This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
Using service-linked roles for DevOps Guru
Amazon DevOps Guru uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to DevOps Guru. Service-linked roles are predefined by DevOps Guru and include all the permissions that the service requires to call AWS CloudTrail, Amazon CloudWatch, AWS CodeDeploy, AWS X-Ray, and AWS Organizations on your behalf.
A service-linked role makes setting up DevOps Guru easier because you don't have to add the necessary permissions manually. DevOps Guru defines the permissions of its service-linked roles, and unless defined otherwise, only DevOps Guru can assume those roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.
You can delete a service-linked role only after first deleting its related resources. This protects your DevOps Guru resources because you cannot inadvertently remove permission to access the resources.
Service-linked role permissions for DevOps Guru
DevOps Guru uses a service-linked role named AWSServiceRoleForDevOpsGuru.
This is an AWS managed policy with the scoped permissions that DevOps Guru requires to operate in your account.
The AWSServiceRoleForDevOpsGuru service-linked role trusts only the following service to assume the role:
- devops-guru.amazonaws.com
The role permissions policy AmazonDevOpsGuruServiceRolePolicy allows DevOps Guru to complete the following actions on the specified resources.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "cloudtrail:LookupEvents",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAnomalyDetectors",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:ListDashboards",
                "cloudwatch:GetDashboard",
                "cloudformation:GetTemplate",
                "cloudformation:ListStacks",
                "cloudformation:ListStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListImports",
                "codedeploy:BatchGetDeployments",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:ListDeployments",
                "config:DescribeConfigurationRecorderStatus",
                "config:GetResourceConfigHistory",
                "events:ListRuleNamesByTarget",
                "xray:GetServiceGraph",
                "organizations:ListRoots",
                "organizations:ListChildren",
                "organizations:ListDelegatedAdministrators",
                "pi:GetResourceMetrics",
                "tag:GetResources",
                "lambda:GetFunction",
                "lambda:GetFunctionConcurrency",
                "lambda:GetAccountSettings",
                "lambda:ListProvisionedConcurrencyConfigs",
                "lambda:ListAliases",
                "lambda:ListEventSourceMappings",
                "lambda:GetPolicy",
                "ec2:DescribeSubnets",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingPolicies",
                "sqs:GetQueueAttributes",
                "kinesis:DescribeStream",
                "kinesis:DescribeLimits",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeStream",
                "dynamodb:ListStreams",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "rds:DescribeOptionGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBInstanceAutomatedBackups",
                "rds:DescribeAccountAttributes",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetIntelligentTieringConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:ListAllMyBuckets",
                "s3:ListStorageLensConfigurations",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListRequestedServiceQuotaChangeHistory",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPutTargetsOnASpecificRule",
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:PutRule"
            ],
            "Resource": "arn:aws:events:*:*:rule/DevOps-Guru-managed-*"
        },
        {
            "Sid": "AllowCreateOpsItem",
            "Effect": "Allow",
            "Action": [
                "ssm:CreateOpsItem"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAddTagsToOpsItem",
            "Effect": "Allow",
            "Action": [
                "ssm:AddTagsToResource"
            ],
            "Resource": "arn:aws:ssm:*:*:opsitem/*"
        },
        {
            "Sid": "AllowAccessOpsItem",
            "Effect": "Allow",
            "Action": [
                "ssm:GetOpsItem",
                "ssm:UpdateOpsItem"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/DevOps-GuruInsightSsmOpsItemRelated": "true"
                }
            }
        },
        {
            "Sid": "AllowCreateManagedRule",
            "Effect": "Allow",
            "Action": "events:PutRule",
            "Resource": "arn:aws:events:*:*:rule/DevOpsGuruManagedRule*"
        },
        {
            "Sid": "AllowAccessManagedRule",
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule",
                "events:ListTargetsByRule"
            ],
            "Resource": "arn:aws:events:*:*:rule/DevOpsGuruManagedRule*"
        },
        {
            "Sid": "AllowOtherOperationsOnManagedRule",
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:EnableRule",
                "events:DisableRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/DevOpsGuruManagedRule*",
            "Condition": {
                "StringEquals": {
                    "events:ManagedBy": "devops-guru.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowTagBasedFilterLogEvents",
            "Effect": "Allow",
            "Action": [
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/DevOps-Guru-Analysis": "true"
                }
            }
        },
        {
            "Sid": "AllowAPIGatewayGetIntegrations",
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": [
                "arn:aws:apigateway:*::/restapis/??????????",
                "arn:aws:apigateway:*::/restapis/*/resources",
                "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integration"
            ]
        }
    ]
}
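The policy above scopes its few write actions by resource ARN pattern and by tag or ownership conditions (for example, logs:FilterLogEvents only on log groups tagged DevOps-Guru-Analysis=true, and mutating EventBridge rules only when events:ManagedBy is the DevOps Guru principal). The following added example, which is not part of the AWS documentation or of DevOps Guru itself, is a small evaluator for a constructed subset of those statements that lets a reviewer confirm what the role can and cannot touch; it models only StringEquals conditions and Allow statements, which is all this policy uses, and uses a constructed example account ID.

```python
import fnmatch

# Constructed subset of the AmazonDevOpsGuruServiceRolePolicy statements shown
# on this page (trimmed copy for illustration; the real policy lists many more
# read-only actions in its first statement).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:GetMetricData", "cloudtrail:LookupEvents", "logs:DescribeLogGroups"]},
        {"Sid": "AllowCreateManagedRule", "Effect": "Allow", "Action": "events:PutRule",
         "Resource": "arn:aws:events:*:*:rule/DevOpsGuruManagedRule*"},
        {"Sid": "AllowOtherOperationsOnManagedRule", "Effect": "Allow",
         "Action": ["events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
         "Resource": "arn:aws:events:*:*:rule/DevOpsGuruManagedRule*",
         "Condition": {"StringEquals": {"events:ManagedBy": "devops-guru.amazonaws.com"}}},
        {"Sid": "AllowTagBasedFilterLogEvents", "Effect": "Allow", "Action": ["logs:FilterLogEvents"],
         "Resource": "arn:aws:logs:*:*:log-group:*",
         "Condition": {"StringEquals": {"aws:ResourceTag/DevOps-Guru-Analysis": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM policy wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_satisfied(condition, context):
    # Only StringEquals is modelled, because that is the only operator this policy uses.
    # A condition key absent from the request context never satisfies StringEquals.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(action, resource_arn, context=None, policy=POLICY):
    """True if at least one Allow statement covers the action on the resource and
    every condition key it names is present in `context` with the required value.
    This policy has no Deny statements; real IAM evaluation would apply those first."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_satisfied(stmt.get("Condition", {}), context):
            return True
    return False
```

Pass the tag or events:ManagedBy value as a context entry keyed by the condition key, exactly as it appears in the policy.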
Creating a service-linked role for DevOps Guru
You don't need to create a service-linked role manually. When you create an insight in the AWS Management Console, the AWS CLI, or the AWS API, DevOps Guru creates the service-linked role for you.
Important
If you complete an action in another service that uses a feature supported by this role, the service-linked role might appear in your account; for example, if you add DevOps Guru to a repository in AWS CodeCommit, the role might appear in your account.
Editing a service-linked role for DevOps Guru
DevOps Guru does not allow you to edit the AWSServiceRoleForDevOpsGuru service-linked role. After a service-linked role is created, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.
Deleting a service-linked role for DevOps Guru
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must disassociate it from all repositories before you can delete it manually.
Note
If the DevOps Guru service is using the role when you try to delete the resources, the deletion might fail. If that happens, wait a few minutes and try again.
To delete the service-linked role manually using IAM
Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForDevOpsGuru service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.