AWS S3 Setup for Custom Binary Backends
This comprehensive guide walks you through setting up Amazon S3 as a custom binary backend for Peridio, enabling you to store and distribute firmware binaries using your own AWS infrastructure.
Prerequisites
Before beginning the setup process, ensure you have:
- AWS Account with administrative access or sufficient IAM permissions
- Peridio Organization properly configured and active
- AWS CLI installed and configured (optional but recommended)
- Basic AWS Knowledge of S3, IAM, and resource management
- Billing Setup with appropriate cost monitoring in place
Step 1: S3 Bucket Configuration
Creating Your Storage Bucket
-
Navigate to S3 Console
- Log into AWS Console
- Go to S3 service dashboard
- Click "Create bucket"
-
Bucket Configuration
Bucket name: your-peridio-binaries-prod
AWS Region: us-west-2 (choose based on your needs)
Object Ownership: ACLs disabled (recommended)
Block Public Access: Keep all settings enabled
Bucket Versioning: Enable (recommended for backup)
Default Encryption: Enable with SSE-S3 -
Advanced Settings
- Lifecycle Management: Configure to transition old versions to cheaper storage
- Cross-Region Replication: Enable for disaster recovery if needed
- Monitoring: Enable CloudWatch metrics for operational visibility
Bucket Naming Best Practices
Choose a bucket name that:
- Is globally unique across all AWS accounts
- Follows your organization's naming conventions
- Indicates the purpose (e.g.,
companyname-peridio-firmware-prod
) - Includes environment designation (
prod
,staging
,dev
)
Example naming patterns:
acme-peridio-firmware-prod
acme-peridio-binaries-us-west-2
acme-iot-updates-production
Regional Considerations
Select your S3 region based on:
- Primary device locations - Choose regions closest to your device fleet
- Compliance requirements - Data residency and regulatory constraints
- Cost optimization - Regional pricing variations
- Disaster recovery - Secondary region availability
Popular region choices:
us-east-1
(N. Virginia) - Lowest cost, highest availabilityus-west-2
(Oregon) - Good balance of cost and performanceeu-west-1
(Ireland) - European data residencyap-southeast-1
(Singapore) - Asian Pacific coverage
Step 2: IAM Role Creation
Creating the Peridio Service Role
-
Navigate to IAM Console
- Go to IAM → Roles → Create role
-
Configure Trust Relationship
- Choose "AWS account" as trusted entity
- Select "This account" initially (we'll update this later)
- No conditions or external ID needed at this stage
-
Role Naming
Role name: PeridioBinaryBackendRole
Description: Allows Peridio to manage binaries in S3 bucket
Creating the IAM Policy
Create a custom policy with these permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3BucketAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*"]
},
{
"Sid": "S3BucketLocationAccess",
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:GetBucketVersioning"],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
]
}
Important Replacements:
- Replace
YOUR_BUCKET_NAME
with your actual bucket name - Attach this policy directly to your IAM role
Enhanced Security Considerations
For production environments, consider additional restrictions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3BucketAccessWithConditions",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
},
"StringLike": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:region:account:key/key-id"
}
}
}
]
}
This adds requirements for:
- Server-side encryption on all objects
- Specific KMS key usage for enhanced security
Step 3: Peridio Registration
Information Gathering
Before contacting Peridio support, collect:
Required Information:
Bucket Name: your-peridio-binaries-prod
AWS Region: us-west-2
Role ARN: arn:aws:iam::123456789012:role/PeridioBinaryBackendRole
Role Name: prod-binary-backend (max 10 characters)
Organization ID: Your Peridio organization identifier
Optional Information:
Secondary Region: us-east-1 (for disaster recovery)
Encryption Method: SSE-S3 or SSE-KMS
Lifecycle Policies: Enabled/Disabled
Versioning: Enabled/Disabled
Cross-Region Replication: Enabled/Disabled
Contacting Support
Reach out to Peridio support with:
Subject: Custom Binary Backend Setup - AWS S3 Message Template:
Hello Peridio Support Team,
I would like to set up a custom binary backend using AWS S3 for my organization.
Organization Details:
- Organization ID: [YOUR_ORG_ID]
- Primary Contact: [YOUR_EMAIL]
AWS Configuration:
- S3 Bucket Name: [BUCKET_NAME]
- AWS Region: [REGION]
- IAM Role ARN: [ROLE_ARN]
- Preferred Role Name: [SHORT_NAME] (max 10 chars)
Additional Requirements:
- CDN Integration: Yes/No
- Multi-region: Yes/No
- Expected Traffic: [ESTIMATE]
- Go-live Timeline: [DATE]
Please provide the trust policy configuration and next steps.
