If you are configuring Cloud Resolver in a high-availability cluster and storing the snapshot information in an AWS S3 bucket, you must configure the following IAM policies in AWS to provide read and write access to the objects in the S3 bucket. For information on creating IAM policies, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html.
Cloud Resolver instances with the full role
If you are configuring a Cloud Resolver instance to operate with the full role, the Cloud Resolver instance must be able to read and write the snapshot in the S3 bucket. Grant the two object actions it needs explicitly rather than with a wildcard such as s3:*Object, which would also match s3:DeleteObject and other write actions the instance does not need.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<bucket-name>"]
    },
    {
      "Sid": "ReadWriteSnapshotObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::<bucket-name>/*"]
    }
  ]
}
Where <bucket-name> represents the name of the S3 bucket that contains the snapshot. If your deployment also removes old snapshot objects from the bucket, add s3:DeleteObject to the second statement; do not widen it back to s3:*Object. Once you have created the IAM policy, you must attach the policy to the IAM role used by the Cloud Resolver instance. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html.
Cloud Resolver instances with the resolver role
If you are configuring a Cloud Resolver instance to operate with the resolver role, the Cloud Resolver instance only needs to read the snapshot in the S3 bucket. The object statement must therefore grant s3:GetObject only. The pattern s3:*Object is wrong here: it also matches s3:PutObject and s3:DeleteObject, so a read-only resolver instance would be able to overwrite or delete the snapshot that the rest of the cluster depends on.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<bucket-name>"]
    },
    {
      "Sid": "GetObject",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::<bucket-name>/*"]
    }
  ]
}
Where <bucket-name> represents the name of the S3 bucket that contains the snapshot. Once you have created the IAM policy, you must attach the policy to the IAM role used by the Cloud Resolver instance. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html.
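The following script is an added example and is not code from the Cloud Resolver documentation or from AWS. It expands the Action patterns of both policies on this page against a constructed list of S3 action names, the way IAM does when it evaluates a wildcard, and reports which write actions each policy grants. Run it before attaching a policy to confirm that the resolver-role policy is genuinely read-only and that the full-role policy grants nothing beyond GetObject and PutObject. The bucket name and the action list are placeholders; the checker models only Allow statements and ignores Deny, Resource and Condition scoping, which is sufficient for the single-bucket policies shown here.

```python
"""Expand the Action patterns in an IAM policy and flag write access.

Added example, not part of the Cloud Resolver documentation. IAM matches
Action strings case-insensitively with * and ? wildcards, so "s3:*Object"
grants every action whose name ends in "Object", including PutObject and
DeleteObject. Only Allow statements are examined; Deny, Resource and
Condition scoping are not modelled.
"""
import fnmatch

# Representative S3 action names (constructed list, not exhaustive).
S3_ACTIONS = [
    "s3:ListBucket",
    "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging",
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging",
    "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:RestoreObject", "s3:ReplicateObject",
]
# Any action with one of these prefixes can change or remove data.
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Restore", "s3:Replicate", "s3:Abort")

BUCKET = "example-snapshot-bucket"  # placeholder for <bucket-name>


def bucket_policy(sid, actions):
    """Build a policy in the shape used on this page; only the
    object-level statement varies between the role types."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListObjectsInBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{BUCKET}"]},
            {"Sid": sid, "Effect": "Allow", "Action": actions,
             "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
        ],
    }


# Resolver-role policy with the wildcard, its read-only replacement,
# and the full-role policy with explicit read and write actions.
RESOLVER_WILDCARD = bucket_policy("GetObject", "s3:*Object")
RESOLVER_READ_ONLY = bucket_policy("GetObject", ["s3:GetObject"])
FULL_READ_WRITE = bucket_policy("ReadWriteSnapshotObjects",
                                ["s3:GetObject", "s3:PutObject"])


def allowed_actions(policy, candidates=S3_ACTIONS):
    """Return the candidate actions matched by any Allow statement.

    fnmatchcase on lower-cased strings reproduces IAM's case-insensitive
    * and ? matching for Action patterns.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):  # Action may be a string or a list
            patterns = [patterns]
        for pattern in patterns:
            for action in candidates:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def write_actions(policy):
    """Subset of granted actions that can modify or delete objects."""
    return {a for a in allowed_actions(policy) if a.startswith(WRITE_PREFIXES)}


def is_read_only(policy):
    """True when the policy grants no object-modifying action."""
    return not write_actions(policy)


if __name__ == "__main__":
    for name, pol in [("resolver (s3:*Object)", RESOLVER_WILDCARD),
                      ("resolver (s3:GetObject)", RESOLVER_READ_ONLY),
                      ("full role", FULL_READ_WRITE)]:
        print(f"{name}: read-only={is_read_only(pol)} "
              f"writes={sorted(write_actions(pol))}")
```

Running the script shows the wildcard resolver policy granting s3:PutObject, s3:DeleteObject, s3:RestoreObject and s3:ReplicateObject in addition to s3:GetObject, while the corrected policy grants s3:ListBucket and s3:GetObject only. To check a policy you have written yourself, load it with json.load and pass the resulting dict to is_read_only or write_actions.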