IAM policy definitions for the minimal cloud storage setup

Use the following policy definitions when you create the IAM policies for the minimal cloud storage setup described in the parent topic.

Note that:

  • The policy definitions refer to roles by using the naming convention presented in the table in the parent topic. If the IAM roles that you created use different names, update the names in the policy definitions below.
  • The policy definitions refer to the example S3 subdirectories presented in the parent topic. If the S3 bucket subdirectories that you created use different names, update the paths in the policy definitions below.

While creating these IAM policies, make sure to replace the following placeholders with actual values:

  • ${ARN_PARTITION} - Replace this with "aws". Or, if you are using one of the China regions, replace it with "aws-cn". See Amazon Resource Names (ARNs).
  • ${AWS_ACCOUNT_ID} - Replace this with your 12-digit AWS account ID.
  • ${DATALAKE_BUCKET} - Replace this with the name of your S3 bucket. For example my-bucket.
  • ${STORAGE_LOCATION_BASE} - Replace this with the path to your Data Lake directory in the S3 bucket, specified as ${DATALAKE_BUCKET}/SOME_PATH (no s3:// prefix). For example my-bucket/my-dl.
  • ${LOGS_BUCKET} - Replace this with the name of your S3 bucket for logs. For example my-bucket.
  • ${LOGS_LOCATION_BASE} - Replace this with the path to your S3 location for logs, specified as ${LOGS_BUCKET}/SOME_PATH. For example my-bucket/my-dl.
  • ${BACKUP_LOCATION_BASE} - Replace this with the path to your S3 location for backups. This location is used for both FreeIPA and Data Lake backups. For example my-bucket/my-dl.
  • ${DYNAMODB_TABLE_NAME} - Replace this with the name of your DynamoDB table used for S3Guard. This should correspond to the DynamoDB Table Name provided under Enable S3Guard during environment creation.
  • ${IDBROKER_ROLE} - Replace this with the name of the IAM role that you created for IDBroker. It is referenced by aws-cdp-idbroker-role-trust-policy below.
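The substitution above is easy to get half-right: a placeholder left in a policy, a location path that does not live in the bucket it is supposed to, or the wrong partition for the region all produce a policy that IAM accepts but that grants nothing useful (or something unintended). The script below is an added example, not part of the Cloudera documentation or product: it renders the two inline policies from this page from a table of values, refuses to render if any ${NAME} is unknown, checks the values against the rules in the list above, and flags Allow statements whose Resource is "*". The VALUES table holds constructed sample data (the account ID is the well-known 123456789012 documentation placeholder), and the s3_resource_arns helper is an illustration of how a bucket/path location maps to S3 ARNs, not a copy of any of the policy files referenced on this page.

```python
"""Render ${PLACEHOLDER} IAM policy templates and sanity-check the values first."""
import json
import re
from string import Template

# Constructed sample values; replace with your own before use.
VALUES = {
    "ARN_PARTITION": "aws",
    "AWS_ACCOUNT_ID": "123456789012",
    "DATALAKE_BUCKET": "my-bucket",
    "STORAGE_LOCATION_BASE": "my-bucket/my-dl",
    "LOGS_BUCKET": "my-bucket",
    "LOGS_LOCATION_BASE": "my-bucket/my-dl",
    "BACKUP_LOCATION_BASE": "my-bucket/my-dl",
    "DYNAMODB_TABLE_NAME": "my-s3guard-table",
    "IDBROKER_ROLE": "IDBROKER_ROLE",
}

# The two policies shown inline on this page, kept as templates.
IDBROKER_ASSUME_ROLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["sts:AssumeRole"], "Resource": ["*"]}
    ]
}"""

IDBROKER_ROLE_TRUST_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:${ARN_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/${IDBROKER_ROLE}"},
         "Action": "sts:AssumeRole"}
    ]
}"""

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
LOCATION_KEYS = ("STORAGE_LOCATION_BASE", "LOGS_LOCATION_BASE", "BACKUP_LOCATION_BASE")


def validate_values(values):
    """Return a list of problems with the substitution values (empty when all is well)."""
    problems = []
    if values["ARN_PARTITION"] not in ("aws", "aws-cn"):
        problems.append("ARN_PARTITION must be 'aws' or 'aws-cn'")
    if not re.fullmatch(r"\d{12}", values["AWS_ACCOUNT_ID"]):
        problems.append("AWS_ACCOUNT_ID must be the 12-digit account number")
    # Each location is 'bucket/path' and must live inside the bucket declared for it.
    for base, bucket in (("STORAGE_LOCATION_BASE", "DATALAKE_BUCKET"),
                         ("LOGS_LOCATION_BASE", "LOGS_BUCKET")):
        if values[base].split("/", 1)[0] != values[bucket]:
            problems.append(f"{base} must start with the {bucket} name")
    for key in LOCATION_KEYS:
        if values[key].startswith("s3://") or values[key].endswith("/"):
            problems.append(f"{key} must be 'bucket/path' with no s3:// prefix or trailing slash")
    return problems


def render_policy(template_text, values):
    """Substitute every ${NAME} placeholder and return the policy as parsed JSON.

    Raises KeyError when the template uses a name that is not in values, so a
    policy with an unreplaced placeholder can never reach IAM."""
    missing = sorted(set(PLACEHOLDER.findall(template_text)) - set(values))
    if missing:
        raise KeyError(f"no value supplied for placeholder(s): {', '.join(missing)}")
    rendered = Template(template_text).substitute(values)
    return json.loads(rendered)


def wildcard_resource_sids(policy):
    """Return the Sid (or index) of each Allow statement whose Resource is '*'.

    For sts:AssumeRole such a statement leaves the effective scope entirely to the
    trust policy of each target role, so it is worth reviewing deliberately."""
    found = []
    for index, statement in enumerate(policy["Statement"]):
        resources = statement.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if statement.get("Effect") == "Allow" and "*" in resources:
            found.append(statement.get("Sid", str(index)))
    return found


def s3_resource_arns(location_base, partition):
    """Map a 'bucket/path' location to the bucket ARN and the object-prefix ARN
    that a policy granting access to that location would name (illustration)."""
    bucket, _, prefix = location_base.partition("/")
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    return bucket_arn, objects_arn


if __name__ == "__main__":
    for problem in validate_values(VALUES):
        print("value problem:", problem)
    print(json.dumps(render_policy(IDBROKER_ROLE_TRUST_POLICY, VALUES), indent=2))
    assume = render_policy(IDBROKER_ASSUME_ROLE_POLICY, VALUES)
    print("statements with Resource '*':", wildcard_resource_sids(assume))
    print(s3_resource_arns(VALUES["STORAGE_LOCATION_BASE"], VALUES["ARN_PARTITION"]))
```

Run it once with your own values filled into VALUES; an empty problem list and a rendered trust policy whose principal ARN carries your partition and account ID are what you want to see before pasting anything into the IAM console.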

aws-cdp-idbroker-assume-role-policy

This policy is attached to the IDBroker role. Its Resource is "*", so nothing in this policy restricts which roles IDBroker may assume; that restriction comes only from the trust policy of each target role (see aws-cdp-idbroker-role-trust-policy later on this page). If you want the restriction enforced on this side as well, list the ARNs of the data access roles in Resource instead of "*".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

aws-cdp-log-policy

Refer to aws-cdp-log-policy.json.

aws-cdp-backup-policy

Refer to aws-cdp-backup-policy.json.

aws-cdp-ranger-audit-s3-policy

Refer to aws-cdp-ranger-audit-s3-policy.json.

aws-cdp-datalake-admin-s3-policy

Refer to aws-cdp-datalake-admin-s3-policy.json.

aws-cdp-bucket-access-policy

Refer to aws-cdp-bucket-access-policy.json.

aws-datalake-backup-policy

Refer to aws-datalake-backup-policy.json.

aws-datalake-restore-policy

Refer to aws-datalake-restore-policy.json.

aws-cdp-dynamodb-policy

Refer to aws-cdp-dynamodb-policy.json.

aws-cdp-ec2-role-trust-policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

aws-cdp-idbroker-role-trust-policy

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:${ARN_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/${IDBROKER_ROLE}"
        },
        "Action": "sts:AssumeRole"
      }
    ]
}