
Amazon Web Services (S3)

This guide covers setting up an AWS S3 connector in Slim.io using cross-account IAM role assumption.

Prerequisites

  • An AWS account with S3 buckets you want to scan
  • IAM permissions to create roles and policies in the target AWS account
  • The Slim.io AWS Account ID (provided in the connector wizard)

IAM Role Setup

Step 1: Create the Trust Policy

In your AWS account, create a new IAM Role with the following trust policy. Replace SLIM_IO_ACCOUNT_ID with the value shown in the Slim.io connector wizard:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SLIM_IO_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Always use the External ID condition. Slim.io generates a unique External ID per connector to prevent the confused deputy problem. This value is shown in the connector wizard.

Step 2: Attach the Permission Policy

Attach the following inline policy to the role. This grants read-only access to S3:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

To grant access to multiple buckets, add additional resource ARNs. For organization-wide access, use arn:aws:s3:::* (not recommended for production — prefer explicit bucket lists).

Step 3: Copy the Role ARN

After creating the role, copy its ARN. It follows the format:

arn:aws:iam::123456789012:role/SlimIOScannerRole
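
A pre-flight check for the two policies from Steps 1 and 2, as an added example that is not Slim.io code. The account ID, External ID and the weak policies below are constructed placeholders, and the function names are hypothetical; the policies shown in Steps 1 and 2 produce no findings.

```python
# Added example: lints the trust and permission policies before the role is created.
READ_ONLY = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"}
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
S3 = "arn:aws:s3:::"

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_trust(policy, vendor_account_id, external_id):
    """Findings for a role trust policy; an empty list means it passed."""
    findings = []
    allowed = {vendor_account_id, f"arn:aws:iam::{vendor_account_id}:root"}
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        names = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not names or any(n not in allowed for n in names):
            findings.append("principal is not limited to the vendor account")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:  # key spelled as in Step 1
            findings.append("sts:ExternalId condition missing or mismatched")
    return findings

def lint_permissions(policy):
    """Findings for the S3 permission policy; an empty list means it passed."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = set(as_list(st.get("Action", [])))
        resources = as_list(st.get("Resource", []))
        findings += [f"action beyond read-only set: {a}" for a in sorted(actions - READ_ONLY)]
        if any(r in ("*", S3 + "*") for r in resources):
            findings.append("wildcard bucket scope; list buckets explicitly")
            continue  # a wildcard already covers buckets and objects
        scoped = [r[len(S3):] for r in resources if r.startswith(S3)]
        if actions & BUCKET_LEVEL and not any("/" not in s for s in scoped):
            findings.append("bucket-level actions need the bucket ARN, not only bucket/*")
        if "s3:GetObject" in actions and not any("/" in s for s in scoped):
            findings.append("s3:GetObject needs an object ARN such as bucket/*")
    return findings

ACCOUNT, EXT_ID = "111122223333", "example-external-id"  # constructed placeholders
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}  # no ExternalId
WEAK_PERMS = {"Statement": [{"Effect": "Allow", "Resource": ["arn:aws:s3:::your-bucket-name/*"],
              "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"]}]}
if __name__ == "__main__":
    print(lint_trust(WEAK_TRUST, ACCOUNT, EXT_ID), lint_permissions(WEAK_PERMS))
```

The missing bucket ARN reported for the weak permission policy is the same condition the Troubleshooting section lists under "Access Denied".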

Connector Configuration in Slim.io

  1. Navigate to Connectors > Add Connector in the Customer Dashboard.
  2. Select Amazon Web Services.
  3. Enter the Role ARN you created.
  4. Enter the External ID (auto-generated, matches the trust policy).
  5. Select the AWS Region where your buckets are located.
  6. Optionally, configure bucket filters and prefix scope.
  7. Click Test Connection.

If the test succeeds, the connector status changes to Active and you can trigger your first scan.

Region Configuration

Slim.io needs to know which AWS region your buckets reside in to make efficient API calls. If your buckets span multiple regions, create one connector per region for optimal performance.

| Setting | Description |
| --- | --- |
| Primary Region | The region where the majority of target buckets are located |
| Cross-Region Access | Enabled by default — allows scanning buckets outside the primary region (with higher latency) |

Troubleshooting

“Access Denied” on Test Connection

  • Verify the Role ARN is correct and the role exists
  • Confirm the trust policy includes the correct Slim.io Account ID
  • Check that the External ID matches exactly
  • Ensure the permission policy includes s3:ListBucket on the bucket resource (not just objects)

“Bucket Not Found” During Scan

  • Verify the bucket name is correct and the bucket exists
  • Check that the bucket is in the configured region
  • Ensure the IAM role has s3:GetBucketLocation permission

Slow Scan Performance

  • Create region-specific connectors instead of using cross-region access
  • Check if the bucket has request rate limits or S3 Transfer Acceleration configured
  • Review your scan tier limits — parallel worker count may be constrained
