Управление идентификацией и доступом Amazon (IAM) определяет доступ к ресурсам Amazon Web Services (AWS).
Следующие фрагменты JSON показывают правила IAM, которые ArcGIS Enterprise Cloud Builder for AWS, а также шаблоны CloudFormation, предоставленные Esri, будут создавать и настраивать для доступа к определенным ресурсам, используемым ArcGIS Enterprise.
Подсказка:
Для получения информации о правилах, которые необходимо установить вам, если вы не используете инструменты развертывания ArcGIS Enterprise для Amazon Web Services для создания развертывания, см. раздел Установка прав ролей IAM с помощью инструментов AWS.
ArcGIS Enterprise Cloud Builder for AWS
Если вы запускаете приложение ArcGIS Enterprise Cloud Builder for AWS или Интерфейс командной строки ArcGIS Enterprise Cloud Builder для Amazon Web Services для создания развертывания, оно создает правила IAM, как показано ниже:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"events:*",
"logs:*",
"dynamodb:*",
"autoscaling:*",
"acm:*",
"s3:*",
"cloudformation:*",
"elasticloadbalancing:*",
"iam:*",
"cloudwatch:*",
"ssm:*",
"ssmmessages:*",
"lambda:*",
"route53:*",
"ec2:*",
"ec2messages:*",
"secretsmanager:*",
"sqs:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}Шаблоны CloudFormation из Esri
Когда вы запускаете шаблоны AWS CloudFormation, предоставленные Esri, они создают роль и правила IAM для вас. Правила описаны ниже.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribeLifecycleHookTypes",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeTags",
"autoscaling:AttachInstances",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DetachInstances",
"autoscaling:DetachLoadBalancers",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:PutLifecycleHook",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "dynamodb:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyInstanceMetadataOptions",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:SendReply"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancerPolicy",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetRulePriorities"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:DescribeRule",
"events:PutRule",
"events:DeleteRule",
"events:DisableRule",
"events:EnableRule",
"events:PutEvents",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
"Effect": "Allow"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutMetricFilter"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts",
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:GetObject",
"s3:GetLifecycleConfiguration",
"s3:DeleteObjectTagging",
"s3:PutBucketTagging",
"s3:PutObjectTagging",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutObject",
"s3:PutLifecycleConfiguration"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListMessageMoveTasks",
"sqs:ListQueues",
"sqs:ListQueueTags",
"sqs:ReceiveMessage",
"sqs:CancelMessageMoveTask",
"sqs:ChangeMessageVisibility",
"sqs:CreateQueue",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:PurgeQueue",
"sqs:SendMessage",
"sqs:SetQueueAttributes",
"sqs:StartMessageMoveTask",
"sqs:TagQueue",
"sqs:UntagQueue"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:ListAssociations",
"ssm:DescribeAssociation",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:ListCommandInvocations",
"ssm:ListInstanceAssociations",
"ssm:PutConfigurePackageResult",
"ssm:DeleteAssociation",
"ssm:PutComplianceItems",
"ssm:PutInventory",
"ssm:SendCommand",
"ssm:StartAutomationExecution",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*",
"Effect": "Allow"
}
]
}