Configuring IAM policies for Batch Replication - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring IAM policies for Batch Replication

Because S3 Batch Replication is a type of Batch Operations job, you must create a Batch Operations Amazon Identity and Access Management (IAM) role to grant Amazon S3 permissions to perform actions on your behalf. You also must attach a Batch Replication IAM policy to the Batch Operations IAM role. The following example creates an IAM role that gives Batch Operations permission to initiate a Batch Replication job.

Create IAM role and policy

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Under Access management, choose Roles.

  3. Choose Create Role.

  4. Choose Amazon Web Service as the type of trusted entity, Amazon S3 as the service, and S3 Batch Operations as the use case.

  5. Choose Next: Permissions.

  6. Choose Create Policy.

  7. Choose JSON and insert one of the following policies based on your manifest.

    Note

    Different permissions are needed depending on whether you are generating a manifest or supplying one. For more information, see Specifying a manifest for a Batch Replication job.

    Policy if using and storing an S3-generated manifest

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:InitiateReplication"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*** replication source bucket ***/*"
          ]
        },
        {
          "Action": [
            "s3:GetReplicationConfiguration",
            "s3:PutInventoryConfiguration"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*** replication source bucket ***"
          ]
        },
        {
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*** manifest bucket ***/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::*** completion report bucket ***/*",
            "arn:aws:s3:::*** manifest bucket ***/*"
          ]
        }
      ]
    }

    Policy if using a user-supplied manifest

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:InitiateReplication"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*** replication source bucket ***/*"
          ]
        },
        {
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::*** manifest bucket ***/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::*** completion report bucket ***/*"
          ]
        }
      ]
    }

  8. Choose Next: Tags.

  9. Choose Next: Review.

  10. Choose a name for the policy and choose Create policy.

  11. Attach this policy to your role and choose Next: Tags.

  12. Choose Next: Review.

  13. Choose a name for the role and choose Create role.

Verify trust policy

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Under Access management, choose Roles, and select your newly created role.

  3. On the Trust relationships tab, choose Edit trust relationship.

  4. Verify this role is using the following trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "batchoperations.s3.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
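The following added example (not part of the AWS documentation) audits a role created by these steps against the user-supplied-manifest policy and the trust policy above: it confirms each documented action is granted on the expected bucket ARN, flags wildcard actions or resources, and lists any principal other than S3 Batch Operations that may assume the role. The function names are hypothetical, the policies are assumed to be already parsed with json.load, and the `arn:aws` partition is taken from the page as shown.

```python
# Actions the user-supplied-manifest policy grants, mapped to the kind of object
# ARN each must be scoped to (constructed from the documented policy above).
REQUIRED = {"s3:InitiateReplication": "source", "s3:GetObject": "manifest",
            "s3:GetObjectVersion": "manifest", "s3:PutObject": "report"}
BATCH_OPS_PRINCIPAL = "batchoperations.s3.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]


def audit_permission_policy(policy, source_bucket, manifest_bucket, report_bucket):
    """Return findings for a Batch Replication permission policy; [] means it
    matches the documented template and grants nothing broader."""
    expected = {"source": f"arn:aws:s3:::{source_bucket}/*",
                "manifest": f"arn:aws:s3:::{manifest_bucket}/*",
                "report": f"arn:aws:s3:::{report_bucket}/*"}
    findings, granted = [], {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        # Wildcards defeat the point of a role scoped to one job's buckets.
        if resources & {"*", "arn:aws:s3:::*"}:
            findings.append(f"wildcard Resource for {actions}")
        if {"*", "s3:*"} & set(actions):
            findings.append(f"wildcard Action on {sorted(resources)}")
        for action in actions:
            granted.setdefault(action, set()).update(resources)
    for action, kind in REQUIRED.items():
        if action not in granted:
            findings.append(f"missing {action}")
        elif expected[kind] not in granted[action]:
            findings.append(f"{action} not scoped to {expected[kind]}")
    return findings


def audit_trust_policy(trust):
    """Return principals other than S3 Batch Operations allowed to assume the role."""
    unexpected = []
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        values = [p for v in principal.values() for p in _as_list(v)] if isinstance(principal, dict) else [principal]
        unexpected += [p for p in values if p != BATCH_OPS_PRINCIPAL]
    return unexpected
```

Run both checks against the output of `aws iam get-role` and `aws iam get-policy-version` after the role is created, and again if the role is later edited.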