
AWS S3

☀️ Make sure your Security Team reviews these policies before applying them.

☀️ Ask Sundial for the role created for you. It is marked as <sundial-role> here.

Apply the following bucket policy to grant read permissions on the S3 bucket that contains the data path, <DATA-SHARING-BUCKET-PATH>.

DATA-SHARING-BUCKET-PATH: the bucket path that contains the data.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sundial-Perms",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::826846318854:role/<sundial-role>"
      },
      "Action": [
        "s3:Get*",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::<DATA-SHARING-BUCKET-PATH>",
        "arn:aws:s3:::<DATA-SHARING-BUCKET-PATH>/*"
      ]
    },
    {
      "Sid": "SSL",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<DATA-SHARING-BUCKET-PATH>",
        "arn:aws:s3:::<DATA-SHARING-BUCKET-PATH>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Encryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::<DATA-SHARING-BUCKET-PATH>",
        "arn:aws:s3:::<DATA-SHARING-BUCKET-PATH>/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

After applying either of the above policies, please share the bucket path <DATA-SHARING-BUCKET-PATH> with Sundial. This is the path on which the permissions were applied.

Apply the following bucket policy to grant write permissions on the S3 bucket that contains the data path Sundial should write to, <DATA-WRITING-BUCKET-PATH>. If the read and write buckets are the same, you can add these actions to the same Sundial-Perms statement instead of creating a separate policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sundial-Perms",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::826846318854:role/<sundial-role>"
      },
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<DATA-WRITING-BUCKET-PATH>",
        "arn:aws:s3:::<DATA-WRITING-BUCKET-PATH>/*"
      ]
    }
  ]
}
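The following script is an added example, not Sundial's own tooling, covering both the read policy and the write policy above. It builds the two policies from the page with constructed bucket names and a hypothetical role name standing in for the placeholders, merges them into one Sundial-Perms statement when the buckets are the same (as the text suggests) or under a distinct Sid when they differ, catches the stray trailing comma that makes a pasted policy invalid JSON, and lints the result the way a security reviewer would before it is applied: no wildcard principals or wildcard actions in an Allow, every resource scoped to a bucket, and both Deny guard rails present.

```python
import json

# Constructed sample values standing in for the page's placeholders (not real resources).
SUNDIAL_ROLE_ARN = "arn:aws:iam::826846318854:role/sundial-role-example"  # hypothetical role name
DATA_SHARING_BUCKET = "example-data-sharing-bucket"  # constructed
DATA_WRITING_BUCKET = "example-data-sharing-bucket"  # constructed; same bucket, so the policies merge

READ_ACTIONS = ["s3:Get*", "s3:ListBucket", "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions", "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"]


def bucket_resources(bucket):
    """Bucket ARN plus object ARN, the pair every statement on the page uses."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def read_policy(bucket, role_arn):
    """The page's read policy: one Allow for the role, two Deny guard rails."""
    res = bucket_resources(bucket)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Sundial-Perms", "Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": list(READ_ACTIONS), "Resource": res},
        {"Sid": "SSL", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": res, "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "Encryption", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": res,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ]}


def write_policy(bucket, role_arn):
    """The page's write policy: a single Allow statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Sundial-Perms", "Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": list(WRITE_ACTIONS), "Resource": bucket_resources(bucket)}]}


def merge_policies(read, write):
    """Fold the write actions into the existing Sundial-Perms statement when it covers
    the same resources; otherwise append them under a distinct Sid, since Sids must be
    unique within one policy document."""
    merged = json.loads(json.dumps(read))  # deep copy, leaves the input untouched
    by_sid = {s["Sid"]: s for s in merged["Statement"]}
    for stmt in write["Statement"]:
        target = by_sid.get(stmt["Sid"])
        if target and target["Resource"] == stmt["Resource"]:
            for action in stmt["Action"]:
                if action not in target["Action"]:
                    target["Action"].append(action)
        else:
            merged["Statement"].append(dict(stmt, Sid=f"{stmt['Sid']}-Write"))
    return merged


def parse_policy(text):
    """Return (policy, None) or (None, error): a pasted policy with a trailing comma is
    rejected here rather than by the S3 console."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc}"


def lint(policy, expected_role_arn):
    """Defensive checks on a bucket policy. Returns a list of findings; empty means clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 as on the page")
    sids = [s.get("Sid") for s in policy["Statement"]]
    if len(sids) != len(set(sids)):
        findings.append("duplicate Sid")
    saw_ssl_deny = saw_sse_deny = False
    for s in policy["Statement"]:
        sid = s.get("Sid")
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        for r in resources:  # every resource must name a specific bucket
            if not r.startswith("arn:aws:s3:::") or r.startswith("arn:aws:s3:::*"):
                findings.append(f"{sid}: resource not scoped to a bucket: {r}")
        if s["Effect"] == "Allow":
            if s.get("Principal") != {"AWS": expected_role_arn}:
                findings.append(f"{sid}: Allow principal is not the Sundial role: {s.get('Principal')}")
            if any(a in ("s3:*", "*") for a in actions):
                findings.append(f"{sid}: Allow grants wildcard actions")
        else:
            cond = s.get("Condition", {})
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false" and "s3:*" in actions:
                saw_ssl_deny = True
            if "s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {}):
                saw_sse_deny = True
    if not saw_ssl_deny:
        findings.append("missing Deny for aws:SecureTransport=false (plaintext HTTP allowed)")
    if not saw_sse_deny:
        findings.append("missing Deny for PutObject without s3:x-amz-server-side-encryption")
    return findings


if __name__ == "__main__":
    policy = merge_policies(read_policy(DATA_SHARING_BUCKET, SUNDIAL_ROLE_ARN),
                            write_policy(DATA_WRITING_BUCKET, SUNDIAL_ROLE_ARN))
    print(json.dumps(policy, indent=2))
    print("findings:", lint(policy, SUNDIAL_ROLE_ARN) or "none")
```

Two points worth knowing about the Encryption statement when the write side is enabled: S3 evaluates the Deny against the request headers, so a client that relies on the bucket's default encryption and omits the x-amz-server-side-encryption header is still denied and must send the header explicitly, and because the condition compares against the literal value AES256, an upload that asks for SSE-KMS (header value aws:kms) is denied as well. Run the lint against the policy you actually intend to apply, with the real role ARN substituted, before handing it to the security review the page asks for.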