
AWS S3

Info: ☀️ Make sure your Security Team reviews these policies before applying them.

Sundial internally creates a dedicated IAM Role for your organization, denoted by arn:aws:iam::826846318854:role/<sundial-role>. You can copy this role ARN from the connector creation form if that form is enabled for you; otherwise Sundial will send it to you by email. Grant permissions to this role by following the steps below.

Read-Only Permissions

Apply the following bucket policy to grant the Sundial role read permissions on the S3 bucket that contains your data, denoted by <DATA-SHARING-BUCKET-NAME>.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sundial-Perms",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::826846318854:role/<sundial-role>"
      },
      "Action": [
        "s3:Get*",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::<DATA-SHARING-BUCKET-NAME>",
        "arn:aws:s3:::<DATA-SHARING-BUCKET-NAME>/*"
      ]
    },
    {
      "Sid": "SSL",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<DATA-SHARING-BUCKET-NAME>",
        "arn:aws:s3:::<DATA-SHARING-BUCKET-NAME>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Encryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::<DATA-SHARING-BUCKET-NAME>",
        "arn:aws:s3:::<DATA-SHARING-BUCKET-NAME>/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
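Before applying a policy like the one above, a security reviewer usually wants a quick mechanical check that the Allow statement names exactly the Sundial role (never "*"), that every granted resource stays inside the intended bucket, that no wildcard action slipped in, and that the TLS-only Deny is still present. The following script is an added example for that review step, not Sundial's own code; the role name and bucket name in it are hypothetical placeholders for the values you fill in, and the same check can be run on a combined read/write policy.

```python
# Constructed sample: the page's read-only policy with the placeholders filled in.
# The role name and bucket name below are hypothetical, not real Sundial values.
SUNDIAL_ROLE_ARN = "arn:aws:iam::826846318854:role/sundial-example-role"
BUCKET = "example-data-sharing-bucket"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Sundial-Perms", "Effect": "Allow",
         "Principal": {"AWS": SUNDIAL_ROLE_ARN},
         "Action": ["s3:Get*", "s3:ListBucket", "s3:ListBucketVersions"],
         "Resource": BUCKET_ARNS},
        {"Sid": "SSL", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": BUCKET_ARNS,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy, bucket, role_arn):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    tls_deny_present = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        if stmt.get("Effect") == "Allow":
            # A cross-account grant must name exactly the Sundial role, never "*".
            aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
            if aws_principals != [role_arn]:
                findings.append(f"{sid}: Allow principal {principal!r} is not the Sundial role")
            # Resources must stay inside the one data-sharing bucket, and actions stay explicit.
            if not resources <= in_scope:
                findings.append(f"{sid}: Allow covers resources outside {bucket}")
            if any(action in ("s3:*", "*") for action in actions):
                findings.append(f"{sid}: Allow grants a wildcard action")
        elif stmt.get("Effect") == "Deny" and principal == "*":
            if stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false":
                tls_deny_present = True
    if not tls_deny_present:
        findings.append("missing Deny on aws:SecureTransport=false (the page's SSL statement)")
    return findings
```

Run it against the JSON you are about to paste into the bucket policy editor; any non-empty result is something to fix before applying.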

Write Permissions (Optional)

Sundial can store the generated Standard Product Metrics in your S3 bucket. If you need this, grant write permissions to the Sundial IAM Role as described below.

Apply the following bucket policy to grant write permissions on the S3 bucket that Sundial should write to, denoted by <DATA-WRITING-BUCKET-NAME>. If the read and write buckets are the same, you can combine these statements with the read-only policy above (Sundial-Perms).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sundial-Write-Perms",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::826846318854:role/<sundial-role>"
      },
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<DATA-WRITING-BUCKET-NAME>",
        "arn:aws:s3:::<DATA-WRITING-BUCKET-NAME>/*"
      ]
    }
  ]
}

Please share the bucket name <DATA-WRITING-BUCKET-NAME> with Sundial over email.

What to share with Sundial

Provide the following information in the S3 connector setup form if that form is enabled for you; otherwise share it with Sundial by email.

Format Type: The format type of the data in your bucket (csv, parquet, json, delta, csv.gz, json.gz)
S3 Region: The AWS region of your S3 bucket
Bucket Name: The name of your S3 bucket that Sundial should read from (<DATA-SHARING-BUCKET-NAME>)
Write Bucket Name (Optional): The name of your S3 bucket that Sundial should write to (<DATA-WRITING-BUCKET-NAME>)
