AWS S3 Bucket Policies
IAM (Identity and Access Management)
IAM policies allow you to control users' access to your S3 bucket. See What is IAM for information.
Minimum Policy Example
To apply a limited policy to your restricted user:
This should be done AFTER you have installed S-Drive and created a bucket. You will need the bucket name to create the policy.
1. Sign in to the AWS Management Console and choose "IAM" from the Services menu.
2. Click "Policies" on the dashboard, then click the "Create Policy" button.
3. Select "Create Your Own Policy" on the screen.
4. Type a name into the "Policy Name" field. Copy the contents of the example below and paste them into the "Policy Document" field in the AWS Console. Change the sdrivebucket bucket name references in the policy document to the name of your S-Drive bucket and click "Create Policy". The purpose of this policy is to give your own Salesforce instance the access it needs to upload and download files.
5. Click "Users" on the dashboard and click your user name. Then click the "Attach Policy" button on the screen for the user that you use in S-Drive.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::sdrivebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketCORS"
      ],
      "Resource": [
        "arn:aws:s3:::sdrivebucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::sdrivebucket"
      ]
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::sdrivebucket"
    }
  ]
}

6. Find the policy you created in step 4 and click the "Attach Policy" button.
Enforce encryption of data in transit
AWS recommends “allowing only encrypted connections over HTTPS (TLS) by using the aws:SecureTransport condition in your Amazon S3 bucket policies.”
In your S3 bucket, go to the Permissions tab and scroll down to Bucket Policy. Paste in the following policy, replacing amzn-s3-demo-bucket with your bucket name. It denies every S3 action on the bucket and its objects when the request does not use TLS (aws:SecureTransport is false). A bucket policy must also name a Principal; "*" makes the deny apply to every caller.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BooleanExample",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
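To check what the two policies on this page actually permit before attaching them, here is an added example (not S-Drive or AWS code) of a small evaluator that applies the IAM decision rules to the minimum identity policy above and the TLS-only bucket policy: an explicit Deny wins, then any Allow, otherwise the request is implicitly denied. It assumes the bucket is named sdrivebucket, models only the Bool condition on aws:SecureTransport, and ignores principals, which real IAM evaluation does not.

```python
import fnmatch

# Identity policy: the statements of the page's minimum policy (constructed copy, bucket left as sdrivebucket).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::sdrivebucket/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow", "Action": ["s3:PutBucketCORS", "s3:GetBucketLocation",
                                   "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
     "Resource": ["arn:aws:s3:::sdrivebucket"]},
]}

# Bucket policy: deny every S3 action on the bucket and its objects when the request was not sent over TLS.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Principal": "*",
     "Resource": ["arn:aws:s3:::sdrivebucket", "arn:aws:s3:::sdrivebucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
POLICIES = [IDENTITY_POLICY, BUCKET_POLICY]

def _matches(patterns, value):
    """IAM-style wildcard match; actions and bucket ARNs are compared case-insensitively."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, ctx):
    """Only the Bool operator is modelled; a key absent from ctx never matches."""
    return all(str(ctx.get(key, "")).lower() == str(want).lower()
               for key, want in condition.get("Bool", {}).items())

def evaluate(action, resource, ctx, policies=POLICIES):
    """Return "Allow" or "Deny": explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                    and _condition_holds(st.get("Condition", {}), ctx)):
                if st["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    obj, bucket = "arn:aws:s3:::sdrivebucket/report.pdf", "arn:aws:s3:::sdrivebucket"
    https, http = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    print(evaluate("s3:GetObject", obj, https))      # Allow
    print(evaluate("s3:GetObject", obj, http))       # Deny: bucket policy blocks plain HTTP
    print(evaluate("s3:DeleteBucket", bucket, https))  # Deny: the minimum policy never grants it
```

Running it shows that an object GET over HTTPS is allowed, the same GET over plain HTTP is denied by the bucket policy, and s3:DeleteBucket is never granted because the s3:* allow is scoped to objects under sdrivebucket/ only.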
Server Access Logging
You may choose to enable Amazon S3 server access logging, which provides records of access to your bucket.