To export Analytics data to S3, you need to create an Output resource that defines where to write those exports ([Learn more](🔗)). When you use an S3 bucket, you need to provide the IAM Role accessing the bucket a set of permissions and a trust policy that allows bitmovin to assume the given role. This page describes the necessary bucket permissions. How to setup the trust policy is outlined in more detail [here](🔗).
# Full Access
If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the `AmazonS3FullAccess` policy will give the IAM user unrestricted access to your bucket.
# Restricted Access
For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.
The minimum set required (and why each permission is needed) is listed below:
| Action | Resource Level | Justification |
`s3:GetBucketLocation` | Bucket | To determine the location of the bucket to resolve the correct region for mode `AUTO` |
`s3:ListBucket` | Bucket | To verify if all files are present at the output location (i.e., check if all generated files are present) |
`s3:PutObject` | Object | To write the file to the S3 Bucket |
`s3:PutObjectAcl` | Object | To update the ACL for an object on a S3 Bucket (i.e., to allow public access to a file) |
## JSON Custom Policy
You can use the following JSON payload to create your custom policy in AWS IAM.