Configure S3 bucket policy script

Last updated on October 4, 2023

Overview

The S3 bucket policy for Data Connector service plays a crucial role in enhancing the security and access control of your Amazon S3 bucket where data will be streamed. By configuring a well-defined bucket policy, you can control and restrict the actions that are permitted on your S3 bucket, ensuring that only authorized users and systems have the necessary access.

This documentation aims to guide you through the process of setting up an effective S3 bucket policy for Data Connector service, covering the goals, prerequisites, and actions that should be included in the policy.

Goals

The primary goals of configuring the S3 bucket policy for the Connector are:

  • Security:
    • Ensure that only authorized users and systems have access to the S3 bucket where data will be stored.
    • Prevent unauthorized access and potential security breaches.
  • Access Control:
    • Define specific actions that are allowed or denied on the S3 bucket.
    • Fine-tune access permissions to align with the requirements of the Data Connector service.
  • Compliance: Meet security and compliance standards by implementing a policy that controls access to sensitive data stored in the S3 bucket.

Prerequisites

Before configuring the S3 bucket policy for the Data Connector service, make sure you have:

  • Access to the AGS Admin Portal.
  • An existing Amazon S3 bucket to store the streamed data from the Data Connector service.
  • An understanding of AWS Identity and Access Management (IAM) concepts, including policies, roles, and permissions.

S3 actions

The following S3 actions are the actions used for setting up an S3 bucket policy for the Data Connector service. These actions control various aspects of accessing and manipulating objects in the S3 bucket.

s3:GetObject

  • Action: Allows the Connector to retrieve (read) an object (file) from the S3 bucket.
  • Purpose: This permission is necessary for the Connector to fetch data files from the S3 bucket during the streaming process.
  • More details: AWS Documentation - s3:GetObject

s3:GetObjectVersion

  • Action: Allows the Connector to retrieve a specific version of an object (file) from the S3 bucket.
  • Purpose: This permission allows the Connector to access a specific version of a data file in case versioning is enabled for the S3 bucket and data objects have multiple versions.
  • More details: AWS Documentation - s3:GetObject

s3:PutObject

  • Action: Grants the Connector permission to upload (write) an object (file) to the S3 bucket.
  • Purpose: This permission is essential for the Connector to store data in the S3 bucket during the streaming process.
  • More details: AWS Documentation - s3:PutObject

s3:GetbucketLocation

  • Action: Allows the Connector to retrieve the geographic region of the S3 bucket.
  • Purpose: The Connector needs this permission to ensure it accesses the correct AWS region where the S3 bucket is located.
  • More details: AWS Documentation - s3:GetBucketLocation

s3:ListBucket

  • Action: Permits the Connector to list up to 1,000 objects (files) within the S3 bucket.
  • Purpose: This permission enables the Connector to discover and access the data files stored within the specified S3 bucket.
  • More details: AWS Documentation - s3:ListBucket

Example S3 bucket policy

Here's an example S3 bucket policy that demonstrates how to restrict access to the specified actions for the Connector's S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccelByteAnalyticsConnector",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<accelbyte-aws-account-id>:role/<analytics_connector_role_name>"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<your-s3-bucket>",
        "arn:aws:s3:::<your-s3-bucket>/*"
      ]
    }
  ]
}

Implement the bucket policy

Implementing the S3 bucket policy for the Connector is a simple process that involves copying and pasting the provided policy template from the Admin Portal into your S3 bucket's policy configuration.

Follow these steps:

  1. Copy the policy template provided in the Admin Portal when configuring the Connector. This template includes the necessary actions, resources, and conditions to ensure proper access control for the Connector.

  2. Log in to the AWS Management Console.

  3. From the AWS Management Console, navigate to the Amazon S3 service. Click on the Services dropdown, select Storage, and then click on S3.

  4. In the S3 console, locate and select the bucket where the Connector will store the streamed data. The selected bucket will serve as the S3 bucket.

  5. Within the selected bucket's dashboard, click on the Permissions tab to manage the bucket's permissions and policies.

  6. Under the Permissions tab, locate the Bucket Policy section and click the Edit button to add or modify the bucket's policy.

  7. In the bucket policy editor, paste the policy template that you copied from the Admin Portal. Ensure that the policy includes the correct information, such as the bucket name, actions, and any specific conditions required.

  8. After you've pasted the policy template, review it to ensure it aligns with your security and access control needs, then lick the Save Changes button to apply the policy to the bucket.

Last updated on

On this page