Assign a name to the destination and click Continue.
If you have already configured the AWS credentials in your RudderStack setup via the environment credentials or by following these steps, specifying only S3 Bucket Name and Prefix (optional but recommended) is sufficient to set up your S3 destination.
S3 Bucket Name: Enter your S3 bucket name.
Prefix: If specified, RudderStack creates a folder in the S3 bucket with this name and pushes all data within that folder. For example, s3://<bucket_name>/<prefix>/.
Role-based Authentication: This setting is enabled by default and lets you use the RudderStack IAM role for authentication.
IAM Role ARN: Enter the ARN of the IAM role.
Using Role-based Authentication is highly recommended as the access keys-based authentication method is now deprecated and will be discontinued soon.
If Role-based Authentication is disabled, enter the AWS Access Key ID and AWS Secret Access Key to authorize RudderStack to write to your S3 bucket. For more information on obtaining these credentials, see the Permissions section.
In both the role-based and access key-based authentication methods, you need to set a policy specifying the required permissions for RudderStack to write to your S3 bucket.
Enable Server Side Encryption: When you enable this setting, RudderStack adds a header x-amz-server-side-encryption with the value AES256 to the PutObject request when sending the data to the S3 bucket. See Encryption with S3 managed keys for more information.
It is recommended to create a new bucket for storing events coming from RudderStack.
To send events to S3 successfully, you need to give RudderStack the necessary permissions to write to your bucket. You can choose any of the following approaches based on your company’s security policies and setup preferences:
Option 1: Use RudderStack IAM role
It is highly recommended to use this option for setting up the required S3 bucket permissions.
Use this approach if you are going to set up the S3 destination in RudderStack using Role Based Authentication.
Replace <S3_BUCKET_NAME> with the actual bucket name.
Return to the IAM dashboard and go to Users under Access management. Then, click on the newly-created user.
Go to the Security credentials tab and scroll down to Access keys.
Click Create access key, select the use case as per your requirement, and click Next.
If required, set the Description tag value, and click Create access key.
Note and secure the Access key and Secret access key. Use these credentials to set up your S3 destination in RudderStack.
Option 3: Allow RudderStack to write into bucket
This option is applicable only if you are using RudderStack Cloud to set up your connection.
Use this approach only if you wish to allow RudderStack to write into your S3 bucket directly.
In this case, leave the role based authentication (IAM Role ARN) or access key based authentication (AWS Access Key ID and AWS Secret Access Key) fields blank while setting up your S3 destination in RudderStack.
To allow the RudderStack to write into your S3 bucket directly, add the following JSON in your bucket policy:
When you enable the Enable Server Side Encryption dashboard setting while configuring your S3 destination, RudderStack adds a x-amz-server-side-encryption header with the value AES256 to all the PutObject requests. S3 then encrypts the object with the AES256 encryption algorithm. For more information, see S3 encryption with S3 managed keys.
If you set the default encryption key type to Amazon S3 managed keys (SSE-S3), then S3 encrypts the objects that are uploaded in the bucket with AES256 encryption - irrespective of whether the Enable Server Side Encryption is enabled in the RudderStack dashboard or the presence of the x-amz-server-side-encryption header in the PutObject requests.
cookies, the cookies that are categorized as necessary are stored on your browser as they are as
for the working of basic functionalities of the website. We also use third-party cookies that
analyze and understand how you use this website. These cookies will be stored in your browser
consent. You also have the option to opt-out of these cookies. But opting out of some of these
have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This
category only includes cookies that ensures basic functionalities and security
features of the website. These cookies do not store any personal information.
learn more about cookies and why we use them, visit our cookie
policy. We'll assume you're ok with this, but you can opt-out if you wish Cookie Settings.