
Amazon Web Services

ElemBio Cloud integrates with AWS as a cloud service provider. The AWS provider supports storage connections, compute activities, verified flows, and data browsing and file download.

The AWS provider supports multiple options for analysis.

Provider Requirements

An AWS provider must have access to an AWS account. To use ElemBio Cloud features, the account must include the following components:

  • An AWS Simple Storage Service (S3) bucket: The bucket stores files output from runs and analysis executions.
  • An Identity and Access Management (IAM) role or an IAM user: The IAM role or user is necessary to authorize ElemBio Cloud activities. AWS generates the temporary credentials for ElemBio Cloud through the IAM role or user.
  • An IAM policy: The policy defines the permissions that the temporary credentials grant for ElemBio Cloud activities. You must attach the IAM policy to your IAM role or user.
Tip:

For stronger security, use an IAM role.

Creating an AWS S3 Bucket

An AWS S3 bucket serves as the input and output for run and analysis activities and enables you to stream run data off the instrument. When setting up an AWS S3 bucket, Element recommends the following settings:

  • ACLs disabled
  • Public access blocked
  • Default encryption enabled

Consult your IT representative to confirm the appropriate settings for your lab and determine appropriate encryption. Default encryption protects the run, which includes genomic data. Bucket versioning and tags are not necessary for uploading runs. You cannot rename buckets. Selecting a region close to you increases the data transfer speed.

For more information on setting up an AWS S3 bucket, see Create Bucket Overview in the AWS Documentation.
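The following script is an added example (not Element's own tooling, and not part of the original page) that checks a bucket against the three recommended settings above. Its inputs are the JSON documents returned by `aws s3api get-bucket-ownership-controls`, `get-public-access-block` and `get-bucket-encryption --bucket NAME`; the sample responses embedded below are constructed, and the KMS alias in them is a placeholder.

```python
"""Audit a bucket against the three settings the page recommends:
ACLs disabled, public access blocked, default encryption enabled.
Added example, not Element's tooling; the sample responses are constructed."""
from typing import List, Optional

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(ownership: dict, public_access_block: dict,
                 encryption: Optional[dict]) -> List[str]:
    """Return a list of findings; an empty list means all three recommendations hold."""
    findings = []

    # "ACLs disabled" is the BucketOwnerEnforced object-ownership setting:
    # S3 ignores every ACL and the bucket owner owns every object.
    rules = ownership.get("OwnershipControls", {}).get("Rules", [])
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules):
        findings.append("ACLs still in effect: ObjectOwnership is not BucketOwnerEnforced")

    # "Public access blocked" means all four Block Public Access flags are on.
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_FLAGS:
        if not cfg.get(flag, False):
            findings.append(f"public access not fully blocked: {flag} is off")

    # "Default encryption enabled": at least one server-side encryption rule
    # must exist. get-bucket-encryption fails with
    # ServerSideEncryptionConfigurationNotFoundError on buckets that have no
    # configuration at all; pass None for that case.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules]
    if not any(algorithms):
        findings.append("default encryption is not configured")
    return findings


# Constructed sample responses (not from a real account; the KMS alias is a placeholder).
SAMPLE_GOOD = (
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    {"PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS}},
    {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/elembio-runs"}}]}},
)
SAMPLE_BAD = (
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    None,
)

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_bucket(*sample) or "OK")
```

Feed the script the output of the three `aws s3api get-*` calls for your real bucket (with `--output json`) to confirm the settings after you create it; a non-empty findings list is the setting to go back and fix.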

Creating an IAM Role

As a more secure alternative to the IAM user, the IAM role provides the credentials and permissions that ElemBio Cloud uses to transfer data to the AWS S3 bucket. ElemBio Cloud assumes the role from Element's AWS account and receives short-lived credentials, so you never create or hand over a long-term access key.

  • Give the IAM role a name that clearly indicates that it is used by Element instruments, such as Element-ServiceUser.
  • When associating the IAM role with an IAM policy, make sure to select the policy you created for ElemBio Cloud.
  • Set up the role for a trusted entity of type AWS account and enter the account ID 588258415937.
  • Select the option to require an external ID, and then enter an ID of your choice. The external ID can include alphanumeric characters and the special characters @:,=-./_. Spaces are not permitted. The external ID is a confused-deputy safeguard: AWS rejects any attempt to assume the role from the trusted account that does not present the same value, so ElemBio Cloud must present it when it assumes the role. Record it for the provider setup.
  • After creating the IAM role, use the AWS Console or the following AWS CLI command to set a maximum session duration of 12 hours (43,200 seconds). Replace {RoleName} with the name of the IAM role.
aws iam update-role --role-name {RoleName} --max-session-duration 43200
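The steps above, carried out from a script, as an added example that is not Element's own tooling or part of the original page. It builds the same trust policy the console generates when you choose an AWS account as the trusted entity and require an external ID, validates the external ID against the character set given above, and prints the AWS CLI commands that create the role, attach your policy, and set the session duration. The trusted account ID comes from this page; the role name, policy ARN and external ID are placeholders to replace.

```python
"""Build the ElemBio Cloud IAM role trust policy and the AWS CLI commands
that create the role. Added example, not Element's tooling."""
import json
import re
import shlex
from typing import List

TRUSTED_ACCOUNT = "588258415937"   # Element's account, as given on this page
MAX_SESSION_SECONDS = 43200        # 12 hours, as given on this page
# Character set the page permits for the external ID (no spaces).
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9@:,=\-./_]+$")


def validate_external_id(external_id: str) -> bool:
    """True when the external ID is non-empty and uses only permitted characters."""
    return EXTERNAL_ID_RE.fullmatch(external_id) is not None


def build_trust_policy(external_id: str) -> dict:
    """Trust policy: only the trusted account may assume the role, and only when
    the AssumeRole call carries the agreed external ID (confused-deputy guard)."""
    if not validate_external_id(external_id):
        raise ValueError("external ID contains characters the page does not permit")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def cli_commands(role_name: str, policy_arn: str, external_id: str) -> List[str]:
    """The three AWS CLI calls that implement the role-creation steps, in order."""
    trust = json.dumps(build_trust_policy(external_id))
    return [
        f"aws iam create-role --role-name {shlex.quote(role_name)} "
        f"--assume-role-policy-document {shlex.quote(trust)}",
        f"aws iam attach-role-policy --role-name {shlex.quote(role_name)} "
        f"--policy-arn {shlex.quote(policy_arn)}",
        f"aws iam update-role --role-name {shlex.quote(role_name)} "
        f"--max-session-duration {MAX_SESSION_SECONDS}",
    ]


if __name__ == "__main__":
    # Placeholder values (hypothetical); replace them before running the output.
    for cmd in cli_commands("Element-ServiceUser",
                            "arn:aws:iam::123456789012:policy/ElemBioCloudAccess",
                            "elembio-lab-01"):
        print(cmd)
```

Run the script and paste the three printed commands into a shell with credentials for your own account; the policy ARN must be the policy you created in Creating an IAM Policy below.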

For more information on IAM roles, see Creating an IAM Role in the AWS Documentation.

Creating an IAM User

Creating the IAM user enables the creation of Access Key and Secret Key credentials. The credentials grant ElemBio Cloud access to the AWS S3 bucket as the associated IAM policy permits. Unlike a role, these are long-term credentials, so store them securely and rotate them according to your organization's policy.

  • Give the IAM user a name that is clearly associated with Element instruments, such as Element-ServiceUser.
  • When associating the IAM user with an IAM policy, select the policy you created for ElemBio Cloud.
  • Leave the option for AWS Management Console access unselected; the user only needs programmatic access.
  • When you create the access key, select third-party service for the access key use case. Copy the access key and secret key to use when adding the storage connection.

For more information on IAM users, see Creating IAM Users in the AWS Documentation.

Creating an IAM Policy

Use one of the following JSON policy templates to create the IAM policy for an IAM role or an IAM user. The templates include both required and optional permissions that the temporary credentials grant to ElemBio Cloud. To limit the permissions of the IAM policy, update the template for your bucket and your planned activities in ElemBio Cloud.

For more information on JSON policies in AWS, see Creating IAM Policies in the AWS Documentation.

JSON Policy Templates

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ObjectWrite",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "S3ObjectRead",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "S3ObjectListing",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Sid": "S3BucketLevelOperations",
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Sid": "STSOperations",
      "Effect": "Allow",
      "Action": ["sts:GetCallerIdentity"],
      "Resource": "*"
    },
    {
      "Sid": "OmicsOperations",
      "Effect": "Allow",
      "Action": ["omics:GetWorkflow", "omics:StartRun", "omics:GetRun"],
      "Resource": "*"
    },
    {
      "Sid": "OmicsPassRole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "omics.amazonaws.com"
        }
      }
    }
  ]
}

Update the JSON Policy Template

  1. Copy the template policy into the JSON section when creating an IAM policy.
  2. In all "Resource" sections, replace BUCKET_NAME with your bucket name. Keep the /* after the bucket name for the S3ObjectWrite and S3ObjectRead permissions; it scopes those actions to the objects in the bucket, whereas the S3ObjectListing and S3BucketLevelOperations permissions apply to the bucket itself.
  3. If your bucket uses a prefix, make the following additional updates to the policy:
    1. For the S3ObjectWrite and S3ObjectRead permissions, add the prefix to the bucket name in both "Resource" sections, as in the following example:
        "Resource": "arn:aws:s3:::BUCKET_NAME/OPTIONAL_PREFIX/*"
    2. After the "Resource" for the S3ObjectListing permission, add a comma and the following "Condition" so that listing is limited to keys under the prefix. Replace OPTIONAL_PREFIX with the prefix.
        "Condition": {
          "StringLike": {
            "s3:prefix": [
              "OPTIONAL_PREFIX/*"
            ]
          }
        }
  4. If you use an IAM user rather than an IAM role, add "sts:GetFederationToken" to the "Action" list of the STSOperations permission. The template omits it because it applies only to IAM user credentials; see the permissions table.
  5. If you do not want to include optional permissions (the OmicsOperations and OmicsPassRole statements, and S3ObjectRead if you do not need file downloads), remove them from the template.
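The edits above, applied programmatically, as an added example that is not Element's own tooling or part of the original page. It generates the policy from the template for a given bucket and optional prefix, adds the prefix condition to the listing statement, adds sts:GetFederationToken only for the IAM user case, drops the HealthOmics statements unless requested, and lints the result to catch an s3 statement whose resource is not confined to the intended bucket (a typo or a stray "*"). Bucket and prefix names are placeholders.

```python
"""Generate the ElemBio Cloud IAM permissions policy from the page's template,
scoped to one bucket and optional prefix. Added example, not Element's tooling."""
import json
from typing import List


def build_policy(bucket: str, prefix: str = "", iam_user: bool = False,
                 healthomics: bool = False) -> dict:
    """Return the policy document as a dict (json.dumps it for the console/CLI)."""
    prefix = prefix.strip("/")   # "runs/" and "/runs" both mean the key prefix "runs"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"

    listing = {"Sid": "S3ObjectListing", "Effect": "Allow",
               "Action": ["s3:ListBucket"], "Resource": bucket_arn}
    if prefix:
        # ListBucket is a bucket-level action, so the prefix is enforced through
        # the s3:prefix condition key rather than through the Resource ARN.
        listing["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}

    sts_actions = ["sts:GetCallerIdentity"]
    if iam_user:
        # Required for IAM user credentials (see the permissions table);
        # not needed for a role, which already yields temporary credentials.
        sts_actions.append("sts:GetFederationToken")

    statements = [
        {"Sid": "S3ObjectWrite", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": objects_arn},
        {"Sid": "S3ObjectRead", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": objects_arn},
        listing,
        {"Sid": "S3BucketLevelOperations", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation"], "Resource": bucket_arn},
        {"Sid": "STSOperations", "Effect": "Allow",
         "Action": sts_actions, "Resource": "*"},
    ]
    if healthomics:
        statements += [
            {"Sid": "OmicsOperations", "Effect": "Allow",
             "Action": ["omics:GetWorkflow", "omics:StartRun", "omics:GetRun"],
             "Resource": "*"},
            {"Sid": "OmicsPassRole", "Effect": "Allow",
             "Action": ["iam:PassRole"], "Resource": "*",
             "Condition": {"StringEquals": {"iam:PassedToService": "omics.amazonaws.com"}}},
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def check_scoped(policy: dict, bucket: str) -> List[str]:
    """Lint: report every s3 statement whose Resource reaches outside `bucket`."""
    problems = []
    for st in policy["Statement"]:
        if not any(a.startswith("s3:") for a in st["Action"]):
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            if r != f"arn:aws:s3:::{bucket}" and not r.startswith(f"arn:aws:s3:::{bucket}/"):
                problems.append(f"{st['Sid']}: {r}")
    return problems


if __name__ == "__main__":
    # Placeholder bucket and prefix (hypothetical).
    policy = build_policy("my-elembio-bucket", prefix="runs", iam_user=False, healthomics=True)
    assert check_scoped(policy, "my-elembio-bucket") == []
    print(json.dumps(policy, indent=2))
```

Save the printed JSON to a file and pass it with `--policy-document file://policy.json` to `aws iam create-policy`, or paste it into the JSON editor in the console.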

JSON Policy Permissions

Each permission in the template, whether it is required or optional, what it is used for, and which ElemBio Cloud activity needs it:

  • s3:GetBucketLocation (Required): Determines the region where the bucket resides. Needed for data uploads from an instrument.
  • s3:GetObject (Optional): Allows retrieval of objects when browsing data. Needed for presigned-URL file downloads from data browsing in ElemBio Cloud.
  • s3:ListBucket (Required): Lists objects in the bucket as needed by the upload mechanism. Needed for data uploads from an instrument and for data browsing in ElemBio Cloud.
  • s3:PutObject (Required): Performs single and multipart uploads. Needed for data uploads from an instrument.
  • sts:GetCallerIdentity (Required): Verifies the credentials by resolving the current user or role name. Needed for data uploads from an instrument.
  • sts:GetFederationToken (Required for an IAM user only; not in the template): Allows the creation of limited temporary credentials from an IAM user's long-term key. Needed for data uploads from an instrument and for creating temporary credentials for the AWS CLI.
  • omics:GetWorkflow (Optional): Retrieves the details of a HealthOmics Ready2Run workflow. Needed to create and use an AWS HealthOmics verified Bases2Fastq flow.
  • omics:StartRun (Optional): Starts a HealthOmics Ready2Run workflow. Needed to create and use an AWS HealthOmics verified Bases2Fastq flow.
  • omics:GetRun (Optional): Retrieves the details of a HealthOmics run. Needed to create and use an AWS HealthOmics verified Bases2Fastq flow.
  • iam:PassRole (Optional): Passes the execution role to the HealthOmics Ready2Run workflow so that the run has execution permissions; the template's Condition limits this to roles passed to omics.amazonaws.com. Needed to create and use an AWS HealthOmics verified Bases2Fastq flow.
NOTE

Using an IAM user requires the sts:GetFederationToken permission as a security measure: ElemBio Cloud uses it to obtain limited temporary credentials from the user's long-term access key instead of using the access key directly for uploads. Add it to the STSOperations statement of the template when you create the policy for an IAM user.

Add an AWS Provider

  1. Review the requirements for an AWS provider.
  2. On the Providers page, select Amazon Web Services.
  3. Enter a unique name.
  4. In the Region drop-down menu, select the region associated with the bucket. If you do not see the region you need, contact Element Technical Support.
  5. Select the applicable credential type: the IAM role ARN together with its external ID, or the IAM user's access key and secret key.
  6. Select Save.

Amazon HealthOmics Requirements

A verified flow that uses Amazon HealthOmics requires additional components beyond the AWS Provider requirements.

  • The IAM policy associated with the IAM role or user for the provider must include all optional policy permissions for Amazon HealthOmics.
  • You must create an execution role, a separate IAM role.
    • The execution role uses a different IAM policy than the policy for the provider.
    • In addition to the permissions policy, the execution role uses a trust relationship policy.

Creating an Execution Role

To integrate a verified flow with Amazon HealthOmics, you must create an additional IAM role known as the service role or execution role. When setting up a verified flow, enter the ARN for the execution role.

While creating the execution role, complete the following requirements:

  • Associate the execution role with the following IAM policy. Replace BUCKET_NAME with your bucket name. The cloudwatch:* and logs:* actions on all resources are broader than the workflow strictly needs; narrow them if your organization's policy requires it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LogsAndECR",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "ecr:GetDownloadUrlForLayer",
        "logs:*",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObjectAcl"
      ],
      "Resource": ["arn:aws:s3:::BUCKET_NAME/*", "arn:aws:s3:::BUCKET_NAME"]
    }
  ]
}
  • Associate the execution role with the following trust relationship policy. It allows only the HealthOmics service principal to assume the role; do not add the provider role or user as a principal here.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "omics.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}