Configuring Amazon S3 Cross-Account for Exporting
You can configure your Amazon S3 cross-account to export data from the InfoSum Platform using the S3 cross-account ICC connector.
This article describes step-by-step how to configure your Amazon S3 cross-account to export data from the InfoSum Platform using the InfoSum S3 cross-account destination.
InfoSum recommends creating two different AWS policies, one for importing and one for exporting.
First, create an Amazon S3 bucket. For the steps to do this, see Creating a bucket - Amazon Simple Storage Service. Once you have created an Amazon S3 bucket, you will need to do the following to export from the InfoSum Platform:
- Create a policy
- Associate the policy with a role, a user and a bucket
- Permissions Policy
- Adding details to the destination.
Before creating the policy, it will be helpful to obtain the following first:
- Session Name: As extra validation, you must choose a session name for InfoSum to use when assuming your role.
- External ID: You will need to copy the external ID from the InfoSum S3 cross-account destination to your clipboard. This will be added to the Trust Relationships tab in a later step (see Configuring and exporting to a S3 cross account destination – InfoSum).
- Policy ID: In the same ‘create a new destination’ screen, copy and paste the Principal ID for use in a later section.
Create a policy
The AWS policy when attached to a Bunker defines the Bunker’s permissions. You will need to manually create the policy to export data into InfoSum, as there is no policy to do this within AWS. To create an AWS policy for S3:
Go to the Identity and Access Management (IAM) Dashboard by searching for IAM in AWS.
Select Policies from the Access Management section.
In the Policies window, click the Create Policy button.
Choose the S3 service (this is the service the policy relates to).
Select the permissions required for InfoSum Platform to access files in the S3 bucket.
The table below shows the minimum permissions from the Write access level you need to select to allow InfoSum Platform to complete the S3 export:
Access Level | Permission
------------ | ----------
Write | PutObject
Scroll down to the ‘Resources’ dropdown and select ‘Specific’ to add the resource ARN and restrict access.
Click on ‘Add ARNs’.
In the Specify ARN window you can now add the following details.
- Enter the ‘Resource Bucket Name’. This can be obtained from the S3 bucket you have created in S3 → S3 Bucket.
- Tick ‘Any Object Name’.
- Click the Add/Edit ARN box.
On the next screen, ‘Specify Permissions’, click ‘Next’.
On the Policy Details page, give the policy a name to identify it.
Scroll down, confirm that the permissions listed under ‘Permissions defined in this policy’ are correct for the S3 service, and then click ‘Create Policy’.
You have now created the Policy permission.
Next, you will need to create a role which you will associate with the policy.
Associating the policy with a role, a user and a bucket
Note: If you are exporting data to an S3 bucket, you will need to create a separate role in AWS for exporting.
Go to IAM Dashboard and select Roles from the Access Management section.
In the Roles window, click the Create Role button.
Select the ‘Custom Trust Policy’ as shown below.
Copy and paste the following script into your custom trust policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::134928160093:assumed-role/InfoSumPushConnector/Your Session Name"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "d68b1db43ed52e7e0297dbaca2bad20f40d4faaf92b5349891f08fddde530e23"
                }
            }
        }
    ]
}
The External ID in your trust policy now needs to be changed to match the ID in the platform destination. To get this information you will need to begin the process of creating an S3 cross account destination (see Configuring and exporting to a S3 cross account destination – InfoSum).
Once you are at the ‘Create a new destination’ screen, copy the External ID from the Destination Details field
Paste the External ID into the Custom Trust Policy in AWS.
Copy the Principal ID from the ‘Create a new destination’ screen
Paste the Principal ID into the Custom Trust Policy in AWS.
In the script you have pasted into the custom trust policy, replace ‘Your Session Name’ with your own session name:
arn:aws:sts::134928160093:assumed-role/InfoSumPushConnector/Your Session Name
Once this has been updated, click Next.
Permissions Policy
In the permissions policy screen, find your export policy and select it.
Click Next.
Enter a Role name.
Click ‘Create Role’.
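As an added example (not InfoSum's or AWS's own code), the following Python builds the two IAM documents this procedure produces in the console and checks the trust policy before it is pasted: that the session-name placeholder was replaced, that the principal is the InfoSum push connector role, and that the sts:ExternalId condition is present and matches the destination. The bucket name, session name and external ID below are constructed placeholders, not real values.

```python
import json

# Constructed sample values: replace with your own bucket, session name and external ID.
PLACEHOLDER_SESSION = "Your Session Name"
INFOSUM_ACCOUNT = "134928160093"          # principal account from the page's trust policy
CONNECTOR_ROLE = "InfoSumPushConnector"   # assumed-role name from the page's trust policy


def permissions_policy(bucket):
    """Minimum export permission from the page: s3:PutObject on objects in one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def trust_policy(session_name, external_id):
    """Custom trust policy shaped like the page's, with session name and external ID filled in."""
    principal = f"arn:aws:sts::{INFOSUM_ACCOUNT}:assumed-role/{CONNECTOR_ROLE}/{session_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc, expected_external_id):
    """Return a list of problems found in the AssumeRole statements; empty means ready to paste."""
    problems = []
    expected_prefix = f"arn:aws:sts::{INFOSUM_ACCOUNT}:assumed-role/{CONNECTOR_ROLE}/"
    for stmt in doc.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {}).get("AWS", "")
        if PLACEHOLDER_SESSION in principal:
            problems.append("session name placeholder not replaced")
        if not principal.startswith(expected_prefix):
            problems.append("principal is not the InfoSum push connector role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif ext != expected_external_id:
            problems.append("external ID does not match the destination")
    return problems


if __name__ == "__main__":
    doc = trust_policy("infosum-export", "EXTERNAL-ID-FROM-DESTINATION")
    print(json.dumps(doc, indent=4))
    print(check_trust_policy(doc, "EXTERNAL-ID-FROM-DESTINATION"))  # []
```

Run check_trust_policy against the JSON you are about to paste into the Custom Trust Policy box; a non-empty list means the role would either not be assumable by InfoSum or would be assumable without the external ID check.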
Adding details to the destination.
The next step is to add your details into the S3 Cross account destination within the InfoSum platform.
Enter the bucket name.
Select bucket region.
Find your role within the IAM page within AWS.
Click into the required Role and copy the ARN.
In the InfoSum platform destination screen, paste the ARN into the ‘Push Role ARN’ field.
Enter the session name. This is the name you have set in the Trust Relationship within IAM.
Enter the filename of the file to be exported.
Click Submit.
For more information on Destinations, please see the following page: Configuring and exporting to a S3 cross account destination – InfoSum.