AWS Identity and Access Management (IAM) は Amazon Web Services (AWS) リソースへのアクセスを制御します。
次の JSON スニペットは、ArcGIS Enterprise で使用される特定のリソースへアクセスするために、Esri が提供する ArcGIS Enterprise Cloud Builder for AWS テンプレートと CloudFormation テンプレートが作成し、設定する IAM ポリシーを示しています。
ヒント:
ArcGIS Enterprise を使用せずに Amazon Web Services デプロイメント ツールでデプロイメントを作成する場合に、設定の必要があるポリシーについては、「AWS ツールを使用した IAM ロール ポリシーの設定」をご参照ください。
ArcGIS Enterprise Cloud Builder for AWS
ArcGIS Enterprise Cloud Builder for AWS アプリまたは ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services を実行してデプロイメントを作成すると、以下に示すように IAM ポリシーが作成されます。 注意: このポリシーは列挙された各サービスに対してすべてのアクション (`*`) をすべてのリソース (`"Resource": "*"`) で許可しており、特に `iam:*` を含むため、実質的にアカウント全体の管理者権限に相当します (`iam:*` を持つプリンシパルは任意のロールやポリシーを作成・変更できるため)。 Cloud Builder の実行専用の IAM ユーザーまたはロールにのみ付与し、長期的に使用するユーザーには付与しないでください。また、デプロイメント完了後はその認証情報の削除または権限の縮小を検討してください:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"events:*",
"logs:*",
"dynamodb:*",
"autoscaling:*",
"acm:*",
"s3:*",
"cloudformation:*",
"elasticloadbalancing:*",
"iam:*",
"cloudwatch:*",
"ssm:*",
"ssmmessages:*",
"lambda:*",
"route53:*",
"ec2:*",
"ec2messages:*",
"secretsmanager:*",
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Esri の CloudFormation テンプレート
Esri が提供する AWS CloudFormation テンプレートを実行すると、IAM ロールとポリシーが作成されます。 以下に、ポリシーについて説明します。 このポリシーは前述の Cloud Builder ポリシーよりアクション単位で絞り込まれていますが、`Resource` は `iam:PassRole` を除きすべて `*` のままです。次の許可には特に注意してください: `dynamodb:*` (すべてのテーブルへのフル アクセス)、`secretsmanager:GetSecretValue` (アカウント内のすべてのシークレット値の読み取り)、`s3:DeleteBucket` および `s3:DeleteObject` (任意のバケット/オブジェクトの削除)、`ssm:SendCommand` および `ssm:StartAutomationExecution` (SSM 管理下の任意のインスタンスでのコマンド実行)、`ec2:ModifyInstanceMetadataOptions`。`iam:PassRole` のみ特定のロール ARN に制限されており、`arn:aws:iam::0123456789:role/XXXXXXXX` はプレースホルダーです (実際の AWS アカウント ID は 12 桁であり、デプロイメント時に実際のアカウント ID とロール名に置き換えられるものと考えられます)。 `ec2messages`、`ssmmessages`、`ssm:UpdateInstanceInformation` などのアクションから、このロールは EC2 インスタンス プロファイルとして使用されると推測されます。その場合、インスタンスの侵害がこれらの権限の侵害に直結するため、可能であれば `Resource` を特定のテーブル、バケット、シークレットの ARN に絞り込むか、条件キーで範囲を限定することを推奨します。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribeLifecycleHookTypes",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeTags",
"autoscaling:AttachInstances",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DetachInstances",
"autoscaling:DetachLoadBalancers",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:PutLifecycleHook",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "dynamodb:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyInstanceMetadataOptions",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:SendReply"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancerPolicy",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetRulePriorities"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:DescribeRule",
"events:PutRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutEvents",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
"Effect": "Allow"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetLifecycleConfiguration",
"s3:DeleteObjectTagging",
"s3:PutBucketTagging",
"s3:PutObjectTagging",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutLifecycleConfiguration"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListMessageMoveTasks",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:CancelMessageMoveTask",
"sqs:ChangeMessageVisibility",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:PurgeQueue",
"sqs:SendMessage",
"sqs:SetQueueAttributes",
"sqs:StartMessageMoveTask",
"sqs:TagQueue",
"sqs:UntagQueue"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:ListAssociations",
"ssm:DescribeAssociation",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:ListCommandInvocations",
"ssm:ListInstanceAssociations",
"ssm:PutConfigurePackageResult",
"ssm:DeleteAssociation",
"ssm:PutComplianceItems",
"ssm:PutInventory",
"ssm:SendCommand",
"ssm:StartAutomationExecution",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*",
"Effect": "Allow"
}
]
}