
How do I configure AWS S3 bucket policies for Diplomat MFT?

Diplomat MFT's Amazon S3 Transport works as follows: it connects to S3 in the default region and lists all buckets, both to confirm that the configured bucket exists and to obtain the bucket's ownership information. It then queries the objects in that bucket to find any that match the Source File settings of your transaction.

This means you need two policies: a bucket policy on the bucket itself (allowing Diplomat to list the bucket's contents and read or write its objects), and an identity policy attached to the IAM user that allows listing all buckets in S3.

Here is what you have to do.

IAM User Account Policy

  In IAM, go to the user account you use to access the bucket in Diplomat.  Attach a policy, by whatever method you prefer, that allows "s3:ListAllMyBuckets" and "s3:GetBucketLocation".  NOTE: this is an identity policy attached to the IAM user, not a bucket policy.  For example:
 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}  

   You can also attach this policy to an IAM group that the user belongs to, or to a role that the user assumes, rather than directly to the user.  Note that "s3:ListAllMyBuckets" only works with a Resource of "*", but "s3:GetBucketLocation" is a bucket-level action and can be narrowed to the bucket ARN (for example "arn:aws:s3:::coviant01backup") if you want to keep the policy as tight as possible.
 

S3 Bucket Policy

  In the S3 console, go to the bucket that Diplomat MFT will connect to.  Edit the bucket policy and allow the read/write/delete actions your workflow needs (for example, add "s3:DeleteObject" if Diplomat will download files from S3 and then delete them).  Be aware that "s3:ListBucket" is a bucket-level action and must be granted on the bucket ARN itself ("arn:aws:s3:::bucket-name"), while "s3:GetObject", "s3:PutObject" and "s3:DeleteObject" are object-level actions granted on "arn:aws:s3:::bucket-name/*"; if the policy only names the object ARN pattern, Diplomat's listing step fails even though object reads would work.
   Here is an example policy (be sure to update the "Principal" value to the ARN of the IAM user you will use in the Diplomat transaction, and the bucket name in "Resource" to your own bucket):

{
    "Version": "2012-10-17",
    "Id": "coviantS3BucketAllowPolicy",
    "Statement": [
        {
            "Sid": "coviantS3BucketAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111000555000:user/diplomatmft"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::coviant01backup",
                "arn:aws:s3:::coviant01backup/*"
            ]
        }
    ]
}
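The following is an added example, not Coviant's code or part of the original article. It generates both policy documents described above (the IAM identity policy and the bucket policy) from a bucket name and user ARN, and runs a deliberately minimal Allow-only evaluator over them to show why "s3:ListBucket" must be granted on the bucket ARN rather than on the object ARN pattern. The account ID, user name, bucket name and object key are constructed for the example; the evaluator ignores Deny statements, Conditions and organisation-level controls.

```python
"""Added example (not Coviant's code): build the two policy documents Diplomat
MFT needs for an S3 bucket and sanity-check them with a minimal Allow-only
evaluator. Account ID, user name, bucket name and key below are constructed."""
import fnmatch
import json


def _as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    return value if isinstance(value, list) else [value]


def iam_user_policy(bucket: str) -> dict:
    """Identity policy for the Diplomat IAM user (or a group/role it uses).
    s3:ListAllMyBuckets only works with Resource "*"; s3:GetBucketLocation is a
    bucket-level action, so it can be scoped to the one bucket Diplomat uses."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:GetBucketLocation",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def bucket_policy(bucket: str, principal_arn: str, allow_delete: bool = False) -> dict:
    """Bucket policy: ListBucket on the bucket ARN, object actions on bucket/*.
    DeleteObject is only added when the workflow downloads and then deletes."""
    object_actions = ["s3:GetObject", "s3:PutObject"]
    if allow_delete:
        object_actions.append("s3:DeleteObject")
    return {
        "Version": "2012-10-17",
        "Id": "diplomatS3BucketAllowPolicy",
        "Statement": [
            {"Sid": "DiplomatListBucket", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "DiplomatObjectAccess", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": sorted(object_actions),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def allows(policy: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """Does some Allow statement match principal, action and resource?
    Deliberately minimal: no Deny, no Condition, no SCP or permission-boundary
    logic. It is enough to catch the bucket-vs-object resource mistake."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")  # absent in identity policies
        if principal is not None:
            allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if "*" not in allowed and principal_arn not in allowed:
                continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def diplomat_checks(policy: dict, principal_arn: str, bucket: str,
                    key: str = "inbound/report.csv") -> dict:
    """Evaluate the calls Diplomat makes on a bucket: list it, then get/put/delete objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    return {
        "s3:ListBucket": allows(policy, principal_arn, "s3:ListBucket", bucket_arn),
        "s3:GetObject": allows(policy, principal_arn, "s3:GetObject", object_arn),
        "s3:PutObject": allows(policy, principal_arn, "s3:PutObject", object_arn),
        "s3:DeleteObject": allows(policy, principal_arn, "s3:DeleteObject", object_arn),
    }


# Constructed: a bucket policy whose only Resource is the object ARN pattern.
# ListBucket is evaluated against the bucket ARN, which "bucket/*" never matches.
DIPLOMAT_USER = "arn:aws:iam::111000555000:user/diplomatmft"
OBJECT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DIPLOMAT_USER},
        "Action": ["s3:DeleteObject", "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::coviant01backup/*"],
    }],
}

if __name__ == "__main__":
    print(json.dumps(bucket_policy("coviant01backup", DIPLOMAT_USER, allow_delete=True), indent=2))
    print("object-only policy:", diplomat_checks(OBJECT_ONLY_POLICY, DIPLOMAT_USER, "coviant01backup"))
    print("generated policy:  ", diplomat_checks(bucket_policy("coviant01backup", DIPLOMAT_USER),
                                                  DIPLOMAT_USER, "coviant01backup"))
```

Running it shows the object-only policy allowing GetObject but denying ListBucket, which is exactly the case where Diplomat can read a file by name but cannot enumerate the bucket to find files matching its Source File settings. For a real account, use the AWS CLI's aws iam simulate-principal-policy against the Diplomat user's ARN with the same action names and resource ARNs to get the authoritative answer, including any Deny statements and conditions this evaluator ignores.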


Updated on February 19, 2020
