AWS S3
About
AWS S3 is a scalable object storage service that allows users to store and protect their data for virtually any use case, such as data lakes, cloud-native applications, and mobile apps.
Why You Should Integrate
Syncing asset data from Sevco to an S3 bucket will allow you to leverage the scalability, reliability, and security of AWS S3 to store, manage, and analyze data; this can enhance your security operations and compliance efforts.
How Does the Integration Work
This integration allows you to sync asset data in Sevco to an AWS S3 bucket.
- During configuration, you can choose to sync User and/or Device asset data.
- Once the integration is configured, it will sync all of the data associated with the asset type(s) you've selected to your S3 bucket.
- After the initial setup, this integration will perform a differential sync every 24 hours.
If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.
Configuration Options
Field | Description | Example |
---|---|---|
Bucket Name * | The name of the S3 Bucket Sevco Inventory will be syncing to | sevco-inventory-sync |
Key Prefix | The S3 Bucket folder Sevco Inventory will be syncing to | users/ |
Region | The region containing the S3 instances to collect | us-east-1 |
External Documentation
Creating Credentials
Access Key ID/Secret Access Key Schemas
See platform documentation for details on AWS - Creating credentials
Assume Role Schemas
You'll be required to configure a AWS role for Sevco to assume to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.
Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId
to replace the 11111111-1111-1111-1111-111111111111
value and the Sevco account ID to replace 123456789010
.
Sample S3 Assume Role trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_S3InventorySync"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "11111111-1111-1111-1111-111111111111"
}
}
}
]
}
AWS CloudFormation Templates
If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.
See the CloudFormation template below:
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an S3 asset sync role that can be assumed by a specific role with an ExternalId condition.
Parameters:
RoleName:
Type: String
Description: Name of the S3 role to create.
Default: SevcoAssumableRole
MinLength: 1
MaxLength: 64
TrustedAccountNumber:
Type: String
Description: The AWS account hosting the role that will allowed to assume the sync role in your account.
ExternalId:
Type: String
Description: The ExternalId required for assuming the role.
BucketARN:
Type: String
Description: The ARN of the bucket you would like to sync to
Resources:
AssumableS3Role:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_S3InventorySync'
Action: 'sts:AssumeRole'
Condition:
StringEquals:
'sts:ExternalId': !Ref ExternalId
Policies:
- PolicyName: SevcoS3AssetCollectionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
- 's3:AbortMultipartUpload'
Resource: !Sub '${BucketARN}/*' # Your S3 bucket ARN
MaxSessionDuration: 3600 # Session duration in seconds (1 hour)
Outputs:
RoleArn:
Description: ARN of the created S3 role
Value: !GetAtt AssumableS3Role.Arn
RoleName:
Description: Name of the created S3 role
Value: !Ref AssumableS3Role
Required Permissions
Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions:
AssumeRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Resource": "<S3_BUCKET_ARN>/*" // Replace with your bucket arn
}
]
}
AssumeRole with KMS key
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload"
],
"Resource": "<S3_BUCKET_ARN>/*" // Replace with your bucket arn
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "<KMS_ARN>" // Replace with your KMS arn for custom KMS key
}
]
}
Contact Us
If you're having problems configuring an Integration, or if you've found something wrong in this document, please email us at [email protected] or suggest edits directly by selecting the Suggest Edits
link located in the upper right hand corner of the documentation.
Tags: <on-prem/cloud>, <categories>
Updated 3 days ago