IAM Policy Document Translation

IAM policy document translation with Arpio

Arpio translates IAM policy documents when replicating resources from your production environment to your recovery environment. The translation rules are outlined here.

Principals

Principals expressed in the policy document are translated as follows:

  • A principal of type "AWS" that is the ID of your primary environment's AWS account is translated to the ID of your recovery environment's AWS account.
  • A principal of type "AWS" that is an ARN is translated according to the ARN Translation Rules below.

Resources

Resources expressed in the policy document are translated according to the ARN Translation Rules below.

Conditions

Conditions expressed in the policy document are translated as follows:

  • aws:requestedregion, ec2:region, s3:locationconstraint: if the value matches the primary environment's region, it is translated to the recovery environment's region.
  • aws:sourceaccount: if the value matches the account ID of the primary environment, it is translated to the account ID of the recovery environment.
  • aws:sourcevpc: translated to the ID of the corresponding VPC in the recovery environment if one exists; otherwise left as is.
  • aws:sourcearn, iam:policyarn, ec2:acceptervpc, ec2:authorizeduser, ec2:instanceprofile, ec2:launchtemplate, ec2:parentsnapshot, ec2:parentvolume, ec2:placementgroup, ec2:requestervpc, ec2:subnet, ec2:vpc: translated according to the ARN Translation Rules below.
  • aws:sourceip: if expressed as an IPv6 CIDR, and the address lies in the CIDR block of a VPC being replicated, translated to the corresponding IP address in the replicated VPC.

All other conditions are replicated identically to how they're expressed in the primary environment.

ARN Translation Rules

  • An ARN representing a resource being replicated to your recovery environment is translated to the ARN of that resource in your recovery environment.
  • An ARN representing a resource that is not being replicated to your recovery environment is translated as follows:
    • If the ARN's region matches the region of your primary environment, and the ARN's account ID is your primary environment's account ID or '*', the region is translated to the region of your recovery environment.
    • If the ARN's account ID matches the account ID of your primary environment, and the ARN's region is your primary environment's region or empty, the account ID is translated to the account ID of your recovery environment.
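The following is an added example, not Arpio's code, that models the rules described in the Principals, Resources, Conditions and ARN Translation Rules sections above as a small Python translator and runs a sample policy through it. The account IDs, regions, the map of replicated resources, the VPC ID map and the sample policy are all constructed assumptions; the IPv6 rebasing for aws:sourceip is not modelled, so that key is passed through unchanged here. The two ARN rules are evaluated against the original region and account fields, so an ARN in the primary account but in an unrelated region is left alone, as the rules above require.

```python
# Added example, not Arpio's code: a model of the translation rules on this
# page. Environment values, the resource/VPC maps and the sample policy are
# constructed assumptions; the IPv6 rebasing for aws:sourceip is not modelled.
import json
import re

PRIMARY = {"account": "111111111111", "region": "us-east-1"}   # constructed
RECOVERY = {"account": "222222222222", "region": "us-west-2"}  # constructed
REPLICATED = {  # resources being replicated: primary ARN -> recovery ARN
    "arn:aws:s3:::prod-bucket": "arn:aws:s3:::prod-bucket-recovery",
    "arn:aws:sqs:us-east-1:111111111111:orders":
        "arn:aws:sqs:us-west-2:222222222222:orders",
}
VPC_MAP = {"vpc-0a1b2c3d": "vpc-9f8e7d6c"}  # primary VPC id -> recovery VPC id
REGION_KEYS = {"aws:requestedregion", "ec2:region", "s3:locationconstraint"}
ARN_KEYS = {"aws:sourcearn", "iam:policyarn", "ec2:acceptervpc",
            "ec2:authorizeduser", "ec2:instanceprofile", "ec2:launchtemplate",
            "ec2:parentsnapshot", "ec2:parentvolume", "ec2:placementgroup",
            "ec2:requestervpc", "ec2:subnet", "ec2:vpc"}
ARN_RE = re.compile(r"^arn:([^:]*):([^:]*):([^:]*):([^:]*):(.*)$", re.S)

def translate_arn(arn):
    """ARN Translation Rules: replicated resources map straight to their
    recovery ARN; otherwise region and/or account ID are rewritten on match."""
    if arn in REPLICATED:
        return REPLICATED[arn]
    m = ARN_RE.match(arn)
    if not m:
        return arn  # not an ARN: leave untouched
    partition, service, region, account, resource = m.groups()
    new_region, new_account = region, account
    # Region rule: primary region, and account is the primary account or '*'.
    if region == PRIMARY["region"] and account in (PRIMARY["account"], "*"):
        new_region = RECOVERY["region"]
    # Account rule: primary account, and region is the primary region or empty.
    if account == PRIMARY["account"] and region in (PRIMARY["region"], ""):
        new_account = RECOVERY["account"]
    return f"arn:{partition}:{service}:{new_region}:{new_account}:{resource}"

def translate_condition_value(key, value):
    """Apply the condition-key table; keys are matched case-insensitively."""
    k = key.lower()
    if k in REGION_KEYS:
        return RECOVERY["region"] if value == PRIMARY["region"] else value
    if k == "aws:sourceaccount":
        return RECOVERY["account"] if value == PRIMARY["account"] else value
    if k == "aws:sourcevpc":
        return VPC_MAP.get(value, value)  # left as is when no counterpart exists
    if k in ARN_KEYS:
        return translate_arn(value)
    return value  # aws:sourceip (not modelled here) and all other keys: verbatim

def _each(value, fn):
    """Policy values may be a scalar or a list; apply fn to each element."""
    return [fn(v) for v in value] if isinstance(value, list) else fn(value)

def translate_principal(principal):
    """'AWS' principals: the primary account ID becomes the recovery account
    ID and ARNs go through the ARN rules; '*' or other types are untouched."""
    if not isinstance(principal, dict) or "AWS" not in principal:
        return principal

    def one(p):
        if p == PRIMARY["account"]:
            return RECOVERY["account"]
        return translate_arn(p) if p.startswith("arn:") else p
    return {**principal, "AWS": _each(principal["AWS"], one)}

def translate_policy(policy):
    """Return a translated copy of a policy document; the input is unchanged."""
    stmts = policy.get("Statement", [])
    out = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        s = dict(s)
        if "Principal" in s:
            s["Principal"] = translate_principal(s["Principal"])
        if "Resource" in s:
            s["Resource"] = _each(s["Resource"], translate_arn)
        if "Condition" in s:
            s["Condition"] = {
                op: {k: _each(v, lambda x, k=k: translate_condition_value(k, x))
                     for k, v in keys.items()}
                for op, keys in s["Condition"].items()}
        out.append(s)
    return {**policy, "Statement": out}

SAMPLE_POLICY = {  # constructed resource policy from the primary environment
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["111111111111",
                              "arn:aws:iam::111111111111:role/app-role"]},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:orders",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111",
                             "aws:RequestedRegion": "us-east-1",
                             "aws:SourceVpc": "vpc-0a1b2c3d"},
            "ArnLike": {"aws:SourceArn": "arn:aws:s3:::prod-bucket"}}}]}

if __name__ == "__main__":
    print(json.dumps(translate_policy(SAMPLE_POLICY), indent=2))
```

Running the script prints the translated copy of the sample policy: the account-ID principal and the IAM role ARN move to the recovery account, the SQS queue resource maps to its replicated counterpart, and each condition value in the table is rewritten while the original document is left untouched. Comparing the two documents side by side is a quick way to check that a replicated policy still grants only what the primary one did.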