This guide walks you through configuring AWS credentials (an IAM role, or an IAM user access key and secret) and gathering the configuration needed to create an Amazon Security Lake sink integration.

## AWS Credentials Configuration

Synqly supports two methods for authenticating with AWS: static credentials (IAM user access keys)
and role-based access (IAM role assumption). Role-based access is recommended for production
environments because it uses short-lived credentials and provides better auditability through
CloudTrail.

### Role-Based Access

Role-Based access is recommended and is considered an [AWS best
practice](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles).

Role-based access uses AWS IAM roles to grant Synqly temporary credentials to access resources in
your AWS account. No long-lived secret leaves your account, every assumption is recorded in
CloudTrail as an `AssumeRole` event, and the permissions policy you attach to the role bounds what
Synqly can do, so the grant can be kept to least privilege.

#### 1. Create an IAM Role

Create a role in your AWS account with a name that starts with `SynqlyAccess` (for example,
`SynqlyAccessS3Reader`). This naming convention is required.

1. In the AWS IAM console, go to **Roles** and choose **Create role**.
2. For trusted entity type, choose **Custom trust policy**.
3. Enter the following trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::733459310821:role/SynqlyIntegrationAccess"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
```

Replace `YOUR_EXTERNAL_ID` with a unique identifier you generate (for example, a UUID). You will
provide this External ID when configuring the integration.

4. Name the role with a `SynqlyAccess` prefix (for example, `SynqlyAccessMyIntegration`).
5. Attach the appropriate permissions policy for your use case.
6. Create the role and note its ARN.


For more details, see:

- [Access to AWS accounts owned by third
parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html)
- [Create a role using custom trust
policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html)


### External ID Requirements

The External ID is a security mechanism that prevents the [confused deputy
problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html). Synqly's principal
ARN is the same for every customer, so without the condition the trust policy would let Synqly
assume your role on anyone's behalf; with it, the role can be assumed only by a Synqly request that
carries the value you configured for your integration. Generate the value yourself and use a
distinct one per role.

The External ID must be between 2 and 1224 characters long and may contain only the following
characters:

- Alphanumeric characters (a-z, A-Z, 0-9)
- Special characters: `+ = , . @ : / -`


### Configuring the Integration Credentials

When creating an AWS integration in Synqly, provide the following configuration values based on your
chosen authentication method.

| Credential Parameter | Description |
|  --- | --- |
| Role ARN | The ARN of the IAM role you created, for example `arn:aws:iam::123456789012:role/SynqlyAccessMyIntegration`. The role name must start with `SynqlyAccess` |
| External ID | The External ID you specified in the role's trust policy. This value must match exactly |
| Role Session Name | **OPTIONAL:** A name for the role session. If not specified, Synqly generates a default session name |
| Duration | **OPTIONAL:** The duration of the role session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration configured on your role (default is 1 hour) |
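The following script is an added example, not Synqly's code or tooling. It ties together the role-creation steps above and the credential parameters in the table: it generates an External ID, checks it against the AWS character and length rules, emits the trust policy from this page with the ID filled in, checks the role ARN for the required `SynqlyAccess` prefix and the session duration for the 900-second-to-MaxSessionDuration range, and then evaluates simulated `AssumeRole` calls against the policy. The evaluator is a deliberately simplified model of how STS checks Principal, Action and a `StringEquals` condition; it makes no AWS calls. The Synqly principal ARN is the one shown on this page.

```python
"""Build and sanity-check a Synqly role trust policy (added example, not Synqly's code)."""
import json
import re
import uuid
from typing import Optional

# Principal ARN taken from the trust policy on this page.
SYNQLY_PRINCIPAL = "arn:aws:iam::733459310821:role/SynqlyIntegrationAccess"
# AWS rules for sts:ExternalId: 2..1224 chars, alphanumerics and + = , . @ : / -
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9+=,.@:/-]{2,1224}$")
# 12-digit account, and a role name that starts with the required SynqlyAccess prefix.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/SynqlyAccess[\w+=,.@-]*$")


def new_external_id() -> str:
    """A UUID is unique and uses only characters AWS accepts in an External ID."""
    return str(uuid.uuid4())


def valid_external_id(ext_id: str) -> bool:
    return EXTERNAL_ID_RE.fullmatch(ext_id) is not None


def valid_role_arn(arn: str) -> bool:
    return ROLE_ARN_RE.fullmatch(arn) is not None


def valid_duration(seconds: int, max_session_duration: int = 3600) -> bool:
    """AssumeRole DurationSeconds: at least 900, at most the role's MaxSessionDuration (default 1h)."""
    return 900 <= seconds <= max_session_duration


def trust_policy(external_id: str) -> dict:
    """The trust policy from this page with YOUR_EXTERNAL_ID replaced."""
    if not valid_external_id(external_id):
        raise ValueError("External ID violates the AWS character/length rules")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": SYNQLY_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified STS evaluation: an Allow statement matches only if the caller is a listed
    principal, the action is sts:AssumeRole, and every StringEquals key equals the value in
    the request context. A request that omits sts:ExternalId fails the condition."""
    context = {} if external_id is None else {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    ext = new_external_id()
    policy = trust_policy(ext)
    print(json.dumps(policy, indent=2))  # paste into the "Custom trust policy" step
    # Synqly with the right External ID is allowed; a Synqly request carrying another
    # tenant's ID (the confused-deputy case) and a different principal are both denied.
    print(assume_role_allowed(policy, SYNQLY_PRINCIPAL, ext))
    print(assume_role_allowed(policy, SYNQLY_PRINCIPAL, "some-other-tenant-id"))
    print(assume_role_allowed(policy, "arn:aws:iam::111111111111:role/Other", ext))
    print(valid_role_arn("arn:aws:iam::123456789012:role/SynqlyAccessMyIntegration"))
```

Run it once, paste the printed policy into the IAM console, and keep the generated External ID for the integration's **External ID** field; the remaining checks are the ones worth running on the values you type into the credential form before saving it.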


### Static Credentials (IAM User)

AWS static credentials are **NOT RECOMMENDED** for production systems. See the [AWS best
practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles)
for more details.

Static credentials consist of an Access Key ID and Secret Access Key associated with an IAM user.
Use this method only for simpler, non-production setups, rotate the key on a schedule, and scope
the user's permissions policy as tightly as you would the role's.

#### 1. Create an IAM User

1. In the AWS IAM console, go to **Users** and choose **Create user**.
2. Enter a user name (for example, `SynqlyIntegration`).
3. Do not enable console access; this user only needs programmatic access.
4. Under permissions, choose **Attach policies directly** and attach the appropriate policy for your
use case.
5. Create the user.


#### 2. Create an Access Key

1. Open the newly created user and choose **Create access key**.
2. For the use case, choose **Third-party service**.
3. Create the key and securely copy the **Access Key ID** and **Secret Access Key**.


For more details, see:

- [Managing access keys for IAM
users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
- [How an IAM administrator can manage IAM user access
keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html).


### Configuring the Integration Credentials

When creating an AWS integration in Synqly, provide the following configuration values based on your
chosen authentication method.

| Credential Parameter | Description |
|  --- | --- |
| Access Key ID | The Access Key ID from your IAM user's access key pair |
| Secret Access Key | The Secret Access Key from your IAM user's access key pair |
| Session Token | **OPTIONAL:** A temporary session token. Only required if you are using temporary credentials from AWS STS. |


## Configure the Integration

Create your integration by supplying all configuration values.

| Integration Parameter | Description |
|  --- | --- |
| URL | The REST endpoint URL of your Security Lake S3 bucket, in the form described in the [Amazon S3 REST API](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTAPI.html) (for example `https://<bucket>.s3.<region>.amazonaws.com`). This is specific to your Security Lake bucket. |
| Region (Optional) | The [AWS region](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html) requests are sent to. If not supplied, the region is inferred from the URL provided, so use a bucket URL that includes the region (the virtual-hosted-style form above does). |
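To make the "region is inferred from the URL" behaviour concrete, here is an added example (not Synqly's code; how Synqly itself parses the URL is not shown on this page) that extracts the bucket and region from the S3 endpoint forms Amazon documents: virtual-hosted-style `https://<bucket>.s3.<region>.amazonaws.com`, path-style `https://s3.<region>.amazonaws.com/<bucket>`, the legacy `s3-<region>` dash form, and the regionless `s3.amazonaws.com` form. It also shows the precedence an explicit **Region** parameter should take. Only the `amazonaws.com` domain is handled; the bucket name in the sample is constructed and is not a real Security Lake bucket.

```python
"""Infer bucket and region from a Security Lake S3 bucket URL (added example)."""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# AWS region names look like us-east-1, eu-west-2, ap-southeast-1, us-gov-west-1.
_REGION = r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
# Path-style host: s3.<region>.amazonaws.com, s3-<region>.amazonaws.com or s3.amazonaws.com
_PATH_HOST = re.compile(rf"^s3(?:[.-]{_REGION})?\.amazonaws\.com$")
# Virtual-hosted-style host: <bucket>.s3.<region>.amazonaws.com (region optional, dash form allowed)
_VHOST = re.compile(rf"^(?P<bucket>.+?)\.s3(?:[.-]{_REGION})?\.amazonaws\.com$")


class S3Location(NamedTuple):
    bucket: str
    region: Optional[str]  # None when the URL carries no region


def parse_s3_url(url: str) -> S3Location:
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("bucket URL must use https; S3 requests should not go over plaintext")
    host = u.hostname or ""
    m = _PATH_HOST.fullmatch(host)
    if m:
        bucket = u.path.strip("/").split("/", 1)[0]
        if not bucket:
            raise ValueError("path-style URL has no bucket in the path")
        return S3Location(bucket, m.group("region"))
    m = _VHOST.fullmatch(host)
    if m:
        return S3Location(m.group("bucket"), m.group("region"))
    raise ValueError(f"not a recognised S3 endpoint: {host!r}")


def effective_region(url: str, region: Optional[str] = None) -> str:
    """Explicit Region parameter wins; otherwise fall back to the URL; fail if neither has one."""
    if region:
        return region
    inferred = parse_s3_url(url).region
    if inferred is None:
        raise ValueError("URL carries no region; set the Region parameter explicitly")
    return inferred


# Constructed sample URLs (bucket name is made up for the example).
SAMPLE_URLS = [
    "https://aws-security-data-lake-example.s3.us-east-1.amazonaws.com",
    "https://s3.eu-west-2.amazonaws.com/aws-security-data-lake-example/ext/",
    "https://aws-security-data-lake-example.s3-us-west-2.amazonaws.com",
    "https://aws-security-data-lake-example.s3.amazonaws.com",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        loc = parse_s3_url(sample)
        print(f"{sample}\n  bucket={loc.bucket} region={loc.region}")
```

The last sample URL is the case to watch: it parses, but `effective_region` refuses it unless a Region is supplied, which is the situation the optional parameter in the table exists for.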