Amazon S3 policies for Amazon IoT Analytics resources - Amazon IoT Analytics
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon S3 policies for Amazon IoT Analytics resources

You can store processed data store messages in an Amazon S3 bucket managed by Amazon IoT Analytics or in one that you manage. When you create a data store, select the Amazon S3 bucket you want by using the datastoreStorage API parameter. The default is a service-managed Amazon S3 bucket.

If you choose to have data store messages stored in an Amazon S3 bucket that you manage, you must grant Amazon IoT Analytics permission to perform these actions on your Amazon S3 bucket for you:

  • s3:GetBucketLocation

  • s3:PutObject

  • s3:DeleteObject

If you use the data store as a source for an SQL query dataset, set up an Amazon S3 bucket policy that grants Amazon IoT Analytics permission to invoke Amazon Athena queries on the contents of your bucket.

Note

We recommend that you specify aws:SourceArn in your bucket policy to help prevent the confused deputy security problem. This restricts access to requests that Amazon IoT Analytics makes on behalf of the specified resources, so only requests originating from the specified account are allowed. For more information about the confused deputy problem, see Cross-service confused deputy prevention.

The following is an example of a bucket policy that grants these required permissions.

{
    "Version": "2012-10-17",
    "Id": "MyPolicyID",
    "Statement": [
        {
            "Sid": "MyStatementSid",
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:iotanalytics:us-east-1:123456789012:dataset/DOC-EXAMPLE-DATASET",
                        "arn:aws:iotanalytics:us-east-1:123456789012:datastore/DOC-EXAMPLE-DATASTORE"
                    ]
                }
            }
        }
    ]
}

For more information, see Cross-account access in the Amazon Athena User Guide.
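The following checker, added here as an illustration and not part of the Amazon IoT Analytics documentation or service, reads a bucket policy document and reports two things this page calls out: whether every Allow statement for the iotanalytics.amazonaws.com principal carries an aws:SourceArn condition (confused deputy prevention), and whether the three required actions are granted. The sample policies it runs against are constructed for the example; the function and variable names are the example's own.

```python
import fnmatch
import json

# Actions Amazon IoT Analytics needs on a customer-managed data store bucket (from the page).
REQUIRED_ACTIONS = {"s3:GetBucketLocation", "s3:PutObject", "s3:DeleteObject"}
IOTA_SERVICE = "iotanalytics.amazonaws.com"

def _as_list(value):
    """Policy fields such as Action or Principal.Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_iot_analytics_bucket_policy(policy_json: str) -> list[str]:
    """Return findings for a bucket policy; an empty list means it passes.
    - required actions are granted to the IoT Analytics principal (wildcards honoured),
    - every Allow statement for that principal carries an aws:SourceArn condition."""
    policy = json.loads(policy_json)
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or IOTA_SERVICE not in services:
            continue
        granted.update(_as_list(stmt.get("Action")))
        cond = stmt.get("Condition", {})
        if not any("aws:SourceArn" in v for v in cond.values() if isinstance(v, dict)):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: grants {IOTA_SERVICE} access without an aws:SourceArn condition")
    missing = [a for a in sorted(REQUIRED_ACTIONS) if not any(fnmatch.fnmatchcase(a, g) for g in granted)]
    if missing:
        findings.append("missing required actions: " + ", ".join(missing))
    return findings

# Constructed sample policies (not from the page) using the documentation's placeholder ARNs.
def _policy(actions, condition=None):
    """Build a one-statement bucket policy for the constructed samples."""
    stmt = {"Sid": "IoTAnalyticsAccess", "Effect": "Allow", "Principal": {"Service": IOTA_SERVICE},
            "Action": actions, "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

WEAK_POLICY = _policy(["s3:GetBucketLocation", "s3:PutObject"])  # no condition, no DeleteObject
HARDENED_POLICY = _policy(["s3:GetBucketLocation", "s3:PutObject", "s3:DeleteObject"],
    {"ArnLike": {"aws:SourceArn": "arn:aws:iotanalytics:us-east-1:123456789012:datastore/DOC-EXAMPLE-DATASTORE"}})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_iot_analytics_bucket_policy(pol) or "OK")
```

The weak sample produces two findings (no aws:SourceArn, missing s3:DeleteObject); the hardened sample passes, and a statement granting s3:* with a condition also passes the action check because wildcards are matched.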

Note

If you update the options or permissions of your customer managed data store, you might need to reprocess channel data to ensure that any previously ingested data is included in dataset contents. For more information, see Reprocessing channel data.