Adding an AWS IAM role

To allow a specific AWS IAM role to perform all operations on an Amazon S3 target, you must add it to R‑Cloud. You can do this as part of any of the following procedures:

Prerequisites

  • An AWS IAM role must be created in AWS, with a policy attached that grants the S3 permissions listed below.

    If you plan to set up a directory bucket as an Amazon S3 target, the S3 Express permissions must also be included.

    If you use Key Management Service (KMS) to encrypt your Amazon S3 bucket data, the KMS permissions must also be included.

    Service       Permissions
    KMS           Decrypt, DescribeKey, Encrypt, GenerateDataKey
    S3            CreateBucket, DeleteJobTagging, DeleteObject, DeleteObjectTagging,
                  DeleteObjectVersion, DeleteObjectVersionTagging,
                  DeleteStorageLensConfigurationTagging, GetBucketLocation,
                  GetBucketLogging, GetBucketObjectLockConfiguration,
                  GetBucketPublicAccessBlock, GetBucketTagging, GetBucketVersioning,
                  GetEncryptionConfiguration, GetLifecycleConfiguration, GetObject,
                  GetObjectTagging, ListAllMyBuckets, ListBucket, ListBucketVersions,
                  PutBucketPolicy, PutBucketTagging, PutJobTagging, PutObject,
                  PutObjectLegalHold, PutObjectRetention, PutObjectTagging,
                  PutObjectVersionTagging, PutStorageLensConfigurationTagging,
                  ReplicateTags

                  For targets that have Object Lock (WORM) enabled, the following
                  additional permissions are required: PutObjectRetention,
                  PutObjectLegalHold
    S3 Express    CreateSession, ListAllMyDirectoryBuckets

    In the policy document, each action is written with its service prefix (kms:, s3:, s3express:), for example s3:GetObject or s3express:CreateSession.

    For details on policies and permissions in IAM, see AWS documentation.

  • Your AWS IAM role must have a trust relationship established with R‑Cloud that includes the following:

    • The arn:aws:iam::<HYCUAWSAccountID>:root principal. To get your HYCU AWS account ID, contact HYCU Support.

    • The sts:AssumeRole action.

    • A condition on sts:ExternalId that matches the external ID you enter for the role in R‑Cloud (see the procedure below). Without this condition, any principal in the HYCU account that can call sts:AssumeRole on the role ARN is accepted, which is the confused-deputy case the external ID is meant to prevent.

    For details on how to establish a trust relationship, see AWS documentation.

Consideration

To keep the AWS IAM role to least privilege, limit R‑Cloud access to only the buckets that are used as targets. In the AWS Management Console, do the following:

  • Update the required S3 bucket permissions so that they apply only to the buckets that are used as targets.

  • Update the required S3 object permissions so that they apply only to the contents stored within those buckets.

To achieve this, instead of using a wildcard character for the Resource element in the IAM policy statement, list the ARNs of the buckets (for bucket-level actions) and of their contents, bucket ARN followed by /* (for object-level actions), to which you want to allow access. Note that s3:ListAllMyBuckets does not support resource-level restriction and must keep Resource "*"; put it in its own statement so that the bucket- and object-level statements can be fully scoped. For instructions, see AWS documentation about defining the Resource IAM JSON policy element.

Recommendation

Only if you plan to include KMS permissions in the AWS IAM role: it is recommended to specify only the Amazon Resource Name (ARN) of the KMS key in the policy, rather than a wildcard. This limits R‑Cloud access to the KMS key used by the buckets that are used as targets.

To achieve this, define the KMS permissions and the KMS key resource to which you want to allow access by editing the IAM policy statement. For details, see AWS documentation about Using IAM policies with AWS KMS.
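The following is an added example, not HYCU's own code, that puts the prerequisites, the Consideration and the Recommendation above into concrete policy documents: a trust policy that accepts the HYCU account only when the external ID is presented, and a permissions policy in which the bucket-level and object-level S3 actions are scoped to the target buckets and the KMS actions to a single key ARN. It also includes a small lint that flags scopable actions granted on Resource "*", so you can check a policy before attaching it. The HYCU account ID, external ID, bucket names and KMS key ARN are constructed placeholders; the S3 Express permissions for directory buckets are not covered.

```python
"""Generate and lint the IAM policy documents for an R-Cloud target role.

Added example, not HYCU's code. All IDs, bucket names, the KMS key ARN and
the external ID below are constructed placeholders.
"""
import json

HYCU_ACCOUNT_ID = "111111111111"  # placeholder: obtain the real ID from HYCU Support
EXTERNAL_ID = "r-cloud-example-external-id"  # placeholder: the ID entered in R-Cloud
TARGET_BUCKETS = ["backup-target-1", "backup-target-2"]  # placeholder bucket names
KMS_KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/11111111-2222-3333-4444-555555555555"

# Bucket-level S3 actions from the prerequisites: Resource is the bucket ARN.
S3_BUCKET_ACTIONS = [
    "s3:CreateBucket", "s3:GetBucketLocation", "s3:GetBucketLogging",
    "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketTagging", "s3:GetBucketVersioning",
    "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration",
    "s3:ListBucket", "s3:ListBucketVersions", "s3:PutBucketPolicy",
    "s3:PutBucketTagging",
]
# Object-level S3 actions (including the Object Lock ones): Resource is <bucket ARN>/*.
S3_OBJECT_ACTIONS = [
    "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion",
    "s3:DeleteObjectVersionTagging", "s3:GetObject", "s3:GetObjectTagging",
    "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention",
    "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:ReplicateTags",
]
# Actions whose resource is the account, a Batch Operations job or a Storage
# Lens configuration rather than a bucket; these cannot be scoped to the targets.
S3_ACCOUNT_ACTIONS = [
    "s3:ListAllMyBuckets", "s3:PutJobTagging", "s3:DeleteJobTagging",
    "s3:PutStorageLensConfigurationTagging",
    "s3:DeleteStorageLensConfigurationTagging",
]
KMS_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey"]


def trust_policy(hycu_account_id, external_id):
    """Trust policy: the HYCU account may assume the role only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hycu_account_id}:root"},
            "Action": "sts:AssumeRole",
            # Confused-deputy guard: a caller without this external ID is refused.
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(buckets, kms_key_arn=None):
    """Permissions policy scoped to the target buckets and, optionally, one KMS key."""
    bucket_arns = [f"arn:aws:s3:::{name}" for name in buckets]
    statements = [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": S3_BUCKET_ACTIONS, "Resource": bucket_arns},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": S3_OBJECT_ACTIONS, "Resource": [f"{arn}/*" for arn in bucket_arns]},
        {"Sid": "AccountLevel", "Effect": "Allow",
         "Action": S3_ACCOUNT_ACTIONS, "Resource": "*"},
    ]
    if kms_key_arn:  # the key ARN itself, never "*" or a key/* wildcard
        statements.append({"Sid": "Kms", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Findings for Allow statements that put bucket-scopable actions on Resource '*'."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        scopable = [a for a in _as_list(statement["Action"]) if a not in S3_ACCOUNT_ACTIONS]
        if scopable and "*" in _as_list(statement["Resource"]):
            sid = statement.get("Sid", str(index))
            findings.append(f"statement {sid}: {', '.join(scopable)} allowed on '*'")
    return findings


def requires_external_id(policy):
    """True if every Allow sts:AssumeRole statement carries a StringEquals sts:ExternalId."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(statement["Action"]):
            continue
        if "sts:ExternalId" not in statement.get("Condition", {}).get("StringEquals", {}):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(trust_policy(HYCU_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy(TARGET_BUCKETS, KMS_KEY_ARN), indent=2))
```

Run the script to print both documents and paste them into the role's trust relationship and permissions policy in the AWS Management Console. The AccountLevel statement is the only one that keeps Resource "*", because those actions act on the account, a Batch Operations job or a Storage Lens configuration rather than on a bucket; everything the page lists as a bucket or object permission is scoped to the target bucket ARNs.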

Procedure

  1. In the Cloud Accounts dialog box, click New.

  2. Select Add AWS IAM Role, and then click Next.

  3. In the Name field, enter a name for your IAM role.

  4. From the Protection Set drop-down menu, select the protection set to which you want to add your IAM role.

  5. In the S3 ARN field, enter the Amazon Resource Name (ARN) of your IAM role.

  6. In the External ID field, enter the external ID of your IAM role trust relationship.

  7. Only if you plan to select this role to perform all operations on a private target: enable the Skip validation switch so that R‑Cloud does not validate the cloud account credentials against the endpoint used by the target. Note that with validation skipped, a wrong role ARN or external ID is not detected at this point but only when the target is used.

  8. Click Save.

The IAM role is added to the list of cloud accounts in R‑Cloud.

You can at any time edit any of the IAM roles (click Edit and make the required modifications) or delete the ones that you do not need anymore (click Delete). Keep in mind that deleting the IAM role from R‑Cloud does not remove it from AWS.