docs: update the aksk guide and the sse-cmk guide

Author: YikaiHu

docs/IAM-Policy.md

@@ -0,0 +1,77 @@
+[中文](./IAM-Policy_CN.md)
+
+# Set up Credential for Amazon S3
+
+- ## Step 1: Create IAM Policy
+
+Open AWS Management Console, Go to IAM > Policy, click **Create Policy**
+
+Create a policy using below example IAM policy statement with minimum permissions. Change the `<your-bucket-name>` in the policy statement accordingly. 
+
+_Note_: If it's for S3 buckets in China regions, please make sure you also change to use `arn:aws-cn:s3:::` instead of `arn:aws:s3:::`
+
+- ### For Source Bucket
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "dth",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource":[
+                "arn:aws:s3:::<your-bucket-name>/*",
+                "arn:aws:s3:::<your-bucket-name>"
+            ]
+        }
+    ]
+}
+```
+
+
+- ### For Desination Bucket
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "dth",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:PutObjectAcl",
+                "s3:AbortMultipartUpload",
+                "s3:ListBucketMultipartUploads",
+                "s3:ListMultipartUploadParts"
+            ],
+            "Resource": [
+                "arn:aws:s3:::<your-bucket-name>/*",
+                "arn:aws:s3:::<your-bucket-name>"
+            ]
+        }
+    ]
+}
+```
+
+> Note that if you want to enable S3 Delete Event, you will need to add `"s3:DeleteObject"` permission to the policy.
+
+> Data Transfer Hub native support the S3 source bucket enabled SSE-S3 and SSE-KMS, but if your source bucket enabled *SSE-CMK*, please replace the source bucket policy with the policy in the link [for S3 SSE-KMS](./S3-SSE-KMS-Policy.md).
+
+- ## Step 2: Create User
+
+Open AWS Management Console, Go to IAM > User, click **Add User**, follow the wizard to create the user with credential.
+
+1. Specify a user name, for example *dth-user*. And for Accesss Type, select **Programmatic access** only. Click **Next: Permissions**
+1. Select **Attach existing policies directly**, search and use the policy created in Step 1, and click **Next: Tags**
+1. Add tags if needed, click **Next: Review**
+1. Review the user details, and Click **Create User**
+1. Make sure you copied/saved the credential, and then click **Close**
+
+![Create User](./images/tutortial/IAM-Policy/user.png)

docs/IAM-Policy_CN.md

@@ -0,0 +1,79 @@
+[English](./IAM-Policy.md)
+
+# 为 Amazon S3 设置凭证
+
+- ## Step 1: 创建 IAM Policy
+
+打开 AWS 管理控制台，转到 IAM > 策略，单击 **Create Policy**
+
+Create a policy using below example IAM policy statement with minimum permissions. Change the `<your-bucket-name>` in the policy statement accordingly. 
+
+使用以下示例 IAM 策略语句以最低权限创建策略。 请相应地更改策略声明中的 `<your-bucket-name>`。
+
+_Note_: 如果是针对中国地区的 S3 存储桶，请确保您更改为使用 `arn:aws-cn:s3::::` 而不是 `arn:aws:s3:::`
+
+- ### 对于源存储桶
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "dth",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource":[
+                "arn:aws:s3:::<your-bucket-name>/*",
+                "arn:aws:s3:::<your-bucket-name>"
+            ]
+        }
+    ]
+}
+```
+
+
+- ### 对于目标存储桶
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "dth",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:PutObjectAcl",
+                "s3:AbortMultipartUpload",
+                "s3:ListBucketMultipartUploads",
+                "s3:ListMultipartUploadParts"
+            ],
+            "Resource": [
+                "arn:aws:s3:::<your-bucket-name>/*",
+                "arn:aws:s3:::<your-bucket-name>"
+            ]
+        }
+    ]
+}
+```
+
+> 请注意，如果要启用 S3 删除事件，则需要向策略添加 `"s3:DeleteObject"` 权限。
+
+> Data Transfer Hub 原生支持使用 SSE-S3 和 SSE-KMS 的数据源，但如果您的源存储桶启用了 *SSE-CMK*，请将源存储桶策略替换为链接 [for S3 SSE-CMK](./S3-SSE-KMS-Policy_CN.md)中的策略。
+
+- ## Step 2: 创建 User
+
+打开 AWS 管理控制台，转至 IAM > 用户，单击 **添加用户**，按照向导创建具有凭证的用户。
+
+1. 指定用户名，例如 *dth-user*。 对于 Accesss Type，仅选择 **Programmatic access**。 单击**下一步：权限**
+1. 选择**直接附加现有策略**，搜索并使用在步骤 1 中创建的策略，然后单击**下一步：标签**
+1. 如果需要，添加标签，单击**下一步：Review**
+1. 查看用户详细信息，然后单击**创建用户**
+1. 确保您复制/保存了凭据，然后单击**关闭**
+
+![Create User](./images/tutortial/IAM-Policy/user.png)

