Storage access to AWS S3 buckets
You can manage permissions and control which AWS resources can be accessed by users. Secure InsuranceSuite and Cloud Data Access (CDA) access points by:
- Granting permissions only to specific users or roles.
- Reviewing and editing existing permissions.
- Revoking permissions.
For details on Amazon S3 usage in Cloud Platform, see Guidewire Cloud Standards.
Access to this application is managed by Guidewire Hub. For details, see Access Cloud Platform apps and services.
Access types
You can configure an access point with one of the following access types:
- IAM user
- IAM role
- Bucket policy
Note that the created access points work separately and don't affect one another.
IAM user
An IAM user is an identity with a fixed set of permissions that authenticates with long-lived access keys. You can create only one IAM user for an AWS S3 bucket.
Access keys for IAM user
Access keys are credentials that you can create for an IAM user. An access key consists of the following parts:
- Access key ID
- Secret access key
Both parts are required to authenticate a request.
The following rules apply:
- You must create at least one access key for each IAM user.
- You can create a maximum of two keys at a time.
- An access key is valid for 350 days. After that time, the access key is marked as expired but is still usable: the expiry is a warning, not an enforcement.
To increase security, you must rotate an expired access key. Guidewire doesn't rotate or disable expired access keys. The two-key limit is what makes rotation possible without downtime: create the second key, switch your integration to it, then revoke the first.
IAM role
An IAM role is designed to be assumed by trusted applications or users that need temporary access to perform specific actions in your AWS S3 bucket.
You can create one of the following roles:
- Internal, to which you can assign inbound and outbound permissions. Recommended for internal teams in your organization. You can create only one internal IAM role.
- External, recommended for external vendors and third-party integrations. External role users can't access files of another external role. To create it, select permissions and provide an integration name. You can add more than one external ID.
IAM roles require additional IAM configuration on your AWS account.
You can configure an IAM role only for the InsuranceSuite S3 bucket. You can't configure an IAM role for CDA.
Bucket policy
Bucket policies define what activities a user or role can perform in your AWS S3 bucket. Bucket policies require additional IAM configuration on your AWS account.
Permissions for InsuranceSuite
Permissions define the level of access that users have to your AWS S3 bucket.
For the following access types, the permissions are already set and can't be changed:
- IAM users created with a Guidewire account.
- IAM roles used for cross-account access. Requires additional configuration in your own AWS account. For details, see IAM role statement.
- Bucket policies. Requires additional configuration in your own AWS account. For details, see Bucket policy statement.
For the other access types, the permissions depend on the access type, as follows:
IAM user and the internal IAM role
Each permission creates a separate policy in AWS:
Policy name | Permissions | Resource |
---|---|---|
IAM Bucket Policy | s3:GetBucketLocation | * |
IAM Inbound read/write | s3:PutObject | <IS Bucket>/*/inbound-files/pending/* |
IAM Inbound read/write | s3:GetObject | <IS Bucket>/*/inbound-files/failed/*, <IS Bucket>/*/inbound-files/pending/* |
IAM Inbound read/write | s3:ListBucket | <IS Bucket>/*/inbound-files/pending/*, <IS Bucket>/*/inbound-files/processed/*, <IS Bucket>/*/inbound-files/failed/* |
IAM Outbound read/write | s3:GetObject | <IS Bucket>/*/outbound-files/* |
IAM Outbound read/write | s3:DeleteObject | <IS Bucket>/*/outbound-files/* |
IAM Outbound read/write | s3:ListBucket | <IS Bucket>/*/outbound-files/* |
In the Resource column, <IS Bucket> is the InsuranceSuite bucket and the wildcard segment after it stands for {planet-name}/{app-name}. The expected target paths are:
{bucket-name}/{planet-name}/{app-name}/inbound-files/
{bucket-name}/{planet-name}/{app-name}/outbound-files/
IAM role (external)
When creating an external IAM role, you can limit the actions that a user can perform, and every resource pattern is scoped to the integration name, so a role created for one integration can't reach the files of another. This access type is recommended for external vendors and third-party integrations.
Each permission creates a separate policy in AWS:
Policy name | Permissions | Resource |
---|---|---|
IAM Inbound read/write | s3:PutObject | <IS Bucket>/*/inbound-files/pending/<IntegrationName>/* |
IAM Inbound read/write | s3:GetObject | <IS Bucket>/*/inbound-files/failed/<IntegrationName>/* |
IAM Inbound read/write | s3:ListBucket | <IS Bucket>/*/inbound-files/pending/<IntegrationName>/*, <IS Bucket>/*/inbound-files/processed/<IntegrationName>/*, <IS Bucket>/*/inbound-files/failed/<IntegrationName>/* |
IAM Outbound read/delete | s3:GetObject | <IS Bucket>/*/outbound-files/<IntegrationName>/* |
IAM Outbound read/delete | s3:DeleteObject | <IS Bucket>/*/outbound-files/<IntegrationName>/* |
IAM Outbound read/delete | s3:ListBucket | <IS Bucket>/*/outbound-files/<IntegrationName>/* |
IAM Outbound write | s3:PutObject | <IS Bucket>/*/outbound-files/<IntegrationName>/* |
IAM Outbound write | s3:ListBucket | <IS Bucket>/*/outbound-files/<IntegrationName>/* |
In the Resource column, <IS Bucket> is the InsuranceSuite bucket and the wildcard segment after it stands for {planet-name}/{app-name}. The expected target paths are:
{bucket-name}/{planet-name}/{app-name}/inbound-files/
{bucket-name}/{planet-name}/{app-name}/outbound-files/
Bucket policy
Policy name | Permissions | Resource |
---|---|---|
S3 Bucket Policy | s3:GetObject | <IS Bucket>/*/inbound-files/failed/*, <IS Bucket>/*/inbound-files/pending/*, <IS Bucket>/*/outbound-files/* |
S3 Bucket Policy | s3:PutObject | <IS Bucket>/*/inbound-files/pending/* |
S3 Bucket Policy | s3:DeleteObject | <IS Bucket>/*/outbound-files/* |
S3 Bucket Policy | s3:ListBucket | <IS Bucket>/*/inbound-files/pending/*, <IS Bucket>/*/inbound-files/processed/*, <IS Bucket>/*/inbound-files/failed/*, <IS Bucket>/*/outbound-files/* |
In the Resource column, <IS Bucket> is the InsuranceSuite bucket and the wildcard segment after it stands for {planet-name}/{app-name}. The expected target paths are:
{bucket-name}/{planet-name}/{app-name}/inbound-files/
{bucket-name}/{planet-name}/{app-name}/outbound-files/
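The internal-role and external-role tables above are easiest to reason about when you can ask them questions: can an external role read back what it just uploaded, can it touch another integration's folder, and how much does the leading wildcard actually cover. The following script is an added example, not Guidewire code: it transcribes the resource patterns from both tables into IAM-style Allow statements and evaluates requests against them with the same wildcard semantics IAM uses for Resource (a `*` matches any run of characters, including `/`). The bucket, planet, app and integration names (example-is-bucket, prod, cc, vendor-a, vendor-b) are made up. One modelling note: in real IAM, s3:ListBucket is authorized against the bucket ARN and scoped with the s3:prefix condition key; the example evaluates the ListBucket rows as they are written in the table.

```python
"""Added example (not Guidewire code): models the InsuranceSuite permission
tables as IAM-style Allow statements and evaluates which requests they permit.
Bucket, planet, app and integration names are made up."""
import fnmatch

# Resource patterns transcribed from the tables above. {bucket} stands for
# <IS Bucket> and {name} for <IntegrationName>.
INTERNAL_POLICIES = {
    "IAM Inbound read/write": {
        "s3:PutObject": ["arn:aws:s3:::{bucket}/*/inbound-files/pending/*"],
        "s3:GetObject": ["arn:aws:s3:::{bucket}/*/inbound-files/failed/*",
                         "arn:aws:s3:::{bucket}/*/inbound-files/pending/*"],
        "s3:ListBucket": ["arn:aws:s3:::{bucket}/*/inbound-files/pending/*",
                          "arn:aws:s3:::{bucket}/*/inbound-files/processed/*",
                          "arn:aws:s3:::{bucket}/*/inbound-files/failed/*"],
    },
    "IAM Outbound read/write": {
        "s3:GetObject": ["arn:aws:s3:::{bucket}/*/outbound-files/*"],
        "s3:DeleteObject": ["arn:aws:s3:::{bucket}/*/outbound-files/*"],
        "s3:ListBucket": ["arn:aws:s3:::{bucket}/*/outbound-files/*"],
    },
}

EXTERNAL_POLICIES = {
    "IAM Inbound read/write": {
        "s3:PutObject": ["arn:aws:s3:::{bucket}/*/inbound-files/pending/{name}/*"],
        "s3:GetObject": ["arn:aws:s3:::{bucket}/*/inbound-files/failed/{name}/*"],
        "s3:ListBucket": ["arn:aws:s3:::{bucket}/*/inbound-files/pending/{name}/*",
                          "arn:aws:s3:::{bucket}/*/inbound-files/processed/{name}/*",
                          "arn:aws:s3:::{bucket}/*/inbound-files/failed/{name}/*"],
    },
    "IAM Outbound read/delete": {
        "s3:GetObject": ["arn:aws:s3:::{bucket}/*/outbound-files/{name}/*"],
        "s3:DeleteObject": ["arn:aws:s3:::{bucket}/*/outbound-files/{name}/*"],
        "s3:ListBucket": ["arn:aws:s3:::{bucket}/*/outbound-files/{name}/*"],
    },
    "IAM Outbound write": {
        "s3:PutObject": ["arn:aws:s3:::{bucket}/*/outbound-files/{name}/*"],
        "s3:ListBucket": ["arn:aws:s3:::{bucket}/*/outbound-files/{name}/*"],
    },
}


def build_statements(policies, selected, bucket, name=None):
    """Expand the selected policies into Allow statements with concrete ARNs."""
    statements = []
    for policy_name in selected:
        for action, patterns in policies[policy_name].items():
            statements.append({
                "Effect": "Allow",
                "Action": action,
                "Resource": [p.format(bucket=bucket, name=name) for p in patterns],
            })
    return statements


def is_allowed(statements, action, resource_arn):
    """Allow-only evaluation (the tables contain no Deny statements).
    IAM's '*' in a Resource matches any run of characters, '/' included, which
    is what fnmatch's '*' does; fnmatchcase avoids platform case folding."""
    return any(
        stmt["Action"] == action
        and any(fnmatch.fnmatchcase(resource_arn, p) for p in stmt["Resource"])
        for stmt in statements
    )


def object_arn(bucket, planet, app, path):
    """ARN of an object under {bucket}/{planet}/{app}/, the layout the page describes."""
    return f"arn:aws:s3:::{bucket}/{planet}/{app}/{path}"


if __name__ == "__main__":
    bucket = "example-is-bucket"  # made-up name
    vendor_a = build_statements(
        EXTERNAL_POLICIES, ["IAM Inbound read/write", "IAM Outbound read/delete"],
        bucket, name="vendor-a")
    checks = [
        ("s3:PutObject", object_arn(bucket, "prod", "cc", "inbound-files/pending/vendor-a/claims.csv")),
        ("s3:GetObject", object_arn(bucket, "prod", "cc", "inbound-files/pending/vendor-a/claims.csv")),
        ("s3:GetObject", object_arn(bucket, "prod", "cc", "inbound-files/failed/vendor-a/claims.csv")),
        ("s3:GetObject", object_arn(bucket, "prod", "cc", "outbound-files/vendor-b/report.csv")),
    ]
    for action, arn in checks:
        verdict = "ALLOW" if is_allowed(vendor_a, action, arn) else "DENY"
        print(f"{verdict:5} {action:15} {arn}")
```

Two things the run makes visible. An external role can upload to its pending folder but can only read back from failed, so a vendor cannot verify its own upload by reading it. And because the leading `*` stands in for {planet-name}/{app-name} and matches any number of path segments, a key that repeats the inbound-files/pending/vendor-a layout deeper inside another integration's folder also matches vendor-a's pattern; the isolation between external roles is a prefix pattern rather than a hard boundary, which is worth knowing when you audit it.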
Permissions for Cloud Data Access (CDA)
This policy grants read access to the whole CDA bucket. You can configure it only for IAM user and bucket policy access types.
IAM user permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToCDABucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "<CDA Bucket ARN>",
                "<CDA Bucket ARN>/*"
            ]
        }
    ]
}
Bucket policy permissions
The following statement is added to the Statement array of the CDA bucket policy:
{
    "Sid": "AllowAccessToCDABucket",
    "Effect": "Allow",
    "Principal": {
        "AWS": "<ARN provided in Role Details>"
    },
    "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:AbortMultipartUpload"
    ],
    "Resource": [
        "<CDA Bucket ARN>",
        "<CDA Bucket ARN>/*"
    ]
}
Security configuration
When creating an access point, you can allow users to connect only from a specific range of public IPs or only from specific private VPC endpoints. The two settings are independent: if you enter only a range of public IPs, traffic from VPC endpoints is not restricted and all VPC endpoints remain allowed; if you enter only a list of VPC endpoints, traffic from public IPs is not restricted and all IPs remain allowed. To restrict both paths, configure both.
When you provide public IPs or private VPC endpoints, the following Condition is added to your AWS statement:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "...",
            "Effect": "Allow",
            "Action": ["s3:..."],
            "Resource": ["arn:aws:s3:::{bucket-name}"],
            "Condition": {
                "IpAddressIfExists": {
                    "aws:SourceIp": ["1.1.1.1", "1.2.2.1/32"]
                },
                "StringEqualsIfExists": {
                    "aws:SourceVpce": ["vpce-id"]
                }
            }
        }
    ]
}
Where:
- aws:SourceIp values are CIDR ranges. A bare address such as 1.1.1.1 is treated as a /32.
- Both the IP address and the VPC endpoint condition use the ...IfExists variant of the operator. If the condition key is present in the request context, its value must match one of the listed values; if the key is absent, the condition is treated as satisfied. A request that arrives through a VPC endpoint carries aws:SourceVpce but no public aws:SourceIp, so only the VPC endpoint list is checked; a request from the public internet carries aws:SourceIp but no aws:SourceVpce, so only the IP list is checked. This is why configuring only one of the two leaves the other path unrestricted.
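The ...IfExists behaviour described above is the whole story of what this condition block lets through, so it is worth running it against concrete request contexts. The script below is an added example, not Guidewire code: it evaluates the condition block from the statement above (with its example values 1.1.1.1, 1.2.2.1/32 and vpce-id) against constructed request contexts, modelling the AWS behaviour that a public request carries aws:SourceIp while a request through a VPC endpoint carries aws:SourceVpce and no public aws:SourceIp. The request contexts and the vpce-0abc123 identifier are made up.

```python
"""Added example (not Guidewire code): evaluates the IpAddressIfExists /
StringEqualsIfExists condition block against constructed request contexts."""
import ipaddress

# The condition block from the statement above, with its example values.
CONDITION = {
    "IpAddressIfExists": {"aws:SourceIp": ["1.1.1.1", "1.2.2.1/32"]},
    "StringEqualsIfExists": {"aws:SourceVpce": ["vpce-id"]},
}


def ip_in_ranges(value, ranges):
    """IpAddress semantics: the request address lies inside any listed range.
    A bare address such as 1.1.1.1 becomes a /32 network."""
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def evaluate_condition(condition, context):
    """True if every operator/key pair in the condition block is satisfied.
    `context` models the request context keys AWS populates: a request from
    the public internet carries aws:SourceIp; a request through a VPC endpoint
    carries aws:SourceVpce and no public aws:SourceIp."""
    for operator, key_values in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, values in key_values.items():
            if key not in context:
                if if_exists:
                    continue       # key absent: ...IfExists counts as satisfied
                return False       # key absent: the plain operator fails
            if base == "IpAddress":
                ok = ip_in_ranges(context[key], values)
            elif base == "StringEquals":
                ok = context[key] in values
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


# Constructed request contexts (not captured traffic).
REQUESTS = {
    "public, listed IP":      {"aws:SourceIp": "1.1.1.1"},
    "public, unlisted IP":    {"aws:SourceIp": "198.51.100.7"},
    "VPC endpoint, listed":   {"aws:SourceVpce": "vpce-id"},
    "VPC endpoint, unlisted": {"aws:SourceVpce": "vpce-0abc123"},
}

if __name__ == "__main__":
    for label, ctx in REQUESTS.items():
        verdict = "allow" if evaluate_condition(CONDITION, ctx) else "deny"
        print(f"{label:24} -> {verdict}")
    # IP-only configuration: every VPC endpoint passes, as the text above says.
    ip_only = {"IpAddressIfExists": CONDITION["IpAddressIfExists"]}
    verdict = "allow" if evaluate_condition(ip_only, REQUESTS["VPC endpoint, unlisted"]) else "deny"
    print(f"{'IP-only, unlisted VPCE':24} -> {verdict}")
```

The last check is the one to keep in mind: with only an IP range configured, an unlisted VPC endpoint is allowed, because aws:SourceIp is absent from that request and IpAddressIfExists is then satisfied. Swapping the operator for plain IpAddress in the model denies that request, which is the difference between the two operator families.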
Add statements to your own AWS IAM user or IAM role
When you create an access point of the IAM role or bucket policy type, you must also configure your own IAM user or IAM role with the permission to access Guidewire resources. To configure the permission, add a statement to your AWS IAM user or IAM role.
IAM role statement
To configure the permission to access the Guidewire resources for an IAM role, add the following statement to your AWS IAM user or IAM role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToAssumeRoleGuidewire",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "ARN"
        }
    ]
}
Where Resource contains the Amazon Resource Name (ARN) of the IAM role created for the access point. You can view and copy the ARN from the Access point table. This statement only permits your principal to call sts:AssumeRole; the trust policy of the role on the Guidewire side decides which principals are accepted. If you configured an external ID for an external role, your integration must also pass that external ID in its AssumeRole call.
Bucket policy statement
To configure the permission to access the Guidewire resources for a bucket policy, add the following statement to your AWS IAM user or IAM role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToGuidewireS3",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket-name}",
                "arn:aws:s3:::{bucket-name}/*"
            ]
        }
    ]
}
For cross-account access, a request is allowed only if both your identity-based policy and the Guidewire bucket policy allow it, so s3:* here never grants more than the bucket policy table permits. To keep your own principal least-privilege, you can narrow Action to the actions listed in the bucket policy table for the bucket you are accessing.