Capture - AWS S3 Configuration Guide

Overview

This guide provides an overview of the configuration requirements for Nuclei customers exporting data to Nuclei via Amazon S3. Customers are able to provide their own S3 resources, or to use S3 resources provided by Nuclei directly. 

Prerequisites

• Amazon S3
• AWS Identity and Access Management (AWS IAM)

Scope

Amazon S3 (Customer Provided)

The following resources are required for customer's hosting their own S3 resources:

• AWS S3 Bucket
• AWS IAM Policy
  • Actions
    • s3:GetBucketLocation
    • s3:GetBucketNotification
    • s3:GetEncryptionConfiguration
    • s3:GetObject
    • s3:ListBucket
  • Resources
    • Bucket Name
    • Bucket Name/*
• AWS IAM Role (option 1) (documentation here)
  • AWS Account ID (Nuclei provided)
  • AWS External ID(Nuclei provided)
• AWS IAM User (option 2)
  • Access Key ID
  • Secret Access Key

Afterwards, Nuclei will utilize the provided IAM credentials to retrieve and archive content from the customer hosted S3 resources. 

Example IAM Policy

The following IAM policy demonstrates correct configuration of all required scopes and resources: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketNotification",
                "s3:GetEncryptionConfiguration",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

The IAM policy must provide access to both of the following resources:

• arn:aws:s3:::bucket-name (provides access to the bucket itself and it's metadata)

• arn:aws:s3:::bucket-name/* (provides access to the objects inside the bucket)

Both resources must be included in the policy to enable retrieval of of data from the bucket. 

Amazon S3 (Nuclei Provided)

The following information will be provided to customers who are using Nuclei hosted S3 resources: 

• AWS S3 Bucket Name
• AWS IAM Role (option 1)
  • AWS Account ID (customer provided)
  • AWS External ID(customer provided)
• AWS IAM User  (option 2)
  • Access Key ID 
  • Secret Access Key

Afterwards, the customer's IT administrator is responsible for configuring the provided credentials into the source system that will be writing new content into the Nuclei provided S3 resources.  

Related Resources

AWS Documentation > Identity and Access Management in Amazon S3

AWS Documentation > Actions, resources, and condition keys for Amazon S3

AWS Documentation > Using IAM user policies with Amazon S3

AWS Documentation > How to use an external ID when granting access to your AWS resources

More Information

For more information on configuring AWS S3 based integrations with Nuclei please contact our support team team at hello@nuclei.ai.