Amazon Identity and Access Management (IAM) controls access to Amazon Web Services (AWS) resources.
The following JSON snippets show the IAM policies that ArcGIS Enterprise Cloud Builder for AWS and the CloudFormation templates that Esri provides will create and set to access specific resources used by ArcGIS Enterprise.
Tip:
For information about policies you must set if you do not use ArcGIS Enterprise for Amazon Web Services deployment tools to create the deployment, see Set IAM role policies using AWS tools.
ArcGIS Enterprise Cloud Builder for AWS
If you run the ArcGIS Enterprise Cloud Builder for AWS app or ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services to create a deployment, it creates an IAM policy as shown below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"events:*",
"logs:*",
"dynamodb:*",
"autoscaling:*",
"acm:*",
"s3:*",
"cloudformation:*",
"elasticloadbalancing:*",
"iam:*",
"cloudwatch:*",
"ssm:*",
"ssmmessages:*",
"lambda:*",
"route53:*",
"ec2:*",
"ec2messages:*",
"secretsmanager:*",
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}CloudFormation templates from Esri
When you run the AWS CloudFormation templates provided by Esri, they create an IAM role and policy for you. The policy is described below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribeLifecycleHookTypes",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeTags",
"autoscaling:AttachInstances",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DetachInstances",
"autoscaling:DetachLoadBalancers",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:PutLifecycleHook",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "dynamodb:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyInstanceMetadataOptions",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:SendReply"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancerPolicy",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetRulePriorities"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:DescribeRule",
"events:PutRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutEvents",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
"Effect": "Allow"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetLifecycleConfiguration",
"s3:DeleteObjectTagging",
"s3:PutBucketTagging",
"s3:PutObjectTagging",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutLifecycleConfiguration"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListMessageMoveTasks",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:CancelMessageMoveTask",
"sqs:ChangeMessageVisibility",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:PurgeQueue",
"sqs:SendMessage",
"sqs:SetQueueAttributes",
"sqs:StartMessageMoveTask",
"sqs:TagQueue",
"sqs:UntagQueue"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:ListAssociations",
"ssm:DescribeAssociation",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:ListCommandInvocations",
"ssm:ListInstanceAssociations",
"ssm:PutConfigurePackageResult",
"ssm:DeleteAssociation",
"ssm:PutComplianceItems",
"ssm:PutInventory",
"ssm:SendCommand",
"ssm:StartAutomationExecution",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*",
"Effect": "Allow"
}
]
}