Version: eXtendFiles 1.8 and above
Audience: NetSuite Administrator, AWS Administrator

Overview

To use eXtendFiles with Amazon S3, you must configure settings in both NetSuite and Amazon Web Services (AWS). This configuration requires a user with Administrator privileges in NetSuite and with Administrator access to AWS.

Configuration

AWS Configuration

To use Amazon S3 with eXtendFiles, you'll need to create an IAM User and an IAM Policy that grants access to your S3 bucket(s). You'll find a sample IAM Policy in the "1. Create IAM Policy" section below.

AWS Prerequisites

  • Ensure you have created an S3 bucket with the following settings:
    • Set "Object Ownership" to "ACLs enabled".
    • Uncheck all "block public access" options on the bucket. When you disable blocking public access keep in mind the following:
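With ACLs enabled and Block Public Access turned off, whether a bucket or object is public is decided by the grants in its ACL. The audit below is an added example, not part of eXtendFiles or the original page: it takes ACLs in the shape returned by S3's GetBucketAcl and GetObjectAcl and lists the resources granted to the predefined AllUsers or AuthenticatedUsers groups. The function names and the sample ACLs are constructed.

```python
# Predefined S3 grantee groups that make a grant public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}
# Permissions that let the grantee change data or rewrite the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def public_grants(acl):
    """Return (audience, permission) for each public grant in one ACL response."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and audience:
            found.append((audience, grant["Permission"]))
    return found

def audit(acls):
    """List (resource, public grants) for exposed resources, writable ones first."""
    exposed = {name: public_grants(acl) for name, acl in acls.items()}
    exposed = {name: grants for name, grants in exposed.items() if grants}
    return sorted(
        exposed.items(),
        key=lambda item: (not any(p in WRITE_PERMS for _, p in item[1]), item[0]),
    )

def _group(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}

# Constructed sample ACLs (not real data), keyed by a label for the resource.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "netsuite-assets (bucket ACL)": {"Grants": [OWNER]},
    "invoices/inv-1001.pdf": {"Grants": [OWNER, _group(ALL_USERS, "READ")]},
    "uploads/tmp.bin": {"Grants": [OWNER, _group(AUTH_USERS, "WRITE_ACP")]},
}

if __name__ == "__main__":
    for name, grants in audit(SAMPLE_ACLS):
        print(name, grants)
```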

1. Create IAM Policy

Follow Amazon's Create Policies documentation to create a new IAM policy. Make sure to include the policy information below in your IAM policy:

The sample IAM policy below contains the sample bucket name "netsuite-assets" in TWO places. Replace netsuite-assets with your bucket name in both.

Sample IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObjectVersion",
                "s3:PutObjectVersionAcl",
                "s3:RestoreObject",
                "s3:GetObjectVersionAcl",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketTagging",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:GetBucketLogging",
                "s3:GetBucketCORS",
                "s3:PutBucketAcl",
                "s3:GetBucketVersioning",
                "s3:PutBucketCORS",
                "s3:GetBucketAcl",
                "s3:PutBucketVersioning",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets/*"
            ]
        }
    ]
}

If you are configuring multiple buckets, add them using the format shown below (see netsuite-assets2 and netsuite-assets3 in the example), and add any additional buckets in the same way.
            "Resource": [
                "arn:aws:s3:::netsuite-assets",
                "arn:aws:s3:::netsuite-assets2",
                "arn:aws:s3:::netsuite-assets3"
            ]
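IAM applies an S3 action only to resources of the type that action supports: bucket-level actions to the bucket ARN, object-level actions to "bucket/*" ARNs. The check below is an added example, not part of eXtendFiles or the original page: it flags actions in a statement whose resources are all of the other type, and buckets that were added as a bucket ARN without a matching object ARN. The function names and the shortened sample policy are constructed.

```python
# Resource type each S3 action applies to (only actions from the page's sample policy).
BUCKET_LEVEL = {
    "ListBucket", "ListBucketVersions", "ListBucketMultipartUploads", "GetBucketLocation",
    "GetBucketVersioning", "PutBucketVersioning", "GetBucketAcl", "PutBucketAcl",
    "GetBucketCORS", "PutBucketCORS", "GetBucketTagging", "PutBucketTagging",
    "GetBucketLogging", "GetLifecycleConfiguration", "PutLifecycleConfiguration",
}
OBJECT_LEVEL = {
    "PutObject", "GetObject", "DeleteObject", "DeleteObjectVersion", "RestoreObject",
    "GetObjectAcl", "PutObjectAcl", "GetObjectVersion", "GetObjectVersionAcl",
    "PutObjectVersionAcl", "AbortMultipartUpload", "ListMultipartUploadParts",
}

def _targets(resource):
    """Resource types ('bucket', 'object') that an S3 ARN pattern can match."""
    name = resource.split(":::", 1)[-1]
    if "/" in name:
        return {"object"}
    # A wildcard in the bucket part (or a bare "*") can also match object ARNs.
    return {"bucket", "object"} if "*" in name else {"bucket"}

def ineffective_actions(policy):
    """(Sid, action) pairs whose action type matches none of the statement's resources."""
    findings = []
    for stmt in policy["Statement"]:  # assumes Action and Resource are lists, as on the page
        covered = set().union(*(_targets(r) for r in stmt["Resource"]))
        for action in stmt["Action"]:
            name = action.split(":", 1)[-1]
            needed = "bucket" if name in BUCKET_LEVEL else "object" if name in OBJECT_LEVEL else None
            if needed and needed not in covered:
                findings.append((stmt.get("Sid"), action))
    return findings

def buckets_missing_object_arn(policy):
    """Buckets named by a bucket ARN but never by the matching 'bucket/*' object ARN."""
    resources = {r for stmt in policy["Statement"] for r in stmt["Resource"]}
    return sorted(r.split(":::", 1)[-1] for r in resources
                  if _targets(r) == {"bucket"} and r + "/*" not in resources)

# Constructed sample: the page's policy shape, shortened, with a second bucket added.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::netsuite-assets", "arn:aws:s3:::netsuite-assets2"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:PutBucketCORS", "s3:GetBucketAcl"],
     "Resource": ["arn:aws:s3:::netsuite-assets/*"]},
]}
```

Run it over your own policy JSON after replacing the bucket names; an empty result from both functions means every listed action has a resource it can apply to and every bucket has both ARN forms.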

If your S3 bucket uses SSE-KMS (Server-Side Encryption with AWS Key Management Service) encryption, you will need to grant the IAM user used for eXtendFiles permission to generate data keys. Below is a sample permission JSON. Replace "KMS-KEY-ARN" with the ARN of your KMS key.
{
   "Sid": "AllowUseOfKMSKey",
   "Effect": "Allow",
   "Action": [
     "kms:GenerateDataKey"
   ],
   "Resource": "KMS-KEY-ARN"
}
Note that using SSE-KMS encryption removes the ability to permanently share files externally and that temporary access to files is only available using signed links.

2. Create IAM User

Follow Amazon's Create IAM Users documentation to create a new IAM user. When creating access keys for your user, use the "Third-party service" option:


3. Create IAM Role

To grant access to eXtendFiles using an AWS role Amazon Resource Name (ARN), first create an IAM role. Follow Amazon's IAM role creation documentation for guidance.

Create a role in your AWS account that trusts eXtendTech's Account. Add the following trust policy to your role: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::576320464346:role/extendFiles"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

4. Attach the IAM Policy

After creating your IAM policy and IAM user/role, attach the policy to the user/role according to your preferred configuration method.

NetSuite Configuration

The configuration steps below will be performed from within your NetSuite account.

  1. Go to eXtendTech → eXtendFiles → eXtendFiles Configuration.
  2. In Storage Settings → General, select the "Amazon S3" Storage Type.
  3. Define the fields below with the information from your S3 account.

| Field | Description |
| --- | --- |
| Primary Bucket | Specify the S3 bucket name where files will be stored. |
| AWS Region | Specify your S3 bucket's AWS Region. |
| Access Key ID | Enter the access key for your IAM User in S3. (If using IAM User) |
| Secret Access Key | Enter the secret access key for your IAM User in S3. (If using IAM User) |
| Role ARN | Enter the role ARN. (If using IAM Role) |
| Additional Buckets | Specify the names of any additional S3 buckets you want to use. These buckets can belong to different AWS Regions and need not be in the same AWS Region as the one specified in the AWS Region field. |

Note: Make sure the buckets specified are included in the IAM Policy created in the "AWS S3 Configuration" section above.
If you'd like to enable Direct Upload, see Configure eXtendFiles for Direct Upload to Amazon S3.

Common Configuration Errors

Frequently Asked Questions (FAQs)

Q: Which Amazon S3 Object Storage Classes are supported?
A: Currently, eXtendFiles supports the Amazon S3 Standard (S3 Standard) storage class.