AWS Identity and Access Management (IAM) controls access to Amazon Web Services (AWS) resources. The following sample JSON snippets show the IAM policies required for the AWS resources that ArcGIS Enterprise uses. Each policy is scoped to one task; assign only the policy a given user or role needs for the task it performs.
Run ArcGIS Enterprise Cloud Builder for AWS
If you run the ArcGIS Enterprise Cloud Builder for AWS app or the ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services to create a deployment, create an IAM policy as described below and attach it to an IAM user. You will sign in to Cloud Builder with this user's credentials (Access Key ID and Secret Access Key). Note that the policy grants iam:*, ec2:*, s3:* and other service-wide wildcards on all resources, so the user is effectively an account administrator: create a dedicated user for deployments, keep its access key out of shared scripts and repositories, and deactivate or delete the key once the deployment is complete.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id1>",
      "Effect": "Allow",
      "Action": [
        "acm:AddTagsToCertificate",
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ImportCertificate",
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "acm:RemoveTagsFromCertificate",
        "acm:RequestCertificate",
        "autoscaling:*",
        "cloudformation:*",
        "cloudwatch:*",
        "dynamodb:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "events:DescribeEventBus",
        "events:PutEvents",
        "events:PutPermission",
        "events:PutRule",
        "events:PutTargets",
        "events:RemovePermission",
        "events:TestEventPattern",
        "iam:*",
        "lambda:*",
        "logs:*",
        "rds:*",
        "route53:*",
        "s3:*",
        "ssm:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "<statement-id2>",
      "Effect": "Allow",
      "Action": "events:*",
      "Resource": "arn:aws:events:*:*:rule/*"
    }
  ]
}
Replace the <statement-id> values with the IDs you want for your deployment. A Sid must be unique within the policy and, in IAM policies, may contain only ASCII letters and digits (no spaces, hyphens or underscores).
Run CloudFormation templates from Esri
To run the AWS CloudFormation templates provided by Esri, create an IAM policy as described below and attach it to an IAM user. Like the Cloud Builder policy, it grants iam:*, ec2:*, s3:* and other service-wide wildcards on all resources, so the user is effectively an account administrator and its access key must be protected accordingly.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id1>",
      "Effect": "Allow",
      "Action": [
        "acm:AddTagsToCertificate",
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ImportCertificate",
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "acm:RemoveTagsFromCertificate",
        "acm:RequestCertificate",
        "autoscaling:*",
        "cloudformation:*",
        "cloudwatch:*",
        "dynamodb:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "events:DescribeEventBus",
        "events:PutEvents",
        "events:PutPermission",
        "events:PutRule",
        "events:PutTargets",
        "events:RemovePermission",
        "events:TestEventPattern",
        "iam:*",
        "lambda:*",
        "logs:*",
        "rds:*",
        "s3:*",
        "ssm:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "<statement-id2>",
      "Effect": "Allow",
      "Action": "events:*",
      "Resource": "arn:aws:events:*:*:rule/*"
    }
  ]
}
Replace the <statement-id> values with the IDs you want for your deployment. A Sid must be unique within the policy and, in IAM policies, may contain only ASCII letters and digits (no spaces, hyphens or underscores).
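Before attaching either deployment policy, it is worth seeing in one place how much it grants. The following script is an added example and is not part of the Esri documentation or tooling: it embeds the Cloud Builder policy from this page (with constructed Sid values), checks the Sid rules, and lists the service-wide wildcards and the IAM actions that let the holder expand its own permissions. The function names are hypothetical and ESCALATION_ACTIONS is an illustrative subset, not a complete list.

```python
"""Audit an IAM policy document for Sid validity and wildcard grants.

Added example, not Esri code. Embeds the Cloud Builder policy from the page
with constructed Sid values; function names are hypothetical.
"""
import fnmatch
import re

# IAM identity-based policies: Sid is optional, must be unique within the
# policy and may contain only ASCII letters and digits.
SID_RE = re.compile(r"^[A-Za-z0-9]+$")

# IAM actions that, when allowed on Resource "*", let a principal grant
# itself or another principal additional permissions. Illustrative subset.
ESCALATION_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:PassRole", "iam:UpdateAssumeRolePolicy",
]

CLOUD_BUILDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudBuilderDeploy",  # constructed Sid value
            "Effect": "Allow",
            "Action": [
                "acm:AddTagsToCertificate", "acm:DescribeCertificate",
                "acm:GetCertificate", "acm:ImportCertificate",
                "acm:ListCertificates", "acm:ListTagsForCertificate",
                "acm:RemoveTagsFromCertificate", "acm:RequestCertificate",
                "autoscaling:*", "cloudformation:*", "cloudwatch:*",
                "dynamodb:*", "ec2:*", "elasticloadbalancing:*",
                "events:DescribeEventBus", "events:PutEvents",
                "events:PutPermission", "events:PutRule", "events:PutTargets",
                "events:RemovePermission", "events:TestEventPattern",
                "iam:*", "lambda:*", "logs:*", "rds:*", "route53:*",
                "s3:*", "ssm:*",
            ],
            "Resource": "*",
        },
        {
            "Sid": "CloudBuilderEventRules",  # constructed Sid value
            "Effect": "Allow",
            "Action": "events:*",
            "Resource": "arn:aws:events:*:*:rule/*",
        },
    ],
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return the findings a reviewer wants before attaching the policy."""
    findings = {
        "version_ok": policy.get("Version") == "2012-10-17",
        "bad_sids": [],
        "duplicate_sids": [],
        "wildcard_services": set(),   # "svc:*" granted on Resource "*"
        "escalation_actions": set(),  # escalation actions reachable on "*"
    }
    seen = set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid")
        if sid is not None:
            if not SID_RE.match(sid):
                findings["bad_sids"].append(sid)
            if sid in seen:
                findings["duplicate_sids"].append(sid)
            seen.add(sid)
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue  # only unscoped Allow statements are examined below
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern == "*" or pattern.endswith(":*"):
                findings["wildcard_services"].add(pattern.split(":")[0])
            for esc in ESCALATION_ACTIONS:
                if action_matches(pattern, esc):
                    findings["escalation_actions"].add(esc)
    return findings


if __name__ == "__main__":
    for key, value in sorted(audit_policy(CLOUD_BUILDER_POLICY).items()):
        print(f"{key}: {sorted(value) if isinstance(value, (set, list)) else value}")
```

Run against the page's policy the audit reports thirteen service-wide wildcards on Resource "*" and every escalation action in the list, because iam:* covers all of them; that is the concrete reason the deployment user's access key should be treated as an administrator credential. Run against one of the bucket-scoped policies further down the page it reports nothing, since those statements name specific ARNs.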
Store the Portal for ArcGIS content directory in an S3 bucket
To store the Portal for ArcGIS content directory in an Amazon Simple Storage Service (S3) bucket, you need an IAM user or role with the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<content-bucket-name>/*",
        "arn:aws:s3:::<content-bucket-name>"
      ]
    }
  ]
}
Replace the values inside angle brackets (<>) with values specific to your deployment.
2012-10-17 is the current version of the IAM policy language and is used by every policy on this page. Keep it as shown: the only other valid value, 2008-10-17, does not support policy variables and other newer features, and a policy with no Version element is treated as 2008-10-17.
Store the ArcGIS Server configuration store directory in S3 and DynamoDB
To store your ArcGIS Server configuration store directory using AWS storage services, you need an IAM user or role with the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id1>",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::arcgis-config-store-*",
        "arn:aws:s3:::arcgis-config-store-*/*"
      ]
    },
    {
      "Sid": "<statement-id2>",
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:*:table/ArcGISConfigStores",
        "arn:aws:dynamodb:*:*:table/ArcGISConfigStore.*"
      ]
    }
  ]
}
Replace the values inside angle brackets (<>) with values specific to your deployment.
Store caches in an S3 bucket
To register an S3 bucket as a cloud store for storing and accessing map and image caches, your IAM user or role requires the following IAM policy, at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::<cache-bucket-name>/*",
        "arn:aws:s3:::<cache-bucket-name>"
      ]
    }
  ]
}
Replace the values inside angle brackets (<>) with values specific to your deployment.
Use an S3 bucket as a big data file share
To register an S3 bucket as a big data file share, your IAM user or role requires the following IAM policy, at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::<bdfs-bucket-name>/*",
        "arn:aws:s3:::<bdfs-bucket-name>"
      ]
    }
  ]
}
Replace the values inside angle brackets (<>) with values specific to your deployment.
Use an S3 bucket as a raster store
To register an S3 bucket as a raster store, your IAM user or role requires the following IAM policy, at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::<raster-bucket-name>/*",
        "arn:aws:s3:::<raster-bucket-name>"
      ]
    }
  ]
}
Replace the values inside angle brackets (<>) with values specific to your deployment.
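All of the bucket policies on this page (Portal content directory, map and image caches, big data file share, raster store) share one shape: a short action list and two Resource ARNs, arn:aws:s3:::<bucket> for bucket-level actions such as s3:ListBucket and arn:aws:s3:::<bucket>/* for object-level actions such as s3:GetObject. Dropping either ARN is the most common way these policies are broken, and the failure shows up only as an access-denied error from ArcGIS Server or Portal. The following script is an added example, not Esri code or tooling: it implements the subset of IAM evaluation needed to check such a policy offline (Allow statements, '*' and '?' wildcards, case-insensitive action names; no Deny, Condition or Principal handling) and a lint for bucket-level actions granted only against object ARNs. Function names and bucket names are hypothetical.

```python
"""Evaluate and lint bucket-scoped S3 policies of the shape used on this page.

Added example, not Esri code. Implements only Allow statements with '*' and
'?' wildcards; Deny, Condition and Principal are out of scope. Function and
bucket names are hypothetical.
"""
import fnmatch

# Action lists copied from the cache-store and Portal content policies.
CACHE_STORE_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
                       "s3:GetBucketAcl", "s3:GetObjectVersion"]
PORTAL_CONTENT_ACTIONS = ["s3:Get*", "s3:PutObject", "s3:ListBucket",
                          "s3:CreateBucket", "s3:DeleteObject"]

# Actions evaluated against the bucket ARN, not an object ARN.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketacl",
                        "s3:createbucket", "s3:deletebucket"}


def bucket_scoped_policy(bucket, actions, sid="BucketAccess"):
    """Build the two-ARN policy shape used throughout this page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def unreachable_bucket_actions(policy):
    """Bucket-level actions granted only against object ARNs (".../*").

    Such grants never match a real request: s3:ListBucket is evaluated
    against arn:aws:s3:::bucket, which arn:aws:s3:::bucket/* does not cover.
    """
    unreachable = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        # A bucket ARN has nothing after the bucket name; "*" also qualifies.
        has_bucket_arn = any("/" not in r.split(":::", 1)[-1] for r in resources)
        if has_bucket_arn:
            continue
        for action in _as_list(stmt["Action"]):
            if action.lower() in BUCKET_LEVEL_ACTIONS:
                unreachable.append(action)
    return unreachable


if __name__ == "__main__":
    policy = bucket_scoped_policy("example-tile-cache", CACHE_STORE_ACTIONS)
    tile = "arn:aws:s3:::example-tile-cache/Layers/_alllayers/L00/R0/C0.png"
    print(is_allowed(policy, "s3:GetObject", tile))                        # True
    print(is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::example-tile-cache"))  # True
    print(is_allowed(policy, "s3:DeleteObject", tile))                     # False
    print(is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))  # False
    # The same policy with only the object ARN: object reads still work,
    # but listing the bucket can never succeed.
    broken = bucket_scoped_policy("example-tile-cache", CACHE_STORE_ACTIONS)
    broken["Statement"][0]["Resource"] = "arn:aws:s3:::example-tile-cache/*"
    print(unreachable_bucket_actions(broken))  # ['s3:ListBucket', 's3:GetBucketAcl']
```

The check mirrors what the AWS policy simulator would tell you, without needing an account: the cache-store policy permits reads, writes and listing on the named bucket and nothing else, it denies s3:DeleteObject because that action is absent, and it grants nothing on any other bucket. For the Portal content policy, s3:Get* is what makes s3:GetBucketAcl and s3:GetObjectVersion succeed even though neither is listed by name.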