Configuring your own S3 Bucket for use with SendSafely


SendSafely enterprise customers have the option to provide their own S3 bucket for storing encrypted content related to their SendSafely enterprise portal. This article will walk you through the necessary steps to create and configure the S3 bucket. 

 

1. Create a new S3 bucket

The bucket can be created in any AWS region. For optimal performance, however, we recommend creating it in the same region where your portal servers are located.

  • For US customers, the portal servers are located in US-EAST-1 (N. Virginia).
  • For EU customers, the portal servers are located in EU-WEST-1 (Dublin).

The name of the bucket does not matter but should allow you to easily identify it later. 

 

2. Enable "Transfer Acceleration"

The Transfer Acceleration option is located under the Bucket Properties section of the S3 console. 

 

3. Add a custom CORS policy

Add the policy under the bucket permissions screen. The policy should include the following:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

 

4. Create an IAM user with an API Key and API Secret for use by SendSafely 

Ideally you should create a new IAM user with no permissions and API Key access only, then attach the following custom policy to the user. Note that "customer-bucket-name" should be the name of the S3 bucket you created in Step 1. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SendSafelyRule1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:HeadBucket"
            ],
            "Resource": "arn:aws:s3:::customer-bucket-name"
        },
        {
            "Sid": "SendSafelyRule2",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:HeadBucket"
            ],
            "Resource": "arn:aws:s3:::customer-bucket-name/*"
        }
    ]
}

 

Once the above options are configured, you should generate an API Key and API Secret and send them to your SendSafely success team member. Make sure you do not send the API Secret via email. You can use your own SendSafely account to send us the API key and secret.
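A check you can run on the policy document from Step 4 before attaching it and generating the key (an added example, not SendSafely's code; the function names and the bucket name `example-sendsafely-bucket` are assumptions). It flags any Allow statement that reaches beyond your bucket or the five listed actions, including a leftover "customer-bucket-name" placeholder.

```python
import json

# The five actions granted by the article's Step 4 policy.
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
           "s3:ListBucket", "s3:HeadBucket"]
_ALLOWED = {a.lower() for a in ACTIONS}  # IAM action names are case-insensitive

def article_policy(bucket):
    """Build the two-statement Step 4 policy with the real bucket name filled in."""
    def stmt(sid, resource):
        return {"Sid": sid, "Effect": "Allow", "Action": ACTIONS, "Resource": resource}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        stmt("SendSafelyRule1", f"arn:aws:s3:::{bucket}"),
        stmt("SendSafelyRule2", f"arn:aws:s3:::{bucket}/*")]}, indent=4)

def _as_list(value):
    """Action/Resource may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy_json, bucket):
    """Return findings for Allow statements that reach past `bucket` or the five actions."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear without a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", f"statement[{i}]")
        for key in ("NotAction", "NotResource"):  # "everything except" grants
            if key in stmt:
                findings.append(f"{sid}: uses {key}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in _ALLOWED:
                findings.append(f"{sid}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in in_scope:
                findings.append(f"{sid}: resource outside bucket: {resource}")
    return findings

# Constructed sample: wildcard action, leftover placeholder name, and a "*" resource.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::customer-bucket-name/*", "*"]}]})

if __name__ == "__main__":
    bucket = "example-sendsafely-bucket"  # constructed bucket name
    print(audit_policy(article_policy(bucket), bucket))  # policy from Step 4
    for finding in audit_policy(BAD_POLICY, bucket):
        print(finding)
```

An empty list means the document grants only what Step 4 describes for that bucket.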
