Amazon Identity and Access Management (IAM) contrôle l’accès aux ressources Amazon Web Services (AWS).
Les extraits de code JSON suivants illustrent les stratégies IAM qu’ArcGIS Enterprise Cloud Builder for AWS et les modèles CloudFormation fournis par Esri vont créer et configurer pour accéder aux ressources spécifiques utilisées par ArcGIS Enterprise.
Conseil :
Pour connaître les stratégies à configurer si vous n’utilisez pas les outils de déploiement ArcGIS Enterprise pour Amazon Web Services afin de créer le déploiement, consultez la rubrique traitant de la configuration des stratégies de rôle IAM avec des outils AWS.
ArcGIS Enterprise Cloud Builder for AWS
Si vous exécutez l’application ArcGIS Enterprise Cloud Builder for AWS ou ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services pour créer un déploiement, une stratégie IAM est créée comme décrit ci-dessous. Notez que cette stratégie autorise toutes les actions (« * ») des services listés, y compris « iam:* », sur toutes les ressources (« Resource » : « * ») : elle est donc très étendue et il convient d’en tenir compte lorsque vous l’attribuez à l’identité qui exécute l’outil de déploiement.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"events:*",
"logs:*",
"dynamodb:*",
"autoscaling:*",
"acm:*",
"s3:*",
"cloudformation:*",
"elasticloadbalancing:*",
"iam:*",
"cloudwatch:*",
"ssm:*",
"ssmmessages:*",
"lambda:*",
"route53:*",
"ec2:*",
"ec2messages:*",
"secretsmanager:*",
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Modèles CloudFormation d’Esri
Lorsque vous exécutez les modèles AWS CloudFormation fournis par Esri, ils créent un rôle et une stratégie IAM. Cette stratégie est décrite ci-dessous ; l’ARN de rôle indiqué pour l’action « iam:PassRole » (compte 0123456789, rôle XXXXXXXX) est une valeur d’exemple fictive.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribeLifecycleHookTypes",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeTags",
"autoscaling:AttachInstances",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DetachInstances",
"autoscaling:DetachLoadBalancers",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:PutLifecycleHook",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "dynamodb:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyInstanceMetadataOptions",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:SendReply"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancerPolicy",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetRulePriorities"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:DescribeRule",
"events:PutRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutEvents",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
"Effect": "Allow"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetLifecycleConfiguration",
"s3:DeleteObjectTagging",
"s3:PutBucketTagging",
"s3:PutObjectTagging",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutLifecycleConfiguration"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListMessageMoveTasks",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:CancelMessageMoveTask",
"sqs:ChangeMessageVisibility",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:PurgeQueue",
"sqs:SendMessage",
"sqs:SetQueueAttributes",
"sqs:StartMessageMoveTask",
"sqs:TagQueue",
"sqs:UntagQueue"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:ListAssociations",
"ssm:DescribeAssociation",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:ListCommandInvocations",
"ssm:ListInstanceAssociations",
"ssm:PutConfigurePackageResult",
"ssm:DeleteAssociation",
"ssm:PutComplianceItems",
"ssm:PutInventory",
"ssm:SendCommand",
"ssm:StartAutomationExecution",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*",
"Effect": "Allow"
}
]
}