Skip To Content

ArcGIS Enterprise on Amazon Web Services 的 IAM 策略

Amazon 身份和访问管理 (IAM) 可控制对 Amazon Web Services (AWS) 资源的访问权限。 以下示例 JSON 片段可显示访问 ArcGIS Enterprise 所使用的特定资源所需的 IAM 策略。

运行 ArcGIS Enterprise Cloud Builder for AWS

如果您运行 ArcGIS Enterprise Cloud Builder for AWS 应用程序或 ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services 来创建部署,请按如下所述创建 IAM 策略并将其分配给 IAM 用户。 您将使用此用户的凭据(例如访问密钥 ID 和保密访问密钥)登录到 Cloud Builder

{
    "Version": "2012-10-17",
    "Statement": [
        {
            
            "Action": [
                "rds:*",
                "events:*",
                "logs:*",
                "dynamodb:*",
                "autoscaling:*",
                "acm:*",
                "s3:*",
                "cloudformation:*",
                "elasticloadbalancing:*",
                "iam:*",
                "cloudwatch:*",
                "ssm:*",
                "ssmmessages:*",
                "lambda:*",
                "route53:*",
                "ec2:*",
		   "ec2messages:*",
                "secretsmanager:*"
            ],
	      "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

来自 EsriCloudFormation 模板

当您运行 Esri 提供的 AWS CloudFormation 模板时,将为您创建 IAM 角色和策略。 以下内容将介绍策略。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:DescribeLifecycleHookTypes",
                "autoscaling:DescribeLoadBalancers",
                "autoscaling:DescribeTags",
                "autoscaling:AttachInstances",
                "autoscaling:AttachLoadBalancers",
                "autoscaling:AttachLoadBalancerTargetGroups",
                "autoscaling:CompleteLifecycleAction",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DetachInstances",
                "autoscaling:DetachLoadBalancers",
                "autoscaling:DetachLoadBalancerTargetGroups",
                "autoscaling:PutLifecycleHook",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "dynamodb:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyInstanceMetadataOptions",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:SendReply"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DeleteLoadBalancerPolicy",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:SetRulePriorities"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "events:DescribeRule",
                "events:PutRule",
                "events:DeleteRule",
                "events:DisableRule",
                "events:EnableRule",
                "events:PutEvents",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::0123456789:role/XXXXXXXX",
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetObject",
                "s3:DeleteObjectTagging",
                "s3:PutBucketTagging",
                "s3:PutObjectTagging",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:ListAssociations",
                "ssm:DescribeAssociation",
                "ssm:DescribeDocument",
                "ssm:DescribeInstanceInformation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations",
                "ssm:ListInstanceAssociations",
                "ssm:PutConfigurePackageResult",
                "ssm:DeleteAssociation",
                "ssm:PutComplianceItems",
                "ssm:PutInventory",
                "ssm:SendCommand",
                "ssm:StartAutomationExecution",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Portal for ArcGIS 内容目录存储在 S3 存储段中

要将 Portal for ArcGIS 内容目录存储在 Amazon Simple Storage Service (S3) 存储段中,您需要一个具有以下 IAM 策略的 IAM 用户或角色:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<portal-content-bucket-name>/*",
                "arn:aws:s3:::<portal-content-bucket-name>"
            ]
        }
    ]
}

将尖括号 (<>) 内的值替换为部署特定值。

2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。

ArcGIS Server 配置存储目录存储在 S3DynamoDB

要使用 AWS 存储服务存储 ArcGIS Server 配置存储目录,您需要一个具有以下 IAM 策略的 IAM 用户或角色:

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Sid":"<statement-id1>",
         "Action":[  
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetObject",
            "s3:DeleteObjectTagging",
            "s3:PutBucketTagging",
            "s3:PutObjectTagging",
            "s3:CreateBucket",
            "s3:DeleteBucket",
            "s3:DeleteObject",
            "s3:PutObject"
         ],
         "Effect":"Allow",
         "Resource":[  
            "arn:aws:s3:::arcgis-config-store-*",
            "arn:aws:s3:::arcgis-config-store-*/*"
         ]
      },
      {  
         "Sid":"<statement-id2>",
         "Action":[  
            "dynamodb:UntagResource",
            "dynamodb:PutItem",
            "dynamodb:ListTables",
            "dynamodb:DeleteItem",
            "dynamodb:Scan",
            "dynamodb:ListTagsOfResource",
            "dynamodb:Query",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteTable",
            "dynamodb:CreateTable",
            "dynamodb:TagResource",
            "dynamodb:DescribeTable",
            "dynamodb:GetItem",
            "dynamodb:UpdateTable",
            "dynamodb:GetRecords"
         ],
         "Effect":"Allow",
         "Resource":[  
            "arn:aws:dynamodb:*:*:table/ArcGISConfigStores",
            "arn:aws:dynamodb:*:*:table/ArcGISConfigStore.*"
         ]
      }
   ]
}

将尖括号 (<>) 内的值替换为部署特定值。

2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。

将缓存存储在 S3 存储段中

要将 S3 存储段注册为云存储以用于存储和访问地图和图像缓存,您的 IAM 用户或角色至少需要具有以下 IAM 策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetObjectVersion",
																"s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<cache-bucket-name>/*",
                "arn:aws:s3:::<cache-bucket-name>"
            ]
        }
    ]
}

将尖括号 (<>) 内的值替换为部署特定值。

2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。

S3 存储段用作大数据文件共享

要将 S3 存储段注册为大数据文件共享,您的 IAM 用户或角色至少需要具有以下 IAM 策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::<bdfs-bucket-name>/*",
                "arn:aws:s3:::<bdfs-bucket-name>"
            ]
        }
    ]
}

将尖括号 (<>) 内的值替换为部署特定值。

2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。

S3 存储段用作栅格存储

要将 S3 存储段注册为栅格存储,您的 IAM 用户或角色至少需要具有以下 IAM 策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<raster-store-bucket-name>/*",
                "arn:aws:s3:::<raster-store-bucket-name>"
            ]
        }
    ]
}

将尖括号 (<>) 内的值替换为部署特定值。

2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。

为 webgisdr 实用程序生成的备份使用 S3 存储段。

如果您使用随 Portal for ArcGIS 安装的 webgisdr 实用程序在 AWS 上的 S3 存储段中创建备份,则您的 IAM 用户或角色需要用于创建备份文件的策略和用于从这些备份文件恢复部署的策略。

以下是使用 webgisdr 实用程序在 S3 存储段中创建备份所需的最低策略设置:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<webgisdr-bucket-name>",
                "arn:aws:s3:::<portal-content-backup-bucket-name>",
                "arn:aws:s3:::<webgisdr-bucket-name>/*",
                "arn:aws:s3:::<portal-content-backup-bucket-name>/*"
            ]
        }
    ]
}

以下是使用 webgisdr 实用程序从存储在 S3 存储段中的备份文件恢复部署所需的最低策略设置:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<statement-id>",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<webgisdr-bucket-name>",
                "arn:aws:s3:::<portal-content-backup-bucket-name>",
                "arn:aws:s3:::<webgisdr-bucket-name>/*",
                "arn:aws:s3:::<portal-content-backup-bucket-name>/*"
            ]
        }
    ]
}

将尖括号 (<>) 内的值替换为部署特定值。

2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。