All Collections
Data Warehouse Sharing
Amazon S3 Connector
Sharing Funnel data to encrypted Amazon S3 bucket
Sharing Funnel data to encrypted Amazon S3 bucket

Amazon (AWS) settings needed to share Funnel data to encrypted S3 buckets

Niclas Bångman avatar
Written by Niclas Bångman
Updated over a week ago

Alt 1 - Encryption using Amazon key (SSE-S3)

Go to your bucket Properties and find the encryption section and enable it.

The "Amazon S3 key" encryption key type option will work right away while using your own key will need another permission for the AWS KMS key (see below).

Alt 2 - Encryption using your own KMS key (SSE-KMS)

Go to your bucket Properties and find the encryption section and enable it.

Select the second "Encryption key type" option and select you KMS key or create one (the AWS managed key option is not supported).

Edit the policy of the KMS key and add the statement below and update the "Resource" with the KMS ARN.

If you are using the app.funnel.io service

{
    "Sid": "Enable funnel encrypting incoming S3 data",
    "Effect": "Allow",
    "Principal":
    {
        "AWS": "arn:aws:iam::071303700930:role/funnel-export-executor"
    },
    "Action":
    [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "arn:aws:kms:{region}:{account-id}:key/{kms-key-id}"
}

If you are using the app.eu.funnel.io service

{
    "Sid": "Enable funnel encrypting incoming S3 data",
    "Effect": "Allow",
    "Principal":
    {
        "AWS": "arn:aws:iam::924192298621:role/funnel-s3-uploader-eu"
    },
    "Action":
    [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "arn:aws:kms:{region}:{account-id}:key/{kms-key-id}"
}

kms:decrypt is needed due to the S3 export making use of multi upload when the file is over a certain size.

Did this answer your question?