---
title: Setting up an Amazon S3 deployment package store
description: Follow these procedures to create and configure an S3 bucket that you can publish deployment packages to from the Policy Editor.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_amazon_deployment_store_setup
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_amazon_deployment_store_setup.html
revdate: November 25, 2025
page_aliases: ["amazon_deployment_store_setup.adoc"]
section_ids:
  creating-an-s3-bucket: Creating an S3 bucket
  steps: Steps
  amazon_store_user_policy: Configuring the IAM user policy
  steps-2: Steps
  create_amazon_iam_user: Configuring the IAM user
  steps-3: Steps
---

# Setting up an Amazon S3 deployment package store

Create and configure an Amazon Simple Storage Service (S3) bucket to allow the PingAuthorize Server to periodically retrieve deployment packages from the Policy Editor.

|   |                                                                                                                                                                                    |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | To configure an end-to-end deployment package store in embedded policy decision point (PDP) mode, follow the steps in [Using the Deployment Manager](paz_deployment_manager.html). |

## Creating an S3 bucket

To store your deployment packages, create a new S3 bucket in the S3 dashboard of Amazon Web Services (AWS) Management Console.

### Steps

1. In the AWS Management Console, on the [S3 dashboard](https://s3.console.aws.amazon.com/s3/), click **Create bucket**.

   ![Screen capture of the AWS S3 Buckets page, with the Create bucket button highlighted](_images/paz_create_s3_bucket.png)

2. Configure the bucket.

   Learn more in [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS documentation.

## Configuring the IAM user policy

To manage your deployment package store, configure a new identity and access management (IAM) policy in the IAM dashboard of the AWS Management Console.

### Steps

1. In the AWS Management Console, on the [IAM dashboard](https://console.aws.amazon.com/iam/home), go to **Access Management > Policies** and click **Create policy**.

   ![Screen capture of the Policies page with the Create policy button in the IAM dashboard of AWS Management Console](_images/paz_create_aws_iam_policy.png)

2. In the **Policy editor** section, click the **JSON** tab and enter these permissions:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetObject",
                   "s3:ListBucket"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

   Replace the asterisk wildcard character (`*`) in the `Resource` element to restrict the access scope of the preceding policy.

   |   |                                                                                                                                                                                                                                                                                                                           |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can manage S3 bucket access in multiple ways, including IAM policies, S3 policies, or S3 access control lists (ACLs). We provide a working IAM policy example, but you should be aware of current AWS best practices, industry best practices, and your organization's conventions when configuring S3 bucket access. |

3. Click **Next**.

4. On the **Review and create** confirmation page, review your policy configuration and click **Create policy**.
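The following added example (not part of the PingAuthorize documentation) shows one way to narrow the `Resource` wildcard in the policy above to a single bucket, and audits a policy for the two usual scoping mistakes. The bucket name `example-paz-packages` and the optional `packages/` key prefix are hypothetical; `2012-10-17` is the current IAM policy language version.

```python
import json

BUCKET_ACTIONS = {"s3:ListBucket"}                 # matched against arn:aws:s3:::<bucket>
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}  # matched against arn:aws:s3:::<bucket>/<key>
BUCKET = "example-paz-packages"                    # hypothetical bucket name

def scoped_policy(bucket, prefix=""):
    """The page's three actions, limited to one bucket and an optional key prefix."""
    arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS), "Resource": arn}
    if prefix:
        # ListBucket is a bucket-level action, so a prefix is enforced by a condition.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}
    obj_stmt = {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
                "Resource": f"{arn}/{prefix}*"}
    return {"Version": "2012-10-17", "Statement": [list_stmt, obj_stmt]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, bucket):
    """Return findings for Allow statements that reach beyond `bucket` or can never match."""
    arn, out = f"arn:aws:s3:::{bucket}", []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = set(as_list(stmt["Action"])), as_list(stmt["Resource"])
        wide = [r for r in resources if r != arn and not r.startswith(arn + "/")]
        out += [f"statement {i}: Resource {r!r} reaches beyond {arn}" for r in wide]
        if wide:
            continue
        if actions & BUCKET_ACTIONS and arn not in resources:
            out.append(f"statement {i}: s3:ListBucket needs the bucket ARN {arn}")
        if actions & OBJECT_ACTIONS and not any(r.startswith(arn + "/") for r in resources):
            out.append(f"statement {i}: object actions need {arn}/<key> ARNs")
    return out

# Constructed samples: the page's policy as published, and a common near-miss
# where only the object ARN is listed, so s3:ListBucket silently never applies.
ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
PAGE_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": "*"}]}
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ACTIONS, "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    print(json.dumps(scoped_policy(BUCKET, "packages/"), indent=4))
    print(audit(PAGE_POLICY, BUCKET))
    print(audit(OBJECTS_ONLY, BUCKET))
```

Paste the printed JSON into the **JSON** tab in place of the wildcard policy after substituting your own bucket name.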

## Configuring the IAM user

To publish to your AWS deployment package store from the Policy Editor, configure a new IAM user to access the S3 bucket in accordance with the policy that you created in [Configuring the IAM user policy](#amazon_store_user_policy).

### Steps

1. In the AWS Management Console, on the [IAM dashboard](https://console.aws.amazon.com/iam/home), go to **Access Management > Users** and click **Create user**.

   ![Screen capture of the Users page with the Add users button in the IAM dashboard of AWS Management Console](_images/mzn1666656830575.png)

2. Define a username and click **Next**.

3. On the **Set permissions** page, select **Attach policies directly**, and then select the policy you created in [Configuring the IAM user policy](#amazon_store_user_policy).

   1. (Optional) Select **Create policy** to configure a different user policy.

4. Click **Next**.

5. On the **Review and create** confirmation page, review your configurations and click **Create user** to create the IAM user.

6. On the **Users** page, search for and click on the newly created user.

7. On the **Security credentials** tab, in the **Access keys** section, click **Create access key**.

8. Click **Application running outside AWS**. Click **Next**.

9. (Optional) In the **Description tag value** field, enter a description for the access key and click **Create access key**.

10. Copy both the **Access key ID** and **Secret access key** values to a secure location. Click **Done**.

    These values will be used when configuring connections to the Policy Editor and PingAuthorize server.

    |   |                                                      |
    | - | ---------------------------------------------------- |
    |   | You can't recover these credentials at a later time. |
