AWS S3 Bucket Integration

This guide describes how to configure AWS IAM access when a customer wants EPMware to upload files to an AWS S3 bucket.

Overview

When customers want EPMware to upload files to their Amazon S3 bucket, IAM permissions must be configured between the customer AWS account and the EPMware AWS account.

Two approaches are supported.

| Approach | Description | Recommended |
|---|---|---|
| Standard Approach | The customer creates an IAM Role in their AWS account and grants account permissions to the EPMware AWS account. For this, EPMware provides its AWS Account ID. The customer then shares the Role ARN and bucket details with the EPMware team. | ✅ Yes |
| Alternative Approach | The EPMware team creates a role in its AWS account. Because the bucket is in the customer account, the customer must update their bucket policy to allow that EPMware role to upload files. | Supported |

Standard Approach (Recommended)

  1. Customer creates an IAM Role in their AWS account.
  2. EPMware provides its AWS Account ID.
  3. Customer grants trust to the EPMware AWS Account.
  4. Customer shares:
     • Role ARN
     • Bucket Name
     • Bucket Region
  5. EPMware assumes the customer role and uploads files to the S3 bucket.

Alternative Approach

In this approach, EPMware creates an IAM Role in its AWS account and the customer updates the S3 bucket policy to allow that role access.

Step 1 – Create IAM Role

  1. Log in to the EPMware AWS Account.
  2. Navigate to IAM → Roles.
  3. Click Create Role to create a new role.
  4. Use the default options for Permissions (do not select any).
  5. Assign a Role name that identifies the customer name and environment.
    For example, <CustomerName>_IAM_AWS_S3_PROD
  6. Create a Permissions Policy (Customer Inline Policy).
  7. Select the JSON format to add the policy details (this can be done after the customer provides their details).
  8. Provide a name for the policy. As with roles, assign a name that designates the customer name and environment.
  9. Provide the EPMware role ARN to the customer.

Information Required from Customer

The customer should provide:

  • S3 Bucket Name
  • AWS Region
  • Bucket Policy requirements
  • (Optional) Folder/Prefix restrictions

Information Shared by EPMware

EPMware provides:

  • AWS Account ID (Standard Approach)
  • IAM Role ARN (Alternative Approach)

Best Practices

  • Use separate IAM Roles for DEV, TEST, and PROD.
  • Follow least-privilege access.
  • Avoid wildcard permissions where possible.
  • Use descriptive naming conventions.
  • Review IAM permissions periodically.
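
The following Python sketch is an added example, not EPMware's own tooling. For the Alternative Approach it builds the upload-only inline policy for the role and the matching bucket policy statement from the details exchanged above, then checks both for wildcard principals, actions, and bucket names. The account ID, role name, bucket name, and prefix are constructed placeholders, and restricting the role to s3:PutObject is an assumption about what "upload files" requires.

```python
import json

# Constructed placeholder values (not from the page); substitute the real
# role ARN, bucket name and prefix exchanged between EPMware and the customer.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleCustomer_IAM_AWS_S3_PROD"
BUCKET = "example-customer-bucket"
PREFIX = "epmware/uploads"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def upload_resource(bucket, prefix=""):
    """Object ARN pattern limited to the agreed prefix (whole bucket if none)."""
    prefix = prefix.strip("/")
    return f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"

def role_inline_policy(bucket, prefix=""):
    """Inline identity policy for the role in the EPMware account: upload only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "UploadOnly", "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": upload_resource(bucket, prefix)}]}

def bucket_policy(role_arn, bucket, prefix=""):
    """Statement the customer adds to the bucket policy, naming one role."""
    stmt = dict(role_inline_policy(bucket, prefix)["Statement"][0],
                Sid="AllowEpmwareRoleUpload", Principal={"AWS": role_arn})
    return {"Version": "2012-10-17", "Statement": [stmt]}

def lint(policy):
    """Flag Allow statements with wildcard principals, actions or bucket names."""
    findings = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal", {})
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" in principals:
            findings.append(f"{s.get('Sid')}: wildcard principal")
        findings += [f"{s.get('Sid')}: wildcard action {a}"
                     for a in _as_list(s["Action"]) if "*" in a]
        findings += [f"{s.get('Sid')}: wildcard bucket in {r}"
                     for r in _as_list(s["Resource"])
                     if "*" in r.split(":::")[-1].split("/")[0]]
    return findings

if __name__ == "__main__":
    policy = bucket_policy(ROLE_ARN, BUCKET, PREFIX)
    print(json.dumps(policy, indent=2))
    print(lint(policy) or "no wildcard findings")
```

Both policies must allow the upload for cross-account access to work: the inline policy on the role and the statement in the customer's bucket policy.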

Summary

The Standard Approach is recommended because customers retain ownership of IAM roles while allowing EPMware to assume the required permissions.

The Alternative Approach should be used only when customer policies require EPMware to manage the IAM Role and the customer is able to update their S3 Bucket Policy accordingly.