ArcGIS Config store configuration S3/DynamoDB

09-06-2021 05:18 PM
AshishAGGupta
New Contributor

Hi Experts,

I am currently working to configure the config store for ArcGIS Enterprise on the AWS cloud. As part of this configuration, S3 buckets and DynamoDB tables will be created, and therefore an IAM role needs to be created for them. I am currently trying to create the IAM role, which will have full read and write access to create specific S3 buckets and DynamoDB tables. The ESRI consultant has redirected me to the link for the IAM policy which is required to be attached to the IAM role: https://enterprise.arcgis.com/en/server/latest/cloud/amazon/iam-roles.htm#ESRI_SECTION1_15173439923C...

My security team and I have a concern about the `*` rule in the resource policy that has been defined as part of the documentation. The policy shown below has very wide permissions and can delete and read the contents of non-ArcGIS S3 buckets which hold sensitive data.

[image: AshishAGGupta_0-1630973576801.png]


Can somebody share their insights or practical implementation experience for the above scenario?

Regards,

Ashish


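The concern in the post is an Allow statement for S3/DynamoDB actions against `Resource: "*"`. The following added example (not from the thread or from Esri's documentation) is a small policy check that flags exactly that pattern, run against a constructed wildcard policy and a constructed version scoped to hypothetical bucket and table ARNs; the action names, bucket name, table name and account ID are illustrative placeholders, not Esri's documented permission list.

```python
import json

# Constructed sample: the wildcard-resource shape the question objects to.
WIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "dynamodb:*"],
         "Resource": "*"}
    ]
})

# Constructed sample: same intent, scoped to hypothetical config-store
# resources (bucket/table names and account ID 123456789012 are placeholders).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-arcgis-config-store",
                      "arn:aws:s3:::example-arcgis-config-store/*"]},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                    "dynamodb:DeleteItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-arcgis-*"}
    ]
})

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single string or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_wildcard_statements(policy_json, services=("s3", "dynamodb")):
    """Return (statement_index, offending_actions) for every Allow statement
    that grants an action on one of `services` (or "*") against Resource "*",
    i.e. against every bucket/table in the account rather than specific ARNs."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        hits = [a for a in _as_list(stmt.get("Action"))
                if a == "*" or a.split(":", 1)[0].lower() in services]
        if hits:
            findings.append((i, hits))
    return findings

if __name__ == "__main__":
    print("wide  :", find_wildcard_statements(WIDE_POLICY))    # one finding
    print("scoped:", find_wildcard_statements(SCOPED_POLICY))  # no findings
```

The check only looks at `Resource`; a statement written with `NotResource` or `NotAction` is not evaluated and should be reviewed by hand.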
ChristopherPawlyszyn
Esri Contributor

Further down in that document it describes the specific IAM permissions required for Portal for ArcGIS and ArcGIS Server when using S3/DynamoDB. The resource policy you attached is for the deployment IAM user when using the CloudFormation templates or the Cloud Builder application. I've attached the ArcGIS Server subsection as a reference below, hope that helps!


Store the ArcGIS Server configuration store directory in S3 and DynamoDB
https://enterprise.arcgis.com/en/server/latest/cloud/amazon/iam-roles.htm#ESRI_SECTION1_5D9D294F8701...


-- Chris Pawlyszyn