
AWS S3

About

AWS S3 is a scalable object storage service that allows users to store and protect their data for virtually any use case, such as data lakes, cloud-native applications, and mobile apps.

Why You Should Integrate

Syncing asset data from Sevco to an S3 bucket will allow you to leverage the scalability, reliability, and security of AWS S3 to store, manage, and analyze data; this can enhance your security operations and compliance efforts.

How Does the Integration Work

This integration allows you to sync asset data in Sevco to an AWS S3 bucket.

  • During configuration, you can choose to sync User and/or Device asset data.
  • Once the integration is configured, it will sync all of the data associated with the asset type(s) you've selected to your S3 bucket.
  • After the initial setup, this integration will perform a differential sync every 24 hours.

⚠️ If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.

Configuration Options

Field          Description                                                         Example
Bucket Name *  The name of the S3 bucket Sevco Inventory will sync to              sevco-inventory-sync
Key Prefix     The folder (object key prefix) within the bucket to sync to         users/
Region         The AWS region the bucket was created in                            us-east-1

* required

External Documentation

Creating Credentials

Access Key ID/Secret Access Key Schemas

See platform documentation for details on AWS - Creating credentials

Assume Role Schemas

You'll be required to configure an AWS role for Sevco to assume in order to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.

Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010.

Sample S3 Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_S3InventorySync"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}
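The trust policy above is what stops a confused-deputy attack: without the sts:ExternalId condition, anyone who could get the Sevco-side role to call AssumeRole with your role ARN could write into your bucket. The following is an added example (not Sevco's code and not an AWS API) that evaluates the sample trust policy against a few hypothetical AssumeRole requests with a deliberately simplified IAM evaluator, and audits the policy for the two weaknesses a reviewer would reject: a principal broader than one role, or no ExternalId condition. The helper names, the "Other" caller ARN and the second ExternalId value are invented for illustration.

```python
"""Added example: what the sts:ExternalId condition in a role trust policy does.

This is not Sevco's code. assume_role_allowed() is a hypothetical, simplified
evaluator, not how AWS STS evaluates policies.
"""
import json

# Constructed sample: the trust policy shown on this page, with its placeholder
# Sevco account ID and ExternalId (replace with the values Sevco Support provides).
SEVCO_ROLE_ARN = "arn:aws:iam::123456789010:role/Sevco_USProd_S3InventorySync"
EXTERNAL_ID = "11111111-1111-1111-1111-111111111111"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": SEVCO_ROLE_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }
    ],
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """AWS principals of a statement; a bare "*" principal is treated as {"AWS": "*"}."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        principal = {"AWS": principal}
    return _as_list(principal.get("AWS"))


def _required_external_ids(stmt):
    return _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))


def assume_role_allowed(policy, caller_arn, external_id=None):
    """Simplified trust-policy evaluation (hypothetical helper).

    The request is allowed only if an Allow statement names caller_arn as an AWS
    principal, grants sts:AssumeRole, and the ExternalId the caller supplied
    satisfies every StringEquals condition on sts:ExternalId. Explicit Deny,
    wildcard principals and other condition operators are not modelled.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if caller_arn not in _aws_principals(stmt):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        required = _required_external_ids(stmt)
        if required and external_id not in required:
            # Right principal, wrong or missing ExternalId: the confused-deputy
            # case the condition exists to block.
            continue
        return True
    return False


def audit_trust_policy(policy):
    """Findings a reviewer would raise before deploying the trust policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            if principal == "*" or principal.endswith(":root"):
                findings.append(f"principal broader than a single role: {principal}")
        if not _required_external_ids(stmt):
            findings.append("no sts:ExternalId condition on an AssumeRole grant")
    return findings


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print("correct caller and ExternalId:", assume_role_allowed(TRUST_POLICY, SEVCO_ROLE_ARN, EXTERNAL_ID))
    print("correct caller, no ExternalId:", assume_role_allowed(TRUST_POLICY, SEVCO_ROLE_ARN))
    print("findings:", audit_trust_policy(TRUST_POLICY))
```

Run it against the trust policy you actually deploy (load it with json.load) before applying it: the correct caller with the correct ExternalId should be the only combination that returns True, and the audit should return no findings.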

AWS CloudFormation Templates

If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.

See the CloudFormation template below:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an S3 asset sync role that can be assumed by a specific role with an ExternalId condition.

Parameters:
  RoleName:
    Type: String
    Description: Name of the S3 role to create.
    Default: SevcoAssumableRole
    MinLength: 1
    MaxLength: 64
  TrustedAccountNumber:
    Type: String
    Description: The AWS account hosting the role that will be allowed to assume the sync role in your account.
  ExternalId:
    Type: String
    Description: The ExternalId required for assuming the role.
  BucketARN:
    Type: String
    Description: The ARN of the bucket you would like to sync to.

Resources:
  AssumableS3Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_S3InventorySync'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: SevcoS3AssetCollectionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:AbortMultipartUpload'
                Resource: !Sub '${BucketARN}/*' # Objects in your S3 bucket
      MaxSessionDuration: 3600 # Session duration in seconds (1 hour)

Outputs:
  RoleArn:
    Description: ARN of the created S3 role
    Value: !GetAtt AssumableS3Role.Arn
  RoleName:
    Description: Name of the created S3 role
    Value: !Ref AssumableS3Role

Required Permissions

Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions. Replace <S3_BUCKET_ARN> with your bucket ARN and, if your bucket is encrypted with a customer-managed KMS key, <KMS_ARN> with that key's ARN.

AssumeRole

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "<S3_BUCKET_ARN>/*"
        }
    ]
}

AssumeRole with KMS key

Use this variant when the bucket's default encryption uses a customer-managed KMS key. S3 needs kms:GenerateDataKey to encrypt each uploaded object and kms:Decrypt to complete multipart uploads, so both must be granted on the key; buckets using SSE-S3 or the AWS-managed aws/s3 key need no KMS statement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "<S3_BUCKET_ARN>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<KMS_ARN>"
        }
    ]
}
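The policies above are the minimum; because the sync only ever writes under the Key Prefix you configure, the object grant can be narrowed from <S3_BUCKET_ARN>/* to that prefix. The following is an added example (not Sevco's code) that builds the permission policy from the Bucket Name, Key Prefix and optional KMS key ARN on this page, and lists any grant in an existing policy that goes beyond what the sync needs. It assumes all objects are written under the configured Key Prefix; the action lists are the ones on this page, and the example KMS key ARN and the "broad" policy in the usage are constructed for illustration.

```python
"""Added example: least-privilege permission policy for the Sevco S3 sync.

Not Sevco's code. Assumes every object the sync writes lands under the
configured Key Prefix, so the object grant can be narrowed to that prefix.
"""
import json

# Actions listed on this page for the sync principal. The KMS list is also the
# page's; kms:Decrypt plus kms:GenerateDataKey is what SSE-KMS multipart uploads need.
S3_ACTIONS = ("s3:PutObject", "s3:AbortMultipartUpload")
KMS_ACTIONS = ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def object_resource(bucket_name, key_prefix=""):
    """Object ARN pattern the sync writes to, narrowed to the Key Prefix when set."""
    prefix = key_prefix.strip("/")
    if prefix:
        return f"arn:aws:s3:::{bucket_name}/{prefix}/*"
    return f"arn:aws:s3:::{bucket_name}/*"


def build_sync_policy(bucket_name, key_prefix="", kms_key_arn=None):
    """Permission policy for the Sevco IAM user or the role Sevco assumes."""
    statements = [
        {
            "Effect": "Allow",
            "Action": list(S3_ACTIONS),
            "Resource": object_resource(bucket_name, key_prefix),
        }
    ]
    if kms_key_arn:  # only when the bucket uses a customer-managed KMS key
        statements.append(
            {"Effect": "Allow", "Action": list(KMS_ACTIONS), "Resource": kms_key_arn}
        )
    return {"Version": "2012-10-17", "Statement": statements}


def excess_grants(policy, bucket_name, key_prefix="", kms_key_arn=None):
    """(action, resource) pairs in policy that the sync does not need.

    Each one widens the blast radius if the credentials held on the Sevco side
    are ever leaked: a grant on bucket/* when only bucket/<prefix>/* is written,
    or any read/list/delete action, shows up here.
    """
    wanted_s3 = object_resource(bucket_name, key_prefix)
    excess = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                needed = (action in S3_ACTIONS and resource == wanted_s3) or (
                    kms_key_arn is not None
                    and action in KMS_ACTIONS
                    and resource == kms_key_arn
                )
                if not needed:
                    excess.append((action, resource))
    return excess


if __name__ == "__main__":
    # Placeholder key ARN, constructed for this example.
    kms_arn = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
    policy = build_sync_policy("sevco-inventory-sync", "users/", kms_arn)
    print(json.dumps(policy, indent=2))
    # A constructed over-broad policy of the kind excess_grants() is meant to catch.
    broad = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
                "Resource": "arn:aws:s3:::sevco-inventory-sync/*",
            }
        ],
    }
    print("excess:", excess_grants(broad, "sevco-inventory-sync", "users/"))
```

Pair the narrowed object grant with a bucket policy or S3 Block Public Access on the bucket itself; the permission policy controls what Sevco's principal can do, not who else can read the exported asset data.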

Contact Us

If you're having problems configuring an Integration, or if you've found something wrong in this document, please email us at [email protected].
