
Storage access

You can manage permissions and control which resources can be accessed by users. Secure InsuranceSuite and Cloud Data Access (CDA) access points by:

  • Granting permissions only to specific users or roles.
  • Reviewing and editing existing permissions.
  • Revoking permissions.

For details on Amazon S3 usage in Cloud Platform, see Guidewire Cloud Standards.

Note:

Access to this application is managed by Guidewire Hub. For details, see Access Cloud Platform apps and services.

Access types

You can configure an access point with one of the following access types:

  • IAM user

    A person that has specific permissions and access keys. You can create only one IAM user per AWS S3 bucket.

  • IAM role

    Designed to be assumed by trusted applications or users that need temporary access to perform specific actions in your AWS S3 bucket.

    You can create one of the following roles:

    • Internal, to which you can assign inbound and outbound permissions. Recommended for internal teams in your organization.
    • External, recommended for external vendors and third-party integrations. External role users can't access files of another external role. To create it, select permissions and provide an integration name.

    Requires additional IAM configuration on your AWS account.

    You can configure an IAM role only for the InsuranceSuite S3 bucket.

  • Bucket policy

    Defines what activities a user or role can perform in your AWS S3 bucket.

    Requires additional IAM configuration on your AWS account.

Note that the created access points work separately and don't affect each other.

Access keys

Access keys are credentials that you can create for an IAM user. An access key consists of the following parts:

  • Access key ID
  • Secret access key

Both parts are required to authenticate a request.

The following rules apply:

  • You must create at least one access key for each IAM user.

  • You can create a maximum of 2 keys at a time.

  • An access key is valid for 350 days.

    After that time, the access key is marked as expired but is still usable.

Warning:

To increase security, you must rotate an expired access key. Guidewire doesn't rotate expired access keys.

Access types permissions

Permissions define the level of access that users have to your AWS S3 bucket.

IAM user, IAM role, and bucket policy

Permissions are already set and can't be changed for the following access types:

  • IAM users created with a Guidewire account.

  • IAM roles used for cross-account access.

    Requires additional configuration in your own AWS account. For details, see IAM role statement.

  • Bucket policies.

    Requires additional configuration in your own AWS account. For details, see Bucket policy statement.

Each permission creates a separate policy in AWS:

Inbound read/write

Resource                          Security policy
/inbound-files/pending/*          put
/inbound-files/pending/*          get
/inbound-files/pending/*          list
/inbound-files/processed/*        list
/inbound-files/failed/*           get
/inbound-files/failed/*           list

Where the expected target paths for Resource are:

  • {bucket-name}/{planet-name}/{app-name}/inbound-files/
  • {bucket-name}/{planet-name}/{app-name}/outbound-files/

Outbound read/delete

Resource                          Security policy
/outbound-files/*                 get
/outbound-files/*                 delete
/outbound-files/*                 list

Where the expected target paths for Resource are:

  • {bucket-name}/{planet-name}/{app-name}/inbound-files/
  • {bucket-name}/{planet-name}/{app-name}/outbound-files/

Bucket

This permission allows a user to read the AWS region in which the S3 bucket resides.

IAM role (external)

When creating an external IAM role, you can limit the actions that a user can perform. This is recommended for external vendors and third-party integrations. Each permission creates a separate policy in AWS:

Inbound read/write

Resource                                          Security policy
/inbound-files/pending/{integration-name}/*       put
/inbound-files/pending/{integration-name}/*       get
/inbound-files/pending/{integration-name}/*       list
/inbound-files/processed/{integration-name}/*     list
/inbound-files/failed/{integration-name}/*        list

Where the expected target paths for Resource are:

  • {bucket-name}/{planet-name}/{app-name}/inbound-files/
  • {bucket-name}/{planet-name}/{app-name}/outbound-files/

Outbound read/delete

Resource                                          Security policy
/outbound-files/{integration-name}/*              get
/outbound-files/{integration-name}/*              delete
/outbound-files/{integration-name}/*              list

Where the expected target paths for Resource are:

  • {bucket-name}/{planet-name}/{app-name}/inbound-files/
  • {bucket-name}/{planet-name}/{app-name}/outbound-files/

Outbound write

Resource                                          Security policy
/outbound-files/{integration-name}/*              put
/outbound-files/{integration-name}/*              list

Where the expected target paths for Resource are:

  • {bucket-name}/{planet-name}/{app-name}/inbound-files/
  • {bucket-name}/{planet-name}/{app-name}/outbound-files/
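As an added example (not Guidewire's code), the following Python models the external-role resource scoping tabulated above: it expands the selected permissions into the per-integration resource patterns under {bucket-name}/{planet-name}/{app-name}/ and checks whether a given object key is covered. The bucket, planet, app and integration names are constructed placeholders; the page's policy names (put, get, list, delete) are used as-is instead of being mapped to S3 API actions, and the Resource wildcard is approximated with fnmatch. All three are simplifications made here.

```python
"""Added example (not Guidewire code): model the per-integration scoping of the
external IAM role permissions tabulated above.

Bucket, planet, app and integration names are constructed placeholders. The
page's short policy names (put, get, list, delete) are used directly rather
than mapped to S3 API actions, and the Resource wildcard is approximated with
fnmatch; both are simplifications made for this illustration.
"""
from fnmatch import fnmatchcase

# One (resource pattern, policy name) pair per row of the external-role tables.
EXTERNAL_ROLE_PERMISSIONS = {
    "inbound read/write": [
        ("inbound-files/pending/{integration}/*", "put"),
        ("inbound-files/pending/{integration}/*", "get"),
        ("inbound-files/pending/{integration}/*", "list"),
        ("inbound-files/processed/{integration}/*", "list"),
        ("inbound-files/failed/{integration}/*", "list"),
    ],
    "outbound read/delete": [
        ("outbound-files/{integration}/*", "get"),
        ("outbound-files/{integration}/*", "delete"),
        ("outbound-files/{integration}/*", "list"),
    ],
    "outbound write": [
        ("outbound-files/{integration}/*", "put"),
        ("outbound-files/{integration}/*", "list"),
    ],
}


def build_statements(bucket, planet, app, integration, permissions):
    """Expand the selected permissions into (policy, resource-pattern) pairs.

    Every resource sits under {bucket-name}/{planet-name}/{app-name}/, the
    target path layout the page describes, with the integration name as the
    path segment that separates one external vendor from another.
    """
    prefix = f"{bucket}/{planet}/{app}/"
    statements = []
    for permission in permissions:
        for pattern, policy in EXTERNAL_ROLE_PERMISSIONS[permission]:
            statements.append((policy, prefix + pattern.format(integration=integration)))
    return statements


def is_allowed(statements, policy, key):
    """True when some statement grants `policy` on a pattern that matches `key`."""
    return any(p == policy and fnmatchcase(key, pattern) for p, pattern in statements)


def other_integration_is_isolated(bucket, planet, app, integration, other, permissions):
    """Check the page's isolation claim: a role scoped to `integration` matches
    none of the keys that live under `other`'s folders, for any policy."""
    statements = build_statements(bucket, planet, app, integration, permissions)
    base = f"{bucket}/{planet}/{app}"
    foreign_keys = [
        f"{base}/inbound-files/pending/{other}/file.csv",
        f"{base}/inbound-files/processed/{other}/file.csv",
        f"{base}/inbound-files/failed/{other}/file.csv",
        f"{base}/outbound-files/{other}/file.csv",
    ]
    return not any(
        is_allowed(statements, policy, key)
        for policy in ("put", "get", "list", "delete")
        for key in foreign_keys
    )


if __name__ == "__main__":
    # Constructed names for a quick stand-alone run.
    selected = ["inbound read/write", "outbound write"]
    for policy, resource in build_statements(
            "example-bucket", "example-planet", "example-app", "vendor-one", selected):
        print(f"{policy:6} {resource}")
    print("vendor-two isolated from vendor-one:", other_integration_is_isolated(
        "example-bucket", "example-planet", "example-app",
        "vendor-one", "vendor-two", selected))
```

The trailing slash after the integration name in every pattern is what keeps one external role out of another's folders: `.../pending/vendor-one/*` matches nothing under `.../pending/vendor-one-extra/` or `.../pending/vendor-two/`, which is the page's statement that external role users can't access files of another external role, reproduced in miniature. Note also that selecting only "inbound read/write" grants list but not get on the failed folder, exactly as the table above states.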

CDA user and CDA bucket policy

This policy grants read access to the whole CDA bucket. You can configure it only for IAM user and bucket policy access types.

Security configuration

When creating an access point, you can allow users to connect only from a specific IP range or VPC endpoint. When you provide an IP address or VPC endpoint, the following Condition is added to your AWS statement:

Example statement
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "...",
            "Effect": "Allow",
            "Action": ["s3:..."],
            "Resource": ["arn:aws:s3:::{bucket-name}"],
            "Condition": {
                "IpAddressIfExists": {
                    "aws:SourceIp": ["1.1.1.1", "1.2.2.1/32"]
                },
                "StringEqualsIfExists": {
                    "aws:SourceVpce": ["vpce-id"]
                }
            }
        }
    ]
}

Where:

  • aws:SourceIp must be in the CIDR format.
  • Both the IP address and VPC endpoint conditions use the "IfExists" variant of the condition operator. This means that if you provide an IP address or a VPC endpoint in the statement, the corresponding key must match whenever it is present in your authentication request. If no IP address or VPC endpoint is present in the request, that condition is omitted from the evaluation.

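The following Python is an added example (not Guidewire's code) that evaluates the Condition block from the statement above against a request context, using the IfExists rule just described: a condition whose key is absent from the request passes, and one whose key is present must match. The request contexts are constructed; the condition values are the ones shown in the example statement.

```python
"""Added example (not Guidewire code): evaluate IpAddressIfExists and
StringEqualsIfExists against a request context the way the text above
describes. Request contexts are constructed; the Condition values come from
the example statement on the page.
"""
import ipaddress


def ip_address_if_exists(context, key, allowed_ranges):
    """IpAddressIfExists: satisfied when `key` is absent from the request;
    otherwise the request's address must fall inside one of the listed ranges
    (a bare address such as 1.1.1.1 is treated as a /32 network)."""
    value = context.get(key)
    if value is None:
        return True
    address = ipaddress.ip_address(value)
    return any(address in ipaddress.ip_network(cidr, strict=False)
               for cidr in allowed_ranges)


def string_equals_if_exists(context, key, allowed_values):
    """StringEqualsIfExists: satisfied when `key` is absent; otherwise the
    request's value must equal one of the listed values exactly."""
    value = context.get(key)
    if value is None:
        return True
    return value in allowed_values


OPERATORS = {
    "IpAddressIfExists": ip_address_if_exists,
    "StringEqualsIfExists": string_equals_if_exists,
}


def condition_matches(condition, context):
    """A Condition block passes only when every operator and every key in it
    passes (they are ANDed together, as in an IAM policy)."""
    for operator, keys in condition.items():
        evaluate = OPERATORS[operator]
        for key, allowed in keys.items():
            if not evaluate(context, key, allowed):
                return False
    return True


# The Condition block from the example statement above.
CONDITION = {
    "IpAddressIfExists": {"aws:SourceIp": ["1.1.1.1", "1.2.2.1/32"]},
    "StringEqualsIfExists": {"aws:SourceVpce": ["vpce-id"]},
}

if __name__ == "__main__":
    # Constructed request contexts, one per way a request might arrive.
    samples = {
        "from listed IP": {"aws:SourceIp": "1.2.2.1"},
        "from unlisted IP": {"aws:SourceIp": "1.2.2.2"},
        "via listed VPC endpoint": {"aws:SourceVpce": "vpce-id"},
        "via other VPC endpoint": {"aws:SourceVpce": "vpce-other"},
        "neither key present": {},
    }
    for label, context in samples.items():
        verdict = "allow" if condition_matches(CONDITION, context) else "deny"
        print(f"{label:24} -> {verdict}")
```

The reason both conditions use IfExists is visible in the sample contexts: in AWS, a request that arrives through a VPC endpoint carries aws:SourceVpce but not a public aws:SourceIp, while a request from the internet carries aws:SourceIp and no aws:SourceVpce, so a plain IpAddress or StringEquals operator would fail every request that lacks its key. The evaluator also shows the flip side the text describes: a context with neither key present passes both conditions, so the restriction only bites on the keys that are actually in the request.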
Note:

For details on configuring security, see:

IAM role configuration

When you create an access point of the IAM role or bucket policy type, you must also configure your IAM user or role with permission to access Guidewire resources. To configure the permission, add a statement to your IAM user or IAM role, as shown in the following sections.

IAM role statement

To configure the permission for an IAM role, add a statement to your IAM user or IAM role:

Example statement
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToAssumeRoleGuidewire",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "ARN"
        }
    ]
}

Where Resource contains the ARN of an IAM role. You can view and copy the ARN from the Access point table.

Bucket policy statement

To configure the permission for a bucket policy, add a statement to your IAM user or IAM role:

Example statement
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToGuidewireS3",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{bucket-name}",
                "arn:aws:s3:::{bucket-name}/*"
            ]
        }
    ]
}

You need to configure an IAM role for both InsuranceSuite and CDA.