
Administration of Amazon S3 Connector

As a user, you can use Amazon S3 Connector after the organization administrator performs the following tasks:

Create an Access Key ID and Secret Access Key

    1. Log in to Amazon Web Services and navigate to the Security Credentials page.
    2. Expand the Access Keys section, and click Create New Access Key.
    3. Click the Show Access Key link.
    4. Click Download Key File and save the file on the Secure Agent machine.

Create Minimal Amazon S3 Bucket Policy

The minimal Amazon S3 bucket policy ensures that read and write operations succeed.
You can use AWS Identity and Access Management (IAM) authentication to securely control access to Amazon S3 resources. If you have valid AWS credentials and you want to use IAM authentication, you do not have to specify the access key and secret key when you create an Amazon S3 connection.
You can restrict user operations and user access to particular Amazon S3 buckets by assigning an AWS Identity and Access Management (IAM) policy to users. Configure the IAM policy through the AWS console. The following are the minimum permissions that users need to read data from and write data to an Amazon S3 bucket.
Sample Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::<specify_bucket_name>/*",
                "arn:aws:s3:::<specify_bucket_name>"
            ]
        }
    ]
}
The Amazon S3 bucket policy must contain GetBucketPolicy to connect to Amazon S3.
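
Added example (not from the connector guide): a Python check that a candidate IAM policy grants the minimum listed above for one bucket, reporting grants that are missing and anything broader than the minimum. The bucket name example-bucket, the names audit_policy and _policy, and the sample policies are assumptions constructed for illustration; Deny statements, NotAction and Condition keys are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions from the sample policy, grouped by the ARN form each is checked against.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy"}  # arn:aws:s3:::<bucket>
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                  "s3:DeleteObject", "s3:DeleteObjectVersion"}  # arn:aws:s3:::<bucket>/*
ALL_ACTIONS = BUCKET_ACTIONS | OBJECT_ACTIONS

def _listify(value):
    """IAM JSON accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket):
    """Return sorted findings: required grants that are missing, and grants beyond the minimum."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/*"
    required = {(a, bucket_arn) for a in BUCKET_ACTIONS}
    required |= {(a, object_arn) for a in OBJECT_ACTIONS}
    grants, findings = [], set()
    for stmt in _listify(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # simplification: only Allow statements are considered
        actions = _listify(stmt.get("Action"))
        resources = _listify(stmt.get("Resource"))
        grants += [(a, r) for a in actions for r in resources]
        findings |= {f"broader than minimum: action {a}" for a in actions if a not in ALL_ACTIONS}
        findings |= {f"broader than minimum: resource {r}" for r in resources
                     if r not in (bucket_arn, object_arn)}
    for action, arn in required:
        # "*" in an IAM action or resource is a wildcard, so match patterns rather than literals.
        if not any(fnmatchcase(action, a) and fnmatchcase(arn, r) for a, r in grants):
            findings.add(f"missing: {action} on {arn}")
    return sorted(findings)

def _policy(actions, resources):
    """Build a one-statement Allow policy (constructed sample input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": resources}]})

# Constructed samples: the page's policy, an object-ARN-only variant, and an over-broad one.
PAGE_POLICY = _policy(sorted(ALL_ACTIONS),
                      ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"])
OBJECT_ONLY = _policy(sorted(ALL_ACTIONS), "arn:aws:s3:::example-bucket/*")
BROAD_POLICY = _policy("s3:*", "arn:aws:s3:::*")

if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("object-only", OBJECT_ONLY), ("broad", BROAD_POLICY)]:
        print(name, audit_policy(doc, "example-bucket"))
```

The object-only sample shows why the sample policy lists both ARN forms: s3:ListBucket and s3:GetBucketPolicy are evaluated against the bucket ARN, so a policy that names only <bucket>/* does not grant them.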

IAM Authentication

Optional. You can configure IAM authentication when the Secure Agent runs on an Amazon Elastic Compute Cloud (EC2) system. Use IAM authentication for secure and controlled access to Amazon S3 resources when you run a session.
Perform the following steps to configure IAM authentication:
    1. Create Minimal Amazon S3 Bucket Policy. For more information, see Create Minimal Amazon S3 Bucket Policy.
    2. Create the Amazon EC2 role. For more information, see Create the Amazon EC2 Role.
    3. Create an EC2 instance. Assign the Amazon EC2 role that you created in step 2 to the EC2 instance.
    4. Install the Secure Agent on the EC2 system.

Create the Amazon EC2 Role

The Amazon EC2 role is used when you create an EC2 system in the S3 bucket.
Perform the following steps to create the Amazon EC2 role:
    1. Log in to the AWS Console.
    2. Click Identity & Access Management.
    3. Select Role under the Details menu and click Create New Role.
    4. Specify the name of the role in the Set Role Name page.
    5. Click Next Step.
    6. Select the Amazon EC2 role type in the Select Role Type page.
    7. Select the required Amazon S3 policy in the Attach Policy page.
    8. Click Next Step.
    9. Review the Role Name, Role ARN, Trusted Entities, and Policies values in the Review page.
    10. Click Create Role.
After creating the Amazon EC2 role, create an EC2 instance. Assign the Amazon EC2 role to the EC2 instance.