AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You can use IAM to create a group, a user or a role and attach a policy that defines the set of permissions it has on your AWS resources. Every request is evaluated against these policies, so grant only the actions and resources the stack actually needs (least privilege). For more information, refer to the Overview of IAM Policies article in the AWS documentation.
The IAM role name specified in the stack should have the following object-level permissions on the objects in each bucket it uses (resource `arn:aws:s3:::<bucket>/*`):
- s3:PutObject
- s3:PutObjectAcl
- s3:GetObject
- s3:DeleteObject
The example below additionally grants s3:ListBucket, which is a bucket-level action and must be scoped to the bucket ARN itself (`arn:aws:s3:::<bucket>`), not to `<bucket>/*`.
As an example, here is an IAM policy document (attached to the role) that grants these permissions on four specific buckets. Replace the bucket names with your own and keep each Resource scoped to an explicit bucket rather than `*`. Note that s3:PutObjectAcl lets the role change object ACLs, including making objects publicly readable; include it only if the workload actually sets ACLs (if the buckets have ACLs disabled via Object Ownership, this action is not needed).
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::waf-license-bucket",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::waf-bootstrap-bucket",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::waf-cluster-bucket",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::qa-waf-bc",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::waf-license-bucket/*",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::waf-bootstrap-bucket/*",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::waf-cluster-bucket/*",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::qa-waf-bc/*",
"Effect": "Allow"
}
]
}