At line 3 changed one line |
The __Amazon S3 REST API__ provides a comprehensive set of HTTP operations for managing and interacting with objects and buckets in Amazon S3. [Amazon S3 API Reference Link|https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html]\\ |
The __Amazon S3 REST API__ provides a comprehensive set of HTTPS operations for managing and interacting with objects and buckets in Amazon S3. [Amazon S3 API Reference Link|https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html]\\ |
At line 11 added 5 lines |
\\ |
Amazon S3 can be configured in CrushFTP using __Access Key Authentication__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.1AccessKeyAuthentication], __EC2 IAM Authentication__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.2AmazonEC2IAMAuthenticationSupport], or __Assume Role__ authentication [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-2.AccessAmazonS3UsingAssumeRole].\\ |
\\ |
!1.1 Access Key Authentication\\ |
\\ |
At line 17 changed one line |
}}} |
}}}\\ |
At line 19 changed 3 lines |
!1.1 Access Key Authentication\\ |
\\ |
To authenticate using standard Amazon S3 credentials:\\ |
To access S3, you must authenticate using standard AWS credentials:\\ |
At line 34 added 2 lines |
Ensure that your __S3 permissions are correctly configured__ as described in [1.3 Required S3 IAM Policy Permissions|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.3RequiredS3IAMPolicyPermissions], and then configure the S3 Remote VFS item as described in [1.4 S3 Remote VFS Settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.4S3RemoteVFSSettings].\\ |
\\ |
At line 34 changed 2 lines |
• Set the S3 Username to: __iam_lookup__\\ |
• Set the S3 Password to: __lookup__\\ |
• Set the S3 Remote [VFS] -> Username to: __iam_lookup__\\ |
• Set the S3 Remote [VFS] -> Password to: __lookup__\\ |
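Review bot: The new bullets call the fields "Username" and "Password", but the 1.4 settings list in this same revision labels the first one "User Name"; use the label exactly as it appears on the S3 Remote VFS item so readers can match it. Also confirm that the square brackets in "S3 Remote [VFS]" are meant as a wiki link, since bracketed text is link syntax everywhere else on this page.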
At line 41 changed one line |
• __Enable IMDSv2__: IMDS (Instance Metadata Service) v2 is the more secure version of the metadata endpoint used by EC2 instances to retrieve IAM role credentials. Enabling this option ensures that CrushFTP uses token-based access to the metadata service, protecting against SSRF attacks and adhering to AWS security best practices. ⚠️ Always enable IMDSv2 unless your instance or security policies require legacy IMDSv1.\\ |
• __Enable IMDSv2__: __IMDS (Instance Metadata Service) V2__ is the more secure version of the metadata endpoint used by EC2 instances to retrieve IAM role credentials. Enabling this option ensures that CrushFTP uses token-based access to the metadata service, protecting against SSRF attacks and adhering to AWS security best practices.\\ |
__⚠️ Important:__ Always enable IMDSv2 unless your instance or security policies require legacy IMDSv1.\\ |
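Review bot: The rewritten bullet still credits the checkbox with "protecting against SSRF attacks", while the sentence itself only says CrushFTP will use token-based access to the metadata service. Either state whether the EC2 instance must also be set to require IMDSv2 for that protection to hold, or narrow the claim to what the option does. Minor: "IMDS (Instance Metadata Service) V2" has a capital V, while the option name and the warning line use "IMDSv2".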
At line 53 added 2 lines |
Ensure that your __S3 permissions are correctly configured__ as described in [1.3 Required S3 IAM Policy Permissions|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.3RequiredS3IAMPolicyPermissions], and then configure the S3 Remote VFS item as described in [1.4 S3 Remote VFS Settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.4S3RemoteVFSSettings].\\ |
\\ |
At line 56 added 3 lines |
---- |
__❗Troubleshooting__: An __AccessDenied__ error in the logs typically indicates missing permissions. Verify that all required IAM policies are correctly attached to the user or role.\\ |
---- |
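Review bot: The troubleshooting note asks the reader to verify "all required IAM policies" without saying where they are listed. Link it to 1.3 Required S3 IAM Policy Permissions, as the other paragraphs added in this revision do, so an AccessDenied entry leads straight to the table of actions to check.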
At line 65 changed one line |
|s3:ListAllMyBuckets|Lists all buckets owned by the requester.|Needed if the application dynamically lists available buckets.\\ |
|s3:ListAllMyBuckets|Lists all buckets owned by the requester.|Required for bucket verification.\\ |
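Review bot: "Required for bucket verification." turns a conditional ("Needed if the application dynamically lists available buckets") into an unconditional requirement, without saying what bucket verification is or when CrushFTP performs it. Because this action lists all buckets owned by the requester, say whether a policy scoped to a single bucket can leave it out and what fails if it does.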
At line 69 changed one line |
|s3:AbortMultipartUpload|Cancels an in-progress multipart upload.|Used to clean up failed or cancelled large file uploads.\\ |
|s3:AbortMultipartUpload|Cancels an in-progress multipart upload.|Used to clean up failed or canceled large file uploads.\\ |
At line 81 changed one line |
__Server:__ The base domain of the S3-compatible server (s3.us-east-1.amazonaws.com for Amazon S3). This can be replaced with endpoints for non-Amazon providers.\\ |
__Server:__ The base domain of the S3-compatible server (s3.us-east-1.amazonaws.com for Amazon S3). To use a non-Amazon provider, enter the provider’s endpoint hostname in the __URL__ field. |
\\ |
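Review bot: The new sentence sits under the __Server__ label but sends the reader to the __URL__ field for a non-Amazon endpoint, so it is unclear which field takes the hostname. Name one field consistently or explain how Server and URL relate. The trailing \\ has also moved onto a line of its own, unlike every other entry in this list.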
At line 85 changed one line |
__Accelerate__: (For AWS only) Enables S3 Transfer Acceleration — faster uploads/downloads using AWS edge locations.\\ |
__Accelerate__: (For AWS only) Enables S3 Transfer Acceleration — faster uploads/downloads using AWS edge locations. [Amazon S3 Transfer Acceleration – AWS Docs Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html]\\ |
At line 89 changed one line |
__Use Bucket in Path__: Includes the bucket name as part of the S3 object key/path. This is typically not required unless working with a non-standard or custom S3-compatible backend that expects this behavior.// |
__Use Bucket in Path__: Includes the bucket name as part of the S3 object key/path. This is typically not required unless working with a non-standard or custom S3-compatible backend that expects this behavior.\\ |
At line 93 changed 2 lines |
__User Name__: Your S3 Access Key ID\\ |
__Password__: Your Secret Access Key\\ |
__User Name__: Your S3 Access Key ID or for Amazon EC2 IAM Authentication: __iam_lookup__.\\ |
__Password__: Your Secret Access Key or for Amazon EC2 IAM Authentication: __lookup__\\ |
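Review bot: In the new __User Name__ and __Password__ entries the two cases run together ("Your S3 Access Key ID or for Amazon EC2 IAM Authentication: iam_lookup"), and only the first entry ends with a period. Separate the access-key case from the EC2 IAM case, for example with a comma before "or" or as two short sentences, and punctuate both lines the same way.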
At line 96 changed one line |
__Server Side Encrypt?__: When checked, files uploaded to S3 will use Amazon S3 Server-Side Encryption (SSE-S3). This tells S3 to encrypt objects at rest using AWS-managed keys. If you want to use KMS keys instead, leave this unchecked and provide a key in the KMS Key Id field.\\ |
__Server Side Encrypt?__: When checked, files uploaded to S3 will use Amazon S3 Server-Side Encryption (SSE-S3). This tells S3 to encrypt objects at rest using AWS-managed keys. If you want to use KMS keys instead, leave this unchecked and provide a key in the KMS Key Id field. See the [Using Server-Side Encryption with Amazon S3 Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html]\\ |
At line 98 changed 4 lines |
__Canned ACL__: Sets default Access Control for uploaded files: private, public-read, authenticated-read\\ |
__Storage Class__: S3 storage tier. Like: STANDARD, GLACIER, INTELLIGENT_TIERING\\ |
__KMS Key Id__: Optional: If using AWS KMS encryption, provide the full ARN of the key here.\\ |
__Assume Role ARN__: Optional. For cross-account access using IAM Role with sts:AssumeRole.\\ |
__Canned ACL__: Sets default Access Control for uploaded files: private, public-read, authenticated-read See the [Canned ACLs – Amazon S3 Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl]\\ |
__Storage Class__: S3 storage tier. Like: STANDARD, GLACIER, INTELLIGENT_TIERING See the [Storage Classes – Amazon S3 Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html]\\ |
__KMS Key Id__: Optional: If using AWS KMS encryption, provide the full ARN of the key here. See the [ Using Server-Side Encryption with AWS KMS (SSE-KMS) Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html]\\ |
__Assume Role ARN__: Optional. For cross-account access using IAM Role with sts:AssumeRole. See the [3. Assume role Access Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-3.AssumeRoleAccess]\\ |
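Review bot: The new __Assume Role ARN__ line links to the anchor section-S3+integration-3.AssumeRoleAccess with the label "3. Assume role Access", but this revision renames that section to "2. Access Amazon S3 using Assume Role", and the intro added at line 11 already points to 2.AccessAmazonS3UsingAssumeRole. Update the anchor and label to match. In the __Canned ACL__ and __Storage Class__ lines, "See the" follows the value list with no period before it, so the reference reads as one more list item.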
At line 104 changed one line |
__Multithreaded S3 Uploads?__, __Multithreaded S3 Downloads?__: Configure parallel upload/download parts for large files. Genera settings: Admin -> Preferences -> Misc -> S3 Configuration\\ |
__Multithreaded S3 Uploads?__, __Multithreaded S3 Downloads?__: Configure parallel upload/download parts for large files. Default settings: Admin -> Preferences -> Misc -> S3 Configuration\\ |
__Add meta data: MD5 and uploaded by user__: If enabled, CrushFTP will automatically add two pieces of metadata to each uploaded file:\\ |
• md5 – The MD5 checksum of the file content (used for integrity verification).\\ |
• uploaded_by – The username of the CrushFTP user who uploaded the file.\\ |
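Review bot: The new __Add meta data__ entry does not mention that uploaded_by writes a CrushFTP username onto every object, where anyone who can read the object's metadata can see it. Say so, so that admins can decide whether to enable it on shared or externally readable buckets. Also say what checks the md5 value and when, use "metadata" consistently (the label has "meta data"), and confirm that "Default settings" is intended, since the removed text read "Genera settings" and may have meant "General".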
At line 108 changed 6 lines |
!2. Access other cloud storage through S3 REST API\\ |
Google Cloud - [Google Cloud Storage Access Through S3 REST API | https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Google%20Cloud%20Storage%20Integration#section-Google+Cloud+Storage+Integration-2.AccessThroughS3RESTAPI] \\ |
BackBlaze(b2) - [BackBlaze(b2) Access Through S3 REST API| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=BackBlaze%28b2%29%20integration#section-BackBlaze_28b2_29+integration-2.AccessThroughS3RESTAPI]\\ |
---- |
!3. Assume Role access\\ |
You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts. (for more info see: [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html], and [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html])\\ |
!2. Access Amazon S3 using Assume Role\\ |
IAM roles in AWS allow you to delegate access to resources without sharing credentials. Instead of hardcoding access keys, you can configure trusted entities to assume a role with specific permissions. (Official Docs for Deeper Understanding: [Amazon ID Roles Create for User Link|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html], and [Amazon API Assume Role Link|https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html] )\\ |
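Review bot: The new intro says roles let you delegate access "without sharing credentials" and "Instead of hardcoding access keys", but the step changed at line 143 of this same revision still has the reader enter the user's Access Key and Secret Key together with the Assume Role ARN. Reword the intro to match the procedure, for example by saying that the user's keys are used only to obtain the role's credentials for S3. Minor: the parenthetical has a stray space before the closing bracket.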
At line 125 changed one line |
Add permission policy to the specified user. This policy will use the above-created assume role.\\ |
Attach a permission policy to the specified user that allows assuming the previously created IAM role.\\ |
At line 143 changed one line |
Use the specified user's Access key and Secret along with the Assume Role ARN to obtain S3 access.\\ |
Use the specified user’s __Access Key__ and __Secret Key__ together with the __Assume Role ARN__ to obtain credentials for accessing S3.\\ |
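Review bot: "Secret Key" here does not match "Secret Access Key" in the 1.4 __Password__ entry, and the sentence does not say which fields take these values. Use one name for the credential and map it to the __User Name__, __Password__ and __Assume Role ARN__ fields listed in 1.4.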
At line 158 added 10 lines |
Ensure that your __S3 permissions are correctly configured__ as described in [1.3 Required S3 IAM Policy Permissions|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.3RequiredS3IAMPolicyPermissions], and then configure the S3 Remote VFS item as described in [1.4 S3 Remote VFS Settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.4S3RemoteVFSSettings].\\ |
---- |
!3. Access other cloud storage through S3 REST API\\ |
\\ |
__Google Cloud__ - __⚠️ Important__: Check the __SHA256 enabled on signing (Signing Version 4)__ flag. [Google Cloud Storage Access Through S3 REST API | https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Google%20Cloud%20Storage%20Integration#section-Google+Cloud+Storage+Integration-2.AccessThroughS3RESTAPI] \\ |
\\ |
__BackBlaze(b2)__ - __⚠️ Important__: __SHA256 enabled on signing (Signing Version 4)__ and __Include SHA256 to request headers (Signing Version 4 related)__ flags must be checked. [BackBlaze(b2) Access Through S3 REST API| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=BackBlaze%28b2%29%20integration#section-BackBlaze_28b2_29+integration-2.AccessThroughS3RESTAPI]\\ |
\\ |
__Yandex__ - __⚠️ Important__: Ensure that the __Server Side Encryption__ option is unchecked.\\ |
---- |
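Review bot: The __Yandex__ entry names a "Server Side Encryption" option, while the setting is labelled "Server Side Encrypt?" in 1.4. Unlike the Google Cloud and BackBlaze entries, it also gives neither a link nor a reason. Use the exact label and say what fails when the box is left checked. The "Ensure that your S3 permissions are correctly configured" paragraph at the top of this hunk is the third identical copy added in this revision (also at lines 34 and 53), so consider stating it once and linking to it.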