
About Amazon Simple Storage Service (S3)

The Amazon S3 connector inventories bucket configuration: policies, encryption, versioning, logging, notifications, public-access blocks, and related settings without reading object payloads. Iru assumes an IAM role you create in your account (sts:AssumeRole with an external ID). This keeps evidence focused on how buckets are configured, not on stored file contents.

How it works

You publish a role whose trust policy references Iru’s AWS principal and mandates the external ID string from the wizard. For permissions, prefer the inline policy below instead of AmazonS3ReadOnlyAccess alone - the managed policy includes s3:GetObject, which your security team may not want for a metadata-only integration.
Detail          Value
Category        Object storage
Authentication  Cross-account IAM role
References: S3 user guide, Access management.

Prerequisites

  • IAM rights to create roles and attach inline policies.
  • The live principal + external ID pair from your connector - not necessarily the sample IDs printed in older screenshots.

Connect Amazon S3 to Iru

Copy the trust policy from Iru

1. Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
[Screenshot: left navigation with Compliance expanded and Sources selected]

2. Turn on AWS S3

Find AWS S3 (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.

3. Copy the trust policy JSON

Copy the JSON exactly as presented:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1. Start Create role

Open IAM → Roles → Create role.

2. Configure trusted entity

Choose AWS account → Another AWS account. Enter 753695775620 (or the account ID Iru shows). Enable Require external ID and paste the value from Iru.

3. Skip the broad managed policy (optional)

Advance past the managed policy picker without attaching AmazonS3ReadOnlyAccess if you plan to use the metadata-only inline policy in the next step.

4. Create the metadata-only inline policy

Create the role with a placeholder name if required, then open the role → Permissions → Create inline policy → JSON editor. Paste:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:GetBucketVersioning",
        "s3:GetBucketTagging",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:GetBucketCORS",
        "s3:GetBucketWebsite",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
Save the inline policy.
This policy intentionally excludes s3:GetObject and related object-read APIs so Iru cannot pull object bodies - only bucket-level metadata.
5. Copy the role ARN

Copy the role ARN from the role summary page.

6. Verify the trust relationship

Open Trust relationships and confirm the JSON matches the wizard - external ID typos are the usual cause of AssumeRole failures.
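Before submitting the ARN, it is worth checking the two documents the role carries against what this page prescribes: the trust policy must name the Iru principal and the exact external ID (a typo or stray whitespace there is the usual AssumeRole failure), and the inline policy must keep every bucket-level action from step 4 while granting nothing that reaches object payloads. The Python below is an added example, not Iru's own tooling; it lints both documents offline. The sample documents are constructed from the JSON shown above, the external ID is the page's placeholder, and the function names and counter-examples (a pasted external ID with a trailing space, a wildcard s3:Get* grant) are this example's own.

```python
"""Lint the Iru connector role before submitting its ARN.

Added example; not Iru's own tooling. The policy documents below are
constructed inline from the JSON shown on this page. For a live role, pass
the AssumeRolePolicyDocument from `aws iam get-role` and the PolicyDocument
from `aws iam get-role-policy` to lint_role instead.
"""
import fnmatch
import json

# Values shown in the Iru wizard. The external ID is the page's placeholder;
# substitute the one your connector displays.
EXPECTED_PRINCIPAL = "arn:aws:iam::753695775620:role/IruConnect"
EXPECTED_EXTERNAL_ID = "YOUR_EXTERNAL_ID"

# Bucket-level actions the inline policy must keep (the list from step 4).
REQUIRED_ACTIONS = [
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:GetBucketPolicyStatus", "s3:GetBucketAcl", "s3:GetBucketVersioning",
    "s3:GetBucketTagging", "s3:GetBucketLogging", "s3:GetBucketNotification",
    "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration",
    "s3:GetBucketCORS", "s3:GetBucketWebsite", "s3:GetBucketObjectLockConfiguration",
]

# Actions that return object payloads; none may be reachable from the policy.
OBJECT_READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion",
                       "s3:GetObjectAttributes", "s3:SelectObjectContent"]


def as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_trust_policy(doc, principal=EXPECTED_PRINCIPAL,
                       external_id=EXPECTED_EXTERNAL_ID):
    """Return findings; an empty list means the trust policy matches the wizard."""
    findings = []
    allows = [s for s in as_list(doc.get("Statement")) if s.get("Effect") == "Allow"
              and any(action_matches(a, "sts:AssumeRole") for a in as_list(s.get("Action")))]
    if len(allows) != 1:
        return [f"expected one Allow sts:AssumeRole statement, found {len(allows)}"]
    stmt = allows[0]
    block = stmt.get("Principal")
    principals = as_list(block.get("AWS")) if isinstance(block, dict) else as_list(block)
    if principals != [principal]:
        findings.append(f"Principal is {principals}, expected [{principal!r}]")
    got = as_list((stmt.get("Condition") or {}).get("StringEquals", {}).get("sts:ExternalId"))
    if not got:
        findings.append("no StringEquals sts:ExternalId condition (confused-deputy guard)")
    elif got != [external_id]:
        hint = " (stray whitespace)" if [g.strip() for g in got] == [external_id] else ""
        findings.append(f"sts:ExternalId is {got}, expected [{external_id!r}]{hint}")
    return findings


def check_metadata_only(doc, required=REQUIRED_ACTIONS):
    """Flag grants that reach object payloads and required actions that are missing."""
    findings = []
    granted = [a for s in as_list(doc.get("Statement")) if s.get("Effect") == "Allow"
               for a in as_list(s.get("Action"))]
    for pattern in granted:
        hits = [a for a in OBJECT_READ_ACTIONS if action_matches(pattern, a)]
        if hits:
            findings.append(f"{pattern!r} reaches object reads: {', '.join(hits)}")
    for action in required:
        if not any(action_matches(p, action) for p in granted):
            findings.append(f"inline policy is missing {action}")
    return findings


def lint_role(trust_doc, perms_doc):
    """Run both checks; an empty list means the role is ready to submit."""
    return check_trust_policy(trust_doc) + check_metadata_only(perms_doc)


# Constructed sample documents: the wizard's trust policy and the
# metadata-only inline policy, as pasted in the console.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL},
    "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    "Action": "sts:AssumeRole"}]}
METADATA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]}

# Constructed counter-examples: an external ID pasted with a trailing space,
# and a wildcard grant that silently covers s3:GetObject.
TRUST_WITH_TYPO = json.loads(json.dumps(TRUST_POLICY))
TRUST_WITH_TYPO["Statement"][0]["Condition"]["StringEquals"]["sts:ExternalId"] += " "
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

if __name__ == "__main__":
    for label, trust, perms in [("as documented", TRUST_POLICY, METADATA_POLICY),
                                ("typo + wildcard", TRUST_WITH_TYPO, BROAD_POLICY)]:
        print(label, lint_role(trust, perms) or "OK")
```

An empty list from lint_role covers the two troubleshooting items below that concern the role itself (external ID mismatch, s3:GetEncryptionConfiguration dropped from the policy); bucket-policy denials are a separate check because they live outside IAM.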

Submit the role ARN in Iru

1. Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.

2. Confirm the source is Active

Submit until AWS S3 shows Active. Bucket metadata sync begins after activation.

Troubleshooting

  • Check pop-up blocker settings for the Iru site and try again.
  • External ID mismatch - re-copy from Iru without stray spaces.
  • Bucket resource policies can deny cross-account reads even when IAM allows them.
  • Confirm s3:GetEncryptionConfiguration stayed in the inline policy.

Considerations

  • Buckets are regional, but ListAllMyBuckets is global - expect multi-Region follow-up calls during inventory.
  • Explicit Deny statements in bucket policies block reads regardless of IAM allows - document expectations with auditors.
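The bucket-policy point is easy to miss during an audit: IAM can allow every action in the inline policy and a single explicit Deny in a bucket policy still wins. The Python below is an added example, not Iru's tooling, that scans a bucket policy for Deny statements reaching the connector role's bucket-level reads. It separates a Deny on the bucket ARN from one scoped to objects (bucket/*), which does not touch metadata reads, and reports statements carrying a Condition or NotPrincipal as "conditional" for manual review instead of evaluating them. The bucket name, role ARN, policy document and action subset are constructed placeholders; only the action names come from this page.

```python
"""Scan a bucket policy for explicit Deny statements that reach the connector's
bucket-level reads.

Added example, not Iru's tooling. BUCKET, ROLE_ARN, the policy document and
the action subset are constructed placeholders. For a real bucket, pass the
document returned by `aws s3api get-bucket-policy` (see policy_from_cli).
"""
import fnmatch
import json

BUCKET = "example-audit-bucket"                            # placeholder
ROLE_ARN = "arn:aws:iam::111122223333:role/IruS3Metadata"  # placeholder
# A subset of the metadata actions from step 4; pass the full list in practice.
SAMPLE_ACTIONS = ["s3:GetBucketPolicy", "s3:GetBucketAcl",
                  "s3:GetEncryptionConfiguration", "s3:GetBucketPublicAccessBlock"]


def as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_covers(stmt, action):
    """Does the statement's Action (or NotAction) reach this action?"""
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in as_list(stmt["NotAction"]))
    return any(action_matches(p, action) for p in as_list(stmt.get("Action")))


def resource_covers(stmt, bucket_arn):
    """Bucket-level reads target the bucket ARN itself, never bucket/*."""
    if "NotResource" in stmt:
        return not any(fnmatch.fnmatchcase(bucket_arn, r) for r in as_list(stmt["NotResource"]))
    return any(fnmatch.fnmatchcase(bucket_arn, r) for r in as_list(stmt.get("Resource")))


def principal_covers(stmt, role_arn, account_root):
    """Does the Deny name this role: directly, via its account root, or via '*'?"""
    if "NotPrincipal" in stmt:
        return True  # exclusion semantics are subtle; reported as conditional below
    block = stmt.get("Principal")
    if block == "*":
        return True
    if isinstance(block, dict):
        aws = as_list(block.get("AWS"))
        return "*" in aws or role_arn in aws or account_root in aws
    return False


def denies_for(policy, bucket, role_arn, actions):
    """Return (action, Sid, verdict) for every Deny that reaches one of `actions`.

    verdict is "blocks" for an unconditional Deny and "conditional" when the
    statement carries a Condition or NotPrincipal and needs manual review.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    account_root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    hits = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not (resource_covers(stmt, bucket_arn) and principal_covers(stmt, role_arn, account_root)):
            continue
        verdict = "conditional" if "Condition" in stmt or "NotPrincipal" in stmt else "blocks"
        for action in actions:
            if action_covers(stmt, action):
                hits.append((action, stmt.get("Sid", "<no Sid>"), verdict))
    return hits


def policy_from_cli(output):
    """`aws s3api get-bucket-policy` wraps the document as a JSON string under "Policy"."""
    return json.loads(json.loads(output)["Policy"])


# Constructed bucket policy with three Deny statements of different reach:
# a conditional TLS-only Deny, an object-only Deny, and an unconditional Deny
# on bucket configuration reads that names the connector role.
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyObjectReads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    {"Sid": "DenyConfigReadsForListedRoles", "Effect": "Deny",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/Contractor", ROLE_ARN]},
     "Action": "s3:GetBucket*", "Resource": BUCKET_ARN},
]}

if __name__ == "__main__":
    for action, sid, verdict in denies_for(BUCKET_POLICY, BUCKET, ROLE_ARN, SAMPLE_ACTIONS):
        print(f"{verdict:12} {action:34} via {sid}")
```

Every "blocks" row is an action Iru will be refused on that bucket no matter what the role's IAM policy says, which is the gap to record for auditors; "conditional" rows (here the TLS-only Deny, which a connector using HTTPS never triggers) are the ones to confirm by reading the Condition.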