IAM policy definitions for the minimal cloud storage setup

Use the following policy definitions when creating the IAM policies for the minimal cloud storage setup described in the parent topic.

Note that:

  • The policy definitions refer to roles by the naming convention presented in the table in the parent topic. If the IAM roles that you created use different names, update those names in the policy definitions below.
  • The policy definitions refer to the example S3 subdirectories presented in the parent topic. If the S3 bucket subdirectories that you created use different names, update those names in the policy definitions below.

While creating these IAM policies, make sure to replace the following with actual values:

  • ${AWS_ACCOUNT_ID} - Your AWS account ID.
  • ${DATALAKE_BUCKET} - Your S3 bucket. For example, my-bucket.
  • ${STORAGE_LOCATION_BASE} - Path to your Data Lake directory in the S3 bucket, specified as ${DATALAKE_BUCKET}/SOME_PATH. For example, my-bucket/my-dl.
  • ${LOGS_BUCKET} - Your S3 bucket for logs. For example, my-bucket.
  • ${LOGS_LOCATION_BASE} - Path to your S3 location for logs. For example, my-bucket/my-dl.
  • ${BACKUP_LOCATION_BASE} - Path to your S3 location for FreeIPA backups. For example, my-bucket/my-dl.
  • ${DYNAMODB_TABLE_NAME} - The name of your DynamoDB table used for S3Guard. This should correspond to the DynamoDB Table Name you provided under Enable S3Guard during environment creation.

aws-cdp-idbroker-assume-role-policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

aws-cdp-log-policy

Refer to aws-cdp-log-policy.json.

aws-cdp-backup-policy

Refer to aws-cdp-backup-policy.json.

aws-cdp-ranger-audit-s3-policy

Refer to aws-cdp-ranger-audit-s3-policy.json.

aws-cdp-datalake-admin-s3-policy

Refer to aws-cdp-datalake-admin-s3-policy.json.

aws-cdp-bucket-access-policy

Refer to aws-cdp-bucket-access-policy.json.

aws-cdp-dynamodb-policy

Refer to aws-cdp-dynamodb-policy.json.

aws-cdp-ec2-role-trust-policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

aws-cdp-idbroker-role-trust-policy

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${IDBROKER_ROLE}"
        },
        "Action": "sts:AssumeRole"
      }
    ]
}
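The list of placeholder values above and the trust policies below are the two places where a copy-and-paste mistake is easiest to make: a ${...} token left unreplaced, or a Principal that does not point at the intended role in the intended account. The following Python script is an added example, not part of this documentation or of CDP itself. It embeds the aws-cdp-idbroker-role-trust-policy template exactly as shown above, substitutes every ${NAME} placeholder from a dictionary, refuses to render a policy for which a value is missing, confirms the result is still valid JSON, and then checks that each sts:AssumeRole principal is a concrete IAM role ARN in the expected account. The account ID 123456789012 and the role name minimal-idbroker-role are constructed sample values; ${IDBROKER_ROLE} is not in the placeholder list above, so its value is an assumption and must match the role name you actually created.

```python
import json
import re

# Placeholder syntax used throughout the page: ${NAME}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# IAM role ARN shape: arn:aws:iam::<12-digit account>:role/<name>
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# The aws-cdp-idbroker-role-trust-policy template, copied from the page.
IDBROKER_TRUST_POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${IDBROKER_ROLE}"
        },
        "Action": "sts:AssumeRole"
      }
    ]
}"""

# Constructed sample values: neither the account ID nor the role name is real.
SAMPLE_VALUES = {
    "AWS_ACCOUNT_ID": "123456789012",
    "IDBROKER_ROLE": "minimal-idbroker-role",  # assumed name, not from the page
}


def find_placeholders(template: str) -> list[str]:
    """Return the distinct ${NAME} placeholders in a policy template, sorted."""
    return sorted(set(PLACEHOLDER.findall(template)))


def render_policy(template: str, values: dict[str, str]) -> dict:
    """Substitute every placeholder and parse the result as JSON.

    Fails loudly if any placeholder has no value, so a half-filled policy
    can never be handed to the IAM API."""
    missing = [name for name in find_placeholders(template) if name not in values]
    if missing:
        raise KeyError(f"no value supplied for placeholder(s): {', '.join(missing)}")
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    policy = json.loads(rendered)  # raises if the substitution broke the JSON
    if policy.get("Version") != "2012-10-17":
        raise ValueError("policy must use the 2012-10-17 policy language version")
    return policy


def _aws_principals(statement: dict) -> list[str]:
    """Flatten the Principal element of a statement to a list of strings.

    Service principals (the EC2 trust policy) are not IAM ARNs and are skipped."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):  # "Principal": "*"
        return [principal]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def check_trust_policy(policy: dict, expected_account: str) -> list[str]:
    """Return the problems found in a role trust policy (empty list if clean).

    Every Allow statement for sts:AssumeRole must name a concrete IAM role ARN
    in the expected account; wildcard or foreign-account principals are reported."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for p in _aws_principals(stmt):
            m = ROLE_ARN.match(p)
            if m is None:
                problems.append(f"principal {p!r} is not a concrete IAM role ARN")
            elif m.group(1) != expected_account:
                problems.append(f"principal {p!r} belongs to another account")
    return problems


if __name__ == "__main__":
    print("placeholders:", find_placeholders(IDBROKER_TRUST_POLICY_TEMPLATE))
    policy = render_policy(IDBROKER_TRUST_POLICY_TEMPLATE, SAMPLE_VALUES)
    print(json.dumps(policy, indent=2))
    print("problems:", check_trust_policy(policy, SAMPLE_VALUES["AWS_ACCOUNT_ID"]))
```

The same render_policy function works for the S3 and DynamoDB policies once their JSON is pasted in as a template, because they use the same ${NAME} placeholder syntax; the trust-policy check is deliberately strict about the Principal because a wildcard or mistyped account there would let an unintended role assume the ID Broker role.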