Authorization

Amazon S3
Follow this guide to create a new Amazon S3 credential that will allow Nexla to authenticate to and exchange data with your Amazon S3 account.
To learn more about credentials in Nexla, including how to share them with other users, see our Credentials guides.
Prerequisites
AWS Account Setup
Before creating an Amazon S3 credential in Nexla, you must have an AWS account with appropriate permissions to access S3 resources. If you don't have an AWS account, you can create one at aws.amazon.com.
IAM User and Permissions
You'll need to create an IAM user with the necessary permissions to access your S3 buckets. IAM (Identity and Access Management) is AWS's service for controlling access to resources.
For complete information about AWS IAM concepts, see the AWS IAM User Guide.
Determine Required Permissions
The specific permissions required depend on your use case. Review your data flow requirements and select the minimum permissions needed:
- For reading data: s3:GetObject, s3:ListBucket. Required when Nexla needs to read files from your S3 buckets.
- For writing data: s3:PutObject, s3:DeleteObject, s3:ListBucket. Required when Nexla needs to write files to your S3 buckets.
- For bucket management: s3:CreateBucket, s3:DeleteBucket. Required only if Nexla needs to create or delete buckets (rarely needed).
Follow the principle of least privilege: only grant the permissions your specific use case requires. This helps maintain security by limiting access to the minimum necessary.
Configure Permissions
- Sign in to the AWS Management Console, and navigate to the IAM service.
- Select Users from the left navigation pane.
- Choose the user you want to configure permissions for.
- Click the Permissions tab.
- Click Add permissions, and select Attach policies directly.
- Choose one of the following approaches:
Option A: Attach an Existing S3 Policy
- In the search box, type "S3" to filter policies.
- Select one of the following policies based on your needs:
  - AmazonS3ReadOnlyAccess: For read-only access to S3 buckets
  - AmazonS3FullAccess: For full read/write access to S3 buckets
  - AmazonS3BucketPolicyFullAccess: For bucket management operations
- Click Next to review the policy.
- Click Add permissions to attach the policy.
Option B: Create a Custom Policy
- Click Create policy to open the policy editor.
- Click the JSON tab to edit the policy directly.
- Replace the default policy with your custom policy JSON.
- Click Next to review the policy.
- Enter a name and description for your custom policy.
- Click Create policy.
- Return to the user permissions page and attach your newly created policy.
For detailed information about S3 permissions, see the AWS S3 User Guide.
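As an added example for Option B (not taken from the Nexla documentation or from an AWS-published policy), the following custom policy grants only the read and write actions listed under Determine Required Permissions, and scopes them to one folder of one bucket. The bucket name example-data-bucket and the folder incoming/ are constructed placeholders; replace them with your own values. The s3:prefix condition on s3:ListBucket keeps listing limited to that folder, which mirrors on the IAM side the S3 Path Access Restriction that can also be set on the Nexla credential.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheIncomingFolderPlaceholderBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-data-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["incoming/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteObjectsInTheIncomingFolderOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-data-bucket/incoming/*"
    }
  ]
}
```

Two points worth checking before attaching it: s3:ListBucket must be granted on the bucket ARN (no trailing /*), while the object actions must be granted on the object ARN pattern, so the two statements cannot be merged into one; and because the condition requires a prefix, a listing request that names no prefix at all is denied, so if Nexla needs to list the bucket root, add the empty string "" to the s3:prefix list. Drop s3:PutObject and s3:DeleteObject for a read-only source.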
Access Key Creation
- Sign in to the AWS Management Console, and navigate to the IAM service.
- Select Users from the left navigation pane.
- Choose the user you want to create access keys for.
- Click the Security credentials tab.
- Scroll down to the Access keys section, and click Create access key.
- Select Application running outside AWS as the use case.
- Click Next, and, optionally, add a description tag.
- Click Create access key.
- Important: Download the CSV file or copy the access key ID and secret access key immediately, as you won't be able to view the secret key again.
For more detailed instructions, see the AWS IAM User Guide.
Create an Amazon S3 Credential
- To create a new Amazon S3 credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
Credential Name & Description
- Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.
Authentication Method Configuration
- Select your preferred authentication method from the Authenticate Using dropdown. Amazon S3 supports three authentication methods:
  - Access Key
  - ARN & External ID
  - Instance Role
Configure Authentication Settings
Authenticate with Amazon S3 using AWS Access and Secret keys
- Enter the access key ID that will be used for authentication in the AWS Access Key field. Information about creating and locating your AWS access key is available in AWS IAM documentation.
- Enter the secret access key that will be used for authentication in the AWS Secret Key field.
Authenticate with Amazon S3 using IAM ARN – used to coordinate third-party access to Amazon S3 and other AWS resources
- Enter the IAM Amazon Resource Name (ARN) that these permissions are applicable for in the IAM ARN field. This should be entered in the format arn:partition:service:region:account:resource.
- Enter the external ID assigned for accessing the Amazon S3 account in the External ID field. This is the ID assigned to your user role created by the AWS account owner in the AWS IAM console.
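The external ID entered above is enforced on the AWS side by the trust policy of the IAM role whose ARN you enter. The trust policy below is an added example (not from the Nexla documentation or from AWS): it lets a principal in a trusted account assume the role only when the AssumeRole call carries the matching sts:ExternalId, which is the standard AWS control against the confused-deputy problem in third-party access. The account ID 111122223333 and the external ID string are constructed placeholders; the trusted principal is assumed to be the AWS account the third party (here, Nexla) uses, which this page does not state, so confirm it with them before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleOnlyWithMatchingExternalIdPlaceholder",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXAMPLE-EXTERNAL-ID-REPLACE-ME"
        }
      }
    }
  ]
}
```

This trust policy only controls who may assume the role; the S3 permissions the role actually has come from the permissions policy attached to it (for example, a least-privilege policy like the one under Configure Permissions). Treat the external ID as a shared secret: if it is changed here, the credential in Nexla must be updated to match or the AssumeRole call will be rejected.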
Authenticate using IAM instance role – used to provide temporary access to Amazon S3 and other AWS resources
- No additional settings are required to authenticate using an IAM instance role. Ensure that your AWS infrastructure has the appropriate IAM role assigned with the necessary S3 permissions.
Advanced Credential Configuration
These optional settings provide additional security and access control features for your Amazon S3 credential. Configure these settings based on your organization's security requirements and data handling needs.
S3 Path Access Restriction
If your AWS administrator has restricted access to only specific buckets or folders, you can limit Nexla's access to those locations.
- (Optional) S3 Path Access Restriction: Enter the restricted path in the S3 Path list access is limited to field. Set this property to <bucket-name> or <bucket-name>/<folder-name> to limit access to specific locations.
Client Side Encryption Configuration
Client-side encryption encrypts data before it's uploaded to S3, providing an additional layer of security for sensitive data.
- Client Side Encryption Configuration: If your S3 objects require client-side encryption using AWS Key Management Service (KMS), enable the Enable Client Side Encryption? option and configure the following:
  - Client Side Encryption Mode: Select the type of KMS encryption mode (Encryption Only, Authenticated Encryption, or Strict Authenticated Encryption)
  - Amazon KMS Key for Encryption: Enter the KMS Key ARN used for encrypting/decrypting objects
Server Side Encryption Configuration
Server-side encryption encrypts data at rest in S3, ensuring data security even if unauthorized access occurs.
- Server Side Encryption Configuration: If your S3 objects require server-side encryption, enable the Enable Server Side Encryption? option and optionally specify:
  - Key ARN for SSE with KMS: Enter the Key ARN if you want server-side encryption via AWS Key Management Service (KMS), or leave blank to use Amazon S3-managed encryption keys
File Encryption Configuration
File encryption handles PGP-encrypted files for secure data exchange with external partners.
- File Encryption Configuration: If you need to process encrypted files (where sources decrypt files before scanning and destinations encrypt files before uploading), enable the Handle File Encryption/Decryption? option.
File encryption is typically used when exchanging sensitive data with external partners who require PGP-encrypted files. This ensures data remains secure during transmission and storage.
When File Encryption is Needed:
- Exchanging sensitive data with external partners
- Compliance requirements for encrypted data transmission
- Processing files that are already encrypted by external systems
Configure PGP Encryption Settings:
- File Encryption Protocol: Select PGP as the encryption protocol
  - PGP (Pretty Good Privacy) is a widely-used encryption standard for secure file transmission
- External User ID: Enter the ID of the user whose public key is used for encryption/decryption
  - This identifies the external party who will decrypt files you encrypt
- External User's Public Key: Enter the public key of the external user
  - Obtain this from your external partner; it is used to encrypt files for them
- Your User ID for Private Key: Enter your user ID used for generating the PGP private key
  - This identifies you as the sender/recipient of encrypted files
- Your Password for Private Key: Enter the password for your user ID
  - This password protects your private key
- Your Private Key: Enter your PGP private key
  - This key is used to decrypt files sent to you and sign files you send
For complete information about PGP encryption and key management, see the PGP User's Guide. You'll need to generate PGP keys or obtain them from your external partners before configuring this setting.
Save the Credential
- Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.
- The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.