If you use Amazon Identity and Access Management (IAM) authentication to access the AWS resources used by an ArcGIS Enterprise deployment that you configured without the ArcGIS Enterprise for Amazon Web Services deployment tools, you must create the IAM roles and policies yourself using AWS tools.
Sample JSON snippets for IAM policies are provided below. The samples use the 2012-10-17 version of the policy document. If you use a different version, the document format may need to change.
Replace the values inside angle brackets (<>) with values specific to your deployment.
Store the Portal for ArcGIS content directory in an S3 bucket
To store the Portal for ArcGIS content directory in an Amazon Simple Storage Service (S3) bucket, you need an IAM user or role with the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<portal-content-bucket-name>/*",
        "arn:aws:s3:::<portal-content-bucket-name>"
      ]
    }
  ]
}

Store the ArcGIS Server configuration store and shared server directories in S3, DynamoDB, and SQS
To store your ArcGIS Server configuration store and shared services directories using AWS services, you need an IAM user or role with the following IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id1>",
      "Action": [
        "s3:ListBucket",
        "s3:ListMultipartUploadParts",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetObject",
        "s3:GetLifecycleConfiguration",
        "s3:DeleteObjectTagging",
        "s3:PutBucketTagging",
        "s3:PutObjectTagging",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:PutLifecycleConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::arcgis-config-store-*",
        "arn:aws:s3:::arcgis-config-store-*/*"
      ]
    },
    {
      "Sid": "<statement-id2>",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:GetRecords",
        "dynamodb:Query",
        "dynamodb:CreateTable",
        "dynamodb:DeleteItem",
        "dynamodb:DeleteTable",
        "dynamodb:ListTables",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "dynamodb:UpdateItem",
        "dynamodb:UpdateTable",
        "dynamodb:TagResource",
        "dynamodb:UntagResource"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:*:*:table/*"
      ]
    },
    {
      "Sid": "<statement-id3>",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:ListMessageMoveTasks",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "sqs:ReceiveMessage",
        "sqs:CancelMessageMoveTask",
        "sqs:ChangeMessageVisibility",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:PurgeQueue",
        "sqs:SendMessage",
        "sqs:SetQueueAttributes",
        "sqs:StartMessageMoveTask",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sqs:*:*:ArcGIS-GP*"
      ]
    }
  ]
}

Use an S3 bucket as the object store
To register an S3 bucket as an ArcGIS Enterprise deployment's system object store, your IAM user or role requires the following IAM policy, at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListMultipartUploadParts",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetObject",
        "s3:GetLifecycleConfiguration",
        "s3:DeleteObjectTagging",
        "s3:PutBucketTagging",
        "s3:PutObjectTagging",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::<object-bucket-name>/*",
        "arn:aws:s3:::<object-bucket-name>"
      ]
    }
  ]
}

Store caches in an S3 bucket
To register an S3 bucket as a cloud store for storing and accessing map and image caches, your IAM user or role requires the following IAM policy, at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetObjectVersion",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<cache-bucket-name>/*",
        "arn:aws:s3:::<cache-bucket-name>"
      ]
    }
  ]
}

Use an S3 bucket as a raster store
To register an S3 bucket as a raster store, your IAM user or role requires the following IAM policy, at minimum:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::<raster-store-bucket-name>/*",
        "arn:aws:s3:::<raster-store-bucket-name>"
      ]
    }
  ]
}

Use an S3 bucket for backups generated from the webgisdr utility
If you use the webgisdr utility installed with Portal for ArcGIS to create backups in an S3 bucket on AWS, your IAM user or role requires policies to create the backup files and policies to restore your deployment from those backup files.
The following are the minimum policy settings required to use the webgisdr utility to create a backup in an S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<webgisdr-bucket-name>",
        "arn:aws:s3:::<portal-content-backup-bucket-name>",
        "arn:aws:s3:::<webgisdr-bucket-name>/*",
        "arn:aws:s3:::<portal-content-backup-bucket-name>/*"
      ]
    }
  ]
}

The following are the minimum policy settings required to use the webgisdr utility to restore a deployment from backup files stored in an S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<statement-id>",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<webgisdr-bucket-name>",
        "arn:aws:s3:::<portal-content-backup-bucket-name>",
        "arn:aws:s3:::<webgisdr-bucket-name>/*",
        "arn:aws:s3:::<portal-content-backup-bucket-name>/*"
      ]
    }
  ]
}
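As an added check that is not part of this page or of Esri's tooling, the following Python linter (helper names lint_policy and as_list are assumed; the sample policy is constructed) flags the mistakes most likely to creep into hand-edited copies of the policies above: duplicate Sid values, wildcard actions such as s3:Get*, a Resource of "*", account wildcards on DynamoDB and SQS ARNs, and resource ARNs whose service prefix is not one this page uses.

```python
import json
import re

# Constructed sample, not from the page: a configuration-store policy with the
# slips that creep in when the snippets above are hand-edited (see findings).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ConfigStore", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::arcgis-config-store-*"]},
    {"Sid": "ConfigStore", "Effect": "Allow",
     "Action": ["dynamodb:PutItem"],
     "Resource": ["arn:aws:dynamodb:*:*:table/*"]},
    {"Sid": "Queues", "Effect": "Allow",
     "Action": ["sqs:SendMessage"],
     "Resource": ["arn:aws:sql:*:*:SQS/ArcGIS-GP*"]}
  ]
}
""")

# arn:aws:service:region:account:resource; region/account are empty for S3, often "*" elsewhere.
ARN_RE = re.compile(r"^arn:aws:([a-z0-9-]+):([a-z0-9-]+|\*)?:([0-9]{12}|\*)?:(.+)$")
KNOWN_SERVICES = {"s3", "dynamodb", "sqs"}  # the services this page's policies use

def as_list(value):  # IAM accepts a single string or a list for Action/Resource
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy):
    """Return (code, sid, detail) findings for least-privilege problems."""
    findings, seen_sids = [], set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no-sid>")
        if sid in seen_sids:  # IAM requires unique Sids within one policy
            findings.append(("duplicate-sid", sid, sid))
        seen_sids.add(sid)
        for action in as_list(stmt.get("Action")):
            if "*" in action.partition(":")[2]:  # e.g. s3:Get*
                findings.append(("wildcard-action", sid, action))
        for arn in as_list(stmt.get("Resource")):
            if arn == "*":
                findings.append(("wildcard-resource", sid, arn))
                continue
            m = ARN_RE.match(arn)
            if not m or m.group(1) not in KNOWN_SERVICES:  # typo such as arn:aws:sql
                findings.append(("bad-arn", sid, arn))
            elif m.group(1) != "s3" and (m.group(3) or "*") == "*":
                findings.append(("account-wildcard", sid, arn))  # pin to your account ID
    return findings
```

Run it over each policy document before attaching it to a role; a clean run is no substitute for testing the role against the deployment, but it catches the copy-and-paste errors that IAM itself accepts silently.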