Configure Amazon S3 Bucket Policies and Permissions

Configure bucket policies, Identity and Access Management (IAM) permissions, and Virtual Private Cloud (VPC) endpoint restrictions in AWS so that your Data 360 ingestion and activation jobs can access your S3 data securely.

Task                          Permission
Configure S3 bucket policies  AWS IAM administrator access
Manage KMS key policies       AWS KMS administrator access

Grant your Data 360 IAM user S3 access through one of two mechanisms, not both. This decision applies to all policies described in this guide.

  • Resource-based access: Add an Allow statement directly in the S3 bucket policy that names the Data 360 IAM user as the principal.
  • Identity-based access: Attach an IAM policy to the Data 360 IAM user that grants the required S3 permissions. To manage S3 access at the IAM user level rather than in the bucket policy, attach a policy like the following to your Data 360 IAM user:

Choose whichever approach aligns with your access management practices. VPC endpoint Deny statements in the bucket policy apply regardless of which approach you use.

If your S3 bucket resides in a different AWS account than the one where the IAM user resides, the S3 bucket policy must explicitly grant access to the external account's IAM ARN.

Grant your Data 360 IAM user access to your S3 bucket so that ingestion jobs can retrieve your data.

  1. Open the AWS console and navigate to your S3 bucket's permissions settings.
  2. Add these permissions for your Data 360 IAM user:

     Permission            Description
     s3:GetBucketLocation  Retrieve the region of the S3 bucket
     s3:GetObject          Retrieve objects from the S3 bucket
     s3:ListBucket         List the contents of the S3 bucket

  3. Apply this bucket policy:
  4. Replace ACCOUNT_ID with your AWS account ID, data-cloud-user with the IAM username you created for Data 360, and your-bucket-name with your S3 bucket name.

Activation requires all ingestion permissions plus write and delete access.

  1. Add these permissions for your Data 360 IAM user:

     Permission            Description
     s3:DeleteObject       Delete objects from the S3 bucket
     s3:GetBucketLocation  Retrieve the region of the S3 bucket
     s3:GetObject          Retrieve objects from the S3 bucket
     s3:ListBucket         List the contents of the S3 bucket
     s3:PutObject          Write objects to the S3 bucket

  2. Apply this bucket policy:
  3. Replace ACCOUNT_ID with your AWS account ID, data-cloud-user with the IAM username you created for Data 360, and your-bucket-name with your S3 bucket name.
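The following is an added example, not Salesforce's policy text, that builds either the resource-based bucket policy (for the ingestion and activation steps above) or the identity-based IAM policy mentioned in the access-mechanism choice earlier. It uses the page's placeholders ACCOUNT_ID, data-cloud-user and your-bucket-name; the statement Sids are constructed here. The detail it adds is resource scoping: s3:GetBucketLocation and s3:ListBucket are bucket-level actions that must name the bucket ARN, while s3:GetObject, s3:PutObject and s3:DeleteObject must name bucket/*. A single statement that lists all five actions against only one of those ARN forms does not grant the actions that belong to the other form.

```python
"""Build the S3 access policy for ingestion or activation, in either the
resource-based (bucket policy) or identity-based (IAM user policy) form.

Added example, not Salesforce's code. Placeholders ACCOUNT_ID, data-cloud-user
and your-bucket-name are the page's; the Sids are constructed here.
"""
import json

INGESTION_ACTIONS = ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"]
ACTIVATION_ACTIONS = INGESTION_ACTIONS + ["s3:DeleteObject", "s3:PutObject"]
# Actions whose resource is the bucket itself, not an object key under it.
BUCKET_LEVEL_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket"}


def actions_for(mode):
    """Ingestion is read-only; activation adds write and delete."""
    if mode == "ingestion":
        return INGESTION_ACTIONS
    if mode == "activation":
        return ACTIVATION_ACTIONS
    raise ValueError(f"unknown mode {mode!r}")


def allow_statements(actions, bucket, principal_arn=None):
    """Two Allow statements: bucket-scoped actions and object-scoped actions.

    principal_arn is set for a bucket policy and omitted for an identity
    policy, which never carries a Principal element.
    """
    groups = (
        ("BucketLevel",
         sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS),
         f"arn:aws:s3:::{bucket}"),
        ("ObjectLevel",
         sorted(a for a in actions if a not in BUCKET_LEVEL_ACTIONS),
         f"arn:aws:s3:::{bucket}/*"),
    )
    statements = []
    for sid, acts, resource in groups:
        stmt = {"Sid": sid, "Effect": "Allow", "Action": acts, "Resource": resource}
        if principal_arn is not None:
            stmt["Principal"] = {"AWS": principal_arn}
        statements.append(stmt)
    return statements


def bucket_policy(mode, account_id, user_name, bucket):
    """Resource-based option: the Data 360 IAM user is the named Principal."""
    principal_arn = f"arn:aws:iam::{account_id}:user/{user_name}"
    return {"Version": "2012-10-17",
            "Statement": allow_statements(actions_for(mode), bucket, principal_arn)}


def identity_policy(mode, bucket):
    """Identity-based option: attach to the IAM user; no Principal element."""
    return {"Version": "2012-10-17",
            "Statement": allow_statements(actions_for(mode), bucket)}


if __name__ == "__main__":
    print(json.dumps(bucket_policy("activation", "ACCOUNT_ID", "data-cloud-user",
                                   "your-bucket-name"), indent=2))
```

Use bucket_policy() when you choose resource-based access and identity_policy() when you choose identity-based access; do not apply both.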

A VPC endpoint is a private pathway that enables your AWS services to access S3 without using the public internet. You can restrict your S3 bucket so that it accepts only requests routed through a specific VPC endpoint. This restriction is a common requirement in regulated environments, such as HIPAA and FCA, where data access needs to stay within a controlled network path.

For general guidance, see Controlling Access from VPC Endpoints Using Bucket Policies in the AWS documentation.

Don't copy and paste example policies without adapting them to your environment. An overly restrictive Deny policy can lock all users, including administrators, out of the bucket. Only the AWS root account can restore access to a bucket after a lockout. Always include your bucket administrators as explicit principals in the policy. The Principal element can't reference IAM groups; add administrators on a user-by-user basis.

All VPC endpoint references in this guide refer to your organization's VPC endpoint, not a Salesforce-managed endpoint.

  1. Add an Allow statement for your Data 360 IAM user. Use this Allow statement alongside a Deny statement (shown in step 2) that restricts access to your VPC endpoint. The policy can't accommodate groups.
  2. Add a Deny statement that restricts access to a specific VPC endpoint. In this example, the user named user-name-1 manages the bucket. The Principal element can't accommodate IAM groups, but you can add your bucket administrator on a user-by-user basis.

For buckets that use Server-Side Encryption with AWS Key Management Service (SSE-KMS), configure three policy layers: the bucket policy, the Key Management Service (KMS) key policy, and the IAM user policy. To understand why VPC endpoint conditions must target the bucket policy rather than the KMS key policy, see Amazon S3 Bucket Policy and KMS Condition Reference.

Before you begin, confirm that you have:

  • VPC endpoint for S3: A gateway or interface VPC endpoint configured in your VPC, with its endpoint ID (for example, vpce-0123456789abcdef0)

  • Data 360 IAM user ARN: The ARN of the IAM user created for Data 360 (for example, arn:aws:iam::ACCOUNT_ID:user/data-cloud-user)

  • KMS key ARN: The ARN of the KMS key used for SSE-KMS encryption on your bucket

  • Bucket name: The name of the S3 bucket that Data 360 accesses

  1. Add a Deny statement with an aws:SourceVpce condition that references your VPC endpoint ID. Adapt the Principal, Resource, and Condition values to coexist with your existing bucket policies and other workloads.
  2. Replace vpce-0123456789abcdef0 with your VPC endpoint ID. You can find this ID in the AWS VPC console under Endpoints.

This statement denies any S3 request from the Data 360 IAM user that doesn't originate from your VPC endpoint. You grant the IAM user S3 access separately, either through an identity-based IAM policy or a resource-based Allow statement in the bucket policy.
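The following is an added example, not Salesforce's or AWS's code, that covers both Deny statements on this page: the bucket-wide Deny that exempts the administrator user-name-1 (the VPC endpoint section) and the Deny scoped to the Data 360 IAM user only (the SSE-KMS step just above). It builds the statement in three scopes and then checks sample requests against a deliberately small model of IAM evaluation: an explicit Deny overrides any Allow, Principal and NotPrincipal are matched by ARN, Action and Resource accept wildcards, and only the StringEquals and StringNotEquals operators on aws:SourceVpce are modelled. ARNs use the page's placeholders (ACCOUNT_ID, data-cloud-user, user-name-1, your-bucket-name, vpce-0123456789abcdef0); the Sids are constructed, and the use of NotPrincipal with the account root ARN alongside each exempted user follows AWS's documented NotPrincipal-with-Deny pattern and is an assumption about how you write the exemption.

```python
"""Model the VPC endpoint Deny pattern and evaluate sample requests against it.

Added example, not Salesforce's or AWS's code. Only the subset of IAM logic
needed here is modelled: explicit Deny beats Allow, Principal/NotPrincipal by
ARN, wildcard Action/Resource, StringEquals/StringNotEquals conditions.
Placeholders are the page's; Sids are constructed.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "ACCOUNT_ID"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/user-name-1"      # bucket administrator
ROOT = f"arn:aws:iam::{ACCOUNT}:root"                   # account root, per AWS NotPrincipal guidance
D360 = f"arn:aws:iam::{ACCOUNT}:user/data-cloud-user"   # Data 360 IAM user
VPCE = "vpce-0123456789abcdef0"
BUCKET = "your-bucket-name"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]


def vpce_deny_statement(scope):
    """Deny every S3 action on the bucket unless the request arrives via VPCE.

    scope: "data360"       - Deny applies only to the Data 360 user
           "all-but-admin" - Deny applies to everyone except listed administrators
           "all"           - Deny applies to everyone, administrators included
    """
    stmt = {
        "Sid": "DenyOutsideVpcEndpoint",
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE}},
    }
    if scope == "data360":
        stmt["Principal"] = {"AWS": [D360]}
    elif scope == "all-but-admin":
        # One ARN per administrator; IAM groups cannot be listed here.
        stmt["NotPrincipal"] = {"AWS": [ADMIN, ROOT]}
    elif scope == "all":
        stmt["Principal"] = "*"
    else:
        raise ValueError(f"unknown scope {scope!r}")
    return stmt


def bucket_policy(scope):
    """Allow for both users plus the Deny; off-endpoint requests still hit the Deny."""
    allow = {
        "Sid": "AllowUsers",
        "Effect": "Allow",
        "Principal": {"AWS": [D360, ADMIN]},
        "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
        "Resource": BUCKET_ARNS,
    }
    return {"Version": "2012-10-17", "Statement": [allow, vpce_deny_statement(scope)]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(stmt, principal_arn):
    if "NotPrincipal" in stmt:
        return principal_arn not in _as_list(stmt["NotPrincipal"]["AWS"])
    principal = stmt["Principal"]
    return principal == "*" or principal_arn in _as_list(principal["AWS"])


def _condition_matches(stmt, context):
    """A request with no aws:SourceVpce key satisfies StringNotEquals, so it is denied."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, principal_arn, action, resource, context):
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        applies = (
            _principal_matches(stmt, principal_arn)
            and any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            and _condition_matches(stmt, context)
        )
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def lockout_check(policy):
    """True if the administrator is denied from outside the endpoint (e.g. the console)."""
    return evaluate(policy, ADMIN, "s3:ListBucket", BUCKET_ARNS[0], {}) == "Deny"


if __name__ == "__main__":
    for scope in ("data360", "all-but-admin", "all"):
        print(scope, "locks out administrator:", lockout_check(policy := bucket_policy(scope)))
    print(json.dumps(bucket_policy("all-but-admin"), indent=2))
```

Run lockout_check() over a candidate policy before applying it: the "all" scope reproduces the lockout the warning above describes, while "all-but-admin" and "data360" leave the administrator's console access intact and still deny the Data 360 user off the endpoint.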

  1. Grant decrypt permissions to the Data 360 IAM user, scoped to requests made through the S3 service using the kms:ViaService condition. This condition restricts the KMS key so that only S3 in your region can use it.

Don't add VPC endpoint conditions to the KMS key policy.

  2. Replace REGION with your S3 bucket's AWS region (for example, us-east-1).

In a KMS key policy, * in the Resource element refers to the key that the policy is attached to. In an IAM identity-based policy, specify the KMS key ARN instead of *.

Whether you need an identity-based KMS decrypt policy on your Data 360 IAM user depends on how your KMS key policy grants access.

  • Scenario A: Your KMS key policy grants access directly to the IAM user. If your KMS key policy names the Data 360 IAM user's ARN directly in the Principal field, the key policy alone is sufficient. You don't need an identity-based KMS decrypt policy on the IAM user.

  • Scenario B: Your KMS key policy delegates to IAM via the root principal. If your KMS key policy uses the account root principal pattern ("Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"}), the key policy delegates access decisions to IAM policies. In this case, attach an identity-based KMS decrypt policy to the Data 360 IAM user granting kms:Decrypt and kms:GenerateDataKey on the KMS key ARN.
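The following is an added example, not Salesforce's code, that ties the KMS layer together: it builds the key policy statement with the kms:ViaService condition, the identity-based decrypt policy for Scenario B, a classifier that tells you which scenario an existing key policy puts you in (and when neither applies, since an identity policy on its own never grants use of a key whose policy does not reach the user), and a check for the VPC endpoint conditions that the note above says must not go in the key policy. ACCOUNT_ID, data-cloud-user and REGION are the page's placeholders; KEY_ID and the Sids are constructed here, and us-east-1 is only the page's example region.

```python
"""KMS policy layer for an SSE-KMS bucket: key policy statement, identity
policy, Scenario A/B classification, and a misplaced-condition check.

Added example, not Salesforce's code. ACCOUNT_ID, data-cloud-user and REGION
are the page's placeholders; KEY_ID and the Sids are constructed.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "ACCOUNT_ID"
REGION = "us-east-1"                                   # replace with the bucket's region
D360 = f"arn:aws:iam::{ACCOUNT}:user/data-cloud-user"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/KEY_ID"  # KEY_ID is a placeholder
DECRYPT_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def key_policy_statement(principal_arn, region=REGION):
    """Key policy grant limited with kms:ViaService to S3 in one region.

    In a key policy, "Resource": "*" means the key the policy is attached to.
    """
    return {
        "Sid": "AllowS3UseOfKey",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": DECRYPT_ACTIONS,
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
    }


def key_policy(principal_arn):
    return {"Version": "2012-10-17", "Statement": [key_policy_statement(principal_arn)]}


def identity_kms_policy(key_arn=KEY_ARN):
    """Identity-based policy for Scenario B: the Resource is the key ARN, not "*"."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowDecryptOnBucketKey",
        "Effect": "Allow",
        "Action": DECRYPT_ACTIONS,
        "Resource": key_arn,
    }]}


def _grants_decrypt(stmt):
    """True if the statement's Action patterns cover both decrypt actions."""
    patterns = _as_list(stmt.get("Action", []))
    return all(any(fnmatchcase(a, p) for p in patterns) for a in DECRYPT_ACTIONS)


def kms_scenario(policy, user_arn, account_id=ACCOUNT):
    """Classify how a key policy reaches user_arn.

    "A"    - names the user directly: the key policy alone is sufficient
    "B"    - delegates via the account root: attach identity_kms_policy() too
    "none" - neither: an identity policy by itself will not grant key access
    """
    root = f"arn:aws:iam::{account_id}:root"
    delegates = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _grants_decrypt(stmt):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if user_arn in principals:
            return "A"
        if root in principals or account_id in principals:
            delegates = True
    return "B" if delegates else "none"


def has_vpce_condition(policy):
    """Flag VPC endpoint conditions; they belong in the bucket policy, not here."""
    for stmt in policy["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            if any(key.lower() == "aws:sourcevpce" for key in pairs):
                return True
    return False


if __name__ == "__main__":
    for principal in (D360, ROOT):
        print(principal, "->", kms_scenario(key_policy(principal), D360))
    print(json.dumps(identity_kms_policy(), indent=2))
```

Feed your existing key policy document to kms_scenario() to decide whether the identity policy is needed, and to has_vpce_condition() to confirm no aws:SourceVpce condition has crept into the key policy.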