Configure Secure Equipment Access to use an Amazon S3 external integration

Configure Secure Equipment Access (SEA) to integrate with Amazon S3 by using an external integration.

SEA supports the following authentication methods for Amazon S3 integrations:

  • Access Credential: SEA connects to Amazon S3 by using stored AWS access keys.
  • Assume Role: SEA connects to Amazon S3 by using temporary credentials through the AWS Security Token Service (STS).

Before you begin

Make sure that the following requirements are met:

Shared prerequisites

  • Create an Amazon S3 bucket for the integration.
  • Make sure that you know the S3 bucket name and the AWS Region where the bucket is hosted.

Access Credential

  • Obtain an AWS access key ID for an IAM user or service account that has access to the target bucket.
  • Obtain the corresponding secret access key.
  • Make sure that the IAM user or service account has the required S3 permissions for the target bucket. For the permissions that SEA typically requires, see the "AWS S3 permissions for account added via external integrations" section in Record Inline Sessions.

Assume Role

  • Create an AWS IAM role that SEA can assume.
  • Make sure that the IAM role uses the predefined role-name prefix. The default prefix is SEA_ext_access_. To confirm the prefix required for your deployment, hover over the Role ARN info icon in the SEA UI.
  • Configure the IAM role trust policy to allow the SEA gateway role to perform sts:AssumeRole and to include the required external ID.
  • Make sure that the IAM role has the required S3 permissions for the target bucket. SEA workflows typically require s3:PutObject, s3:GetObject, s3:ListBucket, and, when session metadata is needed, s3:GetObjectTagging.
  • In the IAM permissions policy, specify the bucket ARN in the Resource element for bucket-level access (s3:ListBucket is evaluated against the bucket ARN), and specify the object ARN with /* for objects in the bucket (s3:GetObject, s3:PutObject, and s3:GetObjectTagging are evaluated against the object ARN).
  • If the S3 bucket uses AWS KMS encryption, make sure that the IAM role also includes kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey permissions for the KMS key used by the bucket.
  • Obtain the role ARN and external ID from your AWS administrator.
  • For more information, see the AWS documentation for creating an IAM role and creating a role using custom trust policies.

Example IAM role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<SEA-GATEWAY-ROLE>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<unique-external-id>"
        }
      }
    }
  ]
}

Example IAM permissions policy for the target bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<s3-bucket-name>",
        "arn:aws:s3:::<s3-bucket-name>/*"
      ]
    },
    {
      "Sid": "KmsAccess",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:<region>:<account-id>:key/<key-id>"
    }
  ]
}

Remove the KmsAccess statement if the bucket does not use AWS KMS encryption.
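The following script is an added example, not part of SEA or Cisco's documentation, that checks the Assume Role prerequisites above before you enter them in the SEA UI: the role-name prefix on the role ARN, the trust policy (sts:AssumeRole granted to the gateway role only under the expected sts:ExternalId, and no "*" principal), and the permissions policy (the required S3 actions on both the bucket ARN and the bucket ARN with /*, KMS actions naming the bucket key only when the bucket is KMS-encrypted, and no wildcard actions or resources). The gateway role ARN, account ID, key ID, bucket name and external ID are constructed placeholders, and the prefix SEA_ext_access_ is the page's default, which you should confirm in the SEA UI; the checks use only the Python standard library and run offline against the policy JSON you intend to apply.

```python
import re

# Defaults taken from the page; confirm the prefix in the SEA UI (Role ARN info icon).
ROLE_NAME_PREFIX = "SEA_ext_access_"
REQUIRED_S3_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket"}
REQUIRED_KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/(?P<path_and_name>[\w+=,.@/-]+)$")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def check_role_arn(role_arn, prefix=ROLE_NAME_PREFIX):
    """Findings for the role SEA will assume; an empty list means the check passes."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        return [f"not a valid IAM role ARN: {role_arn!r}"]
    name = m.group("path_and_name").rsplit("/", 1)[-1]  # drop any IAM path
    return [] if name.startswith(prefix) else [f"role name {name!r} lacks the prefix {prefix!r}"]


def check_trust_policy(policy, gateway_role_arn, external_id):
    """The gateway role must get sts:AssumeRole only under the expected sts:ExternalId."""
    findings, gateway_seen = [], False
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        sid, principal = s.get("Sid", "<no Sid>"), s.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append(f"{sid}: trusts every AWS principal ('*')")
        if gateway_role_arn not in principals:
            continue
        gateway_seen = True
        ids = _as_list(s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if external_id not in ids:
            findings.append(f"{sid}: grants sts:AssumeRole without the expected sts:ExternalId condition")
    if not gateway_seen:
        findings.append("no Allow statement grants sts:AssumeRole to the SEA gateway role")
    return findings


def check_permissions_policy(policy, bucket, kms_key_arn=None):
    """Required S3 actions must cover the bucket ARN and '<bucket ARN>/*'; KMS actions must
    name the bucket key when kms_key_arn is given and be absent otherwise."""
    findings, bucket_arn = [], f"arn:aws:s3:::{bucket}"
    s3_actions, s3_resources, kms_actions, kms_resources = set(), set(), set(), set()
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        actions, resources = set(_as_list(s.get("Action"))), set(_as_list(s.get("Resource")))
        if "*" in resources or actions & {"*", "s3:*", "kms:*"}:
            findings.append(f"{s.get('Sid', '<no Sid>')}: wildcard action or resource; scope it down")
        s3, kms = {a for a in actions if a.startswith("s3:")}, {a for a in actions if a.startswith("kms:")}
        if s3:
            s3_actions, s3_resources = s3_actions | s3, s3_resources | resources
        if kms:
            kms_actions, kms_resources = kms_actions | kms, kms_resources | resources
    if REQUIRED_S3_ACTIONS - s3_actions:
        findings.append("missing S3 actions: " + ", ".join(sorted(REQUIRED_S3_ACTIONS - s3_actions)))
    for arn, what in ((bucket_arn, "bucket"), (bucket_arn + "/*", "object")):
        if arn not in s3_resources:
            findings.append(f"no S3 statement lists the {what} ARN {arn}")
    if kms_key_arn is None and kms_actions:
        findings.append("KMS statement present although the bucket is not KMS-encrypted; remove it")
    elif kms_key_arn is not None:
        if REQUIRED_KMS_ACTIONS - kms_actions:
            findings.append("missing KMS actions: " + ", ".join(sorted(REQUIRED_KMS_ACTIONS - kms_actions)))
        if kms_key_arn not in kms_resources:
            findings.append(f"no KMS statement names the bucket key {kms_key_arn}")
    return findings


def audit_integration(role_arn, trust_policy, permissions_policy, gateway_role_arn,
                      external_id, bucket, kms_key_arn=None):
    """Run all three checks; an empty result means the role is ready to enter in SEA."""
    return (check_role_arn(role_arn)
            + check_trust_policy(trust_policy, gateway_role_arn, external_id)
            + check_permissions_policy(permissions_policy, bucket, kms_key_arn))


# Constructed sample values mirroring the page's templates; the account ID, key ID,
# role names, bucket name and external ID are placeholders, not real identifiers.
GATEWAY_ROLE = "arn:aws:iam::123456789012:role/sea-gateway-role"
ROLE_ARN = "arn:aws:iam::123456789012:role/SEA_ext_access_recordings"
EXTERNAL_ID = "example-external-id-0001"
BUCKET = "example-sea-recordings"
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Effect": "Allow", "Principal": {"AWS": GATEWAY_ROLE},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Access", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket", "s3:PutObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Sid": "KmsAccess", "Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": KMS_KEY}]}

if __name__ == "__main__":
    for line in audit_integration(ROLE_ARN, TRUST_POLICY, PERMISSIONS_POLICY, GATEWAY_ROLE,
                                  EXTERNAL_ID, BUCKET, KMS_KEY) or ["OK: no findings"]:
        print(line)
```

Pass kms_key_arn=None for a bucket without KMS encryption, and the script reports a leftover KmsAccess statement as a finding rather than ignoring it. The checks are deliberately strict: a policy that works because of a wildcard is still flagged, since the point of the prefix, the external ID and the per-bucket resource ARNs is to keep the assumed role confined to this one integration.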

Procedure

  1. In the IoT Operations Dashboard, choose System Management.
  2. Click the External Integrations tab.
  3. Click + Add External Integration.
  4. In the Add External Integration panel, enter the basic details:
    • Integration Type: Select S3.
    • Name: Enter a name for the integration.
    • Description: Enter a description if needed.
  5. In Inline Monitoring Settings, enter the S3 details:
    • Region: Enter the AWS Region.
    • Bucket: Enter the S3 bucket name.
  6. In Credential Details, select the authentication method you want to use.
  7. If you selected Access Credential, enter the following values:
    • Access Key: Enter the AWS access key ID.
    • Secret Access Key: Enter the AWS secret access key.
  8. If you selected Assume Role, enter the following values:
    • Role ARN: Enter the ARN of the IAM role that SEA will assume. When you create this IAM role in AWS, use the required predefined role-name prefix. The default prefix is SEA_ext_access_. You can confirm the exact prefix by hovering over the Role ARN info icon in the SEA UI.
    • External ID: Enter the external ID configured in the IAM role trust policy.
  9. Click Add.

Result

The integration is added to System Management > External Integrations with the selected S3 authentication method. Verify that the integration appears with the expected type, and activate it if your workflow requires an active integration.

What to do next

Validate the workflow that depends on the S3 integration in your SEA environment.