# IAM rules

## IAM policy configuration

To increase security and eliminate the use of access tokens, you can disable access/secret keys for your **AWS** buckets and integrate them via IAM rules instead. This approach has specific requirements: integrating a bucket using IAM rules involves creating an IAM policy accessible to **Amazon EC2** and designating an **EC2** instance that communicates directly with the bucket.

Since the **Xopero** machine template is <mark style="color:red;">**not available**</mark> in **EC2**, you must create an instance using a supported operating system and install the **Xopero** worker on it.

{% hint style="warning" %}
The cloud worker <mark style="color:red;">**cannot communicate**</mark> with the bucket via IAM rules by default.
{% endhint %}

Steps for an **AWS** administrator:

1. Create an IAM role accessible to **EC2**.
2. Add a policy to the created role.
3. Assign the role to the selected **EC2** instance.
4. Install the backup worker on the **EC2** instance.

{% code title="Policy" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::[bucket_name]",
        "arn:aws:s3:::[bucket_name]/*"
      ]
    }
  ]
}
```

{% endcode %}
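The following is an added example, not part of the Xopero documentation, that produces the two policy documents the steps above require (the EC2 trust policy for step 1 and the bucket policy for step 2, with `[bucket_name]` filled in) and checks that a bucket policy is scoped to a single bucket before it is attached. The bucket name `xopero-backups` and the `s3:*` default action are assumptions; the documents are plain JSON suitable for `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy --policy-document`.

```python
import json


def ec2_trust_policy() -> dict:
    """Trust policy for step 1: lets EC2 instances assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_policy(bucket: str, actions=("s3:*",)) -> dict:
    """Permission policy for step 2, shaped like the page's policy.
    `actions` defaults to the page's "s3:*"; pass a narrower tuple
    (e.g. s3:GetObject, s3:PutObject, s3:ListBucket) to restrict it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [
                f"arn:aws:s3:::{bucket}",      # the bucket itself (ListBucket)
                f"arn:aws:s3:::{bucket}/*",    # every object in the bucket
            ],
        }],
    }


def is_scoped_to(policy: dict, bucket: str) -> bool:
    """Return True only if every Allow statement's Resource is the given
    bucket or a key path inside it; a bare "*" or another bucket fails."""
    prefix = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        for r in [res] if isinstance(res, str) else res:
            if not (r == prefix or r.startswith(prefix + "/")):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: render both documents for an assumed bucket name.
    pol = bucket_policy("xopero-backups")
    assert is_scoped_to(pol, "xopero-backups")
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(pol, indent=2))
```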

***

## Enabling IAM authentication

In the **Xopero ONE Management Service** (**XMS**) admin panel, enable the **Use Amazon IAM** toggle and specify your **EC2** worker in the **Default worker** section at the bottom.

<figure><img src="https://319733277-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0CBTl43C3OO6ySL1DJ6k%2Fuploads%2FyGBGaVJ7lb4N6r9RN4Rz%2Fimage.png?alt=media&#x26;token=d91450aa-9b71-46d2-aab8-83551a4fde1b" alt=""><figcaption></figcaption></figure>

***

## Useful links and items

{% embed url="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" %}
