S3 Restricted Folder Access
  • 03 Jun 2024
Use Case

If you want to restrict Dataloop's access to a specific folder within your S3 bucket, you can do so easily.
You grant Dataloop access only to the folder you want it to work with, so there is no risk of accidental modifications or deletions in other parts of the bucket.

In this article, we walk you through the steps to limit Dataloop's access to a specific folder in your S3 bucket.

Restrict via AWS IAM policy & Dataloop Storage Driver

You'll need to create a dedicated IAM policy and a dedicated storage driver. When creating an integration, follow this article: IAM policy and storage driver creation.


Create Any Type of Integration

Example - AWS Cross Account integration


Create an IAM Policy

  1. Log in to the AWS Management Console.
  2. Go to Services and click All services. A list of services is displayed.
  3. Select the IAM service from the list.
  4. Click on Policies from the left navigation panel.
  5. Click Create policy. The Create Policy page is displayed.
  6. Select the JSON tab.
  7. Define the policy document in JSON format as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketListAccessWithPrefix",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<DataLoopBucketName>"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "<DataLoopFolderName>/"
                }
            }
        },
        {
            "Sid": "AllowBucketGetPutDelete",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<DataLoopBucketName>/<DataLoopFolderName>/*"
            ]
        }
    ]
}
  8. Click Next to review the policy.
  9. Provide a meaningful name for the policy and an optional description.
  10. Click Create policy to finish.
Note:

a. The s3:DeleteObject action allows the Dataloop platform to delete dataset items (see below).
b. Replace <DataLoopBucketName> with the name of the desired S3 bucket.
c. Replace <DataLoopFolderName> with the name of the folder you would like to restrict access to.

For a step-by-step guide on creating an IAM policy in AWS, read AWS documentation.
For a step-by-step guide on condition key examples in AWS, read AWS documentation.
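As an added example (not part of the Dataloop article or of any AWS or Dataloop tooling), the following Python script evaluates the policy above offline against a handful of requests to confirm that it allows only the intended folder. The bucket name `example-bucket` and folder name `dataloop-data` are constructed stand-ins for the two placeholders. The evaluator models only the subset of IAM semantics this policy uses: default deny, `Action` and `Resource` wildcards, and the `StringEquals` / `StringLike` condition operators.

```python
import json
import re

# Constructed sample: the page's policy with the placeholders filled in.
# "example-bucket" and "dataloop-data" are made-up names (assumption).
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketListAccessWithPrefix",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket"],
            "Condition": {"StringEquals": {"s3:prefix": "dataloop-data/"}}
        },
        {
            "Sid": "AllowBucketGetPutDelete",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::example-bucket/dataloop-data/*"]
        }
    ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition, context):
    """Evaluate the StringEquals / StringLike operators used by S3 prefix policies.

    A condition key that is absent from the request context makes these
    operators evaluate to false, so the statement does not match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not any(_glob_match(p, actual) for p in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; an explicit Deny beats any Allow; otherwise a matching Allow wins."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def folder_scope_report(policy, bucket, folder):
    """Probe the requests a folder-scoped policy should and should not allow."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    inside = f"{bucket_arn}/{folder}/image.jpg"
    outside = f"{bucket_arn}/other/image.jpg"
    return {
        "list folder": is_allowed(policy, "s3:ListBucket", bucket_arn, {"s3:prefix": f"{folder}/"}),
        "list whole bucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "list other folder": is_allowed(policy, "s3:ListBucket", bucket_arn, {"s3:prefix": "other/"}),
        "list sub-prefix": is_allowed(policy, "s3:ListBucket", bucket_arn, {"s3:prefix": f"{folder}/sub/"}),
        "get inside": is_allowed(policy, "s3:GetObject", inside),
        "delete inside": is_allowed(policy, "s3:DeleteObject", inside),
        "get outside": is_allowed(policy, "s3:GetObject", outside),
        "delete outside": is_allowed(policy, "s3:DeleteObject", outside),
        "delete bucket": is_allowed(policy, "s3:DeleteBucket", bucket_arn),
    }


if __name__ == "__main__":
    for request, verdict in folder_scope_report(POLICY, "example-bucket", "dataloop-data").items():
        print(f"{request:<20} {'ALLOW' if verdict else 'DENY'}")
```

Running the script shows the two properties worth confirming before attaching the policy: listing the bucket without the folder prefix is denied, and object reads, writes and deletes outside the folder are denied. It also shows a consequence of `StringEquals` that is easy to overlook: a listing request for a deeper prefix such as `dataloop-data/sub/` is denied, because the condition requires the exact prefix `dataloop-data/`; the AWS condition-key documentation describes `StringLike` with a `dataloop-data/*` pattern for the case where sub-prefix listings are needed.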


Create an Integration

Create the relevant integration you'd like as mentioned in the documentation of each AWS integration type.


Create S3 Storage Service on the Dataloop Platform

For more information, see the Create AWS S3 Storage Driver on the Dataloop Platform topic.