IAM roles for ArcGIS Enterprise on Amazon Web Services

Amazon Identity and Access Management (IAM) roles control access to Amazon Web Services (AWS) resources. The following sample JSON snippets show the permissions required to access specific resources used by ArcGIS Enterprise.

Run CloudFormation templates from Esri

To run the CloudFormation templates provided by Esri or run Esri tools that use these templates, create an IAM role with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id1>",
            "Effect": "Allow",
            "Action": [
                "rds:*",
                "events:PutRule",
                "logs:*",
                "dynamodb:*",
                "autoscaling:*",
                "acm:RequestCertificate",
                "acm:GetCertificate",
                "acm:ListCertificates",
                "acm:ImportCertificate",
                "events:PutEvents",
                "s3:*",
                "acm:AddTagsToCertificate",
                "cloudformation:*",
                "elasticloadbalancing:*",
                "acm:ListTagsForCertificate",
                "events:TestEventPattern",
                "events:PutPermission",
                "events:DescribeEventBus",
                "iam:*",
                "events:PutTargets",
                "acm:DescribeCertificate",
                "acm:RemoveTagsFromCertificate",
                "cloudwatch:*",
                "ssm:*",
                "lambda:*",
                "route53:*",
                "ec2:*",
                "events:RemovePermission"
            ],
            "Resource": "*"
        },
        {
            "Sid": "<statement-id2>",
            "Effect": "Allow",
            "Action": "events:*",
            "Resource": "arn:aws:events:*:*:rule/*"
        }
    ]
}

Replace the <statement-id> values with the IDs you want for your deployment.

Store the Portal for ArcGIS content directory in an S3 bucket

To store the Portal for ArcGIS content directory in an Amazon Simple Storage Service (S3) bucket, you need an IAM role with the following permissions, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<cache-bucket-name>/*",
                "arn:aws:s3:::<cache-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Store the ArcGIS Server configuration store directory in S3 and DynamoDB

To store your ArcGIS Server configuration store directory using AWS storage services, you need an IAM role with the following permissions for S3 and DynamoDB:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id1>",
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::arcgis-config-store-*",
                "arn:aws:s3:::arcgis-config-store-*/*"
            ]
        },
        {
            "Sid": "<statement-id2>",
            "Action": [
                "dynamodb:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:*:*:table/ArcGISConfigStores",
                "arn:aws:dynamodb:*:*:table/ArcGISConfigStore.*"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Store caches in an S3 bucket

To register an S3 bucket as a cloud store for storing and accessing map and image caches, the IAM role requires the following permissions, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<cache-bucket-name>/*",
                "arn:aws:s3:::<cache-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Use an S3 bucket as a big data file share

To register an S3 bucket as a big data file share, the IAM role requires the following permissions, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::<bdfs-bucket-name>/*",
                "arn:aws:s3:::<bdfs-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Use an S3 bucket as a raster store

To register an S3 bucket as a raster store, the IAM role requires the following permissions, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<cache-bucket-name>/*",
                "arn:aws:s3:::<cache-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.
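The policies above fall into two classes: the CloudFormation deployment role grants whole-service wildcards (iam:*, ec2:*, s3:*) on every resource, while the storage roles grant a few S3 actions on one named bucket. The following added Python example (not Esri's code) audits a policy document for exactly those properties before it is attached to a role; the bucket name and Sid values it embeds are constructed samples standing in for the page's angle-bracket placeholders.

```python
import json

# Constructed sample: the page's cache-bucket policy with placeholders filled in.
CACHE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CacheStore", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
               "s3:GetBucketAcl", "s3:GetObjectVersion"],
    "Resource": ["arn:aws:s3:::example-cache-bucket/*",
                 "arn:aws:s3:::example-cache-bucket"]
  }]
}""")

# Constructed sample: a trimmed version of the page's CloudFormation deployment role.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Deploy", "Effect": "Allow",
                   "Action": ["iam:*", "ec2:*", "acm:RequestCertificate"],
                   "Resource": "*"}],
}

def _as_list(value):
    # IAM allows "Action" and "Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (sid, kind, detail) findings for each Allow statement:
    'service-wildcard' for an action such as 'iam:*' on Resource '*',
    'unscoped-resource' for any other action on Resource '*',
    'version' if the document is not the 2012-10-17 format used on the page."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("-", "version", policy.get("Version")))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if unscoped and action.endswith(":*"):
                findings.append((sid, "service-wildcard", action))
            elif unscoped:
                findings.append((sid, "unscoped-resource", action))
    return findings

def bucket_scoped(policy, bucket):
    """True if every S3 Allow statement names only this bucket and its objects."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a.startswith("s3:") for a in actions):
            if not set(_as_list(stmt.get("Resource", []))) <= allowed:
                return False
    return True
```

Run audit_policy over each role's policy document before attaching it: the storage roles should come back clean and bucket-scoped, while the deployment role's findings document exactly which wildcards it carries so that role can be kept off the instance profile and used only for deployment.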