Configuring S3 IAM Policies

To connect with Amazon S3, you create one policy for uploading data from Amazon S3 and a different policy for publishing data to Amazon S3. These IAM policies grant the minimum permissions required for connecting to S3.

If your Amazon S3 store is encrypted with AWS Key Management Service (KMS) keys, see the example at the end of the topic.

Creating an IAM policy to Upload from Amazon S3

  1. Sign in to the Amazon IAM console.
  2. Navigate to Policies.
  3. Select Create Policy.
  4. Copy the following policy and paste it into the editor.
    Replace the <your-bucket-name> placeholders with your S3 bucket name. The policy is shown as a complete policy document, with the Version and Statement elements the IAM editor requires.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*",
            "Sid": "1"
        },
        {
            "Action": [
                "s3:ListBucket*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<your-bucket-name>/*",
                "arn:aws:s3:::<your-bucket-name>"
            ],
            "Sid": ""
        }
    ]
}
  5. Select Next: Tags.
  6. Optionally add tags, then select Next: Review.
  7. Review your policy, give it a name and optional description, then select Create policy.

Creating an IAM policy to Publish to Amazon S3

Note: s3:ListBucketMultipartUploads is a bucket-level action, so the policy below must include the bucket ARN itself (arn:aws:s3:::<your-bucket-name>) as a resource, not only the object ARN (arn:aws:s3:::<your-bucket-name>/*).

  1. Sign in to the Amazon IAM console.
  2. Navigate to Policies.
  3. Select Create Policy.
  4. Copy the following policy and paste it into the editor.
    Replace the <your-bucket-name> placeholders with your S3 bucket name. The policy is shown as a complete policy document, with the Version and Statement elements the IAM editor requires.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*",
            "Sid": "1"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:Delete*",
                "s3:Put*",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<your-bucket-name>/*",
                "arn:aws:s3:::<your-bucket-name>"
            ],
            "Sid": ""
        }
    ]
}
  5. Select Next: Tags.
  6. Optionally add tags, then select Next: Review.
  7. Review your policy, give it a name and optional description, then select Create policy.

Example Policy for KMS Encrypted S3 Stores

Replace the <region>, <aws-account-number>, and <your-bucket-name> placeholders with your AWS S3 values.

In the example below, note the wildcard * in the KMS key resource, which matches every key in that account and region. Optionally, you can replace it with the ID of the specific key that encrypts the bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": "arn:aws:kms:<region>:<aws-account-number>:key/*"
        },
        {
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*",
            "Sid": "1"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:Delete*",
                "s3:Put*",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<your-bucket-name>/*",
                "arn:aws:s3:::<your-bucket-name>"
            ],
            "Sid": ""
        }
    ]
}
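
The three policies on this page, built from a bucket name and sanity-checked in Python, as an added example that is not part of Tamr's documentation or tooling. The bucket name, region, account number and key ID in the block are constructed placeholders, and check_policy is a local least-privilege check written for this example (it does not call any AWS API): it confirms that the read-only upload policy grants no write actions, that bucket-scoped statements name only the intended bucket in the two ARN forms the page uses, that no <placeholder> was left in a resource, and it warns when the KMS statement still uses the key/* wildcard.

```python
"""Build and sanity-check the S3 IAM policies described on this page.

Added example, not Tamr's code. All sample values below are constructed.
"""
import json
import re

POLICY_VERSION = "2012-10-17"
# The only actions the page grants against every bucket (arn:aws:s3:::*)
ACCOUNT_WIDE_ACTIONS = ("s3:ListAllMyBuckets", "s3:GetBucketLocation")
# Action prefixes that can modify data; the upload policy must not contain them
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Abort")
# Exactly the two bucket ARN forms used on the page: the bucket and its objects
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::([^/*]+)(/\*)?$")


def _statement(actions, resource, sid=""):
    return {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": resource}


def _bucket_resources(bucket):
    # Object-level ARN first, bucket-level ARN second, as on the page
    return [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]


def upload_policy(bucket):
    """Read-only policy for uploading data from S3 (the page's first policy)."""
    return {"Version": POLICY_VERSION, "Statement": [
        _statement(ACCOUNT_WIDE_ACTIONS, "arn:aws:s3:::*", sid="1"),
        _statement(["s3:ListBucket*", "s3:Get*"], _bucket_resources(bucket)),
    ]}


def publish_policy(bucket):
    """Read/write policy for publishing data to S3 (the page's second policy)."""
    return {"Version": POLICY_VERSION, "Statement": [
        _statement(ACCOUNT_WIDE_ACTIONS, "arn:aws:s3:::*", sid="1"),
        _statement(["s3:Get*", "s3:Delete*", "s3:Put*", "s3:ListBucket",
                    "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload"],
                   _bucket_resources(bucket)),
    ]}


def kms_publish_policy(bucket, region, account, key_id="*"):
    """Publish policy plus kms:Decrypt/kms:Encrypt for a KMS-encrypted bucket.
    key_id="*" reproduces the page's wildcard; pass a key ID to scope the
    grant to that single key."""
    policy = publish_policy(bucket)
    policy["Statement"].insert(0, _statement(
        ["kms:Decrypt", "kms:Encrypt"],
        f"arn:aws:kms:{region}:{account}:key/{key_id}"))
    return policy


def check_policy(policy, bucket, read_only=False):
    """Return a list of findings; an empty list means the policy is scoped the
    way the page describes. Strings starting with 'warning:' are advisory."""
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append("missing or unexpected Version element")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {st.get('Effect')!r}")
        if read_only:
            for a in actions:
                if a.startswith(WRITE_PREFIXES):
                    findings.append(f"read-only policy grants write action {a}")
        for res in resources:
            if re.search(r"[<>{}]", res):
                findings.append(f"placeholder left in resource {res}")
            elif res == "arn:aws:s3:::*":
                extra = set(actions) - set(ACCOUNT_WIDE_ACTIONS)
                if extra:
                    findings.append(f"account-wide S3 resource grants {sorted(extra)}")
            elif res.startswith("arn:aws:s3:::"):
                m = BUCKET_ARN_RE.match(res)
                if not m or m.group(1) != bucket:
                    findings.append(f"S3 resource {res} is not scoped to bucket {bucket}")
            elif res.startswith("arn:aws:kms:"):
                if res.endswith(":key/*"):
                    findings.append("warning: KMS grant uses key/* wildcard; scope it to the bucket's key")
            else:
                findings.append(f"unexpected resource {res}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own
    bucket, region, account = "example-tamr-bucket", "us-east-1", "123456789012"
    key_id = "11111111-2222-3333-4444-555555555555"
    for name, pol, ro in [("upload", upload_policy(bucket), True),
                          ("publish", publish_policy(bucket), False),
                          ("kms-wildcard", kms_publish_policy(bucket, region, account), False),
                          ("kms-scoped", kms_publish_policy(bucket, region, account, key_id), False)]:
        print(f"== {name} ==")
        print(json.dumps(pol, indent=4))
        print("findings:", check_policy(pol, bucket, read_only=ro) or "none")
```

Paste the printed JSON into the IAM policy editor as in steps 4 to 7 above; the findings line is the local check to run before you do, and the kms-scoped variant shows the policy with the wildcard replaced by one key ID.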

© 2025, Tamr, Inc. All rights reserved.
