Skip To Content

IAM policies for ArcGIS Enterprise on Amazon Web Services

Amazon Identity and Access Management (IAM) controls access to Amazon Web Services (AWS) resources. The following sample JSON snippets show the IAM policies required to access specific resources used by ArcGIS Enterprise.

Run ArcGIS Enterprise Cloud Builder for AWS

If you run the ArcGIS Enterprise Cloud Builder for AWS app or ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services to create a deployment, create an IAM policy as described below and assign it to an IAM user. You will use this user's credentials, such as Access Key ID and Secret Access Key, to sign in to Cloud Builder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            
            "Action": [
                "rds:*",
                "events:*",
                "logs:*",
                "dynamodb:*",
                "autoscaling:*",
                "acm:*",
                "s3:*",
                "cloudformation:*",
                "elasticloadbalancing:*",
                "iam:*",
                "cloudwatch:*",
                "ssm:*",
                "ssmmessages:*",
                "lambda:*",
                "route53:*",
                "ec2:*",
		   "ec2messages:*",
                "secretsmanager:*"
            ],
	      "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

CloudFormation templates from Esri

When you run the AWS CloudFormation templates provided by Esri, they create an IAM role and policy for you. The policy is described below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:DescribeLifecycleHookTypes",
                "autoscaling:DescribeLoadBalancers",
                "autoscaling:DescribeTags",
                "autoscaling:AttachInstances",
                "autoscaling:AttachLoadBalancers",
                "autoscaling:AttachLoadBalancerTargetGroups",
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DetachInstances",
                "autoscaling:DetachLoadBalancers",
                "autoscaling:DetachLoadBalancerTargetGroups",
                "autoscaling:PutLifecycleHook",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "dynamodb:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyInstanceMetadataOptions",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:SendReply"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DeleteLoadBalancerPolicy",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:SetRulePriorities"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "events:DescribeRule",
                "events:PutRule",
                "events:DeleteRule",
                "events:DisableRule",
                "events:EnableRule",
                "events:PutEvents",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetObject",
                "s3:GetLifecycleConfiguration",
                "s3:DeleteObjectTagging",
                "s3:PutBucketTagging",
                "s3:PutObjectTagging",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ListMessageMoveTasks",
                "sqs:ListQueues",
                "sqs:ListQueueTags",
                "sqs:ReceiveMessage",
                "sqs:CancelMessageMoveTask",
                "sqs:ChangelMessageVisibility",
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:DeleteQueue",
                "sqs:PurgeQueue",
                "sqs:SendMessage",
                "sqs:SetQueueAttributes",
                "sqs:StartMessageMoveTask",
                "sqs:TagQueue",
                "sqs:UntagQueue"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:ListAssociations",
                "ssm:DescribeAssociation",
                "ssm:DescribeDocument",
                "ssm:DescribeInstanceInformation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations",
                "ssm:ListInstanceAssociations",
                "ssm:PutConfigurePackageResult",
                "ssm:DeleteAssociation",
                "ssm:PutComplianceItems",
                "ssm:PutInventory",
                "ssm:SendCommand",
                "ssm:StartAutomationExecution",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Store the Portal for ArcGIS content directory in an S3 bucket

To store the Portal for ArcGIS content directory in an Amazon Simple Storage Service (S3) bucket, you need an IAM user or role with the following IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<portal-content-bucket-name>/*",
                "arn:aws:s3:::<portal-content-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Store the ArcGIS Server configuration store directory in S3 and DynamoDB

To store your ArcGIS Server configuration store directory using AWS storage services, you need an IAM user or role with the following IAM policy:

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"<statement-id1>",
         "Action":[  
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetObject",
            "s3:DeleteObjectTagging",
            "s3:PutBucketTagging",
            "s3:PutObjectTagging",
            "s3:CreateBucket",
            "s3:DeleteBucket",
            "s3:DeleteObject",
            "s3:PutObject"
         ],
         "Effect":"Allow",
         "Resource":[  
            "arn:aws:s3:::arcgis-config-store-*",
            "arn:aws:s3:::arcgis-config-store-*/*"
         ]
      },
      {  
         "Sid":"<statement-id2>",
         "Action":[  
            "dynamodb:UntagResource",
            "dynamodb:PutItem",
            "dynamodb:ListTables",
            "dynamodb:DeleteItem",
            "dynamodb:Scan",
            "dynamodb:ListTagsOfResource",
            "dynamodb:Query",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteTable",
            "dynamodb:CreateTable",
            "dynamodb:TagResource",
            "dynamodb:DescribeTable",
            "dynamodb:GetItem",
            "dynamodb:UpdateTable",
            "dynamodb:GetRecords"
         ],
         "Effect":"Allow",
         "Resource":[  
            "arn:aws:dynamodb:*:*:table/ArcGISConfigStores",
            "arn:aws:dynamodb:*:*:table/ArcGISConfigStore.*"
         ]
      }
   ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Use an S3 bucket as the object store

To register an S3 bucket as an ArcGIS Enterprise deployment's system object store, your IAM user or role requires the following IAM policy, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListMultipartUploadParts",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetObject",
                "S3:GetLifecycleConfiguration",
                "s3:DeleteObjectTagging",
                "s3:PutBucketTagging",
                "s3:PutObjectTagging",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:PutObject",
                "S3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::<object-bucket-name>/*",
                "arn:aws:s3:::<object-bucket-name>"
            ]
        },
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ListMessageMoveTasks",
                "sqs:ListQueues",
                "sqs:ListQueueTags",
                "sqs:ReceiveMessage",
                "sqs:CancelMessageMoveTask",
                "sqs:ChangelMessageVisibility",
                "sqs:CreateQueue",
                "sqs:DeleteMessage",
                "sqs:DeleteQueue",
                "sqs:PurgeQueue",
                "sqs:SendMessage",
                "sqs:SetQueueAttributes",
                "sqs:StartMessageMoveTask",
                "sqs:TagQueue",
                "sqs:UntagQueue"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Store caches in an S3 bucket

To register an S3 bucket as a cloud store for storing and accessing map and image caches, your IAM user or role requires the following IAM policy, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetObjectVersion",
																"s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<cache-bucket-name>/*",
                "arn:aws:s3:::<cache-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Use an S3 bucket as a raster store

To register an S3 bucket as a raster store, your IAM user or role requires the following IAM policy, at minimum:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<raster-store-bucket-name>/*",
                "arn:aws:s3:::<raster-store-bucket-name>"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.

Use an S3 bucket for backups generated from the webgisdr utility

If you use the webgisdr utility installed with Portal for ArcGIS to create backups in an S3 bucket on AWS, your IAM user or role requires policies to create the backup files and policies to restore your deployment from those backup files.

The following are the minimum policy settings required to use the webgisdr utility to create a backup in an S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<webgisdr-bucket-name>",
                "arn:aws:s3:::<portal-content-backup-bucket-name>",
                "arn:aws:s3:::<webgisdr-bucket-name>/*",
                "arn:aws:s3:::<portal-content-backup-bucket-name>/*"
            ]
        }
    ]
}

The following are the minimum policy settings required to use the webgisdr utility to restore a deployment from backup files stored in an S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<webgisdr-bucket-name>",
                "arn:aws:s3:::<portal-content-backup-bucket-name>",
                "arn:aws:s3:::<webgisdr-bucket-name>/*",
                "arn:aws:s3:::<portal-content-backup-bucket-name>/*"
            ]
        }
    ]
}

Replace the values inside angle brackets (<>) with values specific to your deployment.

2012-10-17 is the version of the policy document format shown here. If you change this version date, the document format may need to change.