
Define security for direct access to Amazon data sources

If you use a connector that has direct access to Amazon data sources, define either credential-based security or role-based security.
You can define one of the following types of security:
Credential-based security
Credential-based security restricts access to Amazon resources to users that have the proper credentials.
Note: Credential-based security overrides role-based security. If you configure connection-level AWS credentials, the elastic job uses those credentials instead of the roles, and if the same credentials cannot access both the data sources and the staging location that the job uses, the job fails.
Role-based security
Role-based security grants temporary privileges to a user. For example, you can grant temporary privileges to access an Amazon S3 source in an elastic mapping.
For more information about connectors with direct access to Amazon data sources, see Direct and indirect access to resources.

Define credential-based security

To implement credential-based security for elastic jobs, provide AWS credentials in the connections that access Amazon data sources in a job.
The connection-level AWS credentials must be able to access the Amazon S3 staging location that the job uses. The user-defined or default worker role is used to access the log location.
If you require cross-account access to S3 buckets in multiple Amazon accounts, provide credentials for each Amazon account at the connection level as well.

Define role-based security

To implement role-based security for an elastic job, the Secure Agent role and the worker role must have access to the Amazon data sources in the job.
Configure and manage role-based security based on the type of master and worker roles that you use:
User-defined master and worker roles.
If you use user-defined master and worker roles, make sure that the Secure Agent role has access to the same sources and targets as the worker role.
Default master and worker roles
If you use default master and worker roles, consider the following guidelines:
Note: Permission boundaries on the Secure Agent role are not honored. Do not rely on a permission boundary to limit the permissions that the Secure Agent role passes on to the worker role; limit the policies that you attach to the role instead.

Step 1. Provide access to Amazon data sources

If you use role-based security, grant the roles access to the Amazon data sources before you design and run an elastic job.
To provide access to data sources, complete the following tasks:
  1. Identify minimal policies for direct access to Amazon data sources based on connector requirements. For information about the minimal policies and connector requirements, see the help for the appropriate connector.
  2. Distribute the policies to AWS roles based on the type of master and worker roles that you configure.

Default master and worker roles

If you use default master and worker roles, create unique policies and attach the policies to the Secure Agent role. The Secure Agent identifies the policies that are attached to the Secure Agent role and passes them to the worker role, so every policy attached to the Secure Agent role becomes a permission of the worker role.

User-defined master and worker roles

If you use user-defined master and worker roles, make sure that both the Secure Agent role and the worker role have access to the data sources.
You can provide access to the data sources in either of the following ways:
Create one managed policy.
You can create one managed policy that provides access to the data sources. Then, attach the policy to both the Secure Agent role and the worker role.
Reuse the policy content that is generated for the CCS and required for the worker role.
If you reuse the policy content that is generated for the CCS, specify the data sources in the Resource elements.
For example, the Resource element in the following statement specifies the staging and log locations:
{
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
    ],
    "Resource": [
        "arn:aws:s3:::<cluster-staging-dir1>/*",
        "arn:aws:s3:::<cluster-logging-dir1>/*"
    ]
}
Below "arn:aws:s3:::<cluster-logging-dir1>/*", list the data sources.
The policy content for the CCS is attached as a policy to the worker role. To reuse the policy content, add the Secure Agent role to the trust relationship of the worker role and add the worker role to the trust relationship of the Secure Agent role.
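The following Python script is an added example, not Informatica's code or a policy the product generates. It assembles the reused CCS statement described above (staging location, log location, then the data sources appended to the Resource element), produces the trust policy that each role needs for the mutual trust relationship, and then checks the assembled policy the way a practitioner would before running a job: for every location and every action, does the policy actually grant access? The bucket names, prefixes, role ARNs and the sample object key are constructed placeholders, and the evaluator is a deliberately minimal model of IAM (explicit Deny wins, Allow otherwise; no Conditions, NotAction, NotResource or bucket policies).

```python
# Added example (not Informatica's code). Builds the reused CCS worker-role
# statement with data sources appended, the mutual trust policies, and a
# pre-flight check that every required action is allowed on every location.
# All bucket names, prefixes and role ARNs are constructed placeholders.
import json
from fnmatch import fnmatchcase

# Object-level actions granted by the CCS-generated statement on the page.
CCS_ACTIONS = [
    "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject",
    "s3:DeleteObject", "s3:PutObjectAcl",
]


def s3_prefix_arn(location: str) -> str:
    """'bucket/prefix' -> 'arn:aws:s3:::bucket/prefix/*' (all objects under the prefix)."""
    return f"arn:aws:s3:::{location.strip('/')}/*"


def build_worker_policy(staging_dir: str, logging_dir: str, data_sources: list) -> dict:
    """Reuse the CCS statement: staging and log locations first, data sources after them."""
    resources = [s3_prefix_arn(staging_dir), s3_prefix_arn(logging_dir)]
    resources += [s3_prefix_arn(src) for src in data_sources]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": CCS_ACTIONS, "Resource": resources}],
    }


def trust_policy(trusted_role_arn: str) -> dict:
    """Trust relationship that lets trusted_role_arn assume the role it is attached to.
    Attach trust_policy(agent_role_arn) to the worker role and
    trust_policy(worker_role_arn) to the Secure Agent role for mutual trust."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    IAM '*' matches across '/', which fnmatchcase also does. Conditions, NotAction,
    NotResource and bucket policies are deliberately not modelled (assumption)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_grants(policy: dict, locations: list, actions: list) -> list:
    """Return (action, object ARN) pairs that the policy does not allow.
    An empty list means the role reaches every staging, log and data-source
    location the job needs; anything listed is a job that fails at run time."""
    missing = []
    for loc in locations:
        probe = f"arn:aws:s3:::{loc.strip('/')}/part-00000.parquet"  # constructed sample object
        for action in actions:
            if not policy_allows(policy, action, probe):
                missing.append((action, probe))
    return missing


if __name__ == "__main__":
    staging = "ccs-staging-bucket/cluster1"          # placeholder for <cluster-staging-dir1>
    logs = "ccs-log-bucket/cluster1"                 # placeholder for <cluster-logging-dir1>
    sources = ["sales-data/raw/orders", "sales-data/raw/customers"]
    policy = build_worker_policy(staging, logs, sources)
    print(json.dumps(policy, indent=2))
    print(json.dumps(trust_policy("arn:aws:iam::111122223333:role/secure-agent-role"), indent=2))
    print("missing grants:", missing_grants(policy, [staging, logs] + sources, CCS_ACTIONS))
```

Run the check against the policy you intend to attach to both the Secure Agent role and the worker role, with the list of actions taken from the connector help rather than from this example; a non-empty result for any location is exactly the condition under which the elastic job fails.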

Step 2. Configure cross-account access

If you want to have cross-account access to S3 buckets in multiple Amazon accounts and you use user-defined master and worker roles, you can set up cross-account IAM roles in AWS.
When you set up cross-account IAM roles in AWS, complete the following additional tasks:
Note: You cannot use cross-account access with default master and worker roles and role-based security. If your organization requires cross-account access, consider one of the following options:
For information about how to set up cross-account IAM roles, refer to the AWS documentation.