Best regards,
[YOUR_NAME]
Step 4: Trust Policy Configuration
Applying the Trust Policy
Once Peridio provides the trust policy, apply it to your IAM role:
Example Trust Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::PERIDIO_AWS_ACCOUNT:role/binary_backend_ORG_ID_ROLE_NAME"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_ORG_ID"
}
}
}
]
}
Verification Steps
-
Policy Validation
- Verify the trust policy is correctly applied
- Check that permission policies are attached
- Validate bucket ARNs match exactly
-
Connection Testing
- Peridio will test the connection during setup
- Monitor CloudTrail logs for successful AssumeRole calls
- Verify S3 access logs show expected activity
Step 5: Testing and Validation
Pre-Production Testing
Before going live, test your setup:
-
Upload Test
# Using AWS CLI to verify basic access
aws s3 cp test-file.bin s3://your-bucket-name/test/ -
Permission Verification
# Test all required operations
aws s3api list-objects-v2 --bucket your-bucket-name
aws s3api get-object --bucket your-bucket-name --key test/test-file.bin /tmp/download -
Cross-Region Testing (if applicable)
- Verify replication is working
- Test failover scenarios
- Validate latency from different regions
Monitoring Setup
Implement monitoring for:
CloudWatch Metrics:
NumberOfObjects
- Track storage growthBucketSizeBytes
- Monitor storage costsAllRequests
- Track usage patterns
CloudTrail Logging:
- API calls for audit trails
- AssumeRole events from Peridio
- Object access patterns
Custom Alerts:
{
"AlarmName": "PeridioS3-HighErrorRate",
"MetricName": "4xxErrors",
"Threshold": 10,
"ComparisonOperator": "GreaterThanThreshold",
"EvaluationPeriods": 2
}
Advanced Configuration
Lifecycle Management
Configure intelligent tiering for cost optimization:
{
"Rules": [
{
"ID": "PeridioFirmwareLifecycle",
"Status": "Enabled",
"Transitions": [
{
"Days": 30,
"StorageClass": "STANDARD_IA"
},
{
"Days": 90,
"StorageClass": "GLACIER"
},
{
"Days": 365,
"StorageClass": "DEEP_ARCHIVE"
}
]
}
]
}
Cross-Region Replication
For disaster recovery:
{
"Role": "arn:aws:iam::account:role/replication-role",
"Rules": [
{
"ID": "PeridioReplication",
"Status": "Enabled",
"Prefix": "",
"Destination": {
"Bucket": "arn:aws:s3:::backup-bucket-name",
"StorageClass": "STANDARD_IA"
}
}
]
}
Troubleshooting
Common Issues
Access Denied Errors:
- Verify IAM role ARN is correct
- Check trust policy external ID matches organization ID
- Ensure S3 bucket policy doesn't conflict
Slow Upload/Download:
- Check S3 Transfer Acceleration
- Verify regional proximity
- Consider multipart upload configuration
Cost Overruns:
- Review lifecycle policies
- Monitor request patterns
- Check for unnecessary GET operations
Debug Commands
# Test assume role capability
aws sts assume-role --role-arn YOUR_ROLE_ARN --role-session-name test
# Verify bucket permissions
aws s3api get-bucket-policy --bucket your-bucket-name
# Check encryption status
aws s3api get-bucket-encryption --bucket your-bucket-name
Security Best Practices
Regular Maintenance
- Quarterly access reviews - Verify role usage and permissions
- Annual key rotation - Rotate any associated KMS keys
- Security scanning - Use AWS Config for compliance checking
- Cost optimization - Regular reviews of lifecycle policies
Monitoring Security
- Set up GuardDuty for threat detection
- Enable VPC Flow Logs if using VPC endpoints
- Monitor unusual access patterns
- Implement automated responses to security events
Next Steps
With S3 configured, consider:
- CDN Integration - Set up CloudFront for global distribution
- Geographic Strategy - Plan your multi-region approach
- Cost Optimization - Implement cost management strategies
- Monitoring & Alerting - Set up comprehensive operational monitoring
Your S3 backend is now ready for integration with Peridio's device management platform!