
20.5.1 Creating an IAM Policy to Access an Amazon S3 Bucket

Use the AWS Management Console to create an IAM policy to access an Amazon S3 bucket.
This task requires the following:
  • Access to AWS Management Console.
  • The name of the Amazon S3 bucket you want to grant access to.
  • Sufficient IAM permissions to create IAM policies (for example, iam:CreatePolicy).
Do the following to create an IAM policy:
  1. Open the AWS Management Console and sign in with your credentials.
  2. In the AWS Management Console home page, click Services, and click Security, Identity, & Compliance, and then click IAM.
  3. In the navigation pane of the Console, under Access management, click Policies, and then click Create policy.
    The Specify permissions page opens.
  4. On the Specify permissions page, in the Policy editor section, click JSON, and enter the Amazon S3 permissions for the feature you use from the samples below. Replace each <...> placeholder with the name of your bucket or the ARN of your key, and do not widen a resource to "*" or "arn:aws:s3:::*": each policy should grant access to the one bucket the feature reads from or writes to. Note that s3:ListBucket is granted on the bucket ARN (arn:aws:s3:::<bucket>), while object actions such as s3:GetObject, s3:PutObject, and s3:DeleteObject are granted on the object ARN (arn:aws:s3:::<bucket>/*). For more information on policies, see Generate policies.
    • Sample permissions for the Data Import role for using the Bulk Ingest Feature:
      {    
          "Version": "2012-10-17",    
          "Statement": [        
              {            
                  "Effect": "Allow",            
                  "Action": [                
                      "s3:GetObject"            
                  ],            
                  "Resource": [                
                      "arn:aws:s3:::<BulkIngestAmazonS3BucketName>/*"            
                  ]        
              }   
          ]
      }
    • Sample permissions for the Data Import role for using the Data Import Feature:
      {    
          "Version": "2012-10-17",    
          "Statement": [        
              {            
                  "Effect": "Allow",            
                  "Action": [                
                      "s3:GetObject"            
                  ],            
                  "Resource": [                
                      "arn:aws:s3:::<DataImportAmazonS3BucketName>/*"            
                  ]        
              },        
              {            
                  "Effect": "Allow",            
                  "Action": [                
                      "s3:ListBucket"           
                  ],            
                  "Resource": [                
                      "arn:aws:s3:::<DataImportAmazonS3BucketName>"            
                  ]        
              }    
          ]
      }
    • Sample permissions for the Lakehouse role for using Lakehouse:
      {    
          "Version": "2012-10-17",    
          "Statement": [        
              {            
                  "Effect": "Allow",            
                  "Action": [                
                      "s3:GetObject"            
                  ],            
                  "Resource": [                
                      "arn:aws:s3:::<LakehouseAmazonS3BucketName>/*"            
                  ]        
              },        
              {            
                  "Effect": "Allow",            
                  "Action": [                
                      "s3:ListBucket"           
                  ],            
                  "Resource": [                
                      "arn:aws:s3:::<LakehouseAmazonS3BucketName>"            
                  ]        
              }  
          ]
      }
    • Sample permissions for the Lakehouse role for exporting HeatWave query results to S3:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:PutObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<S3ExportAmazonS3BucketName>/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:DeleteObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::<S3ExportAmazonS3BucketName>/*"
                  ]
              }
          ]
      }
    • If the objects in the Amazon S3 bucket are encrypted with a customer managed AWS KMS key (SSE-KMS), also add the following permission for each key used to encrypt the objects. kms:Decrypt is what reading those objects requires; if the export bucket is encrypted with a customer managed key, writing query results to it additionally requires kms:GenerateDataKey on that key. The key policy of the KMS key must also allow the role to use the key; an IAM policy alone is not sufficient:
      {    
          "Version": "2012-10-17",    
          "Statement": [        
              {            
                  "Effect": "Allow",            
                  "Action": [                
                      "kms:Decrypt"          
                  ],            
                  "Resource": [                
                      "<KmsKeyArn>"            
                  ]        
              }
          ]
      }
      See Using IAM policies with AWS KMS.
  5. Resolve any warnings or errors generated during permissions validation, and then click Next.
  6. In the Review and create page, in the Policy details section, enter the following:
    • Policy name: Specify a name to identify this policy.
    • Description: (Optional) Specify a description of the policy.
  7. Click Create policy.
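The console steps above have you type the policy JSON by hand. The following Python script is an added example, not Oracle's or AWS's code: it generates the same per-feature policy documents from a bucket name and an optional KMS key ARN, so every statement stays scoped to that one bucket, and it lints a policy document for the two mistakes that most often turn these grants into something broader than intended: wildcard actions or resources, and s3:ListBucket or object actions attached to the wrong ARN form. The feature names (bulk_ingest, data_import, lakehouse, s3_export), the bucket and key values used as sample input, and the kms:GenerateDataKey grant for exports (the page lists only kms:Decrypt) are this example's assumptions.

```python
"""Generate and lint the HeatWave S3 access policies described above.

Added example, not Oracle or AWS code. Feature names, sample values and the
kms:GenerateDataKey grant for exports are assumptions made by this example.
"""
import json
import re

# Per-feature actions, as in the sample policies above. "object" actions are
# granted on arn:aws:s3:::<bucket>/*, "bucket" actions on arn:aws:s3:::<bucket>.
FEATURE_ACTIONS = {
    "bulk_ingest": {"object": ["s3:GetObject"], "bucket": []},
    "data_import": {"object": ["s3:GetObject"], "bucket": ["s3:ListBucket"]},
    "lakehouse":   {"object": ["s3:GetObject"], "bucket": ["s3:ListBucket"]},
    "s3_export":   {"object": ["s3:PutObject", "s3:DeleteObject"], "bucket": []},
}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
S3_ARN_PREFIX = "arn:aws:s3:::"

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and
# hyphens, no leading/trailing dot or hyphen, no "..". Anything else (including
# '*' and '?') is rejected, so no wildcard can reach the Resource element.
_BUCKET_RE = re.compile(r"^(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# A KMS key or alias ARN; a bare '*' or a wildcard pattern is rejected.
_KMS_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:(?:key|alias)/[^*?\s]+$")


def valid_bucket_name(name):
    return bool(_BUCKET_RE.match(name))


def build_policy(feature, bucket, kms_key_arn=None):
    """Return the IAM policy document (as a dict) for one HeatWave feature."""
    if feature not in FEATURE_ACTIONS:
        raise ValueError(f"unknown feature {feature!r}")
    if not valid_bucket_name(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    if kms_key_arn is not None and not _KMS_ARN_RE.match(kms_key_arn):
        raise ValueError(f"not a KMS key ARN: {kms_key_arn!r}")

    spec = FEATURE_ACTIONS[feature]
    statements = []
    if spec["object"]:
        statements.append({"Effect": "Allow", "Action": list(spec["object"]),
                           "Resource": [f"{S3_ARN_PREFIX}{bucket}/*"]})
    if spec["bucket"]:
        statements.append({"Effect": "Allow", "Action": list(spec["bucket"]),
                           "Resource": [f"{S3_ARN_PREFIX}{bucket}"]})
    if kms_key_arn:
        kms_actions = ["kms:Decrypt"]  # the permission listed on this page
        if feature == "s3_export":
            # Assumption beyond the page: writing objects to an SSE-KMS bucket
            # also needs kms:GenerateDataKey, since S3 requests a data key.
            kms_actions.append("kms:GenerateDataKey")
        statements.append({"Effect": "Allow", "Action": kms_actions,
                           "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for grants broader or differently scoped than the samples."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            if r == "*" or r.startswith(S3_ARN_PREFIX + "*"):
                findings.append(f"statement {i}: wildcard resource {r!r}")
        # s3:ListBucket is evaluated against the bucket ARN; on an object ARN it
        # never matches, and a dead grant tends to get "fixed" with a wildcard.
        if "s3:ListBucket" in actions and any(r.endswith("/*") for r in resources):
            findings.append(
                f"statement {i}: s3:ListBucket must use the bucket ARN, not an object ARN")
        # Object actions need an object ARN: the bucket ARN followed by /key or /*.
        if OBJECT_ACTIONS & set(actions):
            for r in resources:
                tail = r[len(S3_ARN_PREFIX):]
                if r.startswith(S3_ARN_PREFIX) and "*" not in tail and "/" not in tail:
                    findings.append(
                        f"statement {i}: {r!r} is a bucket ARN; object actions need '{r}/*'")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own bucket and key.
    policy = build_policy(
        "data_import", "my-heatwave-data",
        "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab")
    print(json.dumps(policy, indent=4))
    print("findings:", lint_policy(policy) or "none")
```

Paste the printed JSON into the JSON editor in step 4, or save it to a file and create the policy from the command line with `aws iam create-policy --policy-name <name> --policy-document file://policy.json`. Running lint_policy over a policy someone else wrote is the quick check that a "fix" for a permission error did not replace a bucket name with "*".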