From your RudderStack dashboard, add a source. Then, from the list of destinations, select Amazon S3.
Assign a name to the destination and click Continue.
Connection settings
If you have already configured the AWS credentials in your RudderStack setup via the environment credentials or by following these steps, specifying only S3 Bucket Name and Prefix (optional but recommended) is sufficient to set up your S3 destination.
S3 Bucket Name: Enter your S3 bucket name.
Prefix: If specified, RudderStack creates a folder in the S3 bucket with this name and pushes all data within that folder. For example, s3://<bucket_name>/<prefix>/.
Role-based Authentication: This setting is toggled on by default and lets you use the RudderStack IAM role for authentication.
IAM Role ARN: Enter the ARN of the IAM role.
If Role-based Authentication is disabled, enter the AWS Access Key ID and AWS Secret Access Key to authorize RudderStack to write to your S3 bucket. For more information on obtaining these credentials, see the Permissions section.
Note the following:
Using Role-based Authentication is highly recommended as the access keys-based authentication method is deprecated and will be discontinued soon.
In both the role-based and access key-based authentication methods, you need to set a policy specifying the required permissions for RudderStack to write to your S3 bucket.
Enable Server Side Encryption: When you enable this setting, RudderStack adds a header x-amz-server-side-encryption with the value AES256 to the PutObject request when sending the data to the S3 bucket. See Encryption with S3 managed keys for more information.
It is recommended to create a new bucket for storing events coming from RudderStack.
Permissions
To send events to S3 successfully, you need to give RudderStack the necessary permissions to write to your bucket. You can choose any of the following approaches based on your company’s security policies and setup preferences:
Option 1: Use RudderStack IAM role
It is highly recommended to use this option for setting up the required S3 bucket permissions.
Use this approach if you are going to set up the S3 destination in RudderStack using Role Based Authentication.
AWS does not recommend access key credentials-based authentication.
Use this approach to set up the S3 destination in RudderStack using Access Key Based Authentication.
If the AWS credentials are already configured on your instance (see Option 4) where the RudderStack server is set up, you do not need to specify these credentials.
Create an IAM user. Choose a policy that has write access to your bucket. Alternatively, you can create a new policy with the following permissions and attach it to the IAM user:
You want to allow RudderStack to write into your S3 bucket directly.
For this option, you can leave the role based authentication (IAM Role ARN) or access key based authentication (AWS Access Key ID and AWS Secret Access Key) fields blank while setting up your S3 destination in RudderStack.
If you’re using your S3 bucket as an intermediary object storage for a warehouse destination, then attach the below permissions policy depending on your use case:
Note that the below policy is applicable only for the below authentication options:
Make sure to replace <S3_BUCKET_NAME> with the actual bucket name.
Encryption
Amazon S3 provides encryption at rest. The objects get encrypted while saving them to the bucket and are decrypted before downloading from S3.
S3 lets you set the default encryption behavior for a bucket. It encrypts the objects using server-side encryption with either Amazon S3 managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
Go to the Properties tab and scroll down to Default encryption. Then, click Edit.
Under Encryption key type, choose from Amazon S3 managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS):
The following settings are applicable if you choose AWS KMS-managed keys (SSE-KMS) as the encryption key type:
You can choose an existing AWS KMS key, enter the ARN of an AWS KMS key, or create a new KMS key.
Under Bucket Key, choose Enable and click Save changes.
For more information on setting the default encryption behavior for a bucket, see the S3 documentation.
AWS KMS keys
When the default encryption is set to AWS KMS-managed keys (SSE-KMS), S3 encrypts the objects using the customer managed keys (CMK) when they are uploaded to the bucket.
Set an Alias for the key. You can also add a description or tags for the key as required.
Choose the IAM user or role who can administer and use this key.
Review the configuration and click Finish to create the customer managed key.
Finally, set the default encryption for your S3 bucket as AWS KMS-managed keys (SSE-KMS) and select this customer managed key.
S3 managed keys
When you enable the Enable Server Side Encryption dashboard setting while configuring your S3 destination, RudderStack adds a x-amz-server-side-encryption header with the value AES256 to all the PutObject requests. S3 then encrypts the object with the AES256 encryption algorithm. For more information, see S3 encryption with S3 managed keys.
If you set the default encryption key type to Amazon S3 managed keys (SSE-S3), then S3 encrypts the objects that are uploaded in the bucket with AES256 encryption - irrespective of whether the Enable Server Side Encryption is enabled in the RudderStack dashboard or the presence of the x-amz-server-side-encryption header in the PutObject requests.
This site uses cookies to improve your experience while you navigate through the website. Out of
these
cookies, the cookies that are categorized as necessary are stored on your browser as they are as
essential
for the working of basic functionalities of the website. We also use third-party cookies that
help
us
analyze and understand how you use this website. These cookies will be stored in your browser
only
with
your
consent. You also have the option to opt-out of these cookies. But opting out of some of these
cookies
may
have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This
category only includes cookies that ensures basic functionalities and security
features of the website. These cookies do not store any personal information.
This site uses cookies to improve your experience. If you want to
learn more about cookies and why we use them, visit our cookie
policy. We'll assume you're ok with this, but you can opt-out if you wish Cookie Settings.