AWS S3 Policy
Trying to set up the S3 connector in Filestash? If you’re wondering how to configure your IAM policy, this guide will walk you through the essentials. The starting point is the IAM Policy page from the AWS Console. From there, you have two options:
- Use one of the AWS Managed Policies
- Create a Custom Policy with only the permissions you need
Option 1 - AWS Managed Policies
If you prefer simplicity and don’t mind broader permissions, you can use one of the AWS Managed Policies provided by Amazon. Only two of them are relevant here:
AmazonS3FullAccess: grants read / write / delete access to all buckets and objects. The underlying policy is defined as:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "*"
    }
  ]
}
AmazonS3ReadOnlyAccess: grants read-only access to all buckets and objects. The underlying policy is defined as:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Describe*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    }
  ]
}
Option 2 - Custom Policies
If you want to grant only the minimum, here is the baseline:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "*"
    }
  ]
}
Under the hood we use:
- "s3:ListAllMyBuckets": to list the available buckets when accessing the root, through a call to the ListBuckets API.
- "s3:ListBucket": to list the content of a bucket when you browse into it. Under the hood, these are calls to the ListObjectsV2 API.
- "s3:GetBucketLocation": to get the region of a bucket if you did not explicitly set it as a parameter. Under the hood, Filestash calls the GetBucketLocation API.
- "s3:GetObject": to read objects through the GetObject API.
- "s3:PutObject": needed only if you want to enable the creation of objects through the PutObject and CopyObject API calls used by the Filestash save, touch and mv operations.
- "s3:DeleteObject": needed only if you want to enable the deletion of objects through the DeleteObject API call used by the Filestash rm and mv operations.
If you want to go one step further, you can reduce the scope of access by setting the Resource key so your policy is restricted to a particular location and everything else is forbidden.
This covers the base use case of the default Filestash S3 connector. If you want to enable things like versioning, restoration of objects stored on S3 or metadata, reach out to support and we will guide you through the details of those use cases.
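As an added illustration of that Resource restriction (not a policy shipped by Filestash or AWS), the baseline above rewritten so the connector can only work inside one prefix of one bucket; the bucket name example-filestash-bucket and the prefix team-a/ are placeholders to replace with your own. Note that s3:ListBucket and s3:GetBucketLocation are granted on the bucket ARN while the object actions are granted on the bucket/prefix/* object ARN, and that the s3:prefix condition means listing is denied outside the prefix, so the connector has to be pointed at that path rather than at the bucket root:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucketsShownAtFilestashRoot",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ResolveBucketRegion",
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::example-filestash-bucket"
    },
    {
      "Sid": "ListOnlyInsideThePrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-filestash-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["team-a/", "team-a/*"]
        }
      }
    },
    {
      "Sid": "ObjectsInsideThePrefix",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-filestash-bucket/team-a/*"
    }
  ]
}
```

s3:ListAllMyBuckets only accepts Resource "*", so the root view of Filestash still shows the names of every bucket in the account; it is the bucket-level and object-level statements that keep the connector from reading or writing anything outside team-a/. Drop the ObjectsInsideThePrefix actions you do not need (for example s3:DeleteObject for a read/write-only setup), exactly as described for the baseline.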