Amazon S3
The Amazon S3 connector can be used to store files uploaded to Pure in a S3 bucket. This connector is capable of being the default storage location.
Client configuration
Bucket
The name of the S3 bucket to use.
Region
The region where the S3 bucket resides. If Default Region is selected, the connector will use the region configured in the environment.
Access keys
The credentials by the connector to access the S3 bucket. If no keys are specified in the configuration, the connector will try to obtain the credentials from the environment.
Encryption
Server side encryption
When uploading files Pure can request that the files uploaded to S3 are stored encrypted to protect the data at rest.
The following options are available:
| Encryption | Description |
|---|---|
| None | No encryption is specified when uploading files. If the bucket is configured with a default encryption it will be used. |
| SSE-S3 | Use Amazon S3 managed encryption keys to protect the data. |
| SSE-KMS | Encrypt data with a KSM-Managed key. |
Obtaining connector configuration from the environment
Instead of configuring the access keys and region directly in the configuration, they can instead be configured outside Pure.
See Working with AWS Credentials for information on how to set up the environment.
Amazon S3 configuration
The S3 bucked should have versioning enabled.
To avoid wasting space on deleted files we recommend setting up a lifecycle rule to permanently delete previous versions of files after a number of days (for example 180 days).
In order to function properly the S3 user needs permission to perform the following operations:
Object policy:
s3:PutObject, s3:GetObject, s3:DeleteObject, s3:GetObjectVersion
Bucket policy:
s3:ListBucket, s3:GetBucketVersioning, s3:ListBucketVersions
Below is an example bucket policy configuration that grants the minimum required permissions to the pure user.
{
"Version": "2012-10-17",
"Id": "PureAccessPolicy",
"Statement": [
{
"Sid": "ObjectPolicy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/pure"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::<BUCKET>/files/*"
},
{
"Sid": "BucketPolicy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/pure"
},
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:ListBucketVersions"
],
"Resource": "arn:aws:s3:::<BUCKET>"
}
]
}