How to create an IAM User, IAM EC2 Role, and a Read/List/Write/Delete Policy on AWS


IAM User


Create a RapidFort IAM user. The RapidFort user does not need access to the AWS Console.

Generate and download AWS credentials (AWS Access Key ID and AWS Secret Access Key) for the RapidFort user.

JSON Policy template (replace <S3_BUCKET_ARN> with the ARN of the bucket the RapidFort user will use):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "<S3_BUCKET_ARN>",
        "<S3_BUCKET_ARN>/*"
      ]
    }
  ]
}


Sample Policy for AWS Commercial Cloud

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::rapidfort-s3",
        "arn:aws:s3:::rapidfort-s3/*"
      ]
    }
  ]
}


Sample Policy for AWS GovCloud

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-us-gov:s3:::rapidfort-s3",
        "arn:aws-us-gov:s3:::rapidfort-s3/*"
      ]
    }
  ]
}

IAM EC2 Role


Create an IAM EC2 role. Make a note of the IAM Role ARN. Do not attach a policy to the role yet.

Note: The policy must also grant permission to assume the role (sts:AssumeRole).


JSON Policy template (replace <S3_BUCKET_ARN> with the bucket ARN and <ROLE_ARN> with the Role ARN noted above):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "<S3_BUCKET_ARN>",
        "<S3_BUCKET_ARN>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<ROLE_ARN>"
    }
  ]
}


Note: The following sample policies use "rapidfort-role" for the IAM EC2 role, "rapidfort-policy" for the IAM EC2 policy, "arn:aws:iam::012345678910:role/rapidfort-role" for the Commercial Cloud Role ARN, and "arn:aws-us-gov:iam::012345678910:role/rapidfort-role" for the GovCloud Role ARN.


Sample Policy for AWS Commercial Cloud

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::rapidfort-s3",
        "arn:aws:s3:::rapidfort-s3/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::012345678910:role/rapidfort-role"
    }
  ]
}


Sample Policy for AWS GovCloud

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DescribeJob",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-us-gov:s3:::rapidfort-s3",
        "arn:aws-us-gov:s3:::rapidfort-s3/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws-us-gov:iam::012345678910:role/rapidfort-role"
    }
  ]
}
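As an added example (not RapidFort's code and not part of the original page), the Python below renders the two templates above from a bucket ARN and an optional Role ARN, then lints the result before it is attached: it flags unfilled placeholders and "*" resources, actions outside the five listed, an sts:AssumeRole statement that does not name a specific role, and a bucket and role that live in different partitions (Commercial "aws" versus GovCloud "aws-us-gov"). The function names and the ARN regex are my own assumptions, not an AWS API.

```python
import re

# Partitions AWS actually uses; GovCloud is "aws-us-gov", not "aws-gov".
ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):[a-z0-9-]*:[a-z0-9-]*:(?:\d{12})?:.+$")
# The five S3 actions the page's policies grant; anything else is a finding.
S3_ACTIONS = ["s3:DeleteObject", "s3:PutObject", "s3:GetObject",
              "s3:DescribeJob", "s3:ListBucket"]


def build_policy(bucket_arn, role_arn=None):
    """Render the page's template. ListBucket needs the bucket ARN itself,
    the object actions need bucket/*; the AssumeRole statement is only
    added when a role ARN is supplied (the IAM EC2 Role variant)."""
    statements = [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": list(S3_ACTIONS),
        "Resource": [bucket_arn, bucket_arn + "/*"],
    }]
    if role_arn:
        statements.append({"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def check_policy(policy):
    """Return a list of findings; an empty list means the policy keeps the
    bucket-scoped, least-privilege shape described on the page."""
    findings, partitions = [], set()
    for st in policy.get("Statement", []):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            if r == "*" or r.startswith("<"):      # wildcard or unfilled placeholder
                findings.append(f"unscoped or unfilled resource: {r}")
            elif (m := ARN_RE.match(r)) is None:   # bad partition or not an ARN at all
                findings.append(f"unknown partition or malformed ARN: {r}")
            else:
                partitions.add(m.group(1))
        for a in actions:
            if a == "sts:AssumeRole":
                if any(":role/" not in r for r in resources):
                    findings.append("sts:AssumeRole must name a specific role ARN")
            elif a not in S3_ACTIONS:
                findings.append(f"action outside the approved list: {a}")
    if len(partitions) > 1:                        # bucket and role in different clouds
        findings.append(f"mixed partitions: {sorted(partitions)}")
    return findings
```

Run check_policy on the rendered document before calling iam:CreatePolicy; a non-empty list means the policy drifted from the shape on this page.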