Creating an S3 bucket for document requests

ℹ️
This page describes how to create an AWS S3 bucket to store information and files that are securely transmitted to your enterprise from external users via Confidencial’s document request feature

Creating the S3 bucket

  1. Log in to your enterprise’s AWS web console and open S3
  1. Click Create bucket
  1. Enter new bucket settings
    1. Enter a bucket name and select a region
      1. 🗒️
        Make note of the bucket name and region that you use, as these will need to be communicated to your Confidencial technical contact to complete the set up process
    2. Other settings can be adjusted in accordance with your enterprise’s security policies, though depending on the mode in which you configure Confidencial software to connect to your bucket, an access key with PUT and in some cases GET permissions may be required (see subsequent steps in this guide)
      1. ⚠️
        Note: Object Lock is not supported by default. If you would like to use an S3 bucket with Object Lock enabled, please contact support@confidencial.io.
  1. Click Create bucket
  1. Click on the bucket you just created and under Permissions / Cross-origin resource sharing (CORS), click Edit
  1. Paste in the JSON below and click Save changes
    1. [ { "AllowedHeaders": [], "AllowedMethods": [ "GET", "PUT", "POST", "DELETE" ], "AllowedOrigins": [ "https://my.confidencial.io" ], "ExposeHeaders": [] } ]
      ⚠️
      The value for AllowedOrigins in the JSON above will be different for sandbox deployments. Your Confidencial technical contact will provide the correct value in these cases.

Setting up Confidencial bucket upload and download access via access key

⚠️
Only follow the steps in this section if you are configuring Confidencial to access your S3 bucket for both upload (PUT) and download (GET) via an access key
  1. Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.
  1. Click JSON, then paste in the JSON below, replacing <bucket-name> with the name of the bucket you created in the previous section, then click Next
    1. { "Version": "2012-10-17", "Statement": [ { "Sid": "ConfidencialBucketAccess", "Effect": "Allow", "Action": [ "s3:getObject", "s3:putObject" ], "Resource": [ "arn:aws:s3:::<bucket-name>", "arn:aws:s3:::<bucket-name>/*" ] } ] }
  1. For Policy name, enter confidecial-bucket-access, then click Create policy

Creating an access key for Confidencial bucket access

⚠️
Only follow the steps in this section if you are configuring Confidencial to access your S3 bucket via an access key
  1. Create a new user for bucket access. From IAM, click Users on the left sidebar menu, then click Create user.
  1. For User name, enter confidencial-bucket-access, then click Next
  1. Under Permissions options, choose Attach policies directly, then click the checkbox next to the policy you created in the previous steps (confidencial-bucket-access). Click Next.
  1. Click Create user
  1. Select the user you just created (confidencial-bucket-access) and under Security credentials / Access keys, click Create access key
  1. For Use case, select Application running outside AWS, then click Next
  1. For Description tag value, enter confidencial-bucket-access, then click Create access key
    1. 🗒️
      Make note of the Access key and Secret access key. This is the only time that you will be able to see the secret key. Make sure that the secret key is stored in a secure location; this information will need to be securely transmitted to your Confidencial technical contact to complete the set up process.
  1. Click Done
    1. This completes your portion of document request S3 bucket configuration. You will now need to securely transmit the following information to your Confidencial technical contact: bucket name, bucket region, access key, and secret access key.

Setting up Confidencial user bucket access through your enterprise IDP

ℹ️
Only follow the steps in this section if you are configuring Confidencial users to access your S3 bucket directly using their enterprise IDP credentials
This documentation is coming soon