diff --git a/crowdsec-docs/docs/log_processor/data_sources/s3.md b/crowdsec-docs/docs/log_processor/data_sources/s3.md
index 99a58a50..8b0772ae 100644
--- a/crowdsec-docs/docs/log_processor/data_sources/s3.md
+++ b/crowdsec-docs/docs/log_processor/data_sources/s3.md
@@ -134,3 +134,40 @@ crowdsec -type syslog -dsn s3://my_bucket/my_prefix/foo.log?log_level=debug
 ```
 
 AWS SDK behaviour can be configured with the standard AWS environment variables.
+
+
+## IAM Permissions
+
+Because the component needs to interact with AWS resources, it need the proper permissions.
+
+Here is the set of required permissions:
+```json
+{
+    "Statement": [
+        {
+            "Action": [
+                "sqs:ReceiveMessage",
+                "sqs:DeleteMessage",
+                "sqs:GetQueueAttributes",
+                "sqs:GetQueueUrl",
+                "sqs:ListDeadLetterSourceQueues",
+                "sqs:ListQueues"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:sqs:::test-sqs-s3-acquis"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:DescribeJob",
+                "s3:Get*",
+                "s3:List*"
+            ],
+            "Resource": "arn:aws:s3:::my_bucket:*"
+        }
+    ],
+    "Version": "2012-10-17"
+}
+```
+
+For the permissions, we recommend to restrict the S3 permissions to read only operations, to avoid the ability to destroy logs from the CrowdSec agent. If you are using S3 polling, the SQS part of the permissions can be omitted.