Creating the Custom S3 Access IAM Policy

AWS Identity & Access Management (IAM) manages credentials for the Cluster Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grant the associated instances permissions such as starting, stopping, and terminating instances in EC2, associating IAM roles with a new instance, or updating records in the Route 53 service.

IAM Roles are also used to provide the Cluster Manager access to your S3 buckets. If you are not using S3 cloud storage with Cluster Manager, you can skip these instructions. For more information about accessing S3 cloud storage with the Cluster Manager, see Access Key Overview.

The S3 Access IAM policy grants an IAM role the permission to access the specified S3 bucket. An IAM role requires a minimum level of permissions set in its policy in order for Aspera to upload, download, or list contents in an S3 buckets. The table below shows the IAM policy rules required for each specific operation.

Permission	Required for upload?	Required for download?	Required for browse or delete?
`s3:AbortMultipartUpload`	X		Browse & Delete
`s3:DeleteObject`	X		Browse & Delete
`s3:GetBucketLocation`	X	X
`s3:GetObject`		X
`s3:ListBucket`	X	X	Browse
`s3:ListBucketMultipartUploads`	X	X	Browse
`s3:ListMultipartUploadParts`	X		Browser & Delete
`s3:PutObject`	X

Aspera recommends attaching the S3 Access IAM policy to an S3 Access Key Management IAM Role (see Creating an IAM Role for S3 Access In the Same AWS Account).

If you want to allow access to all of your S3 buckets, you can use the built in policy, AmazonS3FullAccess, instead of creating a custom policy. Otherwise, follow the instructions below to create the S3 Access IAM policy.

From the AWS console, go to Security & Identity > Identity & Access Management and select Policies from the Details sidebar.
Click Create Policy. Select the Create Your Own Policy option.
Name the new policy atc-s3-policy.

Enter the following policy into the Policy Document field to grant access to your S3 bucket.

{
  "Version": "2012-10-17",
    "Statement": [       
      {
          
        "Effect": "Allow",           
        "Action": [               
          "s3:AbortMultipartUpload",               
          "s3:DeleteObject",               
          "s3:ListMultipartUploadParts",               
          "s3:PutObject"           
        ],           
        "Resource": [               
          "arn:aws:s3:::your_s3_bucket/*"           
        ]       
      },       
      {           
        "Effect": "Allow",           
        "Action": [               
          "s3:GetBucketLocation",               
          "s3:ListBucket",               
          "s3:ListBucketMultipartUploads"           
        ],           
        "Resource": [               
          "arn:aws:s3:::your_s3_bucket"           
      ]       
    }
  ]
}

For example, if your S3 Bucket is named atc-s3-bucket, the Resource object would be the following:

"Resource": "arn:aws:s3:::atc-s3-bucket"

Note: For more information on specifying Resource in a policy, see "Specifying Resources in a Policy" at http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html on the AWS website.

Click Validate Policy to check for formatting issues. The policy must be well-formed JSON text.
Click Create Policy.