Configuring permissions for a configuration stored as an Amazon S3 object

Understanding configurations stored in Amazon S3

You can store configurations in an Amazon Simple Storage Service (Amazon S3) bucket. When you create the configuration profile, you specify the URI to a single S3 object in a bucket. You also specify the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that gives AWS AppConfig permission to get the object. Before you create a configuration profile for an Amazon S3 object, be aware of the following restrictions.

Restriction	Details
Size	Configurations stored as S3 objects can be a maximum of 1 MB in size.
Object encryption	A configuration profile can target SSE-S3 and SSE-KMS encrypted objects.
Storage classes	AWS AppConfig supports the following S3 storage classes: `STANDARD`, `INTELLIGENT_TIERING`, `REDUCED_REDUNDANCY`, `STANDARD_IA`, and `ONEZONE_IA`. The following classes are not supported: All S3 Glacier classes (`GLACIER` and `DEEP_ARCHIVE`).
Versioning	AWS AppConfig requires that the S3 object use versioning.

Configuring permissions for a configuration stored as an Amazon S3 object

When you create a configuration profile for a configuration stored as an S3 object, you must specify an ARN for an IAM role that gives AWS AppConfig permission to get the object. The role must include the following permissions.

Permissions to access the S3 object

s3:GetObject
s3:GetObjectVersion

Permissions to list S3 buckets

s3:ListAllMyBuckets

Permissions to access the S3 bucket where the object is stored

s3:GetBucketLocation
s3:GetBucketVersioning
s3:ListBucket
s3:ListBucketVersions

Complete the following procedure to create a role that enables AWS AppConfig to get a configuration stored in an S3 object.

Creating the IAM Policy for Accessing an S3 Object

Use the following procedure to create an IAM policy that enables AWS AppConfig to get a configuration stored in an S3 object.

To create an IAM policy for accessing an S3 object

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Policies, and then choose Create policy.
On the Create policy page, choose the JSON tab.

Update the following sample policy with information about your S3 bucket and configuration object. Then paste the policy into the text field on the JSON tab. Replace the placeholder values with your own information.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/my-configurations/my-configuration.json"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    } 
  ]
}

Choose Review policy.
On the Review policy page, type a name in the Name box, and then type a description.
Choose Create policy. The system returns you to the Roles page.

Creating the IAM Role for Accessing an S3 Object

Use the following procedure to create an IAM role that enables AWS AppConfig to get a configuration stored in an S3 object.

To create an IAM role for accessing an Amazon S3 object

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Roles, and then choose Create role.
On the Select type of trusted entity section, choose AWS service.
In the Choose a use case section, under Common use cases, choose EC2, and then choose Next: Permissions.
On the Attach permissions policy page, in the search box, enter the name of the policy you created in the previous procedure.
Choose the policy and then choose Next: Tags.
On the Add tags (optional) page, enter a key and an optional value, and then choose Next: Review.
On the Review page, type a name in the Role name field, and then type a description.
Choose Create role. The system returns you to the Roles page.
On the Roles page, choose the role you just created to open the Summary page. Note the Role Name and Role ARN. You will specify the role ARN when you create the configuration profile later in this topic.

Creating a Trust Relationship

Use the following procedure to configure the role you just created to trust AWS AppConfig.

To add a trust relationship

In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.

Delete "ec2.amazonaws.com" and add "appconfig.amazonaws.com", as shown in the following example.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appconfig.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Choose Update Trust Policy.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Understanding the AWS AppConfig hosted configuration store

Creating an AWS AppConfig freeform configuration profile (console)