Uploading to an Amazon S3 Bucket - Amazon Personalize

Uploading to an Amazon S3 Bucket

After you format your historical input data (see Formatting Your Input Data), you must upload the CSV file to an Amazon S3 bucket and give Amazon Personalize permission to access to your Amazon S3 resources:

  1. If you haven't already, follow the steps in Setting Up Permissions to set up permissions so your IAM users can access Amazon Personalize and Amazon Personalize can access your resources.

  2. Upload your CSV files to an Amazon Simple Storage Service ( Amazon S3) bucket. This is the location that Amazon Personalize imports your data from. For more information, see Uploading Files and Folders by Using Drag and Drop in the Amazon Simple Storage Service Console User Guide.

  3. Give Amazon Personalize access to your Amazon S3 resources by attaching access policies to your Amazon S3 bucket and Amazon Personalize service role. See Giving Amazon Personalize Access to Amazon S3 Resources.

Note

Amazon S3 buckets and objects must be either encryption free or, if you are using AWS Key Management Service (AWS KMS) for encryption, you must give your IAM user and Amazon Personalize IAM service role permission to use your key. For more information see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

After you upload your data to an Amazon S3 bucket and give Amazon Personalize access to Amazon S3, import your data into Amazon Personalize. See Step 3: Importing Your Data.

Giving Amazon Personalize Access to Amazon S3 Resources

To give Amazon Personalize access to your Amazon S3 bucket, do the following:

  1. If you haven't already, follow the steps in Setting Up Permissions to set up permissions so your IAM users can access Amazon Personalize and Amazon Personalize can access your resources.

  2. Attach a policy to the Amazon Personalize service role (see Creating an IAM Role for Amazon Personalize) that allows access to your Amazon S3 bucket. For more information, see Attaching an Amazon S3 Policy to the Amazon Personalize Service Role.

  3. Attach a bucket policy to the Amazon S3 bucket containing your data files so Amazon Personalize can access them. For more information, see Attaching an Amazon Personalize Access Policy to Your S3 Bucket.

  4. If you are using AWS KMS for encryption, give your Amazon Personalize service role permission to use your key. For more information see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

Note

Because Amazon Personalize doesn’t communicate with AWS VPCs, Amazon Personalize can't interact with Amazon S3 buckets that allow only VPC access.

Attaching an Amazon S3 Policy to the Amazon Personalize Service Role

To attach an Amazon S3 policy to your Amazon Personalize role do the following:

  1. Sign in to the IAM console (https://console.aws.amazon.com/iam).

  2. In the navigation pane, choose Policies, and choose Create policy.

  3. Choose the JSON tab, and update the policy as follows. Replace bucket-name with the name of your bucket. If you are using a batch workflow, Amazon Personalize needs additional permissions. See Amazon S3 Policy for Batch Workflows.

    { "Version": "2012-10-17", "Id": "PersonalizeS3BucketAccessPolicy", "Statement": [ { "Sid": "PersonalizeS3BucketAccessPolicy", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ] } ] }
  4. Choose Review policy.

  5. For Name, enter PersonalizeS3BucketAccessPolicy.

  6. (Optional) For Description, enter a short sentence describing this policy, for example, Allow Amazon Personalize to access its S3 bucket.

  7. Choose Create policy.

  8. In the navigation pane, choose Roles, and choose the role you created for Amazon Personalize. See Creating an IAM Role for Amazon Personalize.

  9. For Permissions, choose Attach policies.

  10. To display the policy in the list, type part of the policy name in the Filter policies filter box.

  11. Choose the check box next to the policy you created earlier in this procedure.

  12. Choose Attach policy.

    Before your role is ready for use with Amazon Personalize you must also attach a bucket policy to the Amazon S3 bucket containing your data. See Attaching an Amazon Personalize Access Policy to Your S3 Bucket.

Amazon S3 Policy for Batch Workflows

For batch workflows, Amazon Personalize needs permission to access and add files to your Amazon S3 bucket. Follow the steps above to attach the following policy to your Amazon Personalize role. Replace bucket-name with the name of your bucket. For more information on batch workflows, see Getting Batch Recommendations.

{ "Version": "2012-10-17", "Id": "PersonalizeS3BucketAccessPolicy", "Statement": [ { "Sid": "PersonalizeS3BucketAccessPolicy", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ] } ] }

Attaching an Amazon Personalize Access Policy to Your S3 Bucket

Amazon Personalize needs permission to access the S3 bucket. For non-batch workflows, attach the following policy to your bucket. Replace bucket-name with the name of your bucket. For batch workflows, see S3 Bucket Policy for Batch Workflows.

For more information on Amazon S3 bucket policies, see How Do I Add an S3 Bucket Policy?.

{ "Version": "2012-10-17", "Id": "PersonalizeS3BucketAccessPolicy", "Statement": [ { "Sid": "PersonalizeS3BucketAccessPolicy", "Effect": "Allow", "Principal": { "Service": "personalize.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ] } ] }

S3 Bucket Policy for Batch Workflows

For batch workflows, Amazon Personalize needs permission to access and add files to your Amazon S3 bucket. Attach the following policy to your bucket. Replace bucket-name with the name of your bucket.

For more information on adding an Amazon S3 bucket policy to a bucket, see How Do I Add an S3 Bucket Policy?. For more information on batch workflows, see Getting Batch Recommendations.

{ "Version": "2012-10-17", "Id": "PersonalizeS3BucketAccessPolicy", "Statement": [ { "Sid": "PersonalizeS3BucketAccessPolicy", "Effect": "Allow", "Principal": { "Service": "personalize.amazonaws.com" }, "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*" ] } ] }