The IAM role provided in the CloudFormation form must have read and write permissions on the S3 bucket and S3 path specified in the same form, where all data created by the Indexima engine is stored.
This IAM role does not need access to any other S3 bucket, so it is recommended that you provide an IAM role that has no permission to access other buckets.
Please refer to this guide for security best practices in IAM.
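The following is an added example, not part of the Indexima documentation or templates: it builds an IAM policy limited to one bucket and path, and checks an existing policy's `Resource` entries for anything outside that bucket. The bucket name, path, function names and the exact set of S3 actions are assumptions made for illustration.

```python
import json

# Constructed placeholders; use the bucket and path entered in the CloudFormation form.
BUCKET = "example-indexima-bucket"
PREFIX = "indexima/data"

def build_policy(bucket, prefix):
    """Return an IAM policy granting read/write on one bucket path only."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is a bucket-level action, so it is restricted by key prefix.
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {   # Object-level read and write under the path (action set is an assumption).
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }

def out_of_scope_resources(policy, bucket):
    """List resources in Allow statements that reach beyond the given bucket."""
    allowed = f"arn:aws:s3:::{bucket}"
    found = []
    statements = policy["Statement"]
    if isinstance(statements, dict):      # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):    # IAM accepts a string or a list
            resources = [resources]
        for res in resources:
            # Anything that is not the bucket itself or a key inside it is flagged,
            # including wildcards such as "*" or "arn:aws:s3:::*".
            if res != allowed and not res.startswith(allowed + "/"):
                found.append(res)
    return found

if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET, PREFIX), indent=2))
```

The check only inspects `Resource` entries; a policy that uses `NotResource` needs a separate review.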
All customer data is stored in the S3 bucket specified in the CloudFormation form. Amazon S3 server-side encryption can be used; please refer to this guide for protecting data using server-side encryption with Amazon S3-managed encryption keys.
No root privileges are required to deploy or configure the Indexima engine using the CloudFormation template.