Configure an Amazon S3 Integration and Create an S3 Data Source

Private preview: The Amazon S3 integration is available to select accounts. Reach out to your Immuta representative for details.

The Amazon S3 resource allows you to create, configure, and manage your . In this integration, Immuta provides coarse-grained access controls for data in S3 by performing permission grants using the Access Grants API so that users don't have to manage individual IAM policies themselves.

Use the /integrations endpoint to

Requirements

S3 integration enabled in Immuta; contact your Immuta representative to enable this integration
; contact your Immuta representative to get this feature enabled
No location is registered in your AWS Access Grants instance before configuring the integration in Immuta

Permissions

APPLICATION_ADMIN Immuta permission to configure the integration
CREATE_S3_DATASOURCE Immuta permission to register S3 prefixes
The AWS account credentials or optional AWS IAM role you provide Immuta to configure the integration must
- have the to create locations and issue grants:
  - accessgrantslocation resource:
    s3:CreateAccessGrant
    s3:DeleteAccessGrantsLocation
    s3:GetAccessGrantsLocation
    s3:UpdateAccessGrantsLocation
  - accessgrantsinstance resource:
    s3:CreateAccessGrantsInstance
    s3:CreateAccessGrantsLocation
    s3:DeleteAccessGrantsInstance
    s3:GetAccessGrantsInstance
    s3:GetAccessGrantsInstanceForPrefix
    s3:GetAccessGrantsInstanceResourcePolicy
    s3:ListAccessGrants
    s3:ListAccessGrantsLocations
  - accessgrant resource:
    s3:DeleteAccessGrant
    s3:GetAccessGrant
  - bucket resource: s3:ListBucket
  - role resource:
    iam:GetRole
    iam:PassRole
  - all resources: s3:ListAccessGrantsInstances

Set up S3 Access Grants instance

- sts:AssumeRole
- sts:SetSourceIdentity

IAM role trust policy example

s3:GetObject
s3:GetObjectVersion
s3:GetObjectAcl
s3:GetObjectVersionAcl
s3:ListMultipartUploadParts
s3:PutObject
s3:PutObjectAcl
s3:PutObjectVersionAcl
s3:DeleteObject
s3:DeleteObjectVersion
s3:AbortMultipartUpload
s3:ListBucket
s3:ListAllMyBuckets

IAM policy example

Replace <bucket_arn> in the example below with the ARN of the bucket scope that contains data you want to grant access to.

If you use server-side encryption with AWS Key Management Service (AWS KMS) keys to encrypt your data, the following permissions are required for the IAM role in the policy. If you do not use this feature, do not include these permissions in your IAM policy:

kms:Decrypt
kms:GenerateDataKey

IAM policy example

Replace <role_arn> and <access_grants_instance_arn> in the example below with the ARNs of the role you created and your Access Grants instance, respectively. The Access Grants instance resource ARN should be scoped to apply to any future locations that will be created under this Access Grants instance. For example, "Resource": "arn:aws:s3:us-east-2:6********499:access-grants/default*" ensures that the role would have permissions for both of these locations:

arn:aws:s3:us-east-2:6********499:access-grants/default/newlocation1
arn:aws:s3:us-east-2:6********499:access-grants/default/newlocation2

Configure the integration in Immuta

AWS S3 access key example

This request configures the integration using the AWS access key authentication method.

Copy the request example. The example uses JSON format, but the request also accepts YAML.
Change the config values to your own, where
- name is the name for the integration that is unique across all Amazon S3 integrations configured in Immuta.
- awsAccountId is the ID of your AWS account.
- awsRegion is the account's AWS region (such as us-east1).
- awsLocationRole is the AWS IAM role ARN assigned to the base access grants location. This is the role the AWS Access Grants service assumes to vend credentials to the grantee.
- awsLocationPath is the base S3 location prefix that Immuta will use for this connection when registering S3 data sources. This path must be unique across all S3 integrations configured in Immuta.
- awsAccessKeyId is the AWS access key ID of the AWS account configuring the integration.
- awsSecretAccessKey is the AWS secret access key of the AWS account configuring the integration.

AWS S3 automatic authentication example

Copy the request example. The example uses JSON format, but the request also accepts YAML.
Change the config values to your own, where
- name is the name for the integration that is unique across all Amazon S3 integrations configured in Immuta.
- awsAccountId is the ID of your AWS account.
- awsRegion is the account's AWS region (such as us-east1).
- awsLocationRole is the AWS IAM role ARN assigned to the base access grants location. This is the role the AWS Access Grants service assumes to vend credentials to the grantee.
- awsLocationPath is the base S3 location that Immuta will use for this connection when registering S3 data sources. This path must be unique across all S3 integrations configured in Immuta.

Response

A successful response includes the validation tests statuses.

Get an integration

Copy the request example.

Response

Get all integrations

Copy the request example.

Response

Delete an integration

Copy the request example.
Replace the {id} request parameter with the unique identifier of the integration you want to delete.

Response

Create a data source

Copy the request example. The example uses JSON format, but the request also accepts YAML.
Change the dataSources values to your own, where
- dataSourceName is the name of your data source.
- prefix creates a data source for the prefix, bucket, or object provided in the path. If the data source prefix ends in a wildcard (), it protects all items starting with that prefix. If the data source prefix ends without a wildcard (), it protects a single object.

Response

PreviousHow-to Guides NextConfigure an Azure Synapse Analytics Integration

Last updated 2 days ago