docs/S3-SSE-KMS-Policy.md

@@ -0,0 +1,45 @@
+[中文](./S3-SSE-KMS-Policy_CN.md)
+
+# Policy for S3 Source Bucket enabled SSE-CMK
+
+Data Transfer Hub native support data source using SSE-S3 and SSE-KMS, if your source bucket enabled *SSE-CMK*, please replace the source bucket policy with the following policy, change the `<your-bucket-name>` in the policy statement accordingly. 
+
+And please change the `Resource` in kms part to your own kms key's arn.
+
+_Note_: If it's for S3 buckets in China regions, please make sure you also change to use `arn:aws-cn:s3:::` instead of `arn:aws:s3:::`
+
+- ### For Source Bucket enabled SSE-CMK
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "dth",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::<your-bucket-name>/*",
+                "arn:aws:s3:::<your-bucket-name>"
+            ]
+        },
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey"
+            ],
+            "Resource": [
+                "arn:aws:kms:us-west-2:123456789012:key/f5cd8cb7-476c-4322-ac9b-0c94a687700d <Please replace to your own KMS key arn>"
+            ]
+        }
+    ]
+}
+```

docs/S3-SSE-KMS-Policy_CN.md

@@ -0,0 +1,45 @@
+[English](./S3-SSE-KMS-Policy.md)
+
+# S3 源存储桶启用 SSE-CMK 的策略
+
+Data Transfer Hub 原生支持使用 SSE-S3 和 SSE-KMS 的数据源，但如果您的源存储桶启用了 *SSE-CMK*，请将源存储桶策略替换为以下策略，并更改`<your-bucket-name>` 为相应的桶名称。
+
+并且请将 kms 部分中的 `Resource` 更改为您自己的 KMS 密钥的 arn。
+
+_注意_：如果是针对中国地区的 S3 存储桶，请确保您也更改为使用 `arn:aws-cn:s3:::` 而不是 `arn:aws:s3:::`
+
+- ### 对于启用SSE-CMK的源存储桶
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "dth",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::<your-bucket-name>/*",
+                "arn:aws:s3:::<your-bucket-name>"
+            ]
+        },
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey"
+            ],
+            "Resource": [
+                "arn:aws:kms:us-west-2:123456789012:key/f5cd8cb7-476c-4322-ac9b-0c94a687700d <Please replace to your own KMS key arn>"
+            ]
+        }
+    ]
+}
+```

docs/UserManual.md

@@ -26,6 +26,10 @@ S3 Replication Task supports the following sources:
 
 The S3 Plugin uses credentials to replicate data from Amazon S3 in another partition or other cloud providers. Store your credentials in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).
 
+
+### Create Credentials
+Please refer to the [DTH S3 Credential Setup Guide](./IAM-Policy.md).
+
 ### Configure Credentials
 
 1. Open **[Secrets Manager](https://console.aws.amazon.com/secretsmanager/home#)** console

docs/UserManual_CN.md

@@ -25,6 +25,9 @@ S3复制任务支持以下数据源：
 
 S3插件使用凭证从AWS另一个区的Amazon S3或其他云提供商中复制数据。 您的凭据将存储在 [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).
 
+### 创建凭证
+请参考 [DTH S3 凭证设置教程](./IAM-Policy_CN.md).
+
 ### 配置凭证
 
 1. 打开 **[Secrets Manager](https://console.aws.amazon.com/secretsmanager/home#)** 控制台