Version: eXtendFiles 1.6.5 and above
Audience: NetSuite Administrator, AWS Administrator

Overview

To use eXtendFiles with Amazon S3, you must configure settings in both NetSuite and Amazon Web Services (AWS). This configuration requires a user with Administrator privileges in NetSuite and with Administrator access to AWS.

Configuration

AWS Configuration

To use Amazon S3 with eXtendFiles, you'll need to create an IAM User and an IAM Policy that grant access to your S3 bucket(s). You'll find a sample IAM Policy in the "1. Create IAM Policy" section below.

AWS Prerequisites

  • Ensure you have created an S3 bucket with the following settings:
    • Set "Object Ownership" to "ACLs enabled".
    • Uncheck all "block public access" options on the bucket. When you disable blocking public access keep in mind the following:
Image Placeholder
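With ACLs enabled and block public access turned off, whether a bucket or object is publicly reachable depends on its ACL grants (and any bucket policy). The following audit is an added example, not part of the original page or of eXtendFiles; it flags public grants in ACL documents shaped like the output of `aws s3api get-bucket-acl` and `get-object-acl`. The sample ACLs, object names and owner ID are constructed.

```python
import json

# Predefined S3 group grantees whose presence in an ACL makes a grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (audience, permission, severity) for each public grant in an ACL
    document shaped like the output of `aws s3api get-object-acl`."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            perm = grant.get("Permission")
            findings.append((audience, perm, "high" if perm in WRITE_LIKE else "review"))
    return findings


def audit(acls):
    """Map each bucket/object name to its public grants; private entries are omitted."""
    return {name: found for name, acl in acls.items() if (found := public_grants(acl))}


# Constructed sample ACLs (owner ID is a placeholder), not real bucket data.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"}
SAMPLE_ACLS = {
    "invoices/private.pdf": {"Grants": [OWNER]},
    "shared/brochure.pdf": {"Grants": [OWNER, {
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}]},
    "bucket:netsuite-assets": {"Grants": [OWNER, {
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
        "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACLS), indent=2))
```

A "review" finding is a public read that may be an intended share; a "high" finding lets the public group write or change ACLs.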

1. Create IAM Policy

Follow Amazon's Create Policies documentation to create a new IAM policy. Make sure to include the policy information below in your IAM policy:

The sample IAM policy below contains the sample bucket name "netsuite-assets" in THREE different places. Replace each occurrence of netsuite-assets with your bucket name.

Sample IAM Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObjectVersion",
                "s3:PutObjectVersionAcl",
                "s3:RestoreObject",
                "s3:GetObjectVersionAcl",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketTagging",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:GetBucketLogging",
                "s3:GetBucketCORS",
                "s3:PutBucketAcl",
                "s3:GetBucketVersioning",
                "s3:PutBucketCORS",
                "s3:GetBucketAcl",
                "s3:PutBucketVersioning"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets/*"
            ]
        }
    ]
}

If you are configuring multiple buckets, list each one in the "Resource" array using the format shown below (see netsuite-assets2 and netsuite-assets3), and add any further buckets in the same way.
            "Resource": [
                "arn:aws:s3:::netsuite-assets",
                "arn:aws:s3:::netsuite-assets2",
                "arn:aws:s3:::netsuite-assets3"
            ]
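Generating the policy from a bucket list avoids missing one of the three places or dropping a "/*" suffix when several buckets are involved. This is an added example, not code from the original page or from eXtendFiles; `build_policy` is a hypothetical helper, the bucket names are constructed, the name check is a simplified form of the S3 naming rules, and the embedded template is an abbreviated copy of the sample policy with one action per statement.

```python
import copy
import json
import re

SAMPLE_BUCKET = "netsuite-assets"  # bucket name used in the page's sample policy

# Abbreviated copy of the sample policy (one action per statement, for brevity);
# load the full sample policy JSON here when generating a real one.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["s3:GetBucketLocation"],
   "Resource": ["arn:aws:s3:::netsuite-assets"]},
  {"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": ["arn:aws:s3:::netsuite-assets/*"]},
  {"Sid": "VisualEditor2", "Effect": "Allow", "Action": ["s3:GetBucketCORS"],
   "Resource": ["arn:aws:s3:::netsuite-assets/*"]}
]}
""")

# Simplified naming check: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
SAMPLE_ARN = re.compile(r"^arn:aws:s3:::" + re.escape(SAMPLE_BUCKET) + r"(/.*)?$")


def build_policy(buckets, template=SAMPLE_POLICY):
    """Return (policy, replaced): the template with every sample-bucket ARN
    expanded to one ARN per bucket, and the number of Resource entries rewritten."""
    bad = [b for b in buckets if not BUCKET_NAME.match(b)]
    if not buckets or bad:
        raise ValueError(f"invalid bucket name(s): {bad or 'none given'}")
    policy, replaced = copy.deepcopy(template), 0
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        expanded = []
        for arn in [res] if isinstance(res, str) else res:
            m = SAMPLE_ARN.match(arn)
            if m:  # keep the "/*" object suffix when the sample ARN has one
                expanded += [f"arn:aws:s3:::{b}{m.group(1) or ''}" for b in buckets]
                replaced += 1
            else:
                expanded.append(arn)
        stmt["Resource"] = expanded
    if replaced != 3:  # the sample policy names the bucket in three places
        raise ValueError(f"expected 3 sample-bucket ARNs, rewrote {replaced}")
    return policy, replaced


if __name__ == "__main__":
    policy, _ = build_policy(["example-bucket-a", "example-bucket-b"])  # constructed names
    print(json.dumps(policy, indent=4))
```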

If your S3 bucket uses SSE-KMS (Server-Side Encryption with AWS Key Management Service) encryption, you must grant the IAM user used for eXtendFiles permission to generate data keys. Below is a sample permission statement in JSON. Replace "KMS-KEY-ARN" with the ARN of your KMS key.
{
   "Sid": "AllowUseOfKMSKey",
   "Effect": "Allow",
   "Action": [
     "kms:GenerateDataKey"
   ],
   "Resource": "KMS-KEY-ARN"
}
Note that using SSE-KMS encryption removes the ability to permanently share files externally and that temporary access to files is only available using signed links.

2. Create IAM User

Follow Amazon's Create IAM Users documentation to create a new IAM user. When creating access keys for your user, use the "Third-party service" option.

3. Attach the IAM Policy

After the creation of your IAM policy and IAM user, attach the policy to the user.

NetSuite Configuration

The configuration steps below will be performed from within your NetSuite account.

  1. Go to eXtendTech → eXtendFiles → Setup.
  2. Select the Amazon S3 sublist under the Storage Information subtab.
  3. Define the fields below with the information from your S3 account.

| FIELD | DESCRIPTION |
| --- | --- |
| S3 HOSTING TYPE | Select "Self". |
| BUCKET | Specify the S3 bucket name where files will be stored. |
| AWS REGION | Specify your bucket's AWS Region. |
| ADDITIONAL BUCKETS | Specify the names of any additional S3 buckets which you want to use. These buckets can belong to different AWS Regions and need not be in the same AWS Region as the one specified in the AWS Region field. Note: Make sure the buckets specified are included in the IAM Policy created in the "AWS S3 Configuration" section above. |
| AWS PUBLIC KEY | Specify the AWS Public Key for the IAM user designated to read/write on the specified bucket. |
| AWS SECRET KEY | Specify the AWS Secret Key for the IAM user designated to read/write on the specified bucket. |
| DIRECT UPLOADS TO S3 | Enable this preference if you want file uploads to route directly from the user's web browser into S3. This can increase upload performance. Note: Additional configuration is necessary in S3 prior to enabling this preference. See Configure eXtendFiles for Direct Upload to Amazon S3 prior to enablement. |

Common Configuration Errors