This guide explains how to export Cmd data to an S3 bucket.

Outline:

  1. Configure an S3 bucket to receive data from Cmd
        - Without an IaC tool
        - With an IaC tool
        - Using AWS KMS
  2. Send the configuration information to your Cmd contact

Step 1: Configure an S3 bucket to receive data

- Without an IaC tool

  1. First, create a new bucket following the steps in this Amazon walkthrough.
       - Name your bucket 'cmd-[mycompanyname]-shared' (replace [mycompanyname] with your company's name).
       - The 'us-west-1' region is preferable.
       - Under 'Set permissions', enter Cmd's canonical ID:
         8d863b317735519f02c08cd534372f6ff3ddd39b571693c10a28ed6c49b0ba31

  2. Next, grant bucket write access to Cmd's AWS account by following the video tutorial below, or Amazon's documentation on managing access to S3 buckets. (The video shows both how to create a bucket and how to grant Cmd access.)

 Important Notes:

  • Do not add other objects with the 'cmd_export/' key prefix to the bucket (i.e., don't put anything else in that directory). Doing so would impair data export to tools such as AWS Redshift.

  • We recommend configuring the lifecycle to delete incomplete multipart uploads after 1-2 days by following the instructions here (to help minimize storage costs).

- With an IaC tool

If you created your AWS S3 bucket through an IaC tool like Terraform or CloudFormation, use the following policy document:

{
 "Statement":[
   {
     "Effect":"Allow",
     "Principal":{"AWS":"839441773943"},
     "Action":"s3:PutObject",
     "Resource":["arn:aws:s3:::[YOURBUCKETNAME]/*"]
   },
   {
     "Effect":"Deny",
     "Principal":{"AWS":"839441773943"},
     "Action":"s3:PutObject",
     "Resource":"arn:aws:s3:::[YOURBUCKETNAME]/*",
     "Condition": {
       "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
     }
   }
 ]
}

Important details:

  • 839441773943 is the actual Account ID that Cmd uses for bucket sharing.
  • Replace the '[YOURBUCKETNAME]' string with your AWS S3 bucket name.

The policy document above grants Cmd s3:PutObject on the bucket and denies any upload that does not set the bucket-owner-full-control ACL, so the bucket owner has full ownership of every object Cmd writes, as described in Amazon's bucket policies documentation.
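To confirm that a bucket policy gives Cmd no more than the policy above, you can lint the JSON before sending your details. This is an added example, not part of Cmd's documentation; it only inspects statements that name Cmd's account ID, and the function name and the sample bucket name cmd-example-shared are assumptions.

```python
import json

CMD_ACCOUNT = "839441773943"  # Cmd's account ID, as given in this guide

def _as_list(value):
    # IAM policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _is_cmd(principal):
    """True if the principal names Cmd's account (bare ID or root ARN)."""
    ids = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in (CMD_ACCOUNT, f"arn:aws:iam::{CMD_ACCOUNT}:root") for p in ids)

def check_cmd_bucket_policy(policy_json, bucket):
    """Return a list of findings; an empty list means the policy matches the guide."""
    findings = []
    objects = f"arn:aws:s3:::{bucket}/*"
    stmts = [s for s in _as_list(json.loads(policy_json).get("Statement", []))
             if _is_cmd(s.get("Principal"))]
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    denies = [s for s in stmts if s.get("Effect") == "Deny"]
    if not allows:
        findings.append("no Allow statement for Cmd")
    for s in allows:
        extra = sorted(set(_as_list(s.get("Action", []))) - {"s3:PutObject"})
        if extra:
            findings.append(f"Allow grants more than s3:PutObject: {extra}")
        if _as_list(s.get("Resource", [])) != [objects]:
            findings.append(f"Allow resource is not exactly {objects}")
    # The Deny must reject uploads that omit the bucket-owner-full-control ACL.
    acl_guard = any(
        "s3:PutObject" in _as_list(s.get("Action", []))
        and objects in _as_list(s.get("Resource", []))
        and s.get("Condition", {}).get("StringNotEquals", {}).get("s3:x-amz-acl")
        == "bucket-owner-full-control"
        for s in denies)
    if not acl_guard:
        findings.append("missing Deny on uploads without bucket-owner-full-control")
    return findings

# Constructed sample: the guide's policy for a bucket named cmd-example-shared.
GOOD = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CMD_ACCOUNT},
     "Action": "s3:PutObject", "Resource": ["arn:aws:s3:::cmd-example-shared/*"]},
    {"Effect": "Deny", "Principal": {"AWS": CMD_ACCOUNT},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cmd-example-shared/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]})

if __name__ == "__main__":
    print(check_cmd_bucket_policy(GOOD, "cmd-example-shared") or "policy matches the guide")
```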

- Using AWS KMS

If you're managing your bucket with KMS, you will need to add an additional policy: 

{
 "Statement":[
   {
     "Sid": "AllowAccessForExternalKeyUsers",
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam::839441773943:root"
     },
     "Action": [
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
       "kms:Encrypt",
       "kms:DescribeKey",
       "kms:Decrypt"
     ],
     "Resource": "*"
   },
   {
     "Sid": "AllowAttachmentOfPersistentResourcesInExternalAccounts",
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam::839441773943:root"
     },
     "Action": [
       "kms:RevokeGrant",
       "kms:ListGrants",
       "kms:CreateGrant"
     ],
     "Resource": "*"
   }
 ]
}

In addition, you will need to grant Cmd permission to list objects, write objects, read bucket permissions, and write bucket permissions, as in the following screenshot: 

To learn how to grant these permissions, see Amazon's bucket permissions documentation.

After configuring the bucket, you will need to send its KMS key ID to Cmd.

Step 2: Send the configuration information to your Cmd contact

Send your Cmd contact the following information:

  1. The bucket's name (formatted as 'cmd-[mycompanyname]-shared').
  2. The bucket's region.
  3. If you are using KMS, the KMS key ID for your bucket.
  4. The name of your Cmd project (visible in the upper-right corner of the web app).
  5. A time zone (optional).

The time zone is used to timestamp the objects Cmd sends to your bucket. If you choose not to provide a time zone, timestamps will use Coordinated Universal Time (UTC).

For example:

Bucket Name: cmd-mycompanyname-shared
Region: us-west-2
Timezone: America/Los_Angeles
KMS ID: arn:aws:kms:us-east-1:938991199149:key/d8e299aa-5e6d-4ff2-9b40-1fa66f52f686

That's all you need to do — your data export will commence as soon as we can respond to your request.

Exporting for additional projects:

To export data from an additional project, just send your Cmd contact the project name.
