SendSafely Business and Enterprise customers have the option to provide their own S3 bucket for storing the encrypted data sent, received, and stored via their SendSafely portal. Please note that as these data are encrypted, you'll still need to leverage your SendSafely web portal or our API to decrypt and access them, and cannot do so directly from S3. 

This article will walk you through the necessary steps to create and configure the S3 bucket.

Related Features

By using your own S3 Bucket for storage, you will also be eligible to enable the following features within your SendSafely portal. Before requesting that these features are enabled, be sure to review their ramifications.

• Disabling File Deletion

If you disable file deletion, we recommend that you do not also disable file expiration. This recommended approach keeps the security/privacy benefits of expiration, but allows admins to come back in and unexpire/re-enable access to files if ever needed. The best of both worlds.

• Disabling Package Expiration

This is only recommended if your organization does not–and will never–send, receive, or store files containing sensitive data via SendSafely. File expiration is an important security control for preventing future unauthorized access to sensitive information.

Configuring your S3 Bucket

1. Create a new S3 bucket

The bucket can be loaded in any AWS region, however for optimal performance we recommend creating the bucket in the same region where your portal servers are located.

• For US customers, the portal servers are located in the US-EAST-1 (N. Virginia).
• For EU customers, the portal servers are located in EU-WEST-1 (Dublin)
• For AU customers, the portal servers are located in AP-SOUTHEAST-2 (Sydney)

The name of the bucket should start with "ss-self-hosted-" and should allow you to easily identify it later. 

2. Enable "Transfer Acceleration"

The Transfer Acceleration option is located under the Bucket Properties section of the S3 console. 

3. Add a custom CORS policy 

The CORS policy can be added under the bucket permissions screen. The policy should include the following: 

[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET",
      "PUT"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": [
      "ETag"
    ],
    "MaxAgeSeconds": 3000
  }
]

4. Create an Amazon S3 Bucket Policy for Cross-account Role Access 

Use this bucket policy to grant our service role access to your custom S3 bucket. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SendSafelyRule1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::371444783282:role/SendSafely-EFE-EC2-Server-Role"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ss-self-hosted-customer-bucket-name",
                "arn:aws:s3:::ss-self-hosted-customer-bucket-name/*"
            ]
        }
    ]
}

5. Submit a Migration Request to SendSafely Support 

The final step is to submit the request to the SendSafely Help Desk to have your custom S3 bucket enabled for your SendSafely enterprise portal. For security and identity verification purposes, the request must be made by your organization’s SendSafely administrator and submitted as a SendSafely secure message from the administrator’s SendSafely account. Please follow these steps:

• Log into SendSafely with an Enterprise Administrator account
• Click the "Send" link, then "Add Message", and type a secure message that includes the name of the S3 bucket
• Add support@sendsafely.com as a recipient
• Click the green Submit button, copy the secure link into an email with the subject "Request to enable custom S3 bucket", and send to support@sendsafely.com 

6. Request optional Data Retention Features

After your S3 bucket has been enabled, you can then choose to have our support team enable the following features within your SendSafely portal:

• Disabling File Deletion
• Disabling Package Expiration

Please review each of these features, and if required submit a ticket to the SendSafely support team following the process outlined in each linked article. 

Additional Considerations for using a Custom S3 Bucket with SendSafely

• Setting up Cross-region Replication to another s3 Bucket

Some customers may opt to set up cross-region replication of their custom bucket to another "backup" bucket to provide additional resiliency in the event of a sustained regional S3 outage. If cross-region replication to another bucket is enabled, you should enable the "Bucket owner enforced" option to ensure that S3 is able to automatically copy files between both buckets. More information on this option is available here: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/. 

• Enable S3 Object Versioning to allow recovery of deleted files

Some customers may opt to enable S3 Object Versioning to allow for recovery of files that get deleted by SendSafely (either manually by a user or indirectly due to your SendSafely expiration policies). More information on how to enable this option can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/s3-undelete-configuration/

If you enable S3 Object Versioning on your custom S3 bucket, we recommend coupling that with a Lifecycle rule that uses NoncurrentVersionExpiration to permanently delete previous file versions (ie deleted files) after a certain number of days. Not doing so will result in deleted files being stored in S3 permanently. More information on how to enable NoncurrentVersionExpiration can be found here: https://docs.aws.amazon.com/AmazonS3/latest/API/API_NoncurrentVersionExpiration.html