Required permissions for an IAM user to work properly with Amazon Simple Storage Service (S3) API migrator in Enterprise Vault.

Article: 100032260
Last Published: 2026-01-07
Product(s): Enterprise Vault

Problem

When using Enterprise Vault (EV) with the Amazon S3 storage migrator, administrators may want to create an IAM user specifically for EV migrations, because the organization may have buckets that other departments use for other applications. The purpose is to restrict the IAM user's access to the bucket used by the EV application.

Solution

To use the Amazon S3 migrator with an IAM user whose access is limited to a specific bucket, it is recommended to use a bucket policy in conjunction with an inline user policy for the IAM user. For the purposes of this article, the IAM user is listed as 'vaultadmin' and the bucket is listed as 'veritasbucket'.

For the bucket policy apply the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::690246178796:user/vaultadmin"
            },
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::veritasbucket"
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::690246178796:user/vaultadmin"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::veritasbucket/*"
        }
    ]
}

For the IAM user inline policy apply the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionForObjectOperations",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::veritasbucket/*"
            ]
        },
        {
            "Sid": "ListAllBuckets",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
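
To check what the two policies above grant together, the following added example (not part of the original article or of Enterprise Vault) evaluates constructed requests from 'vaultadmin' against both. It assumes the user and the bucket are in the same account, where an Allow in either policy is sufficient, and it models only Allow statements with no conditions, SCPs or permission boundaries; 'otherbucket' is a hypothetical name.

```python
import re

USER = "arn:aws:iam::690246178796:user/vaultadmin"   # principal from the article
BUCKET = "arn:aws:s3:::veritasbucket"                # bucket from the article

# The article's two policies, condensed (Sid and Version omitted).
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": ["s3:*"], "Resource": BUCKET},
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:*", "Resource": BUCKET + "/*"},
]}
INLINE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET + "/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: "*" = any run of characters, "?" = exactly one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if any Allow statement naming vaultadmin (or no principal) matches."""
    for st in policy["Statement"]:
        who = st.get("Principal")  # absent in the identity (inline) policy
        if st["Effect"] != "Allow" or (who and USER not in _as_list(who["AWS"])):
            continue
        if (any(_wild(a, action, True) for a in _as_list(st["Action"]))
                and any(_wild(r, resource) for r in _as_list(st["Resource"]))):
            return True
    return False

def decision(action, resource):
    """Policies that allow vaultadmin's request; an empty list is an implicit deny."""
    named = (("inline", INLINE_POLICY), ("bucket", BUCKET_POLICY))
    return [name for name, policy in named if allows(policy, action, resource)]

if __name__ == "__main__":
    # Constructed requests; "otherbucket" stands for another department's bucket.
    for action, resource in [
        ("s3:PutObject", BUCKET + "/vault/a.dvs"),
        ("s3:ListBucket", BUCKET),
        ("s3:DeleteBucket", BUCKET),
        ("s3:GetBucketLocation", "arn:aws:s3:::otherbucket"),
        ("s3:GetObject", "arn:aws:s3:::otherbucket/report.csv"),
    ]:
        print(f"{action:22} {resource:40} {decision(action, resource) or 'DENY'}")
```

The output shows that bucket-level actions on 'veritasbucket', including s3:DeleteBucket, are granted only by the bucket policy's "s3:*", and that objects in other buckets are denied. The "Resource": "*" statement still lets the user call s3:GetBucketLocation on any bucket in the account.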
 

References

Etrack : 3874781
