We highly recommend creating new credentials just for use by our API on your Destination provider.
Create IAM User or Role:
- In your Destination provider's IAM system, create a dedicated IAM User or Role that will be used solely for writing to the S3 bucket (or equivalent). This separation of duties improves security and makes the integration's access easy to audit.
Assign Necessary IAM Policies:
- Attach policies to the user or role so that it has the permissions it needs to interact with your S3 bucket (or equivalent), such as write and list.
- For added security, consider scoping the policy so that the allowed actions apply only to the specific bucket and its necessary folders (prefixes), by using the `Resource` element in the policy.
Credential Setup:
- For security, generate new Access Keys (Access Key ID and Secret Access Key) for this IAM user or role. Store these credentials securely and ensure they are only used by your integration.
Validate Permissions:
- We recommend using a tool, such as AWS IAM Access Analyzer, to validate that the permissions you’ve granted are not overly permissive.
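
The steps above, as an added example that is not part of the original documentation: it builds a write-and-list policy scoped with the `Resource` element to one bucket and prefix, then runs a simple local check for wildcard grants before you attach it. It assumes AWS S3; the bucket name, prefix and function names are placeholders chosen for illustration, and the check is a quick pre-screen, not a substitute for AWS IAM Access Analyzer.

```python
import json

def scoped_policy(bucket: str, prefix: str) -> dict:
    """Allow write and list on one bucket, limited to one prefix."""
    prefix = prefix.strip("/")
    if not bucket or not prefix:
        raise ValueError("bucket and prefix are both required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "WriteUnderPrefix", "Effect": "Allow",
             "Action": ["s3:PutObject"],
             # Object ARN: only keys under the prefix are writable
             "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"]},
            {"Sid": "ListUnderPrefix", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             # ListBucket is a bucket-level action, so the prefix is
             # enforced with a condition rather than in the ARN
             "Resource": [f"arn:aws:s3:::{bucket}"],
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overly_permissive(policy: dict) -> list:
    """Return findings for Allow statements with wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.startswith("arn:aws:s3:::*"):
                findings.append(f"{sid}: unscoped resource {res}")
    return findings

# Constructed sample: the kind of broad grant the check should flag
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    good = scoped_policy("example-destination-bucket", "exports/")
    print(json.dumps(good, indent=2))
    print(overly_permissive(good), overly_permissive(WEAK))
```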