Amazon Simple Storage Service (S3)

About Amazon Simple Storage Service (S3)

The Amazon S3 connector inventories bucket configuration: policies, encryption, versioning, logging, notifications, public-access blocks, and related settings without reading object payloads. Iru assumes an IAM role you create in your account (sts:AssumeRole with an external ID). This keeps evidence focused on how buckets are configured, not on stored file contents.

How It Works

Iru runs in its own AWS account. To inventory S3 bucket configuration (not object payloads by default), you create an IAM role whose trust policy references Iru’s AWS principal and mandates the External ID from the wizard, and whose permissions policy grants only the metadata reads your team approves. Prefer the inline policy below instead of AmazonS3ReadOnlyAccess alone. The managed policy includes s3:GetObject, which many teams disallow for metadata-only integrations. Paste the role’s ARN back into Iru.

Detail	Value
Category	Object storage
Authentication	Cross-account IAM role

References: S3 user guide, Access management.

Prerequisites

IAM rights to create roles and attach inline policies.
The live principal + external ID pair from your connector - not necessarily the sample IDs printed in older screenshots.

Connect Amazon S3 to Iru

Iru Compliance
AWS

Start here: open the source wizard and copy the trust policy (and note the external ID). When you are ready to create the role in AWS, switch to the AWS tab and follow Create the IAM role in AWS. After you have the Role ARN, return to the Iru Compliance tab and complete Submit the role ARN in Iru below.

Get the trust policy from Iru

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.

Left navigation: Compliance expanded, Sources selected

Turn on AWS S3

Find AWS S3 (use Category or Search by name or description). On that card, turn on the toggle. Leave the Iru is requesting access to external services wizard tab open.

Copy the trust policy JSON

The wizard shows the trust policy JSON your IAM role must use (Principal and sts:ExternalId). Below is an example of the structure; copy the live JSON from your wizard so the account, principal ARN, and external ID match exactly.

copy=false

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Switch to AWS to create the role

Keep the Iru wizard tab open for reference, then switch to the AWS tab and follow Create the IAM role in AWS.

Submit the role ARN in Iru

Finish the AWS tab first (through Create the IAM role in AWS) so you have the Role ARN from the new role.

Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN where the connector prompts for it.

Finish the connection

Click Submit Role. When the connection succeeds, the wizard shows Connection Configured.

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to Compliance → Sources and confirm the AWS S3 card is Active.

Complete Get the trust policy from Iru on the Iru Compliance tab before you create this role. Use the external ID and trust policy from the live wizard when you configure Trusted entity.

Create the IAM role in AWS

Start the Create role workflow

Open IAM → Roles → Create role.

Configure trusted entity

Choose AWS account → Another AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the value from Iru.

Skip broad managed policy (optional)

Advance past the managed policy picker without attaching AmazonS3ReadOnlyAccess if you plan to use the metadata-only inline policy in the next step.

Create the metadata-only inline policy

Create the role with a placeholder name if required, then open the role → Permissions → Create inline policy → JSON editor. Paste:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:GetBucketVersioning",
        "s3:GetBucketTagging",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:GetBucketCORS",
        "s3:GetBucketWebsite",
        "s3:GetBucketObjectLockConfiguration"
      ],
      "Resource": "*"
    }
  ]
}

Save the inline policy.

This policy intentionally excludes s3:GetObject and related object-read APIs so Iru cannot pull object bodies - only bucket-level metadata.

Copy the role ARN

Copy the role ARN from the role summary page. Switch back to the Iru Compliance tab and complete Submit the role ARN in Iru.

Verify the trust relationship

Open Trust relationships and confirm the JSON matches the wizard - external ID typos are the usual cause of AssumeRole failures.

Continue on the Iru Compliance tab to paste the Role ARN and finish the wizard (Submit the role ARN in Iru).

Troubleshooting

Nothing opens when you turn the source on

Check pop-up blocker settings for the Iru site and try again.

AssumeRole denied

External ID mismatch - re-copy from Iru without stray spaces.

Missing bucket policy rows

Bucket resource policies can deny cross-account reads even when IAM allows them.

Encryption settings absent

Confirm s3:GetEncryptionConfiguration stayed in the inline policy.

Considerations

Buckets are regional, but ListAllMyBuckets is…

Buckets are regional, but ListAllMyBuckets is global - expect multi-Region follow-up calls during inventory.

Explicit Deny statements in bucket policies block…

Explicit Deny statements in bucket policies block reads regardless of IAM allows - document expectations with auditors.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.

Iru Overview

How Endpoint, Compliance, and Identity fit together.

Artifacts Management

Upload, review, and organize evidence from sources and actions.

​About Amazon Simple Storage Service (S3)

​How It Works

​Prerequisites

​Connect Amazon S3 to Iru

​Get the trust policy from Iru

​Submit the role ARN in Iru

​Create the IAM role in AWS

​Troubleshooting

​Considerations

Buckets are regional, but ListAllMyBuckets is…

Explicit Deny statements in bucket policies block…

​Related Articles

Sources Management

Getting Started With Compliance

Iru Overview

Artifacts Management

About Amazon Simple Storage Service (S3)

How It Works

Prerequisites

Connect Amazon S3 to Iru

Get the trust policy from Iru

Submit the role ARN in Iru

Create the IAM role in AWS

Troubleshooting

Considerations

Related Articles