Add an "ArpioRetain" suffix to keep Arpio from reverting modifications to policy statements
You may find yourself needing to grant access to resources that Arpio has created in your recovery environment to principals that exist only in the recovery environment. Arpio normally cleans up "drift" in replicated resources so that they match the source resource, and that cleanup would remove any special access you added. To keep Arpio from reverting your modifications to the resource policy, add an "ArpioRetain" suffix to the Sid of each statement you add to the policy.
In the example below, a statement has been added to the policy to give a special user permission to send messages to an SQS queue.
  {
    "Id": "Policy1732233417103",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowSpecialUserArpioRetain",
        "Action": [
          "sqs:SendMessage"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:sqs:us-east-1:123456123456:MyQueue",
        "Principal": {
          "AWS": [
            "arn:aws:iam::123456123456:user/specialuser"
          ]
        }
      }
    ]
  }
If Arpio sees that a statement's Sid has the "ArpioRetain" suffix, it will leave that statement in place the next time it replicates the resource policy. Statements without the suffix are treated as drift and removed.
This only works for resources which Arpio replicates during standby. For resources which Arpio only replicates during failover, once the failover or test has completed, it removes the resource and its resource policy, including any additional statements you may have added.
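The following is an added example, not code from the page or from Arpio, that models the behaviour described above: a helper that builds a statement for a recovery-only principal and refuses a Sid without the suffix, and a reconcile function that stands in for Arpio's drift cleanup (an assumption about how it behaves, not its implementation) by resetting the recovery policy to the source statements and carrying over only statements whose Sid ends in "ArpioRetain". The source policy, account ID, queue and principal ARNs are constructed placeholders.

```python
import copy
import json

# Sid suffix that tells Arpio to leave a statement in place on the next replication.
RETAIN_SUFFIX = "ArpioRetain"

# Constructed sample: the resource policy of the source queue, as Arpio would
# replicate it into the recovery environment. All ARNs are placeholders.
SOURCE_POLICY = {
    "Id": "Policy1732233417103",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowProdProducers",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123456123456:role/producer"]},
            "Action": ["sqs:SendMessage"],
            "Resource": "arn:aws:sqs:us-east-1:123456123456:MyQueue",
        }
    ],
}


def sids(policy: dict) -> list:
    """Statement IDs of a policy, in document order."""
    return [s.get("Sid", "") for s in policy.get("Statement", [])]


def is_retained(statement: dict) -> bool:
    """True if the statement's Sid carries the ArpioRetain suffix."""
    return str(statement.get("Sid", "")).endswith(RETAIN_SUFFIX)


def retained_statement(sid: str, principal_arn: str, actions: list, resource_arn: str) -> dict:
    """Build an Allow statement for a recovery-only principal. A Sid without the
    suffix is rejected up front, because drift cleanup would silently drop it."""
    if not sid.endswith(RETAIN_SUFFIX):
        raise ValueError(f"Sid {sid!r} must end with {RETAIN_SUFFIX!r} to survive replication")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": [principal_arn]},
        "Action": list(actions),
        "Resource": resource_arn,
    }


def with_statement(policy: dict, statement: dict) -> dict:
    """Return a copy of the policy with the statement appended. Sids must be
    unique within a resource policy, so a clash is an error rather than a merge."""
    if statement.get("Sid") in sids(policy):
        raise ValueError(f"duplicate Sid {statement.get('Sid')!r}")
    updated = copy.deepcopy(policy)
    updated.setdefault("Statement", []).append(copy.deepcopy(statement))
    return updated


def reconcile(source_policy: dict, recovery_policy: dict) -> dict:
    """Model of the drift cleanup described on the page (an assumption, not
    Arpio's code): the recovery policy is reset to the source statements, and
    only recovery-side statements whose Sid ends with the suffix are carried
    over. A retained Sid that collides with a source Sid is skipped so the
    resulting policy keeps unique Sids."""
    result = copy.deepcopy(source_policy)
    source_sids = set(sids(source_policy))
    for statement in recovery_policy.get("Statement", []):
        if is_retained(statement) and statement.get("Sid") not in source_sids:
            result.setdefault("Statement", []).append(copy.deepcopy(statement))
    return result


if __name__ == "__main__":
    queue_arn = "arn:aws:sqs:us-east-1:123456123456:MyQueue"
    special = retained_statement(
        "AllowSpecialUserArpioRetain",
        "arn:aws:iam::123456123456:user/specialuser",
        ["sqs:SendMessage"],
        queue_arn,
    )
    recovery = with_statement(SOURCE_POLICY, special)
    # An untagged edit: this one is reverted by the next replication.
    drifted = with_statement(recovery, {
        "Sid": "TemporaryAccess",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456123456:user/tmp"]},
        "Action": ["sqs:SendMessage"],
        "Resource": queue_arn,
    })
    print(json.dumps(reconcile(SOURCE_POLICY, drifted), indent=2))
```

Running the script prints the policy that survives cleanup: the source statement plus "AllowSpecialUserArpioRetain", with "TemporaryAccess" gone. To apply a policy built this way to a real recovery queue, read the current document with `aws sqs get-queue-attributes --queue-url <url> --attribute-names Policy`, append the retained statement, and write it back with `aws sqs set-queue-attributes --queue-url <url> --attributes Policy='<json>'`.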
The following resources which are replicated during standby are supported:
- KMS Keys
- Lambda Functions
- Lambda Function Versions
- Lambda Layers
- S3 Buckets
- SecretsManager Secrets
- SNS Topics
- SQS Queues