
Administration of Amazon S3 V2 Connector

As a user, you can use Amazon S3 V2 Connector after the organization administrator performs the following tasks:
Prerequisites for client-side and server-side encryption
Prerequisites for Informatica encryption
Prerequisites for temporary security credentials via AssumeRole

Create minimal Amazon S3 bucket policy

The minimal Amazon S3 bucket policy restricts user operations and user access to particular Amazon S3 buckets by assigning an AWS Identity and Access Management (IAM) policy to users.
You can configure the IAM policy through the AWS console. Use IAM authentication to securely control access to Amazon S3 resources.
In elastic mappings, you can use different AWS accounts within the same AWS region. Make sure that the Amazon S3 bucket policy grants access to the AWS accounts used in elastic mappings.
The following actions are the minimum required for users to successfully read data from and write data to an Amazon S3 bucket:
Sample Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*",
        "arn:aws:s3:::<bucket_name>"
      ]
    }
  ]
}
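The following Python is an added example, not part of this documentation or of the connector itself. It renders the minimal bucket policy above for a given bucket name and audits an existing policy against that shape, reporting wildcard actions, resources outside the named bucket, and required actions that are missing. The bucket name and the over-broad policy in the test are constructed; the four actions and the two resource ARNs are the ones listed on this page.

```python
import json
from typing import List

# The four actions the page names as the minimum for reading and writing objects.
REQUIRED_ACTIONS = frozenset(
    {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"}
)


def _as_list(value) -> list:
    # IAM accepts a single string, a single object or a list for these fields.
    return [value] if isinstance(value, (str, dict)) else list(value)


def bucket_resources(bucket_name: str) -> List[str]:
    # Object-level actions are evaluated against the "/*" ARN; s3:ListBucket is
    # evaluated against the bucket ARN itself, so both entries are needed.
    return [f"arn:aws:s3:::{bucket_name}/*", f"arn:aws:s3:::{bucket_name}"]


def minimal_bucket_policy(bucket_name: str) -> dict:
    """Render the page's minimal policy for one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(REQUIRED_ACTIONS),
                "Resource": bucket_resources(bucket_name),
            }
        ],
    }


def audit_bucket_policy(policy: dict, bucket_name: str) -> List[str]:
    """Return findings for a policy that should grant only the minimal access.

    An empty list means the policy stays within the page's minimal shape:
    no wildcard actions, no resources outside the bucket, all four actions present.
    """
    findings: List[str] = []
    expected_resources = set(bucket_resources(bucket_name))
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access.
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than the minimal set")
            granted.add(action)
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in expected_resources:
                findings.append(f"resource {resource!r} is outside bucket {bucket_name!r}")
    missing = REQUIRED_ACTIONS - granted
    if missing and not any("*" in a for a in granted):
        findings.append("missing required actions: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    policy = minimal_bucket_policy("example-bucket")  # constructed bucket name
    print(json.dumps(policy, indent=2))
    print("findings:", audit_bucket_policy(policy, "example-bucket"))
```

Run the audit against the policy actually attached to the connector's IAM user; a `s3:*` action or a `*` resource is the usual way a "minimal" policy drifts into full-account access.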

IAM authentication

Optionally, if you do not provide the access key and the secret key in the connection, Amazon S3 V2 Connector uses the AWS credentials provider chain, which looks for credentials in the following order:
  1. The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables.
  2. The aws.accessKeyId and aws.secretKey Java system properties.
  3. The credential profiles file at the default location, ~/.aws/credentials.
  4. The instance profile credentials delivered through the Amazon EC2 metadata service.
You can configure IAM authentication when the Secure Agent runs on an Amazon Elastic Compute Cloud (EC2) system. When you use a serverless runtime environment, you cannot configure IAM authentication.
Perform the following steps to configure IAM authentication on EC2:
  1. Create the minimal Amazon S3 bucket policy.
  2. Create the Amazon EC2 role. The Amazon EC2 role is used when you create an EC2 system. For more information about creating the Amazon EC2 role, see the AWS documentation.
  3. Link the minimal Amazon S3 bucket policy with the Amazon EC2 role.
  4. Create an EC2 instance. Assign the Amazon EC2 role that you created in step 2 to the EC2 instance.
  5. Install the Secure Agent on the EC2 system.
Use IAM authentication for secure and controlled access to Amazon S3 resources when you run a session.

Temporary security credentials using AssumeRole

You can use the temporary security credentials using AssumeRole to access the AWS resources from the same or different AWS accounts.
Ensure that you have the sts:AssumeRole permission and a trust relationship established within the AWS accounts to use the temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The IAM role adds the IAM user as a trusted entity allowing the IAM users to use the temporary security credentials and access the AWS accounts. For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted IAM user requests temporary security credentials, the AWS Security Token Service (AWS STS) dynamically generates temporary security credentials that are valid for a specified period and provides them to the trusted IAM user. The temporary security credentials consist of an access key ID, a secret access key, and a session token.
To use the dynamically generated temporary security credentials, provide the value of the IAM Role ARN connection property when you create an Amazon S3 V2 connection. The IAM Role ARN uniquely identifies the role whose temporary security credentials you want to use. Then, specify the duration in seconds during which you can use the temporary security credentials in the Temporary Credential Duration advanced source and target properties.

External ID

You can specify an external ID for more secure cross-account access to the Amazon S3 bucket when the bucket is in a different AWS account.
You can optionally specify the external ID in the AssumeRole request to the AWS Security Token Service (STS).
The external ID must be a string.
The following sample shows an external ID condition in the assumed IAM role's trust policy:
"Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::AWS_Account_ID:user/user_name"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "dummy_external_id"
      }
    }
  }
]

Temporary security credentials policy

To use the temporary security credentials to access the AWS resources, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
IAM user
An IAM user must have the sts:AssumeRole policy to use the temporary security credentials in the same or different AWS account.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
IAM role
An IAM role must have an sts:AssumeRole policy and a trust policy attached to it to allow the IAM user to access the AWS resource using the temporary security credentials. The policy specifies the AWS resource that the IAM user can access and the actions that the IAM user can perform. The trust policy specifies the IAM user from the AWS account that can access the AWS resource.
The following policy is a sample trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS-account-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Here, in the Principal attribute, you can also provide the ARN of the IAM user who can use the dynamically generated temporary security credentials, which restricts access further. For example:
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
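The following Python is an added example, not code from this documentation or from the connector. It models the two-sided check that the External ID section and this section describe: the IAM user's own policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must name the caller (an exact user ARN or the account root) and, when an sts:ExternalId condition is present, the request must carry the matching external ID. The account IDs, user and role names, and external ID below are constructed; only the StringEquals / sts:ExternalId condition shown on this page is modelled, not the rest of the IAM condition language.

```python
from typing import Optional

# Constructed identifiers: the caller's account, the account that owns the role,
# and the external ID the role owner hands to the caller. None of them are real.
CALLER_ACCOUNT = "111111111111"
ROLE_ACCOUNT = "222222222222"
CALLER_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:user/secure-agent"
ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/s3-connector-role"
EXTERNAL_ID = "constructed-external-id"

# Caller side: the IAM user's permission to call sts:AssumeRole on this role.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
}

# Role side: the trust policy pinning the principal and requiring the external ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": CALLER_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}


def _as_list(value) -> list:
    # IAM accepts a single string, a single object or a list for these fields.
    return [value] if isinstance(value, (str, dict)) else list(value)


def _account_of(arn: str) -> str:
    # arn:aws:iam::111111111111:user/secure-agent -> 111111111111
    return arn.split(":")[4]


def _principal_matches(principal: dict, caller_arn: str) -> bool:
    for trusted in _as_list(principal.get("AWS", [])):
        if trusted.endswith(":root"):
            # An account root principal delegates to every identity in that
            # account; each identity still needs its own sts:AssumeRole grant.
            if _account_of(trusted) == _account_of(caller_arn):
                return True
        elif trusted == caller_arn:
            return True
    return False


def _condition_matches(condition: dict, external_id: Optional[str]) -> bool:
    # Only the StringEquals / sts:ExternalId condition from the page is modelled.
    expected = condition.get("StringEquals", {}).get("sts:ExternalId")
    if expected is None:
        return True
    return external_id is not None and external_id == expected


def trust_policy_allows(trust_policy: dict, caller_arn: str, external_id: Optional[str] = None) -> bool:
    """Role side: does any Allow statement trust this caller under this external ID?"""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if _principal_matches(stmt.get("Principal", {}), caller_arn) and _condition_matches(
            stmt.get("Condition", {}), external_id
        ):
            return True
    return False


def user_policy_allows(user_policy: dict, role_arn: str) -> bool:
    """Caller side: is the user permitted to call sts:AssumeRole on this role?"""
    for stmt in _as_list(user_policy["Statement"]):
        if (
            stmt.get("Effect") == "Allow"
            and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
            and role_arn in _as_list(stmt.get("Resource", []))
        ):
            return True
    return False


def can_assume(user_policy, trust_policy, role_arn, caller_arn, external_id=None) -> bool:
    """AssumeRole succeeds only when both policies agree, as the page requires."""
    return user_policy_allows(user_policy, role_arn) and trust_policy_allows(
        trust_policy, caller_arn, external_id
    )
```

The design point is that the external ID is checked on the role side only: a caller with a valid sts:AssumeRole grant is still refused when the request omits the ID or carries a different one, which is what makes the condition useful for cross-account access.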
To use the temporary security credentials with an AWS Key Management Service (AWS KMS)-managed customer master key and enable encryption with KMS, you must create a KMS policy.
You can perform the following operations to use the temporary security credentials and enable the encryption with KMS:
Sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  ]
}

Temporary security credentials using AssumeRole for EC2

You can use temporary security credentials using AssumeRole for an Amazon EC2 role to access the AWS resources from the same or a different AWS account.
The Amazon EC2 role can assume another IAM role from the same or a different AWS account without requiring a permanent access key and secret key. The Amazon EC2 role can also assume an IAM role from a different region.
Consider the following prerequisites when you use temporary security credentials using AssumeRole for EC2:
To configure an EC2 role to assume the IAM role provided in the IAM Role ARN connection property, select the Use EC2 Role to Assume Role check box in the connection properties.

Rules and guidelines for using the temporary security credentials

Consider the following guidelines when you use the temporary security credentials:

Credential profile file authentication

You can provide the credentials required to establish the connection with Amazon S3 through the credential profile file that contains an access key and secret key. The credential profile file contains an access key, a secret key, and a session token when you use temporary security credentials.
You can use permanent IAM credentials or temporary security credentials with a session token when you use credential profile file authentication.
If you do not specify the credential profile file path, the default credential file path is used. If you do not specify the profile name, the credentials are used from the default profile in the credential file.
Consider the following rules for a credential profile file:
A sample credential profile file:
[default]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc

[test-profile]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc
aws_session_token = jahaheieomdrtflmlioerp
The aws_access_key_id and aws_secret_access_key entries specify the AWS access key and secret key used as part of the credentials to authenticate the user.
The aws_session_token entry specifies the AWS session token used as part of the credentials to authenticate the user. A session token is required only if you use temporary security credentials.
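The following Python is an added example, not part of this documentation or of the connector. It parses a credential profile file of the shape shown above with the standard-library configparser, applies the default-profile fallback described in this section, and distinguishes permanent credentials from temporary ones by the presence of aws_session_token. It also walks the first and third steps of the provider chain listed under IAM authentication (environment variables, then the profile file) in that order; the Java system properties and the EC2 metadata service are not modelled because they cannot be exercised offline. The sample file is constructed from the placeholder values on this page, and AWS_SESSION_TOKEN is the standard SDK environment variable, which the page itself does not name.

```python
import configparser
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample file mirroring the page's layout; the values are placeholders.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc

[test-profile]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc
aws_session_token = jahaheieomdrtflmlioerp
"""

# Environment variable pairs, in the order the page lists them.
ENV_PAIRS = (
    ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
    ("AWS_ACCESS_KEY", "AWS_SECRET_KEY"),
)


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None
    source: str = ""  # Which provider supplied the credentials, for auditing.

    @property
    def is_temporary(self) -> bool:
        # Only STS-issued credentials carry a session token.
        return self.session_token is not None


def from_environment(env: Mapping[str, str]) -> Optional[Credentials]:
    """Step 1 of the chain: the first complete variable pair wins."""
    for key_var, secret_var in ENV_PAIRS:
        if env.get(key_var) and env.get(secret_var):
            # AWS_SESSION_TOKEN is the SDK's standard variable (assumption: not on the page).
            return Credentials(env[key_var], env[secret_var], env.get("AWS_SESSION_TOKEN"), source=f"env:{key_var}")
    return None


def from_profile_file(text: str, profile: Optional[str] = None) -> Optional[Credentials]:
    """Step 3 of the chain: read a named profile, falling back to [default]."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    name = profile or "default"
    if not parser.has_section(name):
        return None
    section = parser[name]
    if "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
        return None  # An incomplete profile is treated as no credentials.
    return Credentials(
        section["aws_access_key_id"],
        section["aws_secret_access_key"],
        section.get("aws_session_token"),
        source=f"profile:{name}",
    )


def resolve_credentials(env: Mapping[str, str], credentials_text: str, profile: Optional[str] = None) -> Optional[Credentials]:
    """Consult providers in the page's order; a later one is used only if earlier ones yield nothing."""
    return from_environment(env) or from_profile_file(credentials_text, profile)


if __name__ == "__main__":
    creds = resolve_credentials({}, SAMPLE_CREDENTIALS_FILE, "test-profile")
    print(creds.source, "temporary" if creds.is_temporary else "permanent")
```

Recording the `source` of the credentials that were actually used is worth keeping in production code: when an agent picks up unexpected environment variables ahead of the intended profile, that field is what tells you why the connection authenticated as the wrong identity.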