Set up credentials for Amazon S3
Step 1: Create an IAM policy
-
Open AWS Management Console.
-
Choose IAM > Policy, and choose Create Policy.
-
Create a policy. You can follow the example below to use IAM policy statement with minimum permissions, and change the
<your-bucket-name>in the policy statement accordingly.
Note
For S3 buckets in AWS China Regions, make sure you also change to use arn:aws-cn:s3::: instead of arn:aws:s3:::.
Policy for source bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "dth",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource":[
"arn:aws:s3:::<your-bucket-name>/*",
"arn:aws:s3:::<your-bucket-name>"
]
}
]
}
Policy for destination bucket
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "dth",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:ListBucket",
"s3:PutObjectAcl",
"s3:AbortMultipartUpload",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::<your-bucket-name>/*",
"arn:aws:s3:::<your-bucket-name>"
]
}
]
}
To enable S3 Delete Event, you need to add "s3:DeleteObject" permission to the policy.
Data Transfer Hub has native support for the S3 source bucket which enabled SSE-S3 and SSE-KMS. If your source bucket enabled SSE-CMK, please replace the source bucket policy with the policy in the link for S3 SSE-KMS.
Step 2: Create a user
- Open AWS Management Console.
- Choose IAM > User, and choose Add User to follow the wizard to create a user with credential.
- Specify a user name, for example, dth-user.
- For Access Type, select Programmatic access only and choose Next: Permissions.
- Select Attach existing policies directly, search and use the policy created in Step 1, and choose Next: Tags.
- Add tags if needed, and choose Next: Review.
- Review the user details, and choose Create User.
- Make sure you copied/saved the credential, and then choose Close.
