AWS Cross-Account PUT
If your infrastructure is hosted on AWS, please adopt this solution. For how to use cross-account PUT, the detailed documentation is https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-cross-accounts.html

## 1. Overview

To ensure seamless and secure data delivery between Klavi and partners, we utilize the AWS cross-account S3 PUT method. In this architecture, Klavi (the source account) pushes files directly into an S3 bucket managed within the partner's AWS environment (the destination account).

Key benefits:

- Data sovereignty: data is stored directly in your infrastructure.
- Security: leverages AWS Identity and Access Management (IAM) without the need for exchanging long-term access keys.
- Automation: supports automated workflows with native AWS scaling.

## 2. Partner Configuration Requirements

As the data recipient, the partner must configure their AWS environment to permit Klavi's IAM role to write objects to the designated bucket.

### 2.1 Create an S3 Bucket

Create a dedicated S3 bucket for receiving Klavi data.

- Recommended naming: `klavi-data-transfer-<partner-name>`
- Region: any supported AWS region (please specify your choice)

### 2.2 Configure Bucket Policy

To allow Klavi to upload files, you must attach a resource-based policy to your bucket. This policy grants Klavi's IAM role the `s3:PutObject` and `s3:PutObjectAcl` permissions.

Replace `<your-bucket-name>` with your actual bucket name and use the Klavi IAM role ARN provided by our integration team.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKlaviCrossAccountPut",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::KLAVI_ACCOUNT_ID:role/KlaviDataExporterRole"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::<your-bucket-name>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

### 2.3 Set S3 Object Ownership

To ensure your account gains full ownership of the files uploaded by Klavi, you must enable S3 Object Ownership.

- Go to the Permissions tab of your bucket.
- Under Object Ownership, select Bucket owner preferred.

Note: this ensures that when Klavi uploads with the `bucket-owner-full-control` ACL, the object ownership is automatically transferred to your account.

## 3. Information Exchange Checklist

To complete the integration, the following technical details must be exchanged via secure channels.

### 3.1 From Partner to Klavi

Please provide these details to Klavi's support team:

| Parameter | Description | Example |
| --- | --- | --- |
| AWS Region | The region where your bucket is hosted | `us-east-1` |
| S3 Bucket Name | The exact name of the destination bucket | `klavi-delivery-acme-prod` |
| S3 Prefix (optional) | A specific folder path within the bucket | `/daily-sync/` |
| KMS Key ARN (optional) | Required if using a customer managed key for encryption | `arn:aws:kms:region:acct:key/id` |

### 3.2 From Klavi to Partner

Klavi will provide the following identity information for your policy configuration:

| Parameter | Description |
| --- | --- |
| Klavi AWS Account ID | Klavi's unique AWS identifier |
| Klavi IAM Role ARN | The identity that will perform the PutObject operations |

## 4. Klavi Operational Workflow

Once the partner provides the bucket details and applies the policy, Klavi will:

- Provision IAM permissions: grant our internal export service the rights to access your external bucket.
- Configure delivery pipeline: set up the daily automated transfer job.
- Connectivity validation: perform a test upload file to verify permissions and encryption settings.

## 5. Security & Compliance

- Encryption in transit: all data is transferred over HTTPS using TLS 1.2+.
- Encryption at rest: we support SSE-S3 and SSE-KMS (AWS Key Management Service).
- Least privilege: our IAM roles are strictly scoped to PutObject actions only; Klavi cannot list or delete other files in your bucket.

## Support

For technical assistance during setup, please contact our support team at crie@klavi.ai
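
A partner can check the bucket policy from the bucket policy section above before applying it, to confirm the grant has not been widened beyond the two PUT actions, the single role principal, the object-level resource and the ACL condition. The following is an added example, not Klavi's or AWS's tooling; the account ID `111122223333`, the role ARN and the function names are constructed placeholders, and the bucket name is the example value from the checklist table.

```python
ALLOWED = {"s3:putobject", "s3:putobjectacl"}   # IAM action names are case-insensitive
REQUIRED_ACL = "bucket-owner-full-control"

def as_list(value):
    """IAM accepts either a string or a list for Principal, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket, role_arn):
    """Return findings for each Allow statement broader than the documented grant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if arns != [role_arn]:
            findings.append(f"{sid}: principal is not exactly the expected role ARN")
        extra = {a.lower() for a in as_list(stmt.get("Action", []))} - ALLOWED
        if extra:
            findings.append(f"{sid}: actions beyond PutObject/PutObjectAcl: {sorted(extra)}")
        resources = as_list(stmt.get("Resource", []))
        if not resources or not all(r.startswith(f"arn:aws:s3:::{bucket}/") for r in resources):
            findings.append(f"{sid}: resource is not limited to objects inside {bucket}")
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != REQUIRED_ACL:
            findings.append(f"{sid}: no StringEquals s3:x-amz-acl = {REQUIRED_ACL}")
    return findings

# Constructed sample values: account ID and role ARN are placeholders.
ROLE = "arn:aws:iam::111122223333:role/KlaviDataExporterRole"
BUCKET = "klavi-delivery-acme-prod"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowKlaviCrossAccountPut", "Effect": "Allow",
    "Principal": {"AWS": ROLE},
    "Action": ["s3:PutObject", "s3:PutObjectAcl"],
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_policy(doc, BUCKET, ROLE) or "no findings")
```

The check is deliberately strict: it matches the `StringEquals` operator and the `s3:x-amz-acl` key exactly as written in the policy above, so a policy that expresses the same condition differently is reported for manual review.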