To export Analytics data to S3, you need to create an Output resource that defines where to write those exports ([Learn more](🔗)). When you use an S3 bucket, you need to provide the IAM Role accessing the bucket a set of permissions and a trust policy that allows bitmovin to assume the given role. This page describes the necessary bucket permissions. How to setup the trust policy is outlined in more detail [here](🔗).
# Full Access
If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the `
AmazonS3FullAccess` policy will give the IAM user unrestricted access to your bucket.
# Restricted Access
For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.
The minimum set required (and why each permission is needed) is listed below:
|`||Bucket||To determine the location of the bucket to resolve the correct region for mode `|
|`||Bucket||To verify if all files are present at the output location (i.e., check if all generated files are present)|
|`||Object||To write the file to the S3 Bucket|
|`||Object||To update the ACL for an object on a S3 Bucket (i.e., to allow public access to a file)|
## JSON Custom Policy
You can use the following JSON payload to create your custom policy in AWS IAM.