Last updated

March 3, 2021

How to configure S3 Bucket permissions

In order to prevent unauthorized access to objects stored by Amazon’s S3 Service, most buckets are private — they require explicit permissions for any party looking to list, read, or modify the contents. As such, Impira requires a set of pre-configured credentials, specifically an AWS Access Key Id and Secret Key with permissions for S3 access, in order to ingest files from your organization’s bucket.

Instructions

This tutorial will help you create an IAM user that will allow Impira services to connect natively with your existing storage solutions while following the principle of least privilege.

Specifically, Impira requires the following permissions on the specific S3 Bucket and Prefix you wish to ingest files from:

  • GetObject
  • GetObjectVersion
  • ListBucket
  • GetBucketAcl

First, we will be creating a new IAM User. Navigate to the IAM service within the AWS Web Console:

From here, select the Users tab on the left hand side navigation panel:

Here you should see a list of the existing users in your AWS account. Select ‘Add user’ at the top:

Name the user as you see fit; we recommend including ‘impira’ and the bucket name you wish to share in the user name to avoid confusion later. The created user will need programmatic access, but will not need AWS Console access:

On the next screen, we will ‘Attach existing policies directly’ to our user.

From there, select ‘Create policy’:

A new tab should open in your browser to create the policy. In our example, our bucket is “impira-external-integrations-testing” and we have shared the entire bucket (no prefix specified). Replace the bucket and prefix in the template below, and insert the policy using the JSON editor. If you are sharing the entire bucket, drop the {PREFIX}/ segment so that the first Resource ends in {BUCKET_NAME_HERE}/*:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::{BUCKET_NAME_HERE}/{PREFIX}/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::{BUCKET_NAME_HERE}"
        }
    ]
}

Select ‘Review policy’ to proceed to the next screen. We need to give our policy a name and description; as before, we recommend something specifically indicating this policy is to give Impira access to a specific S3 bucket. Under the ‘Summary’ section, S3 should be the only service listed, with the ‘Read’ and ‘List’ access level. Once you have filled in a name and description, create the policy. You can now close the tab opened for policy creation.
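The template and the ‘Summary’ check above can also be done offline before pasting the policy into the JSON editor. The following is an added Python example, not Impira's or AWS's code: build_policy fills in the template (including the no-prefix case, where a literal substitution would produce bucket//*), and audit_policy flags any action or resource beyond the four permissions listed earlier. The function names are hypothetical, and it uses only the standard library and makes no AWS calls.

```python
import json

# The four permissions the article lists; anything else is outside the intended grant.
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketAcl"]
ALLOWED = set(OBJECT_ACTIONS + BUCKET_ACTIONS)


def _as_list(value):
    # IAM accepts a single string/object or a list for these fields.
    return [value] if isinstance(value, (str, dict)) else list(value)


def build_policy(bucket, prefix=""):
    """Fill in the article's template; an empty prefix shares the whole bucket."""
    if not bucket or "*" in bucket or "/" in bucket:
        raise ValueError("bucket must be a single concrete bucket name")
    prefix = prefix.strip("/")  # normalise '/in/docs/' to 'in/docs'
    # With no prefix the object ARN is bucket/*, never bucket//*.
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": object_arn},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def audit_policy(policy, bucket):
    """Return findings; an empty list means the policy stays within the intended grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource widens the grant")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED:  # also catches wildcards such as s3:* or s3:Get*
                findings.append(f"statement {i}: unexpected action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != f"arn:aws:s3:::{bucket}" and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"statement {i}: resource outside bucket: {res}")
    return findings


if __name__ == "__main__":
    policy = build_policy("impira-external-integrations-testing")  # bucket name from the article
    print(json.dumps(policy, indent=4))
    print(audit_policy(policy, "impira-external-integrations-testing") or "no findings")
```

The action comparison is exact-match, so a differently cased but equivalent action name is reported as unexpected rather than silently accepted.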

We will need to attach our newly created Policy to our user. To do this, return to the user creation tab; we should still be on a screen covering user permission policies. You will likely need to refresh the list of policies (using the refresh button on the top right of the policy list) in order to see the newly created ‘bucket sharing’ policy. Use the search filter to easily find the policy you have created, and check the icon on the left of the policy to attach it to our user. Proceed to the next screen.

Impira does not use tags in the bucket sharing process; feel free to add them if you use tags for resource organization. Proceed to the next screen.

Review the user we have set up: ensure the user name is appropriate, that the user has Programmatic access (with an access key), and that the correct policy is attached to the user.

After creating the user, you should be directed to a screen displaying an “Access key ID” and a Secret access key (this is hidden at first, and requires you to reveal the value). Save both of these values (or download the CSV) to share with Impira later.


Note: this is the only time you will be able to access the “Secret access key”

[Optional]: In the event that you need to share the credentials (‘Access key ID’ and ‘Secret access key’) for the user after creation, or share credentials for an existing user, navigate back to the ‘Users’ tab within the ‘IAM’ service in the AWS Web Console.

Select the user you wish to share, and navigate to the ‘Security credentials’ tab within the User summary:

As there is no way to retrieve an existing “Secret access key”, we will need to create a new one, using the ‘Create access key’ button:

Save the Access key ID and Secret access key from this screen to share with Impira.