AWS S3 Bucket Access

This document describes how to set up an AWS user and S3 bucket for secure DAS S3 access. The DAS supports S3 and S3-compatible bucket systems. S3 buckets can be used in S3 data sources, the bundle registry, and the decision log and activity log exporters.

DAS S3 buckets are configured from the following data elements:

  • Bucket URL. For example: "s3://styra-storage" or "gs://styra-storage/folder".
  • Custom endpoint or S3 compatible system endpoint. For example: "https://storage.googleapis.com".
  • Region. For example: "us-east-1" or "auto".
  • Access key ID
  • Secret access key

Secure AWS S3 bucket access

Use AWS IAM Management Console

Perform the following steps to create a new user, set up permissions, and collect the access keys.

Note

The names "styra", "StyraAccess" and "styra-storage" are used as illustrations and can be changed to follow any enterprise naming conventions.

  1. Create a new AWS user "styra"

    Select "Access key - Programmatic access".

  2. Create a "StyraAccess" permissions policy

    Select "Create policy" to open the new permissions policy editor.

  3. Set up permissions policy secure access

    Add a policy for each S3 bucket or S3 bucket folder that DAS is granted access to. To constrain access to a specific folder, change the resource to "arn:aws:s3:::styra-storage/foldername/*".

    Sample Permissions Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "StyraAccess0",
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": [
            "arn:aws:s3:::styra-storage"
          ]
        },
        {
          "Sid": "StyraAccess1",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject"
          ],
          "Resource": "arn:aws:s3:::styra-storage/*"
        }
      ]
    }

  4. Save "StyraAccess" permissions policy

  5. Attach "StyraAccess" permissions to user

  6. Save the created user's security credentials

    Save the user's "Access key ID" and "Secret access key" for later use when configuring DAS S3 components.
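
The sample permissions policy in step 3 grants three actions on two resources and nothing else. The following check is an added example, not part of the Styra documentation: it compares a policy document against that scope before the policy is attached to the user. The function name audit_policy and the TOO_BROAD policy are constructed for illustration.

```python
import json

# Actions granted by the page's sample "StyraAccess" policy, lowercased because
# IAM action names are case-insensitive. Anything else is flagged.
BUCKET_ACTIONS = {"s3:listbucket"}
OBJECT_ACTIONS = {"s3:putobject", "s3:getobject"}


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy, bucket, folder=None):
    """Return findings where an Allow statement exceeds the sample policy's scope."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{folder}/*" if folder else f"{bucket_arn}/*"
    findings = []
    for stmt in as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "Action" not in stmt or "Resource" not in stmt:
            findings.append(f"{sid}: NotAction/NotResource or missing element")
            continue
        for action in as_list(stmt["Action"]):
            if action.lower() in BUCKET_ACTIONS:
                expected = bucket_arn
            elif action.lower() in OBJECT_ACTIONS:
                expected = object_arn
            else:
                findings.append(f"{sid}: unexpected action {action}")
                continue
            for resource in as_list(stmt["Resource"]):
                if resource != expected:
                    findings.append(f"{sid}: {action} on {resource}, expected {expected}")
    return findings


# The page's sample policy, plus a constructed over-broad policy for contrast.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "StyraAccess0", "Effect": "Allow", "Action": "s3:ListBucket",
   "Resource": ["arn:aws:s3:::styra-storage"]},
  {"Sid": "StyraAccess1", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::styra-storage/*"}]}""")
TOO_BROAD = {"Version": "2012-10-17", "Statement": {
    "Sid": "Constructed", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("too broad", TOO_BROAD)):
        print(name, audit_policy(doc, "styra-storage") or "OK")
```

Passing folder="foldername" makes the check expect the folder-scoped resource from step 3, so the unmodified sample policy is reported as broader than intended.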

Use AWS Amazon S3 manager

Perform the following S3 storage actions:

  1. Create an S3 bucket

  2. Create a bucket retention policy

    The DAS decisions and activity exporters write an unlimited number of files to the S3 bucket.