Advanced AWS policy configuration
This guide explains how to configure AWS policies for a destination, data source and storage.
Introduction
Use Amazon Web Services (AWS) policies to define a set of permissions on an AWS resource.
This guide explains what an AWS policy should contain in the following situations:
Using S3 as a destination
Using S3 as a data source
Using S3 as storage
Prerequisites
Before you read this reference, perform all of the following actions:
Ensure you can access the IAM console.
Ensure you can access the AWS Policy Generator.
Ensure you know the bucket name and path name of your AWS S3 bucket. For more information on S3 bucket properties, see the AWS documentation.
Using S3 as a destination
To use an S3 bucket as a destination, ensure the AWS policy contains the following elements:
- Action
To use an S3 bucket as a destination, you must include the following actions in the Action element of the AWS policy:
s3:DeleteObject
s3:GetObject
s3:PutObject
s3:ListBucket (include this action in a separate statement of the AWS policy that also contains a condition; see the example AWS policy below)
- Resource
Provide the path to the S3 bucket in the following format:
arn:aws:s3:::BUCKETNAME/PATHNAME/*
For the AWS policy statement with the action s3:ListBucket, include the following resource element: arn:aws:s3:::BUCKETNAME
For more information on the resource element of the AWS policy, see the AWS documentation.
- Condition
Configure the condition element to control when the policy takes effect. Include the condition element in the AWS policy statement that includes the action s3:ListBucket. See the example AWS policy below. Use the condition operator StringLike with the condition key s3:prefix to make sure the AWS policy only works for a certain resource path name. An example of the condition element is as follows:
"Condition": { "StringLike": { "s3:prefix": "PATHNAME*" } }
For more information on the condition element of the AWS policy, see the AWS documentation.
Example of an AWS policy when using S3 as a destination
Below is an example of an AWS policy to use an S3 bucket as a destination.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME/PATHNAME/*"
      ],
      "Effect": "Allow",
      "Sid": "Stmt1478773756000"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME"
      ],
      "Effect": "Allow",
      "Sid": "Stmt1478773807000",
      "Condition": {
        "StringLike": {
          "s3:prefix": "PATHNAME*"
        }
      }
    }
  ]
}
Using S3 as a data source
To use an S3 bucket as a data source, ensure the AWS policy contains the following elements:
- Action
To use an S3 bucket as a data source, you must include the following actions in the Action element of the AWS policy:
s3:GetObject
s3:ListBucket (include this action in a separate statement of the AWS policy that also contains a condition; see the example AWS policy below)
- Resource
Provide the path to the S3 bucket in the following format:
arn:aws:s3:::BUCKETNAME/PATHNAME/*
For the AWS policy statement with the action s3:ListBucket, include the following resource element: arn:aws:s3:::BUCKETNAME
For more information on the resource element of the AWS policy, see the AWS documentation.
- Condition
Configure the condition element to control when the policy takes effect. Include the condition element in the AWS policy statement that includes the action s3:ListBucket. See the example AWS policy below. Use the condition operator StringLike with the condition key s3:prefix to make sure the AWS policy only works for a certain resource path name. An example of the condition element is as follows:
"Condition": { "StringLike": { "s3:prefix": "PATHNAME*" } }
For more information on the condition element of the AWS policy, see the AWS documentation.
Example of an AWS policy when using S3 as a data source
Below is an example of an AWS policy to use an S3 bucket as a data source.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME/PATHNAME/*"
      ],
      "Effect": "Allow",
      "Sid": "Stmt1478773756000"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME"
      ],
      "Effect": "Allow",
      "Sid": "Stmt1478773807000",
      "Condition": {
        "StringLike": {
          "s3:prefix": "PATHNAME*"
        }
      }
    }
  ]
}
Using S3 as storage
To use an S3 bucket as storage, ensure the AWS policy contains the following elements:
- Action
To use an S3 bucket as storage, you must include the following actions in the Action element of the AWS policy:
s3:DeleteObject
s3:GetObject
s3:PutObject
s3:ListBucket (include this action in a separate statement of the AWS policy that also contains a condition; see the example AWS policy below)
- Resource
Provide the path to the S3 bucket in the following format:
arn:aws:s3:::BUCKETNAME/PATHNAME/*
For the AWS policy statement with the action s3:ListBucket, include the following resource element: arn:aws:s3:::BUCKETNAME
For more information on the resource element of the AWS policy, see the AWS documentation.
Example of an AWS policy when using S3 as storage
Below is an example of an AWS policy to use an S3 bucket as storage.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME/PATHNAME/*"
      ],
      "Effect": "Allow",
      "Sid": "Stmt1478773756000"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME"
      ],
      "Effect": "Allow",
      "Sid": "Stmt1478773807000"
    }
  ]
}
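The three sections above share one pattern: object-level actions scoped to BUCKETNAME/PATHNAME/*, plus a separate s3:ListBucket statement on the bucket ARN that is narrowed with a StringLike s3:prefix condition. The following Python script is an added example, not part of this guide or of any AWS tooling. It generates the policy document for each of the three usage modes and lint-checks a policy for the scoping the guide calls for (no wildcard actions, no bucket-wide object access, and a prefix condition on s3:ListBucket). The mode names, the Sid values, the lint rules and the bucket and path placeholders are the example's own choices, and the over-broad sample policy at the end is constructed purely to show what the checks report.

```python
import json

# Added example (not from the original guide): build the policy documents the
# guide describes and lint a policy for the scoping the guide requires.
# Bucket and path names used below are constructed placeholders.

# Object-level actions per usage mode, as listed in the guide.
OBJECT_ACTIONS = {
    "destination": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
    "data_source": ["s3:GetObject"],
    "storage": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
}

OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def build_policy(mode, bucket, path, with_prefix_condition=True):
    """Return the IAM policy (as a dict) for one usage mode.

    The object statement is scoped to BUCKET/PATH/*. The s3:ListBucket
    statement targets the bucket ARN and, unless disabled, carries the
    StringLike s3:prefix condition so only keys under PATH can be listed.
    """
    if mode not in OBJECT_ACTIONS:
        raise ValueError(f"unknown mode: {mode}")
    path = path.strip("/")
    list_stmt = {
        "Sid": "ListOnlyUnderPrefix",  # Sid chosen for this example
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}"],
    }
    if with_prefix_condition:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": f"{path}*"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectAccessUnderPrefix",  # Sid chosen for this example
                "Effect": "Allow",
                "Action": list(OBJECT_ACTIONS[mode]),
                "Resource": [f"arn:aws:s3:::{bucket}/{path}/*"],
            },
            list_stmt,
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return findings where an Allow statement is broader than the guide intends."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants more than the listed S3 actions")
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {res} is not limited to one bucket")
        if OBJECT_LEVEL & set(actions):
            for res in resources:
                # Key part after "bucket/"; "*" or nothing means every object in the bucket.
                key = res.partition(":::")[2].partition("/")[2]
                if key in ("", "*"):
                    findings.append(f"{sid}: object actions are not limited to a path prefix ({res})")
        if "s3:ListBucket" in actions:
            prefix = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
            if prefix in (None, "*"):
                findings.append(f"{sid}: s3:ListBucket has no s3:prefix condition, so the whole bucket can be listed")
    return findings


# Constructed over-broad policy, used only to show what the linter reports.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooWide", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::BUCKETNAME/*"},
    {"Sid": "ListAll", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::BUCKETNAME"]}
  ]
}
""")

if __name__ == "__main__":
    policy = build_policy("destination", "BUCKETNAME", "PATHNAME")
    print(json.dumps(policy, indent=2))
    print("findings for scoped policy:", lint_policy(policy))
    print("findings for over-broad policy:", lint_policy(OVERBROAD_POLICY))
```

Run the script to print the destination policy and the linter output for both the scoped and the over-broad sample. Before attaching a generated document to an IAM user, you can check its effect offline with the AWS CLI's aws iam simulate-custom-policy command, passing the JSON as the policy input together with the action and resource ARN you expect to be allowed or denied.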
Applying an AWS policy
An AWS policy is attached to an IAM user in your AWS account. For more information on how to attach and test a policy, see the AWS documentation.