Custom Storage Configuration - Memzo

Note -

Replace ‘memzo-labs’ and ‘memzo-wl’ with your own bucket names in all of the policies below, and replace 988262775373 with your AWS account ID. The bucket names are the ones you either shared with the Memzo team during configuration or entered in the Dashboard:
memzo-labs: S3 bucket for storing image uploads, including thumbnails, high-resolution images, and watermarked versions.
memzo-wl: S3 bucket for storing image copies shared on social media and used for large previews.
988262775373 → AWS_ACCOUNT_ID

STEP 1 -

Create Custom Policy

s3PublishToMemzo

Policy Name: s3PublishToMemzo
This custom policy defines the permissions the integration needs against SNS and S3 for this use case.

Policy Document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:ap-south-1:708922280995:CustomS3"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketNotification",
        "s3:PutBucketNotification"
      ],
      "Resource": "arn:aws:s3:::memzo-labs"
    }
  ]
}

Details:

sns:Publish: Allows the IAM role or user to publish messages to the SNS topic CustomS3 (and only that topic, since the Resource names its ARN).
s3:GetBucketNotification & s3:PutBucketNotification: Allows the IAM role or user to read and modify the event notification configuration of the memzo-labs bucket.

STEP 2 -

Create Custom Role

S3ToMemzoPublishPolicy

Role Name: S3ToMemzoPublishPolicy
This role allows the specified principal (here the S3 service) to assume it and use the permissions attached to it. This is what lets S3 interact with other services, such as SNS or Lambda, on your behalf.

Role Trust Policy Document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Details:

Principal: Specifies that the S3 service (s3.amazonaws.com), and no other principal, is allowed to assume the role.
Action: The sts:AssumeRole action allows the service to assume the role and use its permissions.

STEP 3 -

S3 Buckets Configuration

Bucket1 (Data Bucket)

This bucket stores the data being processed and needs specific permissions for reading and writing objects.

Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::988262775373:role/S3ToMemzoPublishPolicy"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::memzo-labs/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::708922280995:role/service-role/CustomS3_process-role-if2dlxcr"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::memzo-labs",
        "arn:aws:s3:::memzo-labs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::708922280995:role/service-role/CustomS3_process-role-if2dlxcr"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::memzo-labs/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::memzo-labs/*"
    }
  ]
}

Details:

PutObject: Allows the role S3ToMemzoPublishPolicy to upload objects to the memzo-labs bucket.
GetObject & ListBucket (and the separate PutObject statement): Allows the role CustomS3_process-role-if2dlxcr to retrieve objects, list the contents of the bucket, and upload processed objects.
Public Read: The * principal with s3:GetObject grants anonymous read access to every object in the memzo-labs bucket. Because the statement names only the object ARN (memzo-labs/*), anonymous callers can fetch an object whose key they know but cannot list the bucket; the bucket's Block Public Access settings must also permit a public bucket policy for this statement to take effect.

Bucket2 (Main Bucket)

This bucket holds the image content. It uses the same configuration as the Data Bucket; adjust it if your architecture differs.

Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::988262775373:role/S3ToMemzoPublishPolicy"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::memzo-wl/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::708922280995:role/service-role/CustomS3_process-role-if2dlxcr"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::memzo-wl",
        "arn:aws:s3:::memzo-wl/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::708922280995:role/service-role/CustomS3_process-role-if2dlxcr"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::memzo-wl/*"
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::memzo-wl/*"
    }
  ]
}

Details:

This policy mirrors the Data Bucket configuration: the same roles may upload to, read from, and list the memzo-wl bucket, and objects (but not the bucket listing) are publicly readable.
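As an added check that is not part of the original doc, the following Python script renders the Data Bucket policy from a bucket name and account ID (the substitution the Note at the top asks for) and lints the result against the intended design: only object read is public, the bucket ARN itself is never public, and every resource belongs to the bucket being configured, which catches a missed rename. The template is abridged (the processing role's separate PutObject statement is left out); the placeholder names BUCKET and AWS_ACCOUNT_ID are this example's own.

```python
import json
import re

# Data Bucket policy from Step 3 with the bucket name and account ID replaced
# by placeholders, as the Note at the top of this doc says to do. Abridged: the
# processing role's separate PutObject statement is left out to keep this short.
BUCKET_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:role/S3ToMemzoPublishPolicy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::BUCKET/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::708922280995:role/service-role/CustomS3_process-role-if2dlxcr"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::BUCKET", "arn:aws:s3:::BUCKET/*"]},
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKET/*"}
  ]
}"""

def render_policy(bucket: str, account_id: str) -> dict:
    """Fill in the placeholders and parse the result; rejects a forgotten account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    text = BUCKET_POLICY_TEMPLATE.replace("BUCKET", bucket).replace("AWS_ACCOUNT_ID", account_id)
    return json.loads(text)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict, bucket: str) -> list:
    """Return findings; an empty list means the policy matches the intended design."""
    findings = []
    own_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, st in enumerate(policy["Statement"]):
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        public = st["Principal"] in ("*", {"AWS": "*"})
        # A resource outside this bucket usually means a missed rename.
        for r in resources:
            if r not in own_arns:
                findings.append(f"statement {i}: resource {r} is not in bucket {bucket}")
        # The design grants anonymous callers object read only, never listing or writes.
        if public and actions != ["s3:GetObject"]:
            findings.append(f"statement {i}: public principal granted {actions}")
        if public and any(not r.endswith("/*") for r in resources):
            findings.append(f"statement {i}: public principal on the bucket ARN itself")
    return findings
```

Run lint_policy on the rendered policy for each bucket before applying it with the console or the CLI; the same checks apply to the Main Bucket policy, which differs only in the bucket name.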

STEP 4 -

Testing Access

Test SNS Publishing:

To confirm that SNS publishing works as expected, use the following AWS CLI command to send a test message to the CustomS3 SNS topic:
~ $ aws sns publish \
> --topic-arn "arn:aws:sns:ap-south-1:708922280995:CustomS3" \
> --message "Test message from S3 to SNS"
{
"MessageId": "9f8c12d8-cc18-5ff5-a35c-72fd8074de15"
}

Details:

This command publishes a test message to the SNS topic CustomS3; a successful call returns a MessageId, as shown above. An AuthorizationError instead means the calling identity does not have the sns:Publish permission from Step 1.

STEP 5 -

Configure S3 Notification

Notification Settings:

Set up S3 event notifications so that events in the bucket (e.g., file uploads, object deletions) trigger the downstream processing. Event notifications can target AWS Lambda functions, SQS queues, or SNS topics; in this setup the destination is the CustomS3 SNS topic from the earlier steps.
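The notification configuration S3 expects, as an added Python example (not from the original doc) for the memzo-labs bucket and the CustomS3 topic used above. Because PutBucketNotificationConfiguration replaces the bucket's whole configuration, the helper merges a new topic entry into whatever is already configured instead of overwriting it; the existing Lambda entry and the uploads/ prefix are constructed sample values, and the Lambda ARN is a placeholder.

```python
import copy

# Values from the steps above; replace them as the Note at the top says.
BUCKET = "memzo-labs"
TOPIC_ARN = "arn:aws:sns:ap-south-1:708922280995:CustomS3"

def topic_configuration(topic_arn, events, prefix=None, name="memzo-uploads"):
    """One TopicConfiguration entry in the shape the S3 notification API uses."""
    cfg = {"Id": name, "TopicArn": topic_arn, "Events": list(events)}
    if prefix:  # optional key-prefix filter, e.g. only objects under uploads/
        cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return cfg

def merge_notification_config(existing, new_topic):
    """Return a copy of `existing` with `new_topic` added.
    PutBucketNotificationConfiguration replaces the bucket's entire configuration,
    so Lambda or queue entries already present must be carried over, and an entry
    with the same TopicArn and Events is left alone rather than duplicated."""
    merged = copy.deepcopy(existing)
    topics = merged.setdefault("TopicConfigurations", [])
    for t in topics:
        if t["TopicArn"] == new_topic["TopicArn"] and set(t["Events"]) == set(new_topic["Events"]):
            return merged
    topics.append(new_topic)
    return merged

# Constructed sample: the bucket already invokes a Lambda function on uploads.
EXISTING = {
    "LambdaFunctionConfigurations": [{
        "Id": "thumbnailer",
        "LambdaFunctionArn": "arn:aws:lambda:ap-south-1:988262775373:function:PLACEHOLDER",
        "Events": ["s3:ObjectCreated:*"],
    }]
}

def desired_config(existing=EXISTING):
    """Configuration that keeps the Lambda trigger and adds the CustomS3 topic."""
    return merge_notification_config(
        existing, topic_configuration(TOPIC_ARN, ["s3:ObjectCreated:*"], prefix="uploads/"))

if __name__ == "__main__":
    import boto3  # only needed to apply the configuration to a real bucket
    s3 = boto3.client("s3")
    current = s3.get_bucket_notification_configuration(Bucket=BUCKET)
    current.pop("ResponseMetadata", None)  # not part of the configuration itself
    s3.put_bucket_notification_configuration(
        Bucket=BUCKET, NotificationConfiguration=desired_config(current))
```

S3 only delivers to the topic if the topic's own access policy lets s3.amazonaws.com publish to it; that policy lives on the topic in account 708922280995, not in the bucket policies above.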


This completes the setup. Once you have followed all the steps, your S3 buckets are configured to support SNS publishing, notification handling, and public object access as required.
