# IAM roles

## IAM policy configuration

To increase security and avoid long-lived credentials, you can skip creating an access key/secret key pair for your **AWS** S3 bucket and instead integrate it via an IAM role. This approach has specific requirements: integrating a bucket via an IAM role involves creating a role that **Amazon EC2** is allowed to assume, attaching an IAM policy that grants access to the bucket, and designating an **EC2** instance that carries the role and can communicate directly with the bucket.

Since the **GitProtect** machine template is not available in **EC2**, you must launch an instance with a supported operating system and install the **GitProtect worker** on it.

{% hint style="warning" %}
The **cloud worker** cannot, by default, communicate with the bucket via an IAM role; only a worker installed on an **EC2** instance with the role attached can.
{% endhint %}

Steps for an **AWS** administrator:

1. Create an IAM role that the **EC2** service is allowed to assume.
2. Attach a policy granting access to the backup bucket to the created role (see the example policy below).
3. Assign the role to the selected **EC2** instance (through an instance profile).
4. Install the backup worker on the **EC2** instance.

{% code title="Policy" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::[bucket_name]",
        "arn:aws:s3:::[bucket_name]/*"
      ]
    }
  ]
}
```

{% endcode %}

Replace `[bucket_name]` with the name of your backup bucket. The bucket ARN (without `/*`) is required for bucket-level actions such as `s3:ListBucket`; the `/*` ARN covers object-level actions such as `s3:GetObject` and `s3:PutObject`. `s3:*` grants every S3 action on that bucket and its objects; if you know which actions the worker actually needs, narrow the `Action` list to those.
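The following script carries steps 1 to 3 out with the AWS CLI and then checks, from the instance itself, that the worker will receive role credentials without any stored keys. It is an added example, not GitProtect's own tooling or any script from this page; the role name `gitprotect-s3-worker`, the bucket `my-backup-bucket` and the instance ID you pass in are placeholders you will replace.

```shell
#!/bin/sh
# Added example (not GitProtect's own code): provision the EC2 role from the
# steps above and verify it from the instance. Placeholder names are assumptions.
set -eu

ROLE_NAME="${ROLE_NAME:-gitprotect-s3-worker}"   # assumed role/instance-profile name

# Step 1: trust policy allowing only the EC2 service to assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Step 2: permission policy scoped to one bucket. The bare bucket ARN is needed
# for bucket-level actions (ListBucket), the /* ARN for object-level actions.
bucket_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "GitProtectBucketAccess",
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": [
      "arn:aws:s3:::${bucket}",
      "arn:aws:s3:::${bucket}/*"
    ]
  }]
}
EOF
}

# Steps 1-3 with the AWS CLI. A role cannot be attached to an instance directly:
# it is placed in an instance profile, and the profile is associated with the instance.
provision() {
  bucket="$1"; instance_id="$2"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${ROLE_NAME}-bucket" \
    --policy-document "$(bucket_policy "$bucket")"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile "Name=$ROLE_NAME"
}

# Run ON the instance after step 3 and before installing the worker: the role
# must be visible in IMDS (IMDSv2 token flow), the caller identity must be the
# assumed role rather than an IAM user, and the bucket listing must succeed.
verify_on_instance() {
  bucket="$1"
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  echo
  aws sts get-caller-identity          # expect arn:aws:sts::...:assumed-role/<ROLE_NAME>/...
  aws s3 ls "s3://${bucket}/"          # AccessDenied here means the policy is wrong
}

case "${1:-}" in
  provision) provision "$2" "$3" ;;          # ./iam-role.sh provision <bucket> <instance-id>
  verify)    verify_on_instance "$2" ;;      # ./iam-role.sh verify <bucket>   (on the instance)
  *)         bucket_policy "${2:-my-backup-bucket}" ;;   # default: print the policy only
esac
```

Run `provision` from an administrator workstation with IAM and EC2 permissions, then `verify` on the EC2 instance; if `get-caller-identity` still reports an IAM user, the worker would fall back to keys in its own configuration or environment, which is exactly what this setup is meant to avoid.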

***

## Enabling IAM authentication <a href="#enabling-iam-authentication" id="enabling-iam-authentication"></a>

In the **GitProtect Management Service** admin panel, enable the **Use Amazon IAM** toggle and select your **EC2** worker (the one carrying the IAM role) in the **Default worker** section at the bottom.

<figure><img src="https://696332517-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtsE6XtJyUIEKVdSxPlS3%2Fuploads%2Fgit-blob-aa28ba58b53520e88d4350255a0d5a1194a906f4%2Fimage%20(375).png?alt=media" alt=""><figcaption></figcaption></figure>

***

## Useful links and items

{% embed url="<https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html>" %}
