20.5.1 Creating an IAM Policy to Access an Amazon S3 Bucket
Use the AWS Management Console to create an IAM policy to access an Amazon S3 bucket.
This task requires the following:
- Access to AWS Management Console.
- The name of the Amazon S3 bucket you want to grant access to.
- Sufficient IAM permissions for creating the IAM policies.
Do the following to create an IAM policy:
- Open the AWS Management Console and sign in with your credentials.
- In the AWS Management Console home page, click Services, click Security, Identity, & Compliance, and then click IAM.
- In the navigation pane of the Console, under Access management, click Policies, and then click Create policy. This opens the Specify permissions page.
- In the Specify permissions page, in the Policy editor section, click JSON, and enter the following Amazon S3 permissions according to the feature you use. For more information on policies, see Generate policies.
  - Sample permissions for the Data Import role for using the Bulk Ingest Feature:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::<BulkIngestAmazonS3BucketName>/*"
          ]
        }
      ]
    }
  - Sample permissions for the Data Import role for using the Data Import Feature:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::<DataImportAmazonS3BucketName>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<DataImportAmazonS3BucketName>"
          ]
        }
      ]
    }
  - Sample permissions for the Lakehouse role for using Lakehouse:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::<LakehouseAmazonS3BucketName>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<LakehouseAmazonS3BucketName>"
          ]
        }
      ]
    }
  - Sample permissions for the Lakehouse role for exporting HeatWave query results to S3:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::<S3ExportAmazonS3BucketName>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::<S3ExportAmazonS3BucketName>/*"
          ]
        }
      ]
    }
  - If the objects in the Amazon S3 bucket are encrypted with a customer-managed KMS key, add the following permission for the keys used to encrypt the objects:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            "<KmsKeyArn>"
          ]
        }
      ]
    }
    See Using IAM policies with AWS KMS.
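The sample policies above follow one rule worth checking before you click Next: object-level actions (s3:GetObject, s3:PutObject, s3:DeleteObject) are granted on the object ARN (bucket/*), while s3:ListBucket is granted on the bucket ARN itself, and no statement uses a wildcard action or resource. The following added example (not part of this documentation or of HeatWave) builds a policy document for each feature named on this page and lints a policy for those scoping mistakes; the bucket name and KMS key ARN are constructed placeholders.

```python
import json

# Which S3 actions apply to objects (bucket/*) and which to the bucket itself.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}

# (object-level actions, bucket-level actions) per feature, as listed on this page.
FEATURE_ACTIONS = {
    "bulk_ingest": ({"s3:GetObject"}, set()),
    "data_import": ({"s3:GetObject"}, {"s3:ListBucket"}),
    "lakehouse": ({"s3:GetObject"}, {"s3:ListBucket"}),
    "s3_export": ({"s3:PutObject", "s3:DeleteObject"}, set()),
}

def build_policy(feature, bucket, kms_key_arn=None):
    """Build the least-privilege policy for one feature; kms_key_arn is optional (assumed, constructed)."""
    object_actions, bucket_actions = FEATURE_ACTIONS[feature]
    statements = [{"Effect": "Allow", "Action": sorted(object_actions),
                   "Resource": [f"arn:aws:s3:::{bucket}/*"]}]
    if bucket_actions:
        statements.append({"Effect": "Allow", "Action": sorted(bucket_actions),
                           "Resource": [f"arn:aws:s3:::{bucket}"]})
    if kms_key_arn:  # only needed when objects use a customer-managed KMS key
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}

def lint_policy(policy):
    """Return findings for wildcards and mis-scoped ARNs; an empty list means the policy is clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        findings += [f"statement {i}: wildcard action {a!r}" for a in actions if "*" in a]
        findings += [f"statement {i}: wildcard resource {r!r}" for r in resources
                     if r == "*" or r.startswith("arn:aws:s3:::*")]
        for a in actions:
            for r in resources:
                if a in OBJECT_ACTIONS and not r.endswith("/*"):
                    findings.append(f"statement {i}: {a} needs an object ARN (bucket/*), got {r!r}")
                elif a in BUCKET_ACTIONS and "/" in r.removeprefix("arn:aws:s3:::"):
                    findings.append(f"statement {i}: {a} needs the bucket ARN (no /*), got {r!r}")
                elif a.startswith("kms:") and not r.startswith("arn:aws:kms:"):
                    findings.append(f"statement {i}: {a} needs a KMS key ARN, got {r!r}")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_policy("lakehouse", "example-lakehouse-bucket"), indent=2))
```

Paste the output of build_policy into the JSON editor, or run lint_policy over a policy you have already drafted to catch a ListBucket statement that was mistakenly given the bucket/* resource.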
- Resolve any warnings or errors generated during permissions validation, and then click Next.
- In the Review and create page, in the Policy details section, enter the following:
  - Policy name: Specify a name to identify this policy.
  - Description: (Optional) Specify a description of the policy.
- Click Create policy.