Understanding configurations stored in Amazon S3
You can store configurations in an Amazon Simple Storage Service (Amazon S3) bucket. When you create the configuration profile, you specify the URI to a single S3 object in a bucket. You also specify the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that gives AWS AppConfig permission to get the object. Before you create a configuration profile for an Amazon S3 object, be aware of the following restrictions.
Restriction | Details |
---|---|
Size |
Configurations stored as S3 objects can be a maximum of 1 MB in size. |
Object encryption |
A configuration profile can target SSE-S3 and SSE-KMS encrypted objects. |
Storage classes |
AWS AppConfig supports the following S3 storage classes: |
Versioning |
AWS AppConfig requires that the S3 object use versioning. |
Configuring permissions for a configuration stored as an Amazon S3 object
When you create a configuration profile for a configuration stored as an S3 object, you must specify an ARN for an IAM role that gives AWS AppConfig permission to get the object. The role must include the following permissions.
Permissions to access the S3 object
-
s3:GetObject
-
s3:GetObjectVersion
Permissions to list S3 buckets
s3:ListAllMyBuckets
Permissions to access the S3 bucket where the object is stored
-
s3:GetBucketLocation
-
s3:GetBucketVersioning
-
s3:ListBucket
-
s3:ListBucketVersions
Complete the following procedure to create a role that enables AWS AppConfig to get a configuration stored in an S3 object.
Creating the IAM Policy for Accessing an S3 Object
Use the following procedure to create an IAM policy that enables AWS AppConfig to get a configuration stored in an S3 object.
To create an IAM policy for accessing an S3 object
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Policies, and then choose Create policy.
-
On the Create policy page, choose the JSON tab.
-
Update the following sample policy with information about your S3 bucket and configuration object. Then paste the policy into the text field on the JSON tab. Replace the
placeholder values
with your own information.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::
amzn-s3-demo-bucket
/my-configurations
/my-configuration
.json" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:ListBucketVersions", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket
" ] }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] } -
Choose Review policy.
-
On the Review policy page, type a name in the Name box, and then type a description.
-
Choose Create policy. The system returns you to the Roles page.
Creating the IAM Role for Accessing an S3 Object
Use the following procedure to create an IAM role that enables AWS AppConfig to get a configuration stored in an S3 object.
To create an IAM role for accessing an Amazon S3 object
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles, and then choose Create role.
-
On the Select type of trusted entity section, choose AWS service.
-
In the Choose a use case section, under Common use cases, choose EC2, and then choose Next: Permissions.
-
On the Attach permissions policy page, in the search box, enter the name of the policy you created in the previous procedure.
-
Choose the policy and then choose Next: Tags.
-
On the Add tags (optional) page, enter a key and an optional value, and then choose Next: Review.
-
On the Review page, type a name in the Role name field, and then type a description.
-
Choose Create role. The system returns you to the Roles page.
-
On the Roles page, choose the role you just created to open the Summary page. Note the Role Name and Role ARN. You will specify the role ARN when you create the configuration profile later in this topic.
Creating a Trust Relationship
Use the following procedure to configure the role you just created to trust AWS AppConfig.
To add a trust relationship
-
In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.
-
Delete
"ec2.amazonaws.com"
and add"appconfig.amazonaws.com"
, as shown in the following example.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "appconfig.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
-
Choose Update Trust Policy.