Amazon Identity and Access Management (IAM) controls access to Amazon Web Services (AWS) resources. The following sample JSON snippets show the IAM policies required to access specific resources used by ArcGIS Enterprise.
Run ArcGIS Enterprise Cloud Builder for AWS
If you run the ArcGIS Enterprise Cloud Builder for AWS app or the ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services to create a deployment, create an IAM policy as described below and attach it to an IAM user. You will sign in to Cloud Builder with this user's credentials (Access Key ID and Secret Access Key). Be aware that this policy grants every action in the listed services, including `iam:*`, on all resources (`"Resource": "*"`); an identity that can call any IAM action can grant itself any other permission, so this user is effectively an account administrator. Protect it accordingly: enable MFA, keep the access key out of shared configuration and source control, rotate it, deactivate or delete the key once the deployment is complete, and do not reuse this user for day-to-day operation of the deployment.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:*", "events:*", "logs:*", "dynamodb:*", "autoscaling:*", "acm:*", "s3:*", "cloudformation:*", "elasticloadbalancing:*", "iam:*", "cloudwatch:*", "ssm:*", "ssmmessages:*", "lambda:*", "route53:*", "ec2:*", "ec2messages:*", "secretsmanager:*" ], "Effect": "Allow", "Resource": "*" } ] }
CloudFormation templates from Esri
When you run the AWS CloudFormation templates provided by Esri, they create an IAM role and attach a policy to it for you. The policy is described below; the account ID and role name in the `iam:PassRole` statement (`0123456789` and `XXXXXXXX`) are placeholders that stand in for the generated role's ARN. Several statements apply to all resources in the account (`"Resource": "*"`), including `dynamodb:*`, `secretsmanager:GetSecretValue`, `ssm:SendCommand`, and S3 bucket and object creation and deletion, so the role's reach extends beyond the deployment's own resources; review these grants against your organization's requirements and, where your environment allows, restrict them to the deployment's buckets, tables, secrets, and instances after the stack is created. Note also that `sqs:ChangelMessageVisibility` as spelled in the listing is not a valid SQS action; the action is `sqs:ChangeMessageVisibility`.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribeLifecycleHookTypes", "autoscaling:DescribeLoadBalancers", "autoscaling:DescribeTags", "autoscaling:AttachInstances", "autoscaling:AttachLoadBalancers", "autoscaling:AttachLoadBalancerTargetGroups", "autoscaling:CompleteLifecycleAction", "autoscaling:DeleteLifecycleHook", "autoscaling:DetachInstances", "autoscaling:DetachLoadBalancers", "autoscaling:DetachLoadBalancerTargetGroups", "autoscaling:PutLifecycleHook", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResources", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": "dynamodb:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeAddresses", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyInstanceMetadataOptions", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:StartInstances", "ec2:StopInstances" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:SendReply" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateRule", 
"elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteLoadBalancerPolicy", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyRule", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "elasticloadbalancing:SetRulePriorities" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "events:DescribeRule", "events:PutRule", "events:DeleteRule", "events:DisableRule", "events:EnableRule", "events:PutEvents", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*", "Effect": "Allow" }, { "Action": "iam:PassRole", "Resource": "arn:aws:iam::0123456789:role/XXXXXXXX", "Effect": "Allow" }, { "Action": [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListMultipartUploadParts", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetObject", "s3:GetLifecycleConfiguration", "s3:DeleteObjectTagging", "s3:PutBucketTagging", "s3:PutObjectTagging", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:PutObject", "s3:PutLifecycleConfiguration" ], "Resource": "*", "Effect": "Allow" }, { "Action": "secretsmanager:GetSecretValue", 
"Resource": "*", "Effect": "Allow" }, { "Action": [ "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues", "sqs:ListMessageMoveTasks", "sqs:ListQueues", "sqs:ListQueueTags", "sqs:ReceiveMessage", "sqs:CancelMessageMoveTask", "sqs:ChangelMessageVisibility", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:SendMessage", "sqs:SetQueueAttributes", "sqs:StartMessageMoveTask", "sqs:TagQueue", "sqs:UntagQueue" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ssm:ListAssociations", "ssm:DescribeAssociation", "ssm:DescribeDocument", "ssm:DescribeInstanceInformation", "ssm:GetDeployablePatchSnapshotForInstance", "ssm:GetDocument", "ssm:GetManifest", "ssm:GetParameter", "ssm:GetParameters", "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:ListInstanceAssociations", "ssm:PutConfigurePackageResult", "ssm:DeleteAssociation", "ssm:PutComplianceItems", "ssm:PutInventory", "ssm:SendCommand", "ssm:StartAutomationExecution", "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*", "Effect": "Allow" } ] }
Store the Portal for ArcGIS content directory in an S3 bucket
To store the Portal for ArcGIS content directory in an Amazon Simple Storage Service (S3) bucket, you need an IAM user or role with the following IAM policy. Prefer a role with temporary credentials (for example, an instance profile attached to the Portal for ArcGIS machine) over an IAM user with long-term access keys where your deployment supports it. The policy is scoped to the single content bucket, which is the intended least-privilege shape; do not widen the `Resource` entries to `*`.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:Get*", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<portal-content-bucket-name>/*", "arn:aws:s3:::<portal-content-bucket-name>" ] } ] }
Replace the values inside angle brackets (<>) with values specific to your deployment. The `Sid` is an optional statement identifier; in an IAM policy it must be unique within the policy and may contain only letters and digits (no hyphens or spaces), so the literal `<statement-id>` placeholder is not a valid value.
2012-10-17 is the version of the IAM policy language used by the policy shown here; it is a fixed language version, not a date to update. Keep it as shown. The only other accepted value is 2008-10-17, which lacks newer policy features such as policy variables.
Store the ArcGIS Server configuration store directory in S3 and DynamoDB
To store your ArcGIS Server configuration store directory using AWS storage services, you need an IAM user or role with the following IAM policy. The S3 statement is scoped to buckets whose names begin with `arcgis-config-store-`, and the DynamoDB statement to tables named `ArcGISConfigStores` and `ArcGISConfigStore.*`; the `*:*` in the DynamoDB ARNs stands for any Region and any account, so replace them with your Region and account ID if your environment requires tighter scoping. Both statements include destructive actions (`s3:DeleteBucket`, `s3:DeleteObject`, `dynamodb:DeleteTable`), so grant this policy only to the identity used by the ArcGIS Server machines.
{ "Version":"2012-10-17", "Statement":[ { "Sid":"<statement-id1>", "Action":[ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject", "s3:DeleteObjectTagging", "s3:PutBucketTagging", "s3:PutObjectTagging", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:PutObject" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::arcgis-config-store-*", "arn:aws:s3:::arcgis-config-store-*/*" ] }, { "Sid":"<statement-id2>", "Action":[ "dynamodb:UntagResource", "dynamodb:PutItem", "dynamodb:ListTables", "dynamodb:DeleteItem", "dynamodb:Scan", "dynamodb:ListTagsOfResource", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:DeleteTable", "dynamodb:CreateTable", "dynamodb:TagResource", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:UpdateTable", "dynamodb:GetRecords" ], "Effect":"Allow", "Resource":[ "arn:aws:dynamodb:*:*:table/ArcGISConfigStores", "arn:aws:dynamodb:*:*:table/ArcGISConfigStore.*" ] } ] }
Replace the values inside angle brackets (<>) with values specific to your deployment. The `Sid` values are optional statement identifiers; in an IAM policy each must be unique within the policy and may contain only letters and digits (no hyphens or spaces), so the literal `<statement-id1>` and `<statement-id2>` placeholders are not valid values.
2012-10-17 is the version of the IAM policy language used by the policy shown here; it is a fixed language version, not a date to update. Keep it as shown. The only other accepted value is 2008-10-17, which lacks newer policy features such as policy variables.
Use an S3 bucket as the object store
To register an S3 bucket as an ArcGIS Enterprise deployment's system object store, your IAM user or role requires the following IAM policy, at minimum. The S3 statement is scoped to the object store bucket, but the SQS statement applies to every queue in the account (`"Resource": "*"`); if your environment requires it, restrict that statement to the queues the deployment uses. Note that `sqs:ChangelMessageVisibility` as spelled in the listing is not a valid SQS action; use `sqs:ChangeMessageVisibility` when you create the policy, otherwise the policy will either fail validation or silently omit that permission.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject", "S3:GetLifecycleConfiguration", "s3:DeleteObjectTagging", "s3:PutBucketTagging", "s3:PutObjectTagging", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:PutObject", "S3:PutLifecycleConfiguration" ], "Resource": [ "arn:aws:s3:::<object-bucket-name>/*", "arn:aws:s3:::<object-bucket-name>" ] }, { "Action": [ "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues", "sqs:ListMessageMoveTasks", "sqs:ListQueues", "sqs:ListQueueTags", "sqs:ReceiveMessage", "sqs:CancelMessageMoveTask", "sqs:ChangelMessageVisibility", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:SendMessage", "sqs:SetQueueAttributes", "sqs:StartMessageMoveTask", "sqs:TagQueue", "sqs:UntagQueue" ], "Resource": "*", "Effect": "Allow" } ] }
Replace the values inside angle brackets (<>) with values specific to your deployment. The `Sid` is an optional statement identifier; in an IAM policy it must be unique within the policy and may contain only letters and digits (no hyphens or spaces), so the literal `<statement-id>` placeholder is not a valid value.
2012-10-17 is the version of the IAM policy language used by the policy shown here; it is a fixed language version, not a date to update. Keep it as shown. The only other accepted value is 2008-10-17, which lacks newer policy features such as policy variables.
Store caches in an S3 bucket
To register an S3 bucket as a cloud store for storing and accessing map and image caches, your IAM user or role requires the following IAM policy, at minimum:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetObjectVersion", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<cache-bucket-name>/*", "arn:aws:s3:::<cache-bucket-name>" ] } ] }
Replace the values inside angle brackets (<>) with values specific to your deployment. The `Sid` is an optional statement identifier; in an IAM policy it must be unique within the policy and may contain only letters and digits (no hyphens or spaces), so the literal `<statement-id>` placeholder is not a valid value.
2012-10-17 is the version of the IAM policy language used by the policy shown here; it is a fixed language version, not a date to update. Keep it as shown. The only other accepted value is 2008-10-17, which lacks newer policy features such as policy variables.
Use an S3 bucket as a raster store
To register an S3 bucket as a raster store, your IAM user or role requires the following IAM policy, at minimum:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::<raster-store-bucket-name>/*", "arn:aws:s3:::<raster-store-bucket-name>" ] } ] }
Replace the values inside angle brackets (<>) with values specific to your deployment. The `Sid` is an optional statement identifier; in an IAM policy it must be unique within the policy and may contain only letters and digits (no hyphens or spaces), so the literal `<statement-id>` placeholder is not a valid value.
2012-10-17 is the version of the IAM policy language used by the policy shown here; it is a fixed language version, not a date to update. Keep it as shown. The only other accepted value is 2008-10-17, which lacks newer policy features such as policy variables.
Use an S3 bucket for backups generated from the webgisdr utility
If you use the webgisdr utility installed with Portal for ArcGIS to create backups in an S3 bucket on AWS, your IAM user or role requires a policy to create the backup files and a policy to restore your deployment from those backup files. Where possible, attach the two policies to separate identities so that the credentials used for routine backups cannot also be used to restore over a running deployment. Both policies include `s3:DeleteObject` on the backup buckets, so an identity that is compromised or misused can remove backups; consider enabling S3 Versioning or Object Lock on the backup buckets so that deletions are recoverable.
The following are the minimum policy settings required to use the webgisdr utility to create a backup in an S3 bucket:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::<webgisdr-bucket-name>", "arn:aws:s3:::<portal-content-backup-bucket-name>", "arn:aws:s3:::<webgisdr-bucket-name>/*", "arn:aws:s3:::<portal-content-backup-bucket-name>/*" ] } ] }
The following are the minimum policy settings required to use the webgisdr utility to restore a deployment from backup files stored in an S3 bucket:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<webgisdr-bucket-name>", "arn:aws:s3:::<portal-content-backup-bucket-name>", "arn:aws:s3:::<webgisdr-bucket-name>/*", "arn:aws:s3:::<portal-content-backup-bucket-name>/*" ] } ] }
Replace the values inside angle brackets (<>) with values specific to your deployment. The `Sid` is an optional statement identifier; in an IAM policy it must be unique within the policy and may contain only letters and digits (no hyphens or spaces), so the literal `<statement-id>` placeholder is not a valid value.
2012-10-17 is the version of the IAM policy language used by the policies shown here; it is a fixed language version, not a date to update. Keep it as shown. The only other accepted value is 2008-10-17, which lacks newer policy features such as policy variables.