
Amazon S3 Permissions

Qualytics calls the S3 APIs with the credentials supplied in the connection form, reading from the bucket and (for enrichment) writing back to it. The IAM identity (user or assumed role) behind the connection must have the permissions listed below.

Which identity carries those permissions depends on the authentication mode:

| Authentication mode | Identity that carries the S3 permissions |
|---|---|
| Access Key | The IAM user behind the Access Key ID and Secret Access Key |
| IAM Role | The target role (the role ARN entered in the connection form). The dataplane identity only needs sts:AssumeRole against that target role. See IAM Role Authentication. |

Where IAM Role is available

IAM Role authentication is offered only on AWS-hosted and local Qualytics deployments. On Azure and GCP deployments, only Access Key is available.

S3 requires both bucket-level and object-level grants to authenticate a read or write. Granting only object-level permissions (such as s3:GetObject) without the bucket-level counterparts (s3:ListBucket, s3:GetBucketLocation) is the most common cause of permission errors that look like authentication failures.

Source Datastore Permissions (Read-Only)

A read-only role lets Qualytics discover, profile, and scan files in the bucket. It cannot write anywhere.

| Permission | Resource | Purpose |
|---|---|---|
| s3:ListBucket | arn:aws:s3:::<bucket> | List objects inside the bucket so Qualytics can discover files |
| s3:GetBucketLocation | arn:aws:s3:::<bucket> | Resolve the bucket region |
| s3:GetObject | arn:aws:s3:::<bucket>/* | Read file contents during profile and scan |
| s3:ListBucketMultipartUploads | arn:aws:s3:::<bucket> | Allow Qualytics to see in-progress multipart uploads when listing the bucket |

Example source-only IAM policy

Replace <YOUR_BUCKET> with the bucket name configured in the URI field.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR_BUCKET>",
                "arn:aws:s3:::<YOUR_BUCKET>/*"
            ]
        }
    ]
}

Enrichment Datastore Permissions (Read-Write)

An enrichment role needs read access plus write and cleanup permissions, because Qualytics creates, updates, and deletes the metadata files it produces.

| Permission | Resource | Purpose |
|---|---|---|
| s3:ListBucket | arn:aws:s3:::<bucket> | List objects in the bucket |
| s3:GetBucketLocation | arn:aws:s3:::<bucket> | Resolve the bucket region |
| s3:GetObject | arn:aws:s3:::<bucket>/* | Read enrichment files back when refreshing scans |
| s3:PutObject | arn:aws:s3:::<bucket>/* | Write anomaly records, scan results, and metadata |
| s3:DeleteObject | arn:aws:s3:::<bucket>/* | Remove superseded enrichment files |
| s3:ListBucketMultipartUploads | arn:aws:s3:::<bucket> | Allow Qualytics to track in-progress multipart uploads during writes |
| s3:ListMultipartUploadParts | arn:aws:s3:::<bucket>/* | List parts of an in-progress upload |
| s3:AbortMultipartUpload | arn:aws:s3:::<bucket>/* | Clean up incomplete multipart uploads |

Example enrichment IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR_BUCKET>",
                "arn:aws:s3:::<YOUR_BUCKET>/*"
            ]
        }
    ]
}
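The script below is an added example, not Qualytics code: it checks a policy document against the source and enrichment tables above for a given bucket and lists the grants that are missing, so the object-level-only mistake described earlier (s3:GetObject without s3:ListBucket and s3:GetBucketLocation) is caught before the connection is tested. It assumes a constructed bucket name (example-bucket), evaluates Allow statements in this one identity policy only, and ignores Deny statements, bucket policies and KMS key policies.

```python
import fnmatch
import json

# Required grants from the tables above: action -> "bucket" (arn:aws:s3:::<bucket>)
# or "object" (arn:aws:s3:::<bucket>/*) level.
SOURCE_GRANTS = {
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
    "s3:ListBucketMultipartUploads": "bucket",
    "s3:GetObject": "object",
}
ENRICHMENT_GRANTS = {
    **SOURCE_GRANTS,
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
    "s3:ListMultipartUploadParts": "object",
    "s3:AbortMultipartUpload": "object",
}

def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case=False):
    # IAM-style wildcard match ('*' and '?'). Action names are case-insensitive, ARNs are not.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def missing_grants(policy, bucket, grants=SOURCE_GRANTS):
    """Return the required actions that no Allow statement grants on the required ARN."""
    missing = []
    for action, level in grants.items():
        arn = f"arn:aws:s3:::{bucket}" + ("/*" if level == "object" else "")
        allowed = any(
            stmt.get("Effect") == "Allow"
            and any(_matches(p, action, fold_case=True) for p in _as_list(stmt.get("Action", [])))
            and any(_matches(r, arn) for r in _as_list(stmt.get("Resource", [])))
            for stmt in _as_list(policy["Statement"])
        )
        if not allowed:
            missing.append(action)
    return missing

# Constructed policy showing the common mistake: object-level grants only.
OBJECT_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

if __name__ == "__main__":
    print(missing_grants(OBJECT_ONLY_POLICY, "example-bucket"))
    # -> ['s3:ListBucket', 's3:GetBucketLocation', 's3:ListBucketMultipartUploads']
```

Run it against the policy attached to the connection's IAM user or target role; an empty list for the relevant grant set means the identity policy at least satisfies the tables above.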

Encrypted buckets (SSE-KMS)

If the bucket is encrypted with a customer-managed KMS key, S3 also requires the IAM identity to have kms:Decrypt (for reads) and kms:GenerateDataKey (for writes), scoped to that key. This is enforced by AWS, not by Qualytics. Without these grants, S3 calls fail with an AccessDenied error referencing the missing KMS action even when every S3 action above is granted.

Where to find the bucket URI

The S3 URI follows the format s3://<bucket-name> for the bucket root, or s3://<bucket-name>/<prefix> for a subfolder.

Warning

Use the bucket-level URI in the connection form, not a path that points at a specific file or prefix. Use the separate Root Path field to scope the connection to a subfolder (e.g., /raw/orders/).

  1. Open the S3 console.
  2. Find your bucket in the bucket list. The bucket URI is s3://<bucket-name>, where <bucket-name> is the name shown.

In the Qualytics connection form, enter the bucket-level URI (s3://<bucket-name>) in the URI field and use Root Path to point at the subfolder you care about (e.g., /raw/orders/).

In the API, the same value is passed as connection.uri.