CloudZip Services
Sign In

Contents IAM User Setup and AMI Installation

IAM User Setup for AWS S3 Services by CloudZip

The AWS Identity and Access Management (IAM) control panel allows you to easily create new users and manage detailed credentials to access your AWS S3 buckets. AWS recommends that you use IAM credentials for applications and services, instead of using your root access keys. You may allow or restrict access for the IAM credentials depending on the policy that you create. By default new IAM users have no access until you set the policy. It may take a few minutes for IAM user policy changes to take effect.

To create IAM user credentials with a policy that allows CloudZip to access your S3 buckets, login to the AWS Identity and Access Management control panel.

  1. Under Details on the left, click the Users link. Next, at the top of the page click the Create New Users button to display the user name entry page.
  2. In the first text edit field enter a user name like "cloudzipinc", next select the checkbox for Generate an access key for each user, and click the Create button to show the access keys page.
  3. Click the Download Credentials button to save your Access and Secret keys, or click Show User Security Credentials and copy the Access and Secret keys. You need to remember the Access and Secret keys to enter into the CloudZip service forms. Next step is set a policy for the IAM user you just created.
  4. From the Users page, select the username you just created to drill into its details. In the Permissions section, under Managed Policies, click Attach Policy and select the AmazonS3FullAccess policy. Next, for Insight for Storage service integration add CloudWatchFullAccess policy.
  5. That's it, you just created a new set of keys and allow them only to access your S3 buckets and CloudWatch. Next proceed to the CloudZip service forms and enter the Access and Secret keys in the fields as needed. Note: Do not create a password, signing certificate, or multi-factor authentication for the IAM user credentials used for CloudZip.

Custom IAM User Policies for AWS S3 Services by CloudZip

In some cases you may wish to add a custom policy or edit an existing custom IAM user policy. In the IAM User details page, select the user to drill into its details, then select the Inline Policies label. Click the link to create or edit a custom policy. Select Custom Policy, enter the custom policy name and insert or paste the following configuration into the relevant policy text area to allow the IAM user to read and write to all S3 buckets. The S3 Statement Action lists below are the minimum required for CloudZip to list, read, and write files.

            "Version": "2012-10-17",
            "Statement": [
                    "Effect": "Allow",
                    "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl" ],
                    "Resource": "arn:aws:s3:::*"
                    "Effect": "Allow",
                    "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl", "s3:PutObjectAcl" ],
                    "Resource": "arn:aws:s3:::*/*"

Insight4Storage AWS AMI Instructions

Installation using HVM 64-bit insight4storage-hvm-r3.2xl-1.4x class AMIs

  1. Visit, search for Insight4Storage and subscribe to the latest secure AMI.
  2. From your AWS EC2 Instances console select Launch an On Demand or Spot Instance
  3. Select MarketPlace AMI, Linux 64-bit, search and select Insight4Storage
  4. Select an HVM compatible EC2 instance type suitable for your S3 footprint, we recommend a r3.2xlarge instance. The software will easily run on smaller instances, try it, use whatever instance works for your requirements. On the low end the m3.medium may be sufficient for measuring up to 10TB per bucket. This AMI will run on smaller instances depending on total number of prefixes. This AMI configuration is optimized for r3.2xlarge, enough to crawl over 20 million path prefixes per bucket, typically between 1-2PB per bucket, for 100+ buckets.
  5. In the Configure Instance Details panel, select an existing IAM Role or Create a new one
    Example IAM role selection
  6. An existing IAM role must be an EC2 Instance profile trusted service role with S3 (read, write, list) and Cloudwatch (list and read) Access :
  7. Click Next: Add Storage
  8. Click Next:Tag and add Tags if needed
  9. Click Next : Configure Security Group
  10. Launch the Instance.
  11. After the server status finishes initializing, identify the DNS name and EC2 instance id of your instance
  12. Open your browser and access the new instance over http using the DNS name and port 9000, for example :
  13. Under Configuration on the left, click the Application link
  14. Under Configuration on the left, click the Tuning link
  15. Under Configuration on the left, click the Capture link then the Start Paths Capture Now button