Currently, the official documentation for connecting CloudWorks to Amazon S3 ("Connect to Amazon S3" on Anapedia) provides a broad IAM policy example that includes s3:DeleteObject.
However, from a security governance and "Principle of Least Privilege" perspective, many organizations require more granular control over these permissions.
For instance, when an organization only uses CloudWorks to import data from S3 into Anaplan, granting s3:PutObject or s3:DeleteObject permissions creates unnecessary security risk.
I propose that Anaplan explicitly defines and documents the minimum required permissions separately for Import and Export processes.
Proposed Technical Breakdown:
1. For Import Processes (S3 → Anaplan)
The following permissions should be sufficient for reading data without write/delete access:
- s3:ListBucket: To locate objects within the bucket.
- s3:GetObject: To retrieve the data file.
- (Note: s3:PutObject and s3:DeleteObject should be excluded.)
2. For Export Processes (Anaplan → S3)
The following permissions should be sufficient for writing data:
- s3:ListBucket: To verify the destination.
- s3:PutObject: To upload/overwrite the data file.
- (Note: s3:DeleteObject is generally not required for standard overwrites using PutObject.)
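To make the Import-only and Export-only breakdowns concrete, here is an added example (my own illustration, not Anaplan's documentation or a CloudWorks-provided template) that generates a scoped IAM policy for each direction and checks an existing policy for actions beyond the proposed minimum. The bucket name, prefix, and statement layout are assumptions: it scopes s3:ListBucket to the bucket ARN with an s3:prefix condition and the object action to a single prefix, which is standard IAM practice but not something the CloudWorks documentation specifies. The broad policy it checks against is constructed here to resemble the kind of policy the post describes; it is not a copy of the documented one.

```python
import json

# Minimal S3 action sets proposed above for each CloudWorks direction.
IMPORT_ACTIONS = frozenset({"s3:ListBucket", "s3:GetObject"})
EXPORT_ACTIONS = frozenset({"s3:ListBucket", "s3:PutObject"})


def build_policy(bucket: str, prefix: str, mode: str) -> dict:
    """Return a least-privilege policy for an Import ("import") or Export ("export") process.

    Assumptions: ListBucket is restricted to one prefix via the s3:prefix condition key,
    and the object-level action is granted only under that prefix. Adjust to taste if
    CloudWorks needs to list the whole bucket.
    """
    if mode == "import":
        object_actions = ["s3:GetObject"]          # read-only: no Put, no Delete
    elif mode == "export":
        object_actions = ["s3:PutObject"]          # overwrite via Put: no Delete
    else:
        raise ValueError(f"unknown mode: {mode}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThePrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": f"{mode.capitalize()}Objects",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": f"{bucket_arn}/{prefix}/*",
            },
        ],
    }


def granted_actions(policy: dict) -> set:
    """Collect every action name appearing in Allow statements (Action may be str or list)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        granted.update(actions)
    return granted


def excess_actions(policy: dict, allowed: frozenset) -> set:
    """Actions the policy grants beyond the allowed set.

    Wildcards such as "s3:*" are not in any allowed set, so they are reported as excess
    rather than silently expanded; a reviewer must look at them by hand.
    """
    return {a for a in granted_actions(policy) if a not in allowed}


# Constructed sample of a broad policy of the kind the post describes (not the documented one).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}


if __name__ == "__main__":
    print(json.dumps(build_policy("example-bucket", "anaplan/imports", "import"), indent=2))
    print(json.dumps(build_policy("example-bucket", "anaplan/exports", "export"), indent=2))
    print("Excess vs. import-only:", sorted(excess_actions(BROAD_POLICY, IMPORT_ACTIONS)))
    print("Excess vs. export-only:", sorted(excess_actions(BROAD_POLICY, EXPORT_ACTIONS)))
```

Running it prints the two scoped templates and reports that the broad policy grants s3:PutObject and s3:DeleteObject beyond the Import-only minimum, and s3:GetObject and s3:DeleteObject beyond the Export-only minimum; the same check can be pointed at whatever policy a security team is asked to approve.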
Expected Benefits:
- Enhanced Security: Enables security teams to approve CloudWorks integration by following the principle of least privilege.
- Clearer Documentation: Provides ready-to-use JSON policy templates for different use cases (Import-only, Export-only, or Full-access).
- Risk Mitigation: Prevents accidental deletion or unauthorized modification of data in S3 buckets.