Assign a name to the destination and click Continue.
In the Connection Settings page, enter the following settings to configure the S3 destination:
S3 Bucket Name: Enter your S3 bucket name.
Prefix: If specified, RudderStack creates a folder in the bucket with this name and pushes all data within that folder. For example, s3://<bucket_name>/<prefix>/.
Role-based Authentication: Enable this setting to use the RudderStack IAM role for authentication. For more information on creating an AWS IAM role for RudderStack, refer to this guide.
IAM Role ARN: Enter the ARN of the IAM role.
It is highly recommended to enable this setting as the access keys-based authentication method is now deprecated.
If Role-based Authentication is disabled, you need to enter the AWS Access Key ID and AWS Secret Access Key to authorize RudderStack to write to your S3 bucket.
In both the role-based and access key-based authentication methods, you need to set a policy specifying the required permissions for RudderStack to write to your S3 bucket. Refer to the Permissions section for more information. If you’re using your S3 bucket as an intermediary object storage for a warehouse destination, then refer to the S3 permissions for warehouse destinations section.
Enable Server Side Encryption: When this setting is enabled, RudderStack adds a header x-amz-server-side-encryption with the value AES256 to the PutObject request when sending the data to the S3 bucket.
If the AWS credentials are already configured in your RudderStack setup via the environment credentials or by following these steps, you can skip adding the credentials in this step. Only the S3 Bucket Name is required to set up the destination.
Amazon S3 provides encryption at rest. The object gets encrypted while saving it to the S3 bucket and is decrypted before downloading from S3.
S3 provides a way to set the default encryption behavior for a bucket. You can set the default encryption on a bucket from its properties. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer managed keys (CMKs):
Server-side encryption using AWS KMS (SSE-KMS)
RudderStack can write to S3 buckets when the default encryption is set to AWS-KMS. The objects are encrypted using the customer managed keys (CMK) when uploaded to the bucket. A CMK can be created in your AWS Key Management Service (KMS).
Follow the steps below to enable encryption using the AWS KMS-managed keys:
Create a new customer-managed key in AWS Key Management Services (KMS) and add your IAM user in the Key Usage Permission section. This will allow the IAM user to use the key for the cryptographic operations.
Select the above-created CMK when you set the AWS-KMS option in the default encryption property for the bucket, as seen above.
Server-side encryption using Amazon S3-managed Keys (SSE-S3)
When the Enable Server Side Encryption is enabled in the S3 destination settings, RudderStack adds a header x-amz-server-side-encryption with the value AES256 to the PutObject request. S3 then encrypts the object with the AES256 encryption algorithm.
You can set the default encryption property to AES-256 for your bucket as seen in the Encryption section above.
S3 will then encrypt the object when it is uploaded in the bucket, irrespective of whether the Enable Server Side Encryption is enabled in the RudderStack dashboard, or the header x-amz-server-side-encryption is present.
cookies, the cookies that are categorized as necessary are stored on your browser as they are as
for the working of basic functionalities of the website. We also use third-party cookies that
analyze and understand how you use this website. These cookies will be stored in your browser
consent. You also have the option to opt-out of these cookies. But opting out of some of these
have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This
category only includes cookies that ensures basic functionalities and security
features of the website. These cookies do not store any personal information.
learn more about cookies and why we use them, visit our cookie
policy. We'll assume you're ok with this, but you can opt-out if you wish Cookie Settings.