TrueFoundry supports integrating with multiple AWS services like S3, ECR, SSM, EKS etc. To integrate any of the above services, you simply need to add your AWS account as a provider account and add integrations for the same as shown below:
Share access with users, teams or everyone in your TrueFoundry account As shown in the previous slides, you can share access of each integration with users, teams or everyone in your TrueFoundry account. This would allow them to view and use the integration. Only tenant-admins can edit the integrations. Generate Access Key or Assumed Role You might have the IAM role for TrueFoundry already created with the name - tfy-<short-region-name>-<name>-platform-role-<xxxyyyzzz>, if not then create a new one as explained below. You can add the required permissions to that role. Please refer to the next sections for the permissions required for each integration. You can also create a user with the required permissions, generate an access key and secret key to add integration. Create an IAM role with assume role The role should have following trust policy added. 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
To create this IAM role, you must first save this trust policy in your local system as a JSON file. You can then use the following commands to create the role. 
aws iam create-role --role-name {{tfy-<short-region-name
  >-<name
    >-platform-role-<xxxyyyzzz
      >}} --assume-role-policy-document {{JSON_FILE_FULL_PATH}}</xxxyyyzzz
    ></name
  ></short-region-name
>

Policies required for S3 Integration

[Pre-requisite] Create a S3 Bucket with following config
  1. Make sure the bucket has lifecycle configuration to abort multipart upload set for 7 days.
  2. Make sure CORS is applied on the bucket with the below configuration:
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "POST", "PUT"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3000
  }
]
Required Policies 
{
  "Sid": "S3",
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": [
    "arn:aws:s3:::<YOUR_S3_BUCKET_NAME>",
    "arn:aws:s3:::<YOUR_S3_BUCKET_NAME>/*"
  ]
}

Policies required for ECR Integration

[
  {
    "Sid": "ECR",
    "Effect": "Allow",
    "Action": [
      "ecr:GetRegistryPolicy",
      "ecr:DescribeImageScanFindings",
      "ecr:GetLifecyclePolicyPreview",
      "ecr:CreateRepository",
      "ecr:GetDownloadUrlForLayer",
      "ecr:DescribeImageReplicationStatus",
      "ecr:ListTagsForResource",
      "ecr:BatchGetRepositoryScanningConfiguration",
      "ecr:GetRegistryScanningConfiguration",
      "ecr:PutImage",
      "ecr:BatchGetImage",
      "ecr:DescribeRepositories",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetRepositoryPolicy",
      "ecr:GetLifecyclePolicy",
      "ecr:ListImages",
      "ecr:InitiateLayerUpload",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeImages",
      "ecr:DeleteRepository",
      "ecr:UploadLayerPart"
    ],
    "Resource": ["arn:aws:ecr:AWS_REGION:ACCOUNT_ID:repository/tfy-*"]
  },
  {
    "Sid": "ECR",
    "Effect": "Allow",
    "Action": [
      "ecr:DescribeRegistry",
      "ecr:GetAuthorizationToken",
      "sts:GetServiceBearerToken"
    ],
    "Resource": ["*"]
  }
]

Policies required for SSM Integration

{
  "Sid": "SSM",
  "Effect": "Allow",
  "Action": [
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:PutParameter",
    "ssm:DeleteParameter",
    "ssm:DeleteParameters",
    "ssm:GetParameterHistory"
  ],
  "Resource": ["arn:aws:ssm:AWS_REGION:ACCOUNT_ID:parameter/tfy-secret/*"]
}

Policies required for Bedrock Integration

The following policy grants permission to invoke any foundation model available on Bedrock in your available regions (To check the list of available regions for different models, refer to AWS Bedrock). You can configure Resource list to control which models can be accessed through the AI Gateway. 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "InvokeAllModels",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": ["arn:aws:bedrock:*::foundation-model/*"]
    }
  ]
}