S3 storage device security

You can use an S3 storage device in an advanced storage area with these security considerations.

Before you create an S3 storage device on Content Platform Engine, the following security requirements must be met:

  • For Content Platform Engine, an S3 storage device supports only the latest AWS Signature Version 4 algorithm.
  • For successful authentication, always keep the Content Platform Engine server clock and the S3 system clock in sync.

    With an Amazon S3 storage device, for example, the Content Platform Engine server time that is included in an authenticated request must be within 15 minutes of the Amazon S3 system time.

  • The S3 storage device implementation for Content Platform Engine does not set an ACL when creating an object or content element in the S3 bucket.
  • The following permissions are the minimum set required for the user account:

    Table 1. Minimum required permissions for S3

    Permission                   | S3 operations and P8 actions
    -----------------------------|------------------------------------------------------------------------------------
    S3: ListBucket               | HEAD Bucket
    S3: GetObject                | GET Object, HEAD Object (on a version-enabled bucket, you always get the latest version data)
    S3: PutObject                | PUT Object, POST Object, Initiate Multipart Upload, Upload Part, Complete Multipart Upload
    S3: DeleteObject             | DELETE Object
    S3: ListMultipartUploadParts | List Parts
    S3: AbortMultipartUpload     | Abort Multipart Upload

An S3 storage device can also be used as an S3 fixed content device. If the fixed content storage area must be in aligned mode, the S3 bucket must have Object Lock enabled. When working with an Object Lock enabled bucket, either in aligned mode or in not-aligned mode with a default retention set, the user account also needs the following permissions:

Table 2. Additional permissions for S3 FCD

Permission              | S3 operations and P8 actions
------------------------|------------------------------------------------------------------------
S3: DeleteObjectVersion | DELETE Object (a specific version)
S3: GetObjectVersion    | GET Object, HEAD Object
S3: GetObjectRetention  | GET Object Retention, GET Object
S3: PutObjectRetention  | PUT Object Retention, PUT Object
S3: GetObjectLegalHold  | GET Object Legal Hold, GET Object (only needed if device hold is configured)
S3: PutObjectLegalHold  | PUT Object Legal Hold, PUT Object (only needed if device hold is configured)

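The two permission tables above translate directly into a least-privilege IAM policy for the service account, and the same tables can be used to audit an account that was granted more than it needs. The following Python script is an added example and is not part of the IBM documentation or the Content Platform Engine product: it encodes Table 1 and Table 2 (using the standard IAM action spelling, for example s3:ListBucket for the table's "S3: ListBucket"), emits a policy scoped to one bucket with ListBucket on the bucket ARN and all other actions on the object ARN, and reports any Allow action outside the required set. The bucket name, statement Sids, the ARN layout and the list of "known" extra S3 actions used to expand wildcards are assumptions made for the example.

```python
"""Least-privilege IAM policy helper for a Content Platform Engine S3 storage device.

Added example, not IBM's code. Encodes the page's Table 1 and Table 2 as action
sets, builds a bucket-scoped policy, and audits a policy document for excess.
Bucket name, Sids, ARN layout and the extra "known" action list are assumptions.
"""
import fnmatch
import json

# Table 1: minimum permissions for any S3 storage device.
BASE_BUCKET_ACTIONS = {"s3:ListBucket"}
BASE_OBJECT_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
}
# Table 2: additional permissions for a fixed content device on an Object Lock
# enabled bucket (aligned mode, or not-aligned mode with default retention).
FCD_OBJECT_ACTIONS = {
    "s3:DeleteObjectVersion", "s3:GetObjectVersion",
    "s3:GetObjectRetention", "s3:PutObjectRetention",
}
# Table 2, only needed if device hold is configured.
HOLD_OBJECT_ACTIONS = {"s3:GetObjectLegalHold", "s3:PutObjectLegalHold"}
ALL_TABLE_ACTIONS = BASE_BUCKET_ACTIONS | BASE_OBJECT_ACTIONS | FCD_OBJECT_ACTIONS | HOLD_OBJECT_ACTIONS

# Assumed extra S3 actions a wildcard such as "s3:*" would also grant; the
# device never needs any of them, so they must show up as excess in an audit.
EXTRA_KNOWN_ACTIONS = {
    "s3:PutObjectAcl", "s3:GetObjectAcl", "s3:DeleteBucket",
    "s3:PutBucketPolicy", "s3:GetBucketPolicy", "s3:BypassGovernanceRetention",
}


def required_actions(fixed_content=False, device_hold=False):
    """Return (bucket-level actions, object-level actions) for the chosen configuration."""
    obj = set(BASE_OBJECT_ACTIONS)
    if fixed_content:
        obj |= FCD_OBJECT_ACTIONS
        if device_hold:
            obj |= HOLD_OBJECT_ACTIONS
    return set(BASE_BUCKET_ACTIONS), obj


def build_policy(bucket, fixed_content=False, device_hold=False):
    """Build an IAM policy granting exactly the required actions on one bucket.

    ListBucket applies to the bucket ARN; every other action applies to objects in it.
    """
    bucket_actions, object_actions = required_actions(fixed_content, device_hold)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CpeBucketAccess", "Effect": "Allow",          # Sid is an assumption
             "Action": sorted(bucket_actions),
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "CpeObjectAccess", "Effect": "Allow",
             "Action": sorted(object_actions),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def excess_actions(policy, fixed_content=False, device_hold=False):
    """Return the S3 actions that Allow statements grant beyond the required minimum.

    Wildcards ("s3:*", "s3:Put*", "*") are expanded case-insensitively against the
    table actions plus EXTRA_KNOWN_ACTIONS; an unrecognised literal is reported as-is.
    """
    bucket_actions, object_actions = required_actions(fixed_content, device_hold)
    allowed = bucket_actions | object_actions
    known = ALL_TABLE_ACTIONS | EXTRA_KNOWN_ACTIONS
    excess = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            matches = {a for a in known if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            if not matches and "*" not in pattern and "?" not in pattern:
                matches = {pattern}            # literal action we do not know about
            excess |= matches - allowed
    return excess


if __name__ == "__main__":
    # "example-cpe-bucket" is a constructed name.
    print(json.dumps(build_policy("example-cpe-bucket", fixed_content=True), indent=2))
    # Constructed over-broad policy of the "just make it work" kind.
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("excess:", sorted(excess_actions(broad, fixed_content=True)))
```

Run it with a real bucket name to get the policy document to attach to the service account; run excess_actions against the account's existing policy JSON (for example the output of the AWS console or CLI, which is an assumption about how you obtain it) to see which actions, such as ACL or bucket-policy rights, can be removed. Note that the audit deliberately treats the Table 2 actions as excess unless fixed_content is set, so a plain storage device account is flagged if it carries retention or legal hold rights it does not need.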
For IBM Cloud Object Storage, only the TLS v1.1 and v1.2 HTTPS protocols are supported. To ensure that the correct HTTPS protocols are used, add the following JVM argument:

    -Dhttps.protocols=TLSv1.1,TLSv1.2