Adding AWS IAM roles

To allow a specific AWS IAM role to perform all operations on an Amazon S3 target, you must add the role to R‑Cloud as a cloud account (as an alternative to creating an AWS IAM role as part of adding to R‑Cloud the AWS account where the target resides), and then specify it when setting up the target.

For details on how to specify an AWS IAM role when setting up an Amazon S3 target, see Setting up an Amazon S3 target.

Prerequisites

  • An AWS IAM role must be created in AWS. The role must have policies attached that grant the permissions for the S3 service listed below. If you plan to set up a directory bucket as an Amazon S3 target, the permissions for the S3 Express service must also be included.

    Service      Permissions

    S3           ListBucket
                 ListBucketVersions
                 GetBucketLocation
                 GetBucketObjectLockConfiguration
                 GetBucketPublicAccessBlock
                 GetBucketTagging
                 GetBucketVersioning
                 GetEncryptionConfiguration
                 GetLifecycleConfiguration
                 GetObject
                 GetObjectTagging
                 DeleteObject
                 DeleteObjectVersion
                 PutBucketTagging
                 PutObjectTagging
                 PutObject
                 ListAllMyBuckets

                 For targets that have Object Lock (WORM) enabled, the following additional permissions are required:
                 PutObjectRetention
                 PutObjectLegalHold

    S3 Express   CreateSession
                 ListAllMyDirectoryBuckets

    For details on policies and permissions in IAM, see AWS documentation.

  • Your AWS IAM role must have a trust relationship established with R‑Cloud that includes the following:

    • The AWS principal: arn:aws:iam::<HYCUAWSAccountID>:root. To get your HYCU AWS account ID, contact HYCU Support.

    • The sts:AssumeRole action.

    For details on how to establish a trust relationship, see AWS documentation.
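As an added example (not HYCU's own code, and not the exact policy documents R‑Cloud generates), the trust relationship and permissions above expressed as IAM policy documents in Python, together with a check that a trust policy actually requires the external ID; the account ID and external ID are constructed placeholders, and the IAM action prefixes (s3:, s3express:) are added from the AWS action names.

```python
# Constructed placeholders (assumptions): use the account ID from HYCU Support and the
# external ID you will enter in R-Cloud.
HYCU_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "replace-with-your-external-id"

# Permissions from the prerequisites table, with their IAM action prefixes (s3:, s3express:).
S3_ACTIONS = ["s3:" + a for a in (
    "ListBucket ListBucketVersions GetBucketLocation GetBucketObjectLockConfiguration "
    "GetBucketPublicAccessBlock GetBucketTagging GetBucketVersioning GetEncryptionConfiguration "
    "GetLifecycleConfiguration GetObject GetObjectTagging DeleteObject DeleteObjectVersion "
    "PutBucketTagging PutObjectTagging PutObject ListAllMyBuckets").split()]
OBJECT_LOCK_ACTIONS = ["s3:PutObjectRetention", "s3:PutObjectLegalHold"]
S3_EXPRESS_ACTIONS = ["s3express:CreateSession", "s3express:ListAllMyDirectoryBuckets"]


def trust_policy(hycu_account_id: str, external_id: str) -> dict:
    """Trust relationship: only the HYCU account may assume the role, and only when it
    presents the external ID, which is what stops a confused-deputy use of the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hycu_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(object_lock: bool = False, directory_bucket: bool = False) -> dict:
    """Identity policy for the role; narrow Resource to your target bucket ARNs where you can."""
    actions = list(S3_ACTIONS)
    if object_lock:
        actions += OBJECT_LOCK_ACTIONS
    if directory_bucket:
        actions += S3_EXPRESS_ACTIONS
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def trust_policy_requires_external_id(policy: dict) -> bool:
    """Audit check: every Allow statement for sts:AssumeRole must carry an sts:ExternalId condition."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
                return False
    return True
```

Run `trust_policy_requires_external_id` against the trust policy of an existing role (for example, the output of `aws iam get-role`) to confirm the external ID condition is in place before entering it in R‑Cloud.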

Procedure

  1. In the Cloud Accounts dialog box, click New.

  2. Select Add AWS IAM Role, and then click Next.

  3. In the Name field, enter a name for your IAM role.

  4. From the Protection Set drop-down menu, select the protection set to which you want to add your IAM role.

  5. In the S3 ARN field, enter the Amazon Resource Name (ARN) of your IAM role.

  6. In the External ID field, enter the external ID of your IAM role trust relationship.

  7. Click Save.

The IAM role is added to the list of cloud accounts in R‑Cloud.

You can edit any of the IAM roles at any time (click Edit and make the required modifications) or delete the ones that you no longer need (click Delete). Keep in mind that deleting the IAM role from R‑Cloud does not remove it from AWS.