Creating an IAM policy to access Amazon S3 resources - Amazon Aurora

Aurora can access Amazon S3 resources either to load data from Amazon S3 into an Aurora DB cluster or to save data from the cluster to Amazon S3. Before it can do so, you must create an IAM policy that grants Aurora the bucket and object permissions it needs on the specific buckets involved.

The following table lists the Aurora features that can access an Amazon S3 bucket on your behalf, and the minimum bucket and object permissions that each feature requires. Bucket permissions apply to the bucket ARN itself; object permissions apply to the objects inside the bucket.

Feature                  Bucket permissions   Object permissions
LOAD DATA FROM S3        ListBucket           GetObject, GetObjectVersion
LOAD XML FROM S3         ListBucket           GetObject, GetObjectVersion
SELECT INTO OUTFILE S3   ListBucket           AbortMultipartUpload, DeleteObject, GetObject, ListMultipartUploadParts, PutObject

The following policy adds the permissions that might be required by Aurora to access an Amazon S3 bucket on your behalf.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAuroraToExampleBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*",
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        }
    ]
}
Note

Make sure to include both entries for the Resource value. Aurora needs the permissions on both the bucket itself and all the objects inside the bucket.

Based on your use case, you might not need all of the permissions in the sample policy. If the cluster only runs LOAD DATA FROM S3 or LOAD XML FROM S3, grant only ListBucket, GetObject, and GetObjectVersion, and omit the write permissions that SELECT INTO OUTFILE S3 needs. Other permissions might also be required. For example, if your Amazon S3 bucket is encrypted with an AWS KMS key (SSE-KMS), you need to add kms:Decrypt on that key so Aurora can read the objects, and for SELECT INTO OUTFILE S3 you also need kms:GenerateDataKey so it can write them.
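The following is an added example (not code from the Aurora documentation) that turns the permission table above into a policy generator and a checker. build_policy() emits the minimum statements for the features you name, optionally scoped to a key prefix (the "specific files or folders" case mentioned in the console steps) and with the KMS statement for an SSE-KMS bucket; check_policy() reports which required actions a given policy document fails to grant, which catches the common mistake of listing only the bucket/* resource and forgetting the bucket ARN that ListBucket needs. The feature table is copied from the page; the kms:GenerateDataKey rule, the s3:prefix condition, the function names, and the sample bucket and key ARNs are this example's own assumptions.

```python
"""Build and check least-privilege IAM policies for Aurora access to S3.

Added example, not AWS's own code. FEATURE_PERMISSIONS mirrors the table on
the page; prefix scoping and the kms:GenerateDataKey rule are additions.
"""
import fnmatch
import json

# Minimum bucket-level and object-level actions per Aurora feature (from the table).
FEATURE_PERMISSIONS = {
    "LOAD DATA FROM S3": {"bucket": ["s3:ListBucket"],
                          "object": ["s3:GetObject", "s3:GetObjectVersion"]},
    "LOAD XML FROM S3": {"bucket": ["s3:ListBucket"],
                         "object": ["s3:GetObject", "s3:GetObjectVersion"]},
    "SELECT INTO OUTFILE S3": {"bucket": ["s3:ListBucket"],
                               "object": ["s3:AbortMultipartUpload", "s3:DeleteObject",
                                          "s3:GetObject", "s3:ListMultipartUploadParts",
                                          "s3:PutObject"]},
}

# The sample policy from the page, embedded as input for check_policy().
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAuroraToExampleBucket", "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "s3:ListBucket",
                   "s3:DeleteObject", "s3:GetObjectVersion", "s3:ListMultipartUploadParts"],
        "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*", "arn:aws:s3:::amzn-s3-demo-bucket"],
    }],
}


def build_policy(bucket, features, prefix="", kms_key_arn=None):
    """Return a policy document granting only what `features` need on `bucket`.

    prefix: optional key prefix such as "exports/" to limit object access to one
            "folder"; ListBucket is then constrained with an s3:prefix condition.
    kms_key_arn: if the bucket uses SSE-KMS, grant kms:Decrypt for reads and,
            when a feature writes objects, kms:GenerateDataKey as well (assumption
            based on S3 SSE-KMS requirements, not stated on the page).
    """
    unknown = set(features) - set(FEATURE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown Aurora feature(s): {sorted(unknown)}")
    bucket_actions, object_actions = set(), set()
    for feature in features:
        bucket_actions.update(FEATURE_PERMISSIONS[feature]["bucket"])
        object_actions.update(FEATURE_PERMISSIONS[feature]["object"])
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Two statements: one on the bucket ARN, one on its objects. Both are required.
    bucket_stmt = {"Sid": "AuroraBucketAccess", "Effect": "Allow",
                   "Action": sorted(bucket_actions), "Resource": bucket_arn}
    if prefix:
        bucket_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}
    statements = [bucket_stmt,
                  {"Sid": "AuroraObjectAccess", "Effect": "Allow",
                   "Action": sorted(object_actions), "Resource": f"{bucket_arn}/{prefix}*"}]
    if kms_key_arn:
        kms_actions = {"kms:Decrypt"}
        if "s3:PutObject" in object_actions:
            kms_actions.add("kms:GenerateDataKey")
        statements.append({"Sid": "AuroraKmsAccess", "Effect": "Allow",
                           "Action": sorted(kms_actions), "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def check_policy(policy, bucket, feature, key="example.csv"):
    """Return the sorted actions `feature` needs on `bucket` that `policy` does not
    grant for object `key`. IAM wildcards in Action/Resource are honoured;
    Condition blocks are ignored (treated as satisfied)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    targets = {"bucket": bucket_arn, "object": f"{bucket_arn}/{key}"}
    need = FEATURE_PERMISSIONS[feature]
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for scope, target in targets.items():
            if not any(fnmatch.fnmatchcase(target, r) for r in resources):
                continue  # this statement does not cover the bucket (or object) ARN
            for action in need[scope]:
                if any(fnmatch.fnmatchcase(action, a) for a in actions):
                    granted.add(action)
    return sorted(a for scope in need for a in need[scope] if a not in granted)


if __name__ == "__main__":
    # Placeholder bucket and key ARN; replace with your own values.
    policy = build_policy("amzn-s3-demo-bucket", ["SELECT INTO OUTFILE S3"], prefix="exports/",
                          kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")
    print(json.dumps(policy, indent=4))
    print("gaps:", check_policy(policy, "amzn-s3-demo-bucket", "SELECT INTO OUTFILE S3",
                                key="exports/out.csv"))
```

Write the printed document to a file and create the policy with the AWS CLI (aws iam create-policy --policy-name AllowAuroraToExampleBucket --policy-document file://policy.json) instead of clicking through the console; the checker is also useful in a CI step that runs against the policy document before it is attached to the cluster's role.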

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access an Amazon S3 bucket on your behalf. To allow Aurora to access all of your Amazon S3 buckets, you can skip these steps and use either the AmazonS3ReadOnlyAccess or AmazonS3FullAccess predefined IAM policy instead of creating your own. Keep in mind that those managed policies grant access to every bucket in the account, not just the one Aurora needs, and that AmazonS3ReadOnlyAccess does not include the write permissions that SELECT INTO OUTFILE S3 requires. For a production cluster, a policy scoped to the specific bucket is the safer choice.

To create an IAM policy to grant access to your Amazon S3 resources
  1. Open the IAM Management Console.

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. On the Visual editor tab, choose Choose a service, and then choose S3.

  5. For Actions, choose Expand all, and then choose the bucket permissions and object permissions needed for the IAM policy.

    Object permissions are permissions for object operations in Amazon S3, and need to be granted for objects in a bucket, not the bucket itself. For more information about permissions for object operations in Amazon S3, see Permissions for object operations.

  6. Choose Resources, and choose Add ARN for bucket.

  7. In the Add ARN(s) dialog box, provide the details about your resource, and choose Add.

    Specify the Amazon S3 bucket to allow access to. For instance, if you want to allow Aurora to access the Amazon S3 bucket named amzn-s3-demo-bucket, then set the Amazon Resource Name (ARN) value to arn:aws:s3:::amzn-s3-demo-bucket.

  8. If the object resource is listed, choose Add ARN for object.

  9. In the Add ARN(s) dialog box, provide the details about your resource.

    For the Amazon S3 bucket, specify the Amazon S3 bucket to allow access to. For the object, you can choose Any to grant permissions to any object in the bucket.

    Note

    You can set Amazon Resource Name (ARN) to a more specific ARN value in order to allow Aurora to access only specific files or folders in an Amazon S3 bucket. For more information about how to define an access policy for Amazon S3, see Managing access permissions to your Amazon S3 resources.

  10. (Optional) Choose Add ARN for bucket to add another Amazon S3 bucket to the policy, and repeat the previous steps for the bucket.

    Note

    You can repeat this to add corresponding bucket permission statements to your policy for each Amazon S3 bucket that you want Aurora to access. Optionally, you can also grant access to all buckets and objects in Amazon S3.

  11. Choose Review policy.

  12. For Name, enter a name for your IAM policy, for example AllowAuroraToExampleBucket. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional Description value.

  13. Choose Create policy.

  14. Complete the steps in Creating an IAM role to allow Amazon Aurora to access AWS services.