Amazon S3 policies for AWS IoT Analytics resources - AWS IoT Analytics

AWS IoT Analytics is no longer available to new customers. Existing customers of AWS IoT Analytics can continue to use the service as normal. Learn more

Amazon S3 policies for AWS IoT Analytics resources

You can store processed data store messages in an Amazon S3 bucket managed by AWS IoT Analytics or in one that you manage. When you create a data store, select the Amazon S3 bucket you want by using the datastoreStorage API parameter. The default is a service-managed Amazon S3 bucket.

If you choose to have data store messages stored in an Amazon S3 bucket that you manage, you must grant AWS IoT Analytics permission to perform these actions on your Amazon S3 bucket for you:

  • s3:GetBucketLocation

  • s3:PutObject

  • s3:DeleteObject

If you use the data store as a source for an SQL query dataset, set up an Amazon S3 bucket policy that grants AWS IoT Analytics permission to invoke Amazon Athena queries on the contents of your bucket.

Note

We recommend that you specify aws:SourceArn in your bucket policy to help prevent the confused deputy security problem. This restricts access by allowing only those requests that come from a specified account. For more information about the confused deputy problem, see Cross-service confused deputy prevention.

The following is an example of a bucket policy that grants these required permissions.

{
    "Version": "2012-10-17",
    "Id": "MyPolicyID",
    "Statement": [
        {
            "Sid": "MyStatementSid",
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:iotanalytics:us-east-1:123456789012:dataset/DOC-EXAMPLE-DATASET",
                        "arn:aws:iotanalytics:us-east-1:123456789012:datastore/DOC-EXAMPLE-DATASTORE"
                    ]
                }
            }
        }
    ]
}

For more information, see Cross-account access in the Amazon Athena User Guide.
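The following Python check is an added example, not part of the AWS documentation. It reads a bucket policy and reports statements that allow iotanalytics.amazonaws.com without an aws:SourceArn condition pinned to an account ID, along with any of the three required actions that are not granted. The function names and the sample policy (trimmed from the example above) are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "iotanalytics.amazonaws.com"
REQUIRED = ("s3:GetBucketLocation", "s3:PutObject", "s3:DeleteObject")  # from the page
POSITIVE_OPS = {"arnlike", "arnequals", "stringlike", "stringequals"}

def as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def source_arns(statement):
    """aws:SourceArn values under positive operators (names are case-insensitive)."""
    arns = []
    for op, keys in statement.get("Condition", {}).items():
        for key, value in keys.items():
            if op.lower() in POSITIVE_OPS and key.lower() == "aws:sourcearn":
                arns += as_list(value)
    return arns

def audit(policy_text):
    """Return findings for statements that allow the IoT Analytics service principal."""
    findings, granted = [], []
    for i, st in enumerate(as_list(json.loads(policy_text).get("Statement"))):
        principal = st.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or SERVICE not in services:
            continue
        sid = st.get("Sid", f"statement[{i}]")
        granted += [a.lower() for a in as_list(st.get("Action"))]
        arns = source_arns(st)
        if not arns:
            findings.append(f"{sid}: no aws:SourceArn condition")
        for arn in arns:
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6 or not parts[4].isdigit():
                findings.append(f"{sid}: aws:SourceArn not pinned to an account: {arn}")
    for action in REQUIRED:
        if not any(fnmatchcase(action.lower(), g) for g in granted):
            findings.append(f"missing required action {action}")
    return findings

# Constructed sample: trimmed from the page's example policy.
SCOPED = json.dumps({"Statement": [{
    "Sid": "MyStatementSid", "Effect": "Allow", "Principal": {"Service": SERVICE},
    "Action": ["s3:GetBucketLocation", "s3:PutObject", "s3:DeleteObject"],
    "Condition": {"ArnLike": {"aws:SourceArn":
        "arn:aws:iotanalytics:us-east-1:123456789012:datastore/DOC-EXAMPLE-DATASTORE"}},
}]})
if __name__ == "__main__":
    print(audit(SCOPED))
```

Conditions that use negated or IfExists operators are treated as if no aws:SourceArn condition were present, so they are reported for manual review.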

Note

If you update the options or permissions of your customer managed data store, you might need to reprocess channel data to ensure that any previously ingested data is included in dataset contents. For more information, see Reprocessing channel data.
