Tenant IAM role policy

The JSON code for the EKS worker node policy describes the policy. The policy is representative of one of the three policies you add to the IAM role.

{
   “Version”: “2012-10-17",
    “Statement”: [
    {
      “Sid”: “VisualEditor0”,
      “Effect”: “Allow”,
      “Action”: [
        “kms:Decrypt”,
        “s3:ListAllMyBuckets”,
        “kms:Encrypt”,
        “kms:ListAliases”,
        “kms:GenerateDataKey”,
        “kms:DescribeKey”
        ],
      “Resource”: “*”
    }
    ]
}
s3-read-write
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:Delete*",
                "s3:Put*",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<SDX_BUCKET>",
                "arn:aws:s3:::<SDX_BUCKET>/*",
                "arn:aws:s3:::tenant-1-bucket-1",
                "arn:aws:s3:::tenant-1-bucket-1/*"
            ],
            "Effect": "Allow"
        }
    ]
}

In CDW, you need full access to the SDX bucket, even if you used only folder level while creating the CB environment.