
Access AWS S3 with IAM Role

In this topic, you will see how to use an IAM role to configure the AWS S3 service for Discovery scanning.

Create IAM Role with AWS S3 Permissions

  1. Log in to the AWS console.

  2. Go to Identity and Access Management (IAM) and navigate to Access management > Roles.

  3. Create a role or edit an existing AWS IAM role. Refer to the AWS documentation on how to create an IAM role.

  4. Navigate to the role created or the role you are editing.

    1. Open the role.

      The role Summary page is displayed.

    2. Copy the Role ARN.

      Use this ARN in the IAM Role ARN field when providing the Application Properties details for the data source.

  5. Add a policy to the AWS IAM role.

    1. Open the role you created in step 3 or the role you are editing.

    2. Click the Permissions tab.

    3. In the Permissions policies section, click Attach policies or Add inline policy.

      The Create policy page is displayed.

    1. Click the JSON tab to add the policy and permissions.

      Refer to the following sample permissions JSON for the role on the S3 bucket. Ensure that the permissions policy of the role from step 3 includes the Get and List actions, and replace bucket-name with the name of your bucket.

      Note

      You can scan multiple buckets, in the same region or in multiple regions, from a single IAM role that is configured as part of the data source.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowAccountLevelS3Actions",
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListAllMyBuckets",
                      "s3:Get*"
                  ],
                  "Resource": "*"
              },
              {
                  "Sid": "AllowListAndReadS3ActionOnMyBucket",
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucket-name/*",
                      "arn:aws:s3:::bucket-name",
                      "arn:aws:s3:::bucket1-name/*",
                      "arn:aws:s3:::bucket1-name",
                      "arn:aws:s3:::bucket2-name/*",
                      "arn:aws:s3:::bucket2-name",
                      "arn:aws:s3:::bucket3-name/*",
                      "arn:aws:s3:::bucket3-name",
                      "arn:aws:s3:::bucket4-name/*",
                      "arn:aws:s3:::bucket4-name",
                      "arn:aws:s3:::bucket5-name/*",
                      "arn:aws:s3:::bucket5-name",
                      "arn:aws:s3:::bucket6-name/*",
                      "arn:aws:s3:::bucket6-name"
                  ]
              }
          ]
      }

    2. Click Review policy.

      The Review policy section is displayed.

    3. Enter the policy Name and click Create policy.

  6. Establish the IAM role trust relationship with the Discovery Data Access Role.

    1. Open the role you created in step 3 or the role you are editing.

    2. Click the Trust relationships tab.

    3. Click Edit trust relationship.

    4. Refer to the following JSON to add a new policy document.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::870790086151:role/DISCOVERY_PROD_DATA_ACCESS_ROLE",
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }

    5. Click Update Trust Policy to save this revision.
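The two JSON documents above are easy to get subtly wrong by hand: a missing comma between two bucket ARNs is rejected by the console, a bucket that is listed with only one of its two ARN forms (bucket and bucket/*) will fail either listing or object reads, and the account-level statement grants s3:Get* on every resource, which is broader than the per-bucket statement needs. The following script is an added example, not code from this page or from the Discovery product: it builds both documents for a list of buckets, mirroring the page's samples exactly (including the s3:Get* account-level grant and the S3 service principal in the trust policy), and then checks them the way a reviewer would before pasting them in. The Discovery role ARN is the one shown on the page; the bucket names are constructed samples, and the checker functions (parse_policy, missing_bucket_arns, wildcard_grants, trust_allows_assume_role) are this example's own helpers, not an AWS API.

```python
"""Build and sanity-check the IAM permissions and trust policies described above.
Added example; not code from the original page."""
import json

# Taken from the trust-policy sample on this page.
DISCOVERY_ROLE_ARN = "arn:aws:iam::870790086151:role/DISCOVERY_PROD_DATA_ACCESS_ROLE"

# Constructed sample bucket names; replace with the buckets Discovery should scan.
SAMPLE_BUCKETS = ["bucket-name", "bucket1-name", "bucket2-name"]


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def build_permissions_policy(bucket_names):
    """Permissions policy mirroring the page's sample: the account-level statement
    plus one statement listing both ARN forms (bucket/* and bucket) per bucket."""
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}/*")  # object-level actions, e.g. GetObject
        resources.append(f"arn:aws:s3:::{name}")    # bucket-level actions, e.g. ListBucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAccountLevelS3Actions", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets", "s3:Get*"], "Resource": "*"},
            {"Sid": "AllowListAndReadS3ActionOnMyBucket", "Effect": "Allow",
             "Action": ["s3:Get*", "s3:List*"], "Resource": resources},
        ],
    }


def build_trust_policy(principal_role_arn):
    """Trust policy mirroring the page's sample (AWS principal plus S3 service principal)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_role_arn, "Service": "s3.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def parse_policy(text):
    """Return (policy, None) on success or (None, error) on a JSON syntax slip,
    such as a missing comma between two ARNs, which the console would reject."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno} col {exc.colno}: {exc.msg}"


def missing_bucket_arns(policy, bucket_names):
    """Buckets for which no Allow statement covers both ARN forms."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Resource", [])))
    return [name for name in bucket_names
            if not {f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"} <= allowed]


def wildcard_grants(policy):
    """(Sid, action) pairs where a wildcard action is allowed on Resource '*'.
    The page's first statement yields one finding, for s3:Get*."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append((stmt.get("Sid", ""), action))
    return findings


def trust_allows_assume_role(trust_policy, principal_arn):
    """True if some Allow statement lets principal_arn call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and principal_arn in _as_list(aws)):
            return True
    return False


if __name__ == "__main__":
    perms = build_permissions_policy(SAMPLE_BUCKETS)
    trust = build_trust_policy(DISCOVERY_ROLE_ARN)
    print(json.dumps(perms, indent=4))
    print(json.dumps(trust, indent=4))
    print("buckets missing an ARN form:", missing_bucket_arns(perms, SAMPLE_BUCKETS))
    print("wildcard grants on '*':", wildcard_grants(perms))
    print("Discovery role may assume:", trust_allows_assume_role(trust, DISCOVERY_ROLE_ARN))
```

Run it, paste the printed documents into the JSON tab and the trust relationship editor respectively, and review the wildcard_grants output: if Discovery does not need s3:Get* on every resource in the account, narrowing that statement to s3:ListAllMyBuckets keeps the role closer to least privilege while the per-bucket statement still grants the Get and List actions the page requires.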

Configure IAM Role for AWS S3

For more information, see S3 application with Access Manager and Data Discovery.


Last update: March 24, 2022