
Access AWS S3 with IAM Role

This topic shows how to use an IAM role to configure the AWS S3 service for Discovery scanning.

Create IAM Role with AWS S3 Permissions

  1. Log in to the AWS console.

  2. Go to Identity and Access Management (IAM) and navigate to Access management > Roles.

  3. Create a role or edit an existing AWS IAM role. Refer to the AWS documentation on how to create an IAM role.

  4. Navigate to the role created or the role you are editing.

    1. Open the role.

      The role Summary page is displayed.

    2. Copy the Role ARN.

      Use this ARN in the IAM Role ARN field when providing the Application Properties details for the data source.

  5. Add a policy to the AWS IAM role.

    1. Open the role you created in step 3 or the role you are editing.

    2. Click the Permissions tab.

    3. In the Permissions Policies section, click Attach Policies or Add inline policy.

      The Create policy page is displayed.

    4. Click the JSON tab to add the policy and permissions.

      Refer to the following sample permissions JSON for the role on the S3 bucket. Make sure the permissions policy of the role from step 3 includes the Get and List actions, and replace bucket-name with the name of your bucket.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowAccountLevelS3Actions",
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListAllMyBuckets",
                      "s3:Get*"
                  ],
                  "Resource": "*"
              },
              {
                  "Sid": "AllowListAndReadS3ActionOnMyBucket",
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucket-name/*",
                      "arn:aws:s3:::bucket-name"
                  ]
              }
          ]
      }

    5. Click Review policy.

      The Review policy section is displayed.

    6. Enter the policy Name and click Create policy.

  6. Establish an IAM role trust relationship with the Discovery Data Access Role.

    1. Open the role you created in step 3 or the role you are editing.

    2. Click the Trust relationships tab.

    3. Click Edit trust relationship.

    4. Refer to the following JSON when adding the new policy document.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::870790086151:role/DISCOVERY_PROD_DATA_ACCESS_ROLE",
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
      
    5. Click Update Trust Policy to save this revision.
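
Before attaching the two documents above, it helps to check them for the points these steps rely on; the following added Python example (not part of the Privacera documentation or product) reviews a permissions policy for the bucket-name placeholder, for Get and List being granted on the bucket, for write or delete actions, and for anything beyond s3:ListAllMyBuckets on Resource "*" (s3:Get* on "*", as in the sample, also allows reading objects in every bucket the account owns), and reviews the trust policy so that only the Discovery data-access role may call sts:AssumeRole. The policy dictionaries, the bucket name my-scan-bucket and the function names are constructed for this example; the account ID and role name are the ones shown above.

```python
EXPECTED_TRUSTED_ROLE = "arn:aws:iam::870790086151:role/DISCOVERY_PROD_DATA_ACCESS_ROLE"
# Constructed copies of the two policy documents shown in the steps above.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccountLevelS3Actions", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:Get*"], "Resource": "*"},
    {"Sid": "AllowListAndReadS3ActionOnMyBucket", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::bucket-name/*", "arn:aws:s3:::bucket-name"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": EXPECTED_TRUSTED_ROLE, "Service": "s3.amazonaws.com"}}]}


def _as_list(v):
    # IAM allows a single string or a list for Action, Resource and Principal.AWS
    return v if isinstance(v, list) else [v]


def review_permissions_policy(policy, bucket):
    """Findings: placeholder left in, Get/List missing on the bucket, write or
    delete actions, or any action other than ListAllMyBuckets on Resource '*'."""
    findings, scoped = [], set()
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid, actions = st.get("Sid", "?"), _as_list(st.get("Action", []))
        resources = set(_as_list(st.get("Resource", [])))
        if "arn:aws:s3:::bucket-name" in resources:
            findings.append(f"{sid}: placeholder 'bucket-name' was not replaced")
        if resources & bucket_arns:
            scoped.update(actions)
        # ListAllMyBuckets needs '*', but s3:Get* on '*' reads objects in every bucket
        broad = [a for a in actions if a != "s3:ListAllMyBuckets"] if "*" in resources else []
        if broad:
            findings.append(f"{sid}: {broad} on Resource '*' applies to every bucket")
        if any(a == "s3:*" or a.startswith(("s3:Put", "s3:Delete")) for a in actions):
            findings.append(f"{sid}: write/delete action in a read-only scanning role")
    if not all(any(a.startswith(p) for a in scoped) for p in ("s3:Get", "s3:List")):
        findings.append(f"Get and List actions are not both granted on {bucket}")
    return findings


def review_trust_policy(policy, expected_role=EXPECTED_TRUSTED_ROLE):
    """Findings: any principal other than the Discovery role may call sts:AssumeRole."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        findings += [f"unexpected principal may assume the role: {p}" for p in aws if p != expected_role]
    return findings
```

Run against the sample documents with the real bucket name, the permissions review reports the unreplaced placeholder, the broad s3:Get* grant and the missing bucket-scoped Get/List, while the trust review reports nothing.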

Configure IAM Role for AWS S3

  1. In Privacera Portal, add a datasource system. See Datasource: Discovery: Add a Discovery Datasource System.

  2. Add an application to the datasource.

    1. On the Datasource page, add an application by clicking the ellipsis icon in the upper right corner of the Datasource system.

      The Add Application dialog box opens to the Choose tab.

    2. Select DISCOVERY AWS S3 from the Application List.

      The Add Application dialog box opens to the Configure tab.

    3. Enter the following details:

      • Application Name: A meaningful and unique name.
      • Application Description (optional): A useful description of this data resource.
      • Application Code: A unique character string value (used as an internal identifier).
    4. Enable Use IAM Role and, in the IAM Role ARN field, enter the Role ARN you copied above.

    5. Enter the AWS Region (optional); the current default value is "us-east-1".

    6. Click Test Connection to check if the connection is successful, and then click Save.


Last update: August 13, 2021