Amazon S3
The Amazon S3 connector can be used to store files uploaded to Pure in a S3 bucket. This connector is capable of being the default storage location.
Client configuration
Bucket
The name of the S3 bucket to use.
Region
The region where the S3 bucket resides. If Default Region is selected, the connector will use the region configured in the environment.
Access keys
The credentials used by the connector to access the S3 bucket. If no keys are specified in the configuration, the connector will try to obtain the credentials from the environment.
Encryption
Server side encryption
When uploading files Pure can request that the files uploaded to S3 are stored encrypted to protect the data at rest.
The following options are available:
Encryption | Description |
---|---|
None | No encryption is specified when uploading files. If the bucket is configured with a default encryption it will be used. |
SSE-S3 | Use Amazon S3 managed encryption keys to protect the data. |
SSE-KMS | Encrypt data with a KMS-managed key. |
Obtaining connector configuration from the environment
Instead of setting the access keys and region directly in the configuration, they can be configured outside Pure.
See Working with AWS Credentials for information on how to set up the environment.
Amazon S3 configuration
The S3 bucket should have versioning enabled.
To avoid wasting space on deleted files we recommend setting up a lifecycle rule to permanently delete previous versions of files after a number of days (for example 180 days).
In order to function properly the S3 user needs permission to perform the following operations:
Object policy:
s3:PutObject, s3:GetObject, s3:DeleteObject, s3:GetObjectVersion
Bucket policy:
s3:ListBucket, s3:GetBucketVersioning, s3:ListBucketVersions
Below is an example bucket policy configuration that grants the minimum required permissions to the pure user.
{
  "Version": "2012-10-17",
  "Id": "PureAccessPolicy",
  "Statement": [
    {
      "Sid": "ObjectPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/pure"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>/files/*"
    },
    {
      "Sid": "BucketPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/pure"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>"
    }
  ]
}
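A least-privilege check for a policy like the one above, as an added example that is not part of the Pure documentation: it compares what a bucket policy allows the pure user against the operations listed earlier and reports missing actions, extra actions and wildcards. The function names and the over-broad sample policy are constructed for illustration; the account id and bucket name are the page's placeholders.

```python
import json
from fnmatch import fnmatchcase
# Minimum actions from the list above, keyed by the resource type they apply to.
REQUIRED = {
    "object": {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"},
    "bucket": {"s3:ListBucket", "s3:GetBucketVersioning", "s3:ListBucketVersions"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, principal_arn):
    """Report required actions the policy lacks and anything it grants beyond them."""
    granted = {"object": set(), "bucket": set()}
    wildcards = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws:
            wildcards.append(f"{sid}: Principal *")
        elif principal_arn not in aws:
            continue  # statement does not apply to the Pure user
        actions = _as_list(stmt.get("Action", []))
        wildcards += [f"{sid}: Action {a}" for a in actions if "*" in a]
        for resource in _as_list(stmt.get("Resource", [])):
            # An S3 ARN with a "/" after the bucket name addresses objects.
            kind = "object" if "/" in resource.split(":::", 1)[-1] else "bucket"
            granted[kind].update(actions)
    missing, excess = [], []
    for kind, required in REQUIRED.items():
        lowered = {r.lower() for r in required}
        missing += [f"{kind}:{r}" for r in required
                    if not any(fnmatchcase(r.lower(), g.lower()) for g in granted[kind])]
        excess += [f"{kind}:{g}" for g in granted[kind] if g.lower() not in lowered]
    return {"missing": sorted(missing), "excess": sorted(excess), "wildcards": wildcards}

# Constructed sample input: the page's policy shape with one over-broad statement.
PURE_USER = "arn:aws:iam::XXXXXXXXXXXX:user/pure"  # placeholder account id, as on the page
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ObjectPolicy", "Effect": "Allow", "Principal": {"AWS": "%s"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::<BUCKET>/files/*"},
  {"Sid": "BucketPolicy", "Effect": "Allow", "Principal": {"AWS": "%s"},
   "Action": ["s3:ListBucket", "s3:GetBucketVersioning"],
   "Resource": "arn:aws:s3:::<BUCKET>"}]}""" % (PURE_USER, PURE_USER))
if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE, PURE_USER), indent=2))
```

An empty result in all three lists means the policy grants the pure user exactly the operations listed above and nothing more.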
Updated at July 27, 2024