Mapping S3 buckets to IAM policies in your data lake - AWS Prescriptive Guidance


We recommend that you map the data lake’s Amazon Simple Storage Service (Amazon S3) buckets and paths to AWS Identity and Access Management (IAM) policies and roles by using the bucket names or paths in the IAM policy or role name. The following table shows a sample S3 bucket name and a sample IAM policy that is used to access this S3 bucket.

Sample Amazon S3 object path

  S3 bucket name: <companyname>-raw-<aws_region>-<aws_accountid>-dev
  S3 bucket path: nosql/us/customers/year=2020/month=03/day=01/table_customers_20210301.csv

Sample IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "s3-nosql-us-customers-get-list",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<companyname>-raw-<aws_region>-<aws_accountid>-dev",
        "arn:aws:s3:::<companyname>-raw-<aws_region>-<aws_accountid>-dev/*"
      ]
    }
  ]
}

The bucket ARN itself is listed alongside the object ARN because s3:ListBucket is evaluated against the bucket, not against objects. An identity-based policy has no Principal element; a principal is only specified in a bucket policy.
Note: This sample IAM policy shows our recommended naming standard for S3 buckets. You should still make sure that you configure S3 bucket policies correctly according to your organization's policies and requirements.
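As an added example (not code from the guidance), the following Python builds a bucket name and a read-only identity policy from a data-lake path following the naming standard above, and checks a policy for the problems a reviewer looks for before attaching it to a role. The company name, Region and account ID are constructed sample values; the Sid is split into one per statement because s3:ListBucket and s3:GetObject take different resources.

```python
def bucket_name(company, layer, region, account_id, env):
    """Bucket name in the guidance's format: <companyname>-<layer>-<aws_region>-<aws_accountid>-<env>."""
    return f"{company}-{layer}-{region}-{account_id}-{env}"

def sid_for(prefix, verb):
    """nosql/us/customers -> s3-nosql-us-customers-get; partition segments (year=2020) are dropped."""
    parts = [p for p in prefix.strip("/").split("/") if p and "=" not in p]
    return "s3-" + "-".join(parts + [verb])

def read_policy(bucket, prefix):
    """Identity policy for read access to one path. s3:ListBucket is bucket-level: bucket ARN
    plus an s3:prefix condition. s3:GetObject is object-level: object ARNs under the prefix.
    Separate statements, because s3:prefix is absent on GetObject requests and a shared
    StringLike condition would deny the object reads."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid_for(prefix, "list"),
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": sid_for(prefix, "get"),
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }

def lint(policy):
    """Review checks before attaching an identity policy to a data-lake role."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no sid>")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "Principal" in st:  # only bucket policies carry a Principal
            findings.append(f"{sid}: Principal is not valid in an identity-based policy")
        if "s3:ListBucket" in actions and all("/" in r.split(":::")[-1] for r in resources):
            findings.append(f"{sid}: s3:ListBucket needs the bucket ARN, not object ARNs")
        if any(r == "*" or r.endswith(":::*") for r in resources):
            findings.append(f"{sid}: Resource is unscoped")
    return findings
```

Running lint over a policy that carries a wildcard Principal and grants s3:ListBucket only on object ARNs reports both problems; the policy produced by read_policy passes clean.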