Setting up an AWS policy

To configure archiving, you must first set up a policy in AWS IAM and obtain a cross-account role ARN.

  1. In AWS, create a new S3 bucket or designate an existing bucket.
    Be sure to block all public access. Audit events will be archived under the /cdp/cp folder, but you do not need to create this folder first.
  2. From the AWS account hosting the bucket, create an IAM policy that permits read and write access to the bucket.
    For example:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "cdpauditb",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:ListBucketMultipartUploads",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::<$MYBUCKET>"
                ]
            },
            {
                "Sid": "cdpauditbo",
                "Effect": "Allow",
                "Action": [
                    "s3:ListMultipartUploadParts",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<$MYBUCKET>/*"
                ]
            }
        ]
    }
    
  3. From the AWS account hosting the bucket, create an IAM role for another AWS account, in this case, for the account running the CDP Control Plane.
    Include the policy you just created as the only one in the role. The account ID and external ID for the role can be found in the Cloudera Management Console's UI for creating a new credential, as the service manager account ID and external ID. They may also be found through the CDP CLI:
    cdp environments get-credential-prerequisites \
      --cloud-platform AWS
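The three steps above produce two IAM documents: the permissions policy shown in step 2 and a trust policy for the cross-account role in step 3, which the page does not print. The following script is an added example, not Cloudera's code, that builds both documents, checks them for the properties that matter here (actions and resources confined to the archive bucket, and a trust policy restricted to the control-plane account with an `sts:ExternalId` condition), and renders the matching `aws` CLI commands for review rather than executing them. The bucket name, account ID and external ID are constructed placeholders; the real account ID and external ID come from the Management Console or `cdp environments get-credential-prerequisites`.

```python
"""Build and sanity-check the IAM documents for CDP audit archiving to S3.

Added example, not Cloudera's code. Assumed inputs: the archive bucket name,
the AWS account that owns it, and the service manager account ID and
external ID reported by the Management Console or the CDP CLI.
"""
import json

IAM_VERSION = "2012-10-17"


def build_bucket_policy(bucket: str) -> dict:
    """Permissions policy from the page with the bucket name filled in.
    Bucket-level and object-level actions are split because they apply to
    different resource ARNs (the bucket itself vs. objects under it)."""
    return {
        "Version": IAM_VERSION,
        "Statement": [
            {
                "Sid": "cdpauditb",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads",
                           "s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "cdpauditbo",
                "Effect": "Allow",
                "Action": ["s3:ListMultipartUploadParts", "s3:GetObject",
                           "s3:GetObjectVersion", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the control-plane
    account may assume it, and only when it presents the external ID,
    the standard guard against the confused-deputy problem."""
    return {
        "Version": IAM_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy: dict, bucket: str) -> list:
    """Findings that would make the policy broader than the page intends:
    wildcard actions, or resources outside the archive bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"{sid}: resource outside bucket: {res}")
    return findings


def check_trust_policy(policy: dict, account_id: str) -> list:
    """Findings for a trust policy that lacks the external ID condition or
    trusts a principal other than the control-plane account."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p == "*" or f":{account_id}:" not in p:
                findings.append(f"unexpected principal {p}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("missing sts:ExternalId condition")
    return findings


def render_cli_commands(bucket, bucket_account_id, policy_name, role_name,
                        account_id, external_id) -> list:
    """aws CLI commands for the bucket public-access block, the policy and
    the role. Returned as strings so they can be reviewed before running."""
    perms = json.dumps(build_bucket_policy(bucket))
    trust = json.dumps(build_trust_policy(account_id, external_id))
    return [
        f"aws s3api put-public-access-block --bucket {bucket} "
        "--public-access-block-configuration BlockPublicAcls=true,"
        "IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true",
        f"aws iam create-policy --policy-name {policy_name} --policy-document '{perms}'",
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{trust}'",
        f"aws iam attach-role-policy --role-name {role_name} "
        f"--policy-arn arn:aws:iam::{bucket_account_id}:policy/{policy_name}",
    ]


if __name__ == "__main__":
    # Constructed placeholder values; substitute the real ones before use.
    bucket, owner, cp_acct, ext = "my-cdp-audit-bucket", "999988887777", "111122223333", "example-external-id"
    print("bucket policy findings:", check_bucket_policy(build_bucket_policy(bucket), bucket))
    print("trust policy findings:", check_trust_policy(build_trust_policy(cp_acct, ext), cp_acct))
    print("\n".join(render_cli_commands(bucket, owner, "cdp-audit-archive", "cdp-audit-archive", cp_acct, ext)))
```

The checks are deliberately strict: a resource of `arn:aws:s3:::*` or a missing `sts:ExternalId` condition is reported, since either would let the role read or write buckets beyond the archive, or be assumed by a party that merely knows the role ARN.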