As a user, you can use Amazon S3 Connector after the organization administrator performs the following tasks:
•Manage authentication. Use one of the following two methods:
- Create an access key ID and secret access key.
Provide the access key ID and secret access key when you configure the Amazon S3 connection. For more information about creating an access key ID and secret access key, see the AWS documentation.
- Configure AWS Identity and Access Management (IAM) authentication, so that no long-term access keys are stored in the connection.
If you use IAM authentication, do not provide the access key ID and secret access key in the Amazon S3 connection.
•Create a master symmetric key if you want to enable client-side encryption.
•Create an AWS Key Management Service (AWS KMS)-managed customer master key if you want to enable server-side encryption.
•Create a minimal IAM policy for Amazon S3 Connector. The policy is attached to an IAM role, not to the bucket; see Create a Minimal Amazon IAM Policy.
Create a Minimal Amazon IAM Policy
You can configure an IAM policy through the AWS console. Use IAM authentication to control access to Amazon S3 resources without distributing long-term access keys.
If valid AWS credentials are available to the Secure Agent and you want to use IAM authentication, do not specify the access key and secret key when you create an Amazon S3 connection.
The following actions are the minimum required for the connector to write data to an Amazon S3 bucket:
•s3:PutObject
•s3:GetObject
•s3:DeleteObject
•s3:ListBucket
•s3:GetBucketPolicy
You can use the following sample minimal Amazon IAM policy:
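The sample policy referenced above is not reproduced on this page. The following is an added example, not Informatica's or AWS's own sample: it builds a policy restricted to the five actions listed, scopes the bucket-level actions (ListBucket, GetBucketPolicy) to the bucket ARN and the object-level actions to the object ARN, and includes a checker that flags anything wider. The bucket name, the optional key prefix and the statement Sids are placeholders.

```python
"""Least-privilege IAM policy for the Amazon S3 Connector (added example).

Not the connector's own sample policy. Bucket name and key prefix are
placeholders; the checker only knows the five actions the documentation lists.
"""
import json

# Bucket-level actions are evaluated against the bucket ARN (arn:aws:s3:::bucket);
# object-level actions against object ARNs (arn:aws:s3:::bucket/key). Putting an
# action on the wrong kind of resource either breaks the connector or widens access.
BUCKET_ACTIONS = ("s3:ListBucket", "s3:GetBucketPolicy")
OBJECT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")
ALLOWED_ACTIONS = frozenset(BUCKET_ACTIONS + OBJECT_ACTIONS)


def build_minimal_policy(bucket, prefix=""):
    """Policy allowing only the five actions on one bucket.

    An optional key prefix (e.g. "exports/") confines object access to that prefix
    and limits ListBucket with the s3:prefix condition key. GetBucketPolicy gets its
    own statement because s3:prefix is absent from that request context, and a
    StringLike condition on a missing key evaluates to false.
    """
    bucket_arn = "arn:aws:s3:::%s" % bucket
    list_stmt = {"Sid": "ConnectorListBucket", "Effect": "Allow",
                 "Action": "s3:ListBucket", "Resource": bucket_arn}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {"Sid": "ConnectorReadBucketPolicy", "Effect": "Allow",
             "Action": "s3:GetBucketPolicy", "Resource": bucket_arn},
            {"Sid": "ConnectorObjectAccess", "Effect": "Allow",
             "Action": list(OBJECT_ACTIONS), "Resource": "%s/%s*" % (bucket_arn, prefix)},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _is_object_arn(resource):
    # "arn:aws:s3:::bucket/key" has a slash after the bucket name; a bare bucket ARN does not.
    return "/" in resource.split(":::", 1)[-1]


def check_policy(policy):
    """Return findings for anything beyond the connector minimum; [] if clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in ALLOWED_ACTIONS:  # also catches "*" and "s3:*"
                findings.append("%s: action %r exceeds the connector minimum" % (sid, action))
        for resource in resources:
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append("%s: resource %r is not scoped to one bucket" % (sid, resource))
                continue
            for action in actions:
                if action in OBJECT_ACTIONS and not _is_object_arn(resource):
                    findings.append("%s: %s needs an object ARN (bucket/*), got %r" % (sid, action, resource))
                if action in BUCKET_ACTIONS and _is_object_arn(resource):
                    findings.append("%s: %s needs the bucket ARN, got %r" % (sid, action, resource))
    return findings


# Constructed over-broad policy of the kind often attached "to make it work".
OVERBROAD_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    policy = build_minimal_policy("example-connector-bucket", "exports/")
    print(json.dumps(policy, indent=2))
    print("minimal policy findings:", check_policy(policy))
    print("over-broad policy findings:", check_policy(OVERBROAD_POLICY))
```

Run the checker against the policy actually attached to the Secure Agent's role before going live; the two findings it raises for the over-broad policy (a wildcard action and an unscoped resource) are the usual ways a "minimal" policy drifts into full S3 access.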
If you do not provide the access key and the secret key in the connection, Amazon S3 Connector uses the AWS default credentials provider chain, which looks for credentials in the following order and uses the first complete set it finds:
1. The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or the legacy AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables.
2. The aws.accessKeyId and aws.secretKey Java system properties.
3. The credential profiles file at the default location, ~/.aws/credentials.
4. The instance profile credentials delivered through the Amazon EC2 instance metadata service.
Because the earlier sources take precedence, a stray environment variable or credentials file on the Secure Agent host is used instead of the EC2 role. Remove them when you intend to use IAM authentication.
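To make the precedence concrete, the following added example emulates the four sources in the order listed and returns the first complete key pair. It is not the connector's or the AWS SDK's code: the metadata-service call is replaced by a `fetch` callable, the credentials file is passed in as text, and every key value is a constructed placeholder.

```python
"""Credential resolution in the documented order (added example).

Emulates the provider chain so the precedence can be exercised offline; not the
connector's or the AWS SDK's code. All credential values are placeholders.
"""
import configparser
from typing import Callable, Mapping, Optional, Tuple

Credentials = Tuple[str, str, str]  # (access key ID, secret access key, source)


def from_env(env: Mapping[str, str]) -> Optional[Credentials]:
    """1. Environment variables; both the current and the legacy names count."""
    for key_var, secret_var in (("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
                                ("AWS_ACCESS_KEY", "AWS_SECRET_KEY")):
        if env.get(key_var) and env.get(secret_var):
            return env[key_var], env[secret_var], "environment"
    return None  # a pair with one half missing is skipped, not an error


def from_system_properties(props: Mapping[str, str]) -> Optional[Credentials]:
    """2. The aws.accessKeyId / aws.secretKey Java system properties."""
    if props.get("aws.accessKeyId") and props.get("aws.secretKey"):
        return props["aws.accessKeyId"], props["aws.secretKey"], "system-properties"
    return None


def from_profile_file(text: str, profile: str = "default") -> Optional[Credentials]:
    """3. The ~/.aws/credentials file, passed in here as text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if cp.has_option(profile, "aws_access_key_id") and cp.has_option(profile, "aws_secret_access_key"):
        return cp.get(profile, "aws_access_key_id"), cp.get(profile, "aws_secret_access_key"), "profile-file"
    return None


def from_instance_profile(fetch: Callable[[], Optional[Mapping[str, str]]]) -> Optional[Credentials]:
    """4. EC2 instance profile; `fetch` stands in for the metadata-service GET.

    The real document also carries a session Token; it is ignored in this emulation.
    """
    doc = fetch()
    if doc and doc.get("AccessKeyId") and doc.get("SecretAccessKey"):
        return doc["AccessKeyId"], doc["SecretAccessKey"], "instance-profile"
    return None


def resolve(env, props, profile_text, fetch) -> Credentials:
    """Walk the chain in documented order and return the first complete pair."""
    providers = (
        lambda: from_env(env),
        lambda: from_system_properties(props),
        lambda: from_profile_file(profile_text),
        lambda: from_instance_profile(fetch),
    )
    for provider in providers:
        creds = provider()
        if creds is not None:
            return creds
    raise LookupError("no AWS credentials found in any provider")


# Constructed inputs (placeholder values, not real credentials).
PROFILE_FILE = ("[default]\n"
                "aws_access_key_id = AKIAPROFILEPLACEHOLDER\n"
                "aws_secret_access_key = profile-secret-placeholder\n")
ROLE_DOC = {"AccessKeyId": "ASIAROLEPLACEHOLDER",
            "SecretAccessKey": "role-secret-placeholder",
            "Token": "session-token-placeholder"}

if __name__ == "__main__":
    # The role is present, but a leftover credentials file wins: the session runs
    # with the file's long-term keys, not the role's temporary ones.
    print(resolve({}, {}, PROFILE_FILE, lambda: ROLE_DOC)[2])  # profile-file
    print(resolve({}, {}, "", lambda: ROLE_DOC)[2])            # instance-profile
```

The first call in the usage block is the failure mode to watch for on an EC2-hosted Secure Agent: with a credentials file left on disk, the role you carefully scoped is never consulted.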
You can configure IAM authentication when the Secure Agent runs on an Amazon Elastic Compute Cloud (EC2) system.
Perform the following steps to configure IAM authentication on EC2:
1. Create a minimal IAM policy for Amazon S3 Connector.
2. Create the Amazon EC2 role. The Amazon EC2 role is assigned when you create an EC2 instance. For more information about creating the Amazon EC2 role, see the AWS documentation.
3. Attach the minimal IAM policy to the Amazon EC2 role.
4. Create an EC2 instance. Assign the Amazon EC2 role that you created in step 2 to the EC2 instance.
5. Install the Secure Agent on the EC2 instance.
Use IAM authentication for secure and controlled access to Amazon S3 resources when you run a session.