SearchTransitGatewayMulticastGroups",
                "storagegateway:List*",
                "storagegateway:Describe*",
                "guardduty:GetFindings",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "dms:Describe*",
                "dms:List*",
                "dms:TestConnection",
                "fsx:Describe*",
                "fsx:ListTagsForResource",
                "inspector:List*",
                "inspector:Describe*",
                "transfer:Describe*",
                "transfer:List*",
                "ssm:ListCommands",
                "ssm:DescribeInstanceInformation",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

This policy was last updated on January 19, 2022.

This policy is created and maintained by the Site24x7 team and grants read-only access to all AWS services with monitoring support. The policy may change as new AWS integrations are added, so make sure you are using the latest version.

Custom policy for automation

Create a new custom IAM policy using the JSON below so that Site24x7 can perform actions in response to alert events.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "ec2:RebootInstances",
            "sns:Publish",
            "ec2:StartInstances",
            "kinesisanalytics:StopApplication",
            "kinesisanalytics:StartApplication",
            "kinesis:PutRecord",
            "rds:RebootDBInstance",
            "elasticache:RebootCacheCluster",
            "lambda:InvokeFunction",
            "redshift:RebootCluster",
            "ses:SendEmail",
            "apigateway:POST",
            "elasticbeanstalk:RestartAppServer",
            "sqs:SendMessage",
            "rds:StopDBInstance",
            "ec2:StopInstances",
            "rds:StartDBInstance",
            "states:StartExecution",
            "elasticmapreduce:addJobFlowSteps",
            "workspaces:StartWorkspaces",
            "workspaces:RebootWorkspaces",
            "workspaces:RebuildWorkspaces",
            "workspaces:StopWorkspaces",
            "lightsail:StartRelationalDatabase",
            "lightsail:StopRelationalDatabase",
            "lightsail:RebootRelationalDatabase",
            "lightsail:StartInstance",
            "lightsail:StopInstance",
            "lightsail:RebootInstance",
            "mq:RebootBroker",
            "dms:StartReplicationTask",
            "dms:StopReplicationTask",
            "fsx:CreateDataRepositoryTask",
            "fsx:CreateBackup"
         ],
         "Resource":"*"
      }
   ]
}

The policy JSON above contains the partial write-level permissions required to stop/start/reboot EC2 and RDS instances, reboot ElastiCache clusters, invoke Lambda functions, start/stop analytics applications, and publish messages to SNS topics and SQS queues. If you do not want Site24x7 to perform certain actions, you can manually edit the JSON or remove permissions from it.
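To check that a policy you paste into the JSON editor is still read-only, and to trim the automation policy down to the actions you are willing to grant, the following Python script (an added example, not Site24x7 code) classifies each Allow action by its verb and removes actions matching patterns you choose. The two embedded policy documents are constructed, abbreviated stand-ins for the read-only and automation policies on this page; the verb-prefix rule and the function names are this example's own assumptions.

```python
"""Audit and trim Site24x7-style IAM policy JSON (added example, not Site24x7 code)."""
import fnmatch
import json

# Assumption of this example: an Allow action counts as read-level only when its
# verb starts with one of these prefixes (or is exactly apigateway:GET). Anything
# else is reported for a manual check against the AWS Service Authorization Reference.
READ_VERB_PREFIXES = ("Describe", "Get", "List", "Search")

# Constructed, abbreviated stand-in for the page's read-only policy.
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:Get*", "ec2:Describe*", "ec2:Get*",
                   "apigateway:GET", "ec2:SearchTransitGatewayRoutes",
                   "dms:TestConnection"],
        "Resource": "*",
    }],
})

# Constructed, abbreviated stand-in for the page's automation policy.
AUTOMATION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RebootInstances", "ec2:StopInstances", "ec2:StartInstances",
                   "sns:Publish", "lambda:InvokeFunction", "rds:RebootDBInstance"],
        "Resource": "*",
    }],
})


def _actions(stmt: dict) -> list:
    """IAM allows "Action" to be a string or a list; always return a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def is_read_level(action: str) -> bool:
    """True when the action name (wildcards allowed) satisfies the read-verb rule."""
    if action == "apigateway:GET":
        return True
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_VERB_PREFIXES)  # "*" and "s3:*" fail this test


def non_read_actions(policy_json: str) -> list:
    """Allow actions that do not satisfy the read-verb rule, in document order."""
    doc = json.loads(policy_json)
    return [a for stmt in doc["Statement"] if stmt.get("Effect") == "Allow"
            for a in _actions(stmt) if not is_read_level(a)]


def strip_actions(policy_json: str, drop_patterns: list) -> str:
    """Return the policy with every action matching a shell-style pattern removed,
    e.g. ["ec2:*", "rds:*"] keeps sns:Publish but withholds stop/start rights."""
    doc = json.loads(policy_json)
    for stmt in doc["Statement"]:
        stmt["Action"] = [a for a in _actions(stmt)
                          if not any(fnmatch.fnmatchcase(a, p) for p in drop_patterns)]
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("read-only policy, needs review:", non_read_actions(READ_ONLY_POLICY))
    print("automation policy, write-level:", non_read_actions(AUTOMATION_POLICY))
    print(strip_actions(AUTOMATION_POLICY, ["ec2:*", "rds:*"]))
```

The read-only sample reports dms:TestConnection only because its name does not follow the Describe/Get/List pattern; confirm its access level in the AWS Service Authorization Reference before treating it as write-level.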