Amazon Identity and Access Management (IAM) controla el acceso a los recursos de Amazon Web Services (AWS).
Los siguientes fragmentos JSON muestran las políticas de IAM que ArcGIS Enterprise Cloud Builder for AWS y las plantillas de CloudFormation que proporciona Esri crearán y configurarán para acceder a recursos específicos utilizados por ArcGIS Enterprise.
Sugerencia:
Para obtener información sobre las políticas que debe establecer si no utiliza las herramientas de implementación de ArcGIS Enterprise para Amazon Web Services con el fin de crear la implementación, consulte Definir políticas de roles de IAM con herramientas de AWS.
ArcGIS Enterprise Cloud Builder for AWS
Si ejecuta la aplicación ArcGIS Enterprise Cloud Builder for AWS o la Interfaz de línea de comandos de ArcGIS Enterprise Cloud Builder para Amazon Web Services para crear una implementación, cree una política de IAM tal y como se describe a continuación. Tenga en cuenta que esta política concede todas las acciones (`*`) de los servicios enumerados, incluido `iam:*`, sobre todos los recursos (`"Resource": "*"`); por tanto, solo debe asociarse a la identidad que ejecuta la herramienta de implementación.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"events:*",
"logs:*",
"dynamodb:*",
"autoscaling:*",
"acm:*",
"s3:*",
"cloudformation:*",
"elasticloadbalancing:*",
"iam:*",
"cloudwatch:*",
"ssm:*",
"ssmmessages:*",
"lambda:*",
"route53:*",
"ec2:*",
"ec2messages:*",
"secretsmanager:*",
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Plantillas de CloudFormation de Esri
Cuando ejecuta las plantillas de AWS CloudFormation proporcionadas por Esri, estas crean un rol y una política de IAM para usted. La política se describe a continuación. En la instrucción `iam:PassRole`, el ARN del recurso (`arn:aws:iam::0123456789:role/XXXXXXXX`) parece ser un marcador de posición; compruebe que la política creada haga referencia a la cuenta y al rol reales de su implementación.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribeLifecycleHookTypes",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeTags",
"autoscaling:AttachInstances",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DetachInstances",
"autoscaling:DetachLoadBalancers",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:PutLifecycleHook",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "dynamodb:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyInstanceMetadataOptions",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:SendReply"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancerPolicy",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetRulePriorities"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:DescribeRule",
"events:PutRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutEvents",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
"Effect": "Allow"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetLifecycleConfiguration",
"s3:DeleteObjectTagging",
"s3:PutBucketTagging",
"s3:PutObjectTagging",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutLifecycleConfiguration"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListMessageMoveTasks",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:CancelMessageMoveTask",
"sqs:ChangeMessageVisibility",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:PurgeQueue",
"sqs:SendMessage",
"sqs:SetQueueAttributes",
"sqs:StartMessageMoveTask",
"sqs:TagQueue",
"sqs:UntagQueue"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:ListAssociations",
"ssm:DescribeAssociation",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:ListCommandInvocations",
"ssm:ListInstanceAssociations",
"ssm:PutConfigurePackageResult",
"ssm:DeleteAssociation",
"ssm:PutComplianceItems",
"ssm:PutInventory",
"ssm:SendCommand",
"ssm:StartAutomationExecution",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*",
"Effect": "Allow"
}
]
}