What permissions do I need to complete the bucket registration with LegacyFlo?
A) If you want LegacyFlo to copy data from Vaultastic to your bucket, add the following policy to the existing policies of your bucket:
{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Sid": "LegacyfloGetBucketRegionStatement",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com",
        "AWS": "arn:aws:iam::<LegacyFlo account>:root"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<customer S3 bucketname>",
        "arn:aws:s3:::<customer S3 bucketname>/*"
      ]
    }
  ]
}
B) If you want LegacyFlo to read from your bucket and copy to a Vaultastic Store, add the following policy to the existing policies of your bucket:
{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Sid": "LegacyfloGetBucketRegionStatement",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com",
        "AWS": "arn:aws:iam::<LegacyFlo account>:root"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<customer S3 bucketname>",
        "arn:aws:s3:::<customer S3 bucketname>/*"
      ]
    }
  ]
}
C) If your bucket has server-side encryption implemented using the AWS Key Management Service (SSE-KMS), the policy of that KMS key needs to be updated to allow LegacyFlo to decrypt the content when reading and encrypt it when writing. Add the following statement to the existing key policy. (In a KMS key policy, "Resource": "*" refers only to the key the policy is attached to.)
{
  "Sid": "AllowUseOfKeyByLegacyFlo",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<LegacyFlo account>:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
The steps to do so are as below:
1. Go to the S3 bucket and open the Properties tab.
2. Under Default encryption, ensure it is set to SSE-KMS and that Bucket Key is Enabled.
3. Click the linked KMS key name to open it in the KMS console. On the KMS key page, go to the Key policy tab and click Switch to policy view.
4. Click Edit, scroll to the end of the policy, and add the following statement:
{
  "Sid": "AllowUseOfKeyByLegacyFlo",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<LegacyFlo account>:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
5. Click Save changes.
NOTES:
1. <LegacyFlo account> is the AWS account in which LegacyFlo runs. It will be provided by us; contact us via the helpdesk.
2. <customer S3 bucketname> has to be replaced by your bucket name.
Can I revoke the permissions given to LegacyFlo to access my S3 bucket?
Yes. After the migration is over, you can revoke the access by removing the policies added above.
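As an added example (not LegacyFlo's or Vaultastic's own code), the following Python helper fills the placeholders in bucket policies A and B, merges the statement into an existing bucket policy without disturbing other statements, audits the result against the actions the page lists (flagging any wider grant or any statement open to every principal), and removes the statement again for the revocation step. The account id and bucket name in the comments are constructed placeholders.

```python
import json

# Actions LegacyFlo needs per direction, exactly as listed in policies A and B above.
LEGACYFLO_ACTIONS = {
    "vaultastic_to_bucket": ["s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject"],
    "bucket_to_vaultastic": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
}
LEGACYFLO_SID = "LegacyfloGetBucketRegionStatement"

def build_legacyflo_statement(direction, legacyflo_account_id, bucket_name):
    """Fill the page's placeholders, e.g. ("vaultastic_to_bucket", "123456789012", "example-bucket")."""
    return {
        "Sid": LEGACYFLO_SID,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com",
                      "AWS": f"arn:aws:iam::{legacyflo_account_id}:root"},
        "Action": LEGACYFLO_ACTIONS[direction],
        # Bucket ARN is needed for ListBucket/GetBucketLocation, object ARN for Get/PutObject.
        "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
    }

def add_statement(policy_json, statement):
    """Append to an existing bucket policy (None = no policy yet), replacing an older copy with the same Sid."""
    policy = json.loads(policy_json) if policy_json else {"Version": "2012-10-17", "Id": "BucketPolicy", "Statement": []}
    policy["Statement"] = [s for s in policy["Statement"] if s.get("Sid") != statement["Sid"]] + [statement]
    return json.dumps(policy, indent=2)

def revoke_legacyflo(policy_json):
    """Remove only the LegacyFlo statement once the migration is over; other statements stay."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in policy["Statement"] if s.get("Sid") != LEGACYFLO_SID]
    return json.dumps(policy, indent=2)

def audit_policy(policy_json, bucket_name, direction):
    """Return findings where the LegacyFlo grant is wider than the page's policy, or any Allow is open to '*'."""
    findings = []
    expected_resources = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    for s in json.loads(policy_json)["Statement"]:
        principal = s.get("Principal")
        if s.get("Effect") == "Allow" and (principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            findings.append(f"{s.get('Sid', '<no Sid>')}: Allow to any principal")
        if s.get("Sid") != LEGACYFLO_SID:
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        for extra in sorted(set(actions) - set(LEGACYFLO_ACTIONS[direction])):
            findings.append(f"{LEGACYFLO_SID}: unexpected action {extra}")
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        for r in sorted(set(resources) - expected_resources):
            findings.append(f"{LEGACYFLO_SID}: unexpected resource {r}")
    return findings
```

Run `audit_policy` on the bucket policy as saved in the S3 console to confirm nothing beyond the listed actions and the two ARNs was granted, and again after `revoke_legacyflo` to confirm the grant is gone.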
How do I download files from S3 bucket using AWS console?
Refer to the Amazon S3 Console User Guide for the steps.
How to download files created by LegacyFlo on my S3 bucket?
When you give LegacyFlo access to upload files to your S3 bucket, you may not be able to download those files until you disable the ACL that grants LegacyFlo access to the bucket. The steps to do so are given below.
Note: The ACLs have to be restored if more LegacyFlo requests are to be executed.
1. Go to the S3 bucket's Permissions tab and edit the ACL.
2. Remove the access granted to other AWS accounts and save.
3. In the same Permissions tab, select Edit under Object Ownership, choose ACLs disabled, and click Save changes.
4. You can now download the S3 objects.