Attach an AWS S3 bucket

You can attach an existing AWS S3 storage to your AoC organization. Once attached, you can make the bucket and its contents available to your AoC users.

Use this procedure when you have an existing AWS S3 bucket and want to make it (or content from it) accessible to users in your AoC workspaces. If you already have an existing Aspera transfer node (which can be on-prem or in the cloud, and managed by you or by Aspera) with its Node URL and password, see Tether Your Aspera Transfer Server to Aspera on Cloud.

AWS storage classes

When you attach an AWS bucket to your Aspera on Cloud organization, you select an AWS storage class. You can attach AWS buckets with these storage classes to AoC:
  • Standard
  • Intelligent Tiering
  • Standard Infrequent Access
  • One-zone Infrequent Access
  • Glacier Instant Retrieval
  • Glacier Flexible Retrieval
  • Glacier Deep Archive

In a workspace configured on nodes with storage class Glacier Flexible Retrieval or Glacier Deep Archive, note the following:

  • The Packages app is not available due to extended AWS retrieval times.
  • Files app users:
    • Can view files and folders. Files are marked with the label "Glacier storage". Folders are not labeled.
    • Can share folders.
    • Can upload files and folders. These items appear in the Files view after some time, depending on the duration required by AWS processing.
    • Cannot download, move, copy, or rename files. If a user downloads a folder from such a workspace, the folder appears in the expected download location but remains empty.

AoC access keys

Once you attach the AWS S3 bucket, you can give various users access to specifically designated parts of the storage using AoC access keys. Distinct from the AWS S3 bucket access keys, these native AoC access keys are an additional layer of security that allows you to securely access the bucket through AoC and other Aspera client applications. You can create multiple AoC access keys to the same AWS S3 bucket to partition access to specific areas of the storage. For details, see the articles in Access keys.

Note: Once you attach the S3 bucket, you can use the Aspera GUI to transfer to your cloud storage; see Transfer to cloud with Desktop Client, HST Server, or HST Endpoint GUI.

Prerequisites

  • You must have transfer service administrator (ATS admin) access to Aspera on Cloud.
  • You must have administrative access to the AWS S3 configuration portal.
  • The AWS S3 bucket must be in a region that is supported by the Aspera transfer service. To view the supported regions, to see IP addresses for whitelisting in your firewall configuration, and to retrieve your transfer service server URL, follow this link: https://ats.aspera.io/pub/v1/servers/AWS.
  • You must have an AWS S3 IAM Role to use for trust relationship policies. You need to add this role in the AWS portal Trust relationships tab. Note the role name so you can add it in the following procedure; for example, "Aspera-Role". To create an IAM role, see Create an AWS S3 IAM role and policy.
  • To provide extra security for your environment, see the procedure below called "Enhance Access Security for an AWS S3 Bucket".

Procedure: How to attach the bucket to AoC

This procedure requires you to use both the Aspera on Cloud Admin interface and the AWS portal interface.

  1. In the Aspera on Cloud Admin app, do the following:
    1. Go to Nodes and storage > Nodes > Create new.
    2. Click Attach my cloud storage.
      If this option does not appear at the top of the page, you do not have transfer service admin (ATS admin) privileges. You must ask a user who has ATS admin privileges to add this privilege to your user profile. The transfer service admin should go to Users, filter for your user name, then click the row to open your user record; then, in the Admin roles section, click the check box labeled ATS admin, then Save.
    3. Enter a Node name for the transfer service node; this name refers to the AWS S3 storage.
    4. If a pre-configured network policy is required for this node, click the Network policy field and select the intended policy.
      For details, see Creating Network Policies.
    5. If a pre-configured node configuration policy is required for this node, click the Configuration policy field and select the intended policy.
    6. In the Storage field, select Amazon S3.
    7. In the Region field, select the Amazon region that contains the S3 bucket.
    8. In the Storage class field, select the desired setting.
    9. In the Amazon S3 Server-side encryption field, select the desired encryption type, if any.
      Note: You can enable encryption only on nodes that are not configured for watermarking. See this article for details.
    10. If you selected AWS KMS in the previous field, enter the KMS key ID ARN or key alias ARN in the KMS key ID or key alias ARN field.
      KMS key ID ARN:
      Syntax: arn:aws:kms:<region>:<account_number>:key/<encryption_key_id>
      Example: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
      KMS key alias ARN:
      Syntax: arn:aws:kms:<region>:<account_number>:alias/<encryption_key_alias>
      Example: "arn:aws:kms:us-west-2:111122223333:alias/my_key_alias"
      Note: Be sure to include the AWS bucket region in the ARN.
    11. Copy the contents of the Trust relationship policy field. If necessary, you can edit the policy before you copy it.
      Important: The trust relationship JSON updates with each page load.
      • Before you copy the trust policy, be sure that you have correctly configured the region (step 1.7 above).
      • After you copy the trust relationship, be sure to save the configuration or otherwise verify the page is not reloaded.
      If the page reloads after you copy the trust relationship, there will be a mismatch between the trust relationship in AoC and the trust relationship in the AWS console.
      Sample trust relationship policy
  2. Log in to the AWS portal and do the following:
    1. Go to Services > IAM > Roles. Find the IAM role you created for the trust relationship policy; for example, "Aspera-Role".
    2. Click to select the role and go to the Trust relationships tab.
    3. Click Edit trust relationship.
    4. Paste the policy you copied from the Aspera on Cloud Trust relationship policy field in step 1.11. Be sure the paste operation replaces all existing text.
    5. Click Update Trust Relationship.
    6. Copy the role ARN (Amazon Resource Name) for this role.
  3. Return to the Aspera on Cloud Nodes > Create new > Attach my cloud storage window and do the following:
    1. Paste the role ARN that you copied from the AWS portal in the AoC IAM Role ARN field.
    2. Complete the form with the S3 bucket and path.
      • To grant access to the entire bucket, enter / (that is, a slash character).

        Sample Path field with a slash character

      • To grant access to a specific directory in the bucket, enter /<path_name> (that is, slash+path_name).

        Sample Path field with a slash character followed immediately by a path name. No intervening space.

    3. Click Save.
      Note: If you see the error message, "Unable to create ATS access key and secret", see Trouble creating a new access key for a troubleshooting procedure.
    4. Download or copy and save the Aspera on Cloud access key and secret according to local site practice. These credentials allow you to access this node for content management and configuration activities. If you download, Aspera generates a text file with the default name KeySecret.txt. Aspera recommends that you rename this file to make it easier to track and manage.
      Important: Aspera on Cloud does not store the secret. Once you complete this step, you can no longer retrieve the secret. You must track these credentials according to your own local site security practices.
    5. To protect content in this bucket with Aspera encryption at rest, do one of the following:
    6. Click Save to complete creation of the new transfer service node. See this new node in the list of nodes by going to Nodes and storage > Nodes.
This storage can now be used to support a workspace.
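The ARN rules from step 1.10 (a KMS key ID ARN or a key alias ARN, and the note that the ARN must carry the bucket's region) as a check that can be run on the value before it is pasted into the KMS key ID or key alias ARN field. This is an added example, not Aspera code; the sample ARNs are the ones quoted in that step, and the function names `parse_kms_arn` and `check_kms_arn` are chosen here.

```python
"""Validate the KMS key ID / key alias ARN asked for in step 1.10 before it
is pasted into the AoC form. Added example, not Aspera code; the sample ARNs
in the usage block are the ones quoted in the procedure."""
import re

# arn:aws:kms:<region>:<account_number>:key/<encryption_key_id>
# arn:aws:kms:<region>:<account_number>:alias/<encryption_key_alias>
KMS_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):"
    r"(?P<rtype>key|alias)/(?P<rid>.+)$"
)
# KMS key IDs are UUIDs (8-4-4-4-12 lowercase hex groups).
KEY_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_kms_arn(arn):
    """Split a KMS ARN into its fields; raise ValueError if it is not one."""
    m = KMS_ARN.match(arn.strip().strip('"'))  # tolerate quotes copied from the example
    if not m:
        raise ValueError(f"not a KMS key or alias ARN: {arn!r}")
    return m.groupdict()


def check_kms_arn(arn, bucket_region):
    """Return the list of problems found; an empty list means the ARN is usable."""
    try:
        parts = parse_kms_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # Step 1.10 note: the ARN must include the bucket's own region.
    if parts["region"] != bucket_region:
        problems.append(
            f"ARN region {parts['region']} does not match bucket region {bucket_region}"
        )
    if parts["rtype"] == "key" and not KEY_ID.match(parts["rid"]):
        problems.append(f"key ID {parts['rid']!r} is not a KMS key ID (UUID)")
    return problems


if __name__ == "__main__":
    for arn in (
        "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        '"arn:aws:kms:us-west-2:111122223333:alias/my_key_alias"',
        "arn:aws:kms:us-east-1:111122223333:alias/my_key_alias",  # wrong region
        "1234abcd-12ab-34cd-56ef-1234567890ab",                      # bare key ID, not an ARN
    ):
        print(arn, "->", check_kms_arn(arn, "us-west-2") or "ok")
```

A bare key ID or alias name is rejected on purpose: the field takes the full ARN, and the region mismatch case is exactly the one the note in step 1.10 warns about.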

Optional: Enhance access security for an AWS S3 bucket

You can apply an optional policy to enhance AWS S3 bucket access security. Use the procedure below to restrict access to the bucket from any IP address except those you specifically designate; this restriction is also known as whitelisting. This policy will still allow the Aspera transfer service to access the bucket for transfer operations.
  1. In the Amazon console, go to the intended bucket, then click Permissions > Block public access.
  2. Configure the options as shown in the following screenshot, being sure not to block cross-account access. Amazon configuration console for a bucket, with the Permissions tab selected. All options are set to on except the option Block public and cross-account access to buckets and objects through any public bucket policies, which is set to Off.
  3. Go to Permissions > Bucket Policy.
  4. Enter the same policy that you applied to the associated role.
  5. Copy the "Principal" stanza from the trust relationship in the role to the bucket policy, as shown in the screenshot below. AWS console showing a bucket policy with two Principal stanzas highlighted.
  6. If desired, use this JSON example, changing the following:
    • Replace the sample "Principal" stanza shown below with the actual "Principal" stanza from the trust relationship in the associated role.
    • For the variable <region>, substitute the region for your bucket.
    • For the variable <bucket_name>, substitute the bucket name.
    • For the variable <allowed_IP_address>, substitute the allowed IP address(es), formatted in a JSON array (for example: ["192.0.2.0/24", "203.0.113.0/24"]).
    • For the variable <ats_vpc>, substitute the AWS virtual private cloud ID or VPC endpoint ID (see list following this sample).
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::880559705280:role/atp-aws-<region>-ts-atc-node"
          },
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:ListMultipartUploadParts",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket_name>/*"
          ],
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": "<allowed_IP_address>"
            },
            "StringNotEquals": {
              "aws:SourceVpc": "<ats_vpc>"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::880559705280:role/atp-aws-<region>-ts-atc-node"
          },
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket_name>"
          ],
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": "<allowed_IP_address>"
            },
            "StringNotEquals": {
              "aws:SourceVpc": "<ats_vpc>"
            }
          }
        }
      ]
    }

Find the required VPC ID and VPCE ID listed by AWS region below:

atp-aws-ap-northeast-1-vpc
  vpc name: atp-ap-northeast-1-ts-vpc
  vpc id:   vpc-ddce48b9
  vpce id:  vpce-86f431ef
atp-aws-ap-southeast-1-vpc
  vpc name: atp-ap-southeast-1-ts-vpc
  vpc id:   vpc-c9b884ad
  vpce id:  vpce-c25a8bab
atp-aws-ap-southeast-2-vpc
  vpc name: atp-ap-southeast-2-ts-vpc
  vpc id:   vpc-3cc0c758
  vpce id:  vpce-8c9c5ae5
atp-aws-eu-central-1-vpc
  vpc name: atp-eu-central-1-ts-vpc
  vpc id:   vpc-dac878b2
  vpce id:  vpce-bfae55d6
atp-aws-eu-west-1-vpc
  vpc name: atp-eu-west-1-ts-vpc
  vpc id:   vpc-00a8d564
  vpce id:  vpce-7495681d
atp-aws-sa-east-1-vpc
  vpc name: atp-sa-east-1-ts-vpc
  vpc id:   vpc-5c7aed3b
  vpce id:  vpce-31945458
atp-aws-us-east-1-vpc
  vpc name: atp-us-east-1-ts-vpc
  vpc id:   vpc-dc6a60bb
  vpce id:  vpce-4c278825
atp-aws-us-west-2-vpc
  vpc name: atp-us-west-2-ts-vpc
  vpc id:   vpc-b69e77d1
  vpce id:  vpce-62c1390b
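The substitutions listed in step 6 of the bucket policy procedure, together with the VPC list above, worked through as an added example (not Aspera tooling): it fills the page's sample policy from the region, bucket name, allowed IP ranges and the "Principal" ARN copied from the role, then checks the result for leftover placeholders, malformed IP ranges, resources that do not name the bucket, and a VPC ID that is not the ATS VPC for the chosen region. `ATS_VPCS`, `fill_template` and `check_bucket_policy` are names chosen here; the bucket name, IP ranges and principal ARN in the usage block are constructed values. The check also accepts the endpoint ID under the `aws:SourceVpce` condition key, which is the IAM key that matches VPC endpoint IDs.

```python
"""Fill in the sample bucket policy from step 6 and sanity-check it before
pasting it under Permissions > Bucket Policy. Added example, not Aspera code;
the VPC table and template are from this page, the usage values are constructed."""
import ipaddress
import json
import re

# ATS VPC ID and VPC endpoint ID per region, copied from the list above.
ATS_VPCS = {
    "ap-northeast-1": ("vpc-ddce48b9", "vpce-86f431ef"),
    "ap-southeast-1": ("vpc-c9b884ad", "vpce-c25a8bab"),
    "ap-southeast-2": ("vpc-3cc0c758", "vpce-8c9c5ae5"),
    "eu-central-1": ("vpc-dac878b2", "vpce-bfae55d6"),
    "eu-west-1": ("vpc-00a8d564", "vpce-7495681d"),
    "sa-east-1": ("vpc-5c7aed3b", "vpce-31945458"),
    "us-east-1": ("vpc-dc6a60bb", "vpce-4c278825"),
    "us-west-2": ("vpc-b69e77d1", "vpce-62c1390b"),
}

SAMPLE_PRINCIPAL = "arn:aws:iam::880559705280:role/atp-aws-<region>-ts-atc-node"
CONDITION = ('{"NotIpAddress": {"aws:SourceIp": "<allowed_IP_address>"}, '
             '"StringNotEquals": {"aws:SourceVpc": "<ats_vpc>"}}')
# The page's sample policy, condensed; the <...> tokens are its placeholders.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "%(principal)s"},
     "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject",
                "s3:ListMultipartUploadParts", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::<bucket_name>/*"], "Condition": %(cond)s},
    {"Effect": "Allow", "Principal": {"AWS": "%(principal)s"},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"],
     "Resource": ["arn:aws:s3:::<bucket_name>"], "Condition": %(cond)s}
  ]
}""" % {"principal": SAMPLE_PRINCIPAL, "cond": CONDITION}
PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")


def fill_template(region, bucket_name, allowed_ips, principal_arn):
    """Apply the substitutions of step 6; region must appear in ATS_VPCS."""
    vpc_id, _vpce_id = ATS_VPCS[region]
    text = TEMPLATE.replace(SAMPLE_PRINCIPAL, principal_arn)
    text = text.replace("<region>", region).replace("<bucket_name>", bucket_name)
    # The IP list replaces the *quoted* placeholder: the value becomes a JSON array.
    text = text.replace('"<allowed_IP_address>"', json.dumps(list(allowed_ips)))
    return text.replace("<ats_vpc>", vpc_id)


def _strings(node):
    """Yield every string value inside a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (list, dict)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)


def check_bucket_policy(policy_text, region, bucket_name):
    """Return a list of problems; an empty list means the policy is consistent."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    problems = [f"placeholder {ph} was not replaced"
                for s in _strings(policy) for ph in PLACEHOLDER.findall(s)]
    ats_ids = set(ATS_VPCS.get(region, ()))
    if not ats_ids:
        problems.append(f"region {region} is not in the ATS VPC list")
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for i, st in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}]"
        for res in st.get("Resource", []):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"{where}: Resource {res} is not bucket {bucket_name}")
        cond = st.get("Condition", {})
        ips = cond.get("NotIpAddress", {}).get("aws:SourceIp", [])
        if not ips:
            problems.append(f"{where}: no aws:SourceIp condition")
        for cidr in ([ips] if isinstance(ips, str) else ips):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{where}: {cidr!r} is not a valid IP range")
        # aws:SourceVpc carries a VPC ID, aws:SourceVpce a VPC endpoint ID.
        sne = cond.get("StringNotEquals", {})
        vpc = sne.get("aws:SourceVpc") or sne.get("aws:SourceVpce")
        if vpc is None:
            problems.append(f"{where}: no aws:SourceVpc/aws:SourceVpce condition")
        elif ats_ids and vpc not in ats_ids:
            problems.append(f"{where}: {vpc} is not the ATS VPC for {region}")
    return problems


if __name__ == "__main__":
    policy = fill_template("us-west-2", "example-bucket", ["192.0.2.0/24", "203.0.113.0/24"],
                           "arn:aws:iam::880559705280:role/atp-aws-us-west-2-ts-atc-node")
    print(policy)
    print("problems:", check_bucket_policy(policy, "us-west-2", "example-bucket"))
```

Running the check on the unfilled template reports every leftover placeholder, which is the mistake the substitution list in step 6 is there to prevent; running it with a region other than the bucket's reports a VPC mismatch for each statement.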

For more information on bucket policies, refer to the AWS documentation.