I am currently working to configure the config store for ArcGIS Enterprise on the AWS cloud. As part of this configuration, S3 buckets and DynamoDB tables will be created and, therefore, an IAM role needs to be created for the same. I am currently trying to create the IAM role which will have full read and write access to create specific S3 buckets and DynamoDB tables. The ESRI consultant has redirected me to the link for the IAM policy which is required to be attached to the IAM role: https://enterprise.arcgis.com/en/server/latest/cloud/amazon/iam-roles.htm#ESRI_SECTION1_15173439923C...
My security team and I have a concern about the * rule on the resource policy which has been defined as part of the documentation. The below-mentioned policy has very wide permissions and can delete and read the contents of non-ArcGIS S3 buckets which have sensitive data.
Can somebody share their insights or their practical implementation experience for the above scenario?
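To make the concern in the question concrete, here is an added example (it is not from this thread, the ArcGIS documentation, or Esri): a small checker that flags IAM statements whose Resource is unbounded, next to a version of the same permissions pinned to a named config-store bucket and a table-name prefix. The action list, bucket and table names, region and account ID are all illustrative placeholders, not the set ArcGIS Enterprise actually requires.

```python
"""Added example (not the thread's or Esri's code): detect unbounded Resource
entries in an IAM policy and build a resource-scoped alternative for an
S3 + DynamoDB configuration store. All names/IDs below are placeholders."""
import json

# Constructed stand-in for a "wide" policy of the kind the question objects to:
# S3 and DynamoDB actions allowed on Resource "*". The actions are illustrative,
# not the list from the ArcGIS documentation.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConfigStoreWide",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket", "s3:ListBucket", "s3:GetObject",
                "s3:PutObject", "s3:DeleteObject",
                "dynamodb:CreateTable", "dynamodb:DescribeTable",
                "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:Scan",
            ],
            "Resource": "*",
        }
    ],
}


def _is_unbounded(resource: str) -> bool:
    """True for resource strings that match every bucket/object or every table."""
    if resource == "*":
        return True
    s3_prefix = "arn:aws:s3:::"
    if resource.startswith(s3_prefix) and resource[len(s3_prefix):] in ("*", "*/*"):
        return True
    if resource.startswith("arn:aws:dynamodb:") and resource.endswith(":table/*"):
        return True
    return False


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def find_unbounded_statements(policy: dict) -> list:
    """Return the Sid (or statement index) of each Allow statement with an unbounded Resource."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_is_unbounded(r) for r in _as_list(stmt.get("Resource", []))):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def scoped_policy(bucket: str, table_prefix: str, region: str, account_id: str) -> dict:
    """Same actions as WILDCARD_POLICY, split by resource type and pinned to named resources."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{table_prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # bucket-level S3 actions are evaluated against the bucket ARN
                "Sid": "ConfigStoreBucket",
                "Effect": "Allow",
                "Action": ["s3:CreateBucket", "s3:ListBucket"],
                "Resource": bucket_arn,
            },
            {   # object-level S3 actions are evaluated against bucket/key, hence "/*"
                "Sid": "ConfigStoreObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {   # DynamoDB table actions (CreateTable included) accept a table ARN;
                # the trailing "*" on the name is a prefix match, not "all tables"
                "Sid": "ConfigStoreTables",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:CreateTable", "dynamodb:DescribeTable",
                    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                    "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:Scan",
                ],
                "Resource": table_arn,
            },
        ],
    }


if __name__ == "__main__":
    print("unbounded statements in wide policy:", find_unbounded_statements(WILDCARD_POLICY))
    # placeholder bucket/prefix/region/account, constructed for this example
    scoped = scoped_policy("example-arcgis-config", "arcgis-", "us-east-1", "123456789012")
    print("unbounded statements in scoped policy:", find_unbounded_statements(scoped))
    print(json.dumps(scoped, indent=2))
```

Run it against a saved policy (`json.load(open("policy.json"))`) to see which statements your security team would flag; the scoped version keeps the same actions but a mistaken `DeleteObject` can only hit the named config-store bucket, which is the property the question is asking for.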
Further down in that document it describes the specific IAM permissions required for Portal for ArcGIS and ArcGIS Server when using S3/DynamoDB; the resource policy you attached is for the deployment IAM user when using the CloudFormation templates or the Cloud Builder application. I've attached the ArcGIS Server subsection as a reference below; hope that helps!
Store the ArcGIS Server configuration store directory in S3 and DynamoDB