Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Creating an IAM Policy to Access Amazon S3 Resources

Aurora can access Amazon S3 resources to either load data to or save data from an Aurora DB cluster. However, you must first create an IAM policy that provides the bucket and object permissions that allow Aurora to access Amazon S3.

The following table lists the Aurora features that can access an Amazon S3 bucket on your behalf, and the minimum required bucket and object permissions required by each feature.

Feature                  Bucket Permissions   Object Permissions

LOAD DATA FROM S3        ListBucket           GetObject
                                              GetObjectVersion

LOAD XML FROM S3         ListBucket           GetObject
                                              GetObjectVersion

SELECT INTO OUTFILE S3   ListBucket           AbortMultipartUpload
                                              DeleteObject
                                              GetObject
                                              ListMultipartUploadParts
                                              PutObject

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to access an Amazon S3 bucket on your behalf. To allow Aurora to access all of your Amazon S3 buckets, you can skip these steps and use either the AmazonS3ReadOnlyAccess or AmazonS3FullAccess predefined IAM policy instead of creating your own.

To create an IAM policy to grant access to your Amazon S3 resources

  1. Open the IAM Console.

  2. In the navigation pane, choose Policies.

  3. Choose Create Policy.

  4. For Policy Generator, choose Select.

  5. In Edit Permissions, set the following values to grant bucket permissions:

    • Effect – Allow

    • AWS Service – Amazon S3

    • Actions – Specify the bucket permissions needed for the IAM policy.

      Bucket permissions are permissions for bucket operations in Amazon S3, and need to be granted on either a wildcard (*) or a bucket. For more information about permissions for bucket operations in Amazon S3, see Specifying Permissions in a Policy.

    • Set Amazon Resource Name (ARN) to the ARN of the Amazon S3 bucket that you want to allow access to. For instance, if you want to allow Aurora to access the Amazon S3 bucket named example-bucket, then set the ARN value to arn:aws:s3:::example-bucket.

  6. Choose Add Statement.

    Note

    You can repeat this and the previous step to add corresponding bucket permission statements to your policy for each Amazon S3 bucket that you want Aurora to access. Optionally, you can also grant access to all buckets and objects in Amazon S3.

  7. In Edit Permissions, set the following values to grant object permissions:

    • Effect – Allow

    • AWS Service – Amazon S3

    • Actions – Specify the object permissions needed for the IAM policy.

      Object permissions are permissions for object operations in Amazon S3, and need to be granted for objects in a bucket, not the bucket itself. For more information about permissions for object operations in Amazon S3, see Specifying Permissions in a Policy.

    • Set Amazon Resource Name (ARN) to the object ARN of the Amazon S3 bucket that you want to allow access to. For instance, if you want to allow Aurora to access all of the files in the Amazon S3 bucket named example-bucket, then set the ARN value to arn:aws:s3:::example-bucket/*.

    Note

    You can set Amazon Resource Name (ARN) to a more specific ARN value in order to allow Aurora to access only specific files or folders in an Amazon S3 bucket. For more information about how to define an access policy for Amazon S3, see Managing Access Permissions to Your Amazon S3 Resources.

  8. Choose Add Statement.

    Note

    You can repeat this and the previous step to add corresponding object permission statements to your policy for each Amazon S3 bucket that you want Aurora to access. Optionally, you can also grant access to all buckets and objects in Amazon S3.

  9. Choose Next Step.

  10. Set Policy Name to a name for your IAM policy, for example AllowAuroraToExampleBucket. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional Description value.

  11. Choose Create Policy.
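As an added example that is not part of the AWS guide, the following Python builds the least-privilege policy document that the table and steps 5 through 8 above describe for a single bucket, and checks a finished policy for the two scoping mistakes that defeat it (a wildcard Resource that covers every bucket, and object actions attached to the bare bucket ARN, which IAM does not evaluate for object operations). The function names and the optional prefix argument are assumptions of this example, not part of the console procedure.

```python
# Minimum S3 permissions per Aurora feature, copied from the table above.
# Bucket actions are granted on the bucket ARN, object actions on bucket/key*.
FEATURE_PERMISSIONS = {
    "LOAD DATA FROM S3": {"bucket": ["s3:ListBucket"],
                          "object": ["s3:GetObject", "s3:GetObjectVersion"]},
    "LOAD XML FROM S3": {"bucket": ["s3:ListBucket"],
                         "object": ["s3:GetObject", "s3:GetObjectVersion"]},
    "SELECT INTO OUTFILE S3": {"bucket": ["s3:ListBucket"],
                               "object": ["s3:AbortMultipartUpload", "s3:DeleteObject",
                                          "s3:GetObject", "s3:ListMultipartUploadParts",
                                          "s3:PutObject"]},
}
BUCKET_LEVEL = {"s3:ListBucket"}  # the only bucket-level action in the table


def build_policy(bucket, features, prefix=""):
    """Policy document (dict) granting only what the listed features need, on one
    bucket; prefix (an assumed option, e.g. "exports/") narrows the object ARN."""
    bucket_actions, object_actions = set(), set()
    for feature in features:
        bucket_actions.update(FEATURE_PERMISSIONS[feature]["bucket"])
        object_actions.update(FEATURE_PERMISSIONS[feature]["object"])
    bucket_arn = "arn:aws:s3:::" + bucket
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(bucket_actions), "Resource": bucket_arn},
        {"Effect": "Allow", "Action": sorted(object_actions),
         "Resource": bucket_arn + "/" + prefix + "*"},
    ]}


def check_resource_scoping(policy):
    """Flag least-privilege mistakes: a Resource covering every bucket, or an action
    on the wrong ARN kind (object actions on the bare bucket ARN are ineffective)."""
    findings = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if not isinstance(resources, list):
            resources = [resources]
        for res in resources:
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append("wildcard resource grants access to every bucket")
                continue
            is_object_arn = "/" in res
            for action in stmt["Action"]:
                if (action in BUCKET_LEVEL) == is_object_arn:
                    findings.append(action + " granted on " + res)
    return findings
```

Serializing the returned dict with json.dumps() gives the JSON form of the policy that steps 5 through 8 assemble in the console; compare it against the AmazonS3FullAccess shortcut mentioned above to see how much broader that managed policy is.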