To export Analytics data to S3, you need to create an Output resource that defines where to write those exports ([Learn more](🔗)). When you use an S3 bucket, you need to provide the IAM Role accessing the bucket a set of permissions and a trust policy that allows bitmovin to assume the given role. This page describes the necessary bucket permissions. How to setup the trust policy is outlined in more detail [here](🔗).

# Full Access

If you want a quick solution, for example for quick evaluations or development environments, you can simply allocate the `AmazonS3FullAccess` policy will give the IAM user unrestricted access to your bucket.

# Restricted Access

For most applications, you will want to tighten permissions to the strict set required. With AWS IAM, you have granular control to create a custom policy that only defines certain permissions.

The minimum set required (and why each permission is needed) is listed below:

ActionResource LevelJustification
`s3:GetBucketLocation`BucketTo determine the location of the bucket to resolve the correct region for mode `AUTO`
`s3:ListBucket`BucketTo verify if all files are present at the output location (i.e., check if all generated files are present)
`s3:PutObject`ObjectTo write the file to the S3 Bucket
`s3:PutObjectAcl`ObjectTo update the ACL for an object on a S3 Bucket (i.e., to allow public access to a file)

## JSON Custom Policy

You can use the following JSON payload to create your custom policy in AWS IAM.