search

S3

hashtag
Requirements

Name
Description

Teleskope Role

Attach S3 read and/or write permissions to the Teleskope IAM role you created

1

hashtag
Grant Teleskope Read Access to S3

Teleskope needs read access to scan and classify your data stored in S3.

Attach the AmazonS3ReadOnlyAccess to the Teleskope IAM role you created.

hashtag
Terraform

resource "aws_iam_role_policy_attachment" "s3_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

Or create a least-privilege policy, and specify bucket restrictions under resource, and attach that policy to the role

hashtag
Terraform

resource "aws_iam_policy" "teleskope_s3_policy" {
  name        = "TeleskopeS3Policy"
  description = "Policy to grant various read permissions for S3 resources."

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:GetBucketPolicyStatus",
          "s3:GetBucketPublicAccessBlock",
          "s3:GetLifecycleConfiguration",
          "s3:GetBucketTagging",
          "s3:GetInventoryConfiguration",
          "s3:GetBucketWebsite",
          "s3:GetBucketLogging",
          "s3:ListBucket",
          "s3:GetBucketVersioning",
          "s3:GetBucketAcl",
          "s3:GetBucketNotification",
          "s3:GetBucketPolicy",
          "s3:GetReplicationConfiguration",
          "s3:GetBucketObjectLockConfiguration",
          "s3:GetEncryptionConfiguration",
          "s3:PutBucketTagging",
          "s3:GetBucketCORS",
          "s3:GetBucketLocation"
        ]
        Resource = "arn:aws:s3:::*"
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObjectAcl",
          "s3:GetObject",
          "s3:GetObjectTagging",
          "s3:PutObjectTagging",
          "s3:GetObjectVersion"
        ]
        Resource = "arn:aws:s3:::*/*"
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetAccountPublicAccessBlock",
          "s3:ListAllMyBuckets",
          "s3:GetBucketInventoryConfiguration"
        ]
        Resource = "*"
      }
    ]
  })
}
2

hashtag
Grant Teleskope Read & Write Access to S3 (Optional)

Teleskope needs write access take enforce remediation policies such as tagging, redaction, deletion, etc.

Attach the AmazonS3FullAccess to the Teleskope IAM role you created.

hashtag
Terraform

resource "aws_iam_role_policy_attachment" "s3_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

hashtag
Inventory Reports (optional)

We highly recommend enabling inventory reports on your buckets. Teleskope could use those reports to efficiently list objects and reduce cost on your cloud. When enabling inventory reports, please make sure to add the following fields:

  1. Bucket

  2. Key

  3. Size

  4. Last Modified Date

  5. Storage Class

PreviousRedshiftNextSNS

Last updated

Was this helpful?