BLAM AWS Service Permissions
BLAM requires certain IAM and ARN permissions in order to interact with AWS services on your AWS account. Policies should be applied through user group permissions directly on the IAM user account set up specifically for use by BLAM. Some services require Role ARNs in addition to group permissions in order to perform additional actions, such as sending requests to other services (for example S3 or SNS) on your behalf.
BLAM automatically calls the correct Amazon Region based on the S3 Region in which the source media is held. Service calls are regionally locked, meaning that both input and output locations must be in the same Amazon Region. An exemption is made when transferring files between AWS Accounts, and similarly a dedicated BLidget is provided for copying S3 Objects between Amazon Regions within the same AWS Account, to reduce the risk of unintentional data egress charges.
S3
IAM Group Permissions
- AmazonS3FullAccess (AWS Managed Policy) – gives BLAM access to all S3 operations to fully orchestrate S3 storage from within BLAM
- Cross-Account Bucket Policy (Custom Policy) – required to allow transferring S3 Objects between AWS Accounts e.g. delivering media to a third party
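The cross-account transfer above only works if the receiving account's bucket also grants access to the BLAM principal; the following bucket policy, attached to the third party's destination bucket, is an added illustration and not a policy shipped with BLAM. The account ID, user name, bucket name and `deliveries/` prefix are placeholders, and the action set is an assumption scoped to the minimum needed to list a prefix and read or write objects under it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBlamUserToListDeliveryPrefix",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/blam-service-user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::third-party-delivery-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "deliveries/*"
        }
      }
    },
    {
      "Sid": "AllowBlamUserToReadWriteDeliveryObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/blam-service-user"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::third-party-delivery-bucket/deliveries/*"
    }
  ]
}
```

The BLAM-side IAM group still needs its own allow for these actions on the foreign bucket ARN; AmazonS3FullAccess already covers that, but a tighter custom policy should name the destination bucket explicitly. If the destination bucket has ACLs enabled rather than the BucketOwnerEnforced object ownership setting, objects should be written with the bucket-owner-full-control ACL so the receiving account owns them.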