Creating an S3 bucket for document requests

ℹ️
This page describes how to create an AWS S3 bucket to store information and files that are securely transmitted to your enterprise from external users via Confidencial’s document request feature.
🔒
While this document recommends specific values for configuration options, administrators who are comfortable with AWS S3 may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff if deviating from the options prescribed below.

Creating the S3 bucket

  1. Log in to your enterprise’s AWS web console and open S3
  1. Click Create bucket
  1. Enter new bucket settings
    1. Enter a bucket name and select a region
      1. 🗒️
        Make note of the bucket name and region that you use, as these will need to be communicated to your Confidencial technical contact to complete the setup process.
    2. Other settings can be adjusted in accordance with your enterprise’s security policies. Note that, depending on the mode in which you configure Confidencial software to connect to your bucket, an access key with PUT (and in some cases GET) permissions may be required; see the subsequent steps in this guide.
  1. Click Create bucket
  1. Click on the bucket you just created and under Permissions / Cross-origin resource sharing (CORS), click Edit
  1. Paste in the JSON below and click Save changes
    ```json
    [
      {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET", "PUT", "POST", "DELETE", "HEAD"],
        "AllowedOrigins": ["https://my.confidencial.io"],
        "ExposeHeaders": ["ETag"]
      }
    ]
    ```
      ⚠️
      The value for AllowedOrigins in the JSON above will be different for sandbox deployments. Your Confidencial technical contact will provide the correct value in these cases.
➡️
Choose the next section to follow based on whether your enterprise users will download objects from your enterprise’s S3 bucket using:
  1. their enterprise IDP credentials (continue to next section); or
  1. an access key stored with Confidencial (skip next two sections)

Setting up Confidencial bucket upload-only access via access key (no download access via key)

⚠️
Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP
  1. Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.
  1. Click JSON, then paste in the JSON below, replacing <bucket-name> with the name of the bucket you created in the previous section, then click Next
    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ConfidencialBucketAccess",
          "Effect": "Allow",
          "Action": ["s3:PutObject"],
          "Resource": [
            "arn:aws:s3:::<bucket-name>",
            "arn:aws:s3:::<bucket-name>/*"
          ]
        }
      ]
    }
    ```
      ⚠️
      NOTE: Replace aws with aws-us-gov in both ARNs of the above policy if the bucket is created in AWS GovCloud.
  1. For Policy name, enter confidencial-bucket-put-access, then click Create policy
➡️
Continue to Setting up Confidencial user bucket download access through your enterprise IDP

Setting up Confidencial user bucket download access through your enterprise IDP

⚠️
Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP
  1. If you haven’t done so already, create a user pool in AWS Cognito to enable your enterprise’s users to download directly from the S3 bucket using their enterprise IