SendSafely enterprise customers have the option to provide their own S3 bucket for storing encrypted content related to their SendSafely enterprise portal. By using your own S3 Bucket for storage, you will also be eligible to enable the following features within your SendSafely portal:
This article will walk you through the necessary steps to create and configure the S3 bucket.
1. Create a new S3 bucket
The bucket can be loaded in any AWS region, however for optimal performance we recommend creating the bucket in the same region where your portal servers are located.
- For US customers, the portal servers are located in the US-EAST-1 (N. Virginia).
- For EU customers, the portal servers are located in EU-WEST-1 (Dublin)
- For AU customers, the portal servers are located in AP-SOUTHEAST-2 (Sydney)
The name of the bucket does not matter but should allow you to easily identify it later.
2. Enable "Transfer Acceleration"
The Transfer Acceleration option is located under the Bucket Properties section of the S3 console.
3. Add a custom CORS policy
The CORS policy can be added under the bucket permissions screen.The policy should include the following:
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": [],
"MaxAgeSeconds": 3000
}
]
4. Create an IAM user with an API Key and API Secret for use by SendSafely
Ideally you should create a new IAM user with no permissions and API Key access only, then attach the following custom policy to the user. Note that "customer-bucket-name" should be the name of the S3 bucket you created in Step 1. Then generate an API Key and API Secret for the IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SendSafelyRule1",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:HeadBucket"
],
"Resource": "arn:aws:s3:::customer-bucket-name"
},
{
"Sid": "SendSafelyRule2",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:HeadBucket"
],
"Resource": "arn:aws:s3:::customer-bucket-name/*"
}
]
}
5. Submit a Migration Request to SendSafely Support
The final step is to submit the request to the SendSafely Help Desk to have your custom S3 bucket enabled for your SendSafely enterprise portal. For security and identity verification purposes, the request must be made by your organization’s SendSafely administrator and submitted as a SendSafely secure message from the administrator’s SendSafely account. Please follow these steps:
- Log into SendSafely with an Enterprise Administrator account
- Click the "Send" link, then "Add Message", and type a secure message that includes the API Key, API Secret, and name of the S3 bucket
- Add support@sendsafely.com as a recipient
- Click the green Submit button, copy the secure link into an email with the subject "Request to enable custom S3 bucket", and send to support@sendsafely.com
6. Request optional Data Retention Features
After your S3 bucket has been enabled, you can then choose to have our support team enable the following features within your SendSafely portal:
Please review each of these features, and if required submit a ticket to the SendSafely support team following the process outlined in each linked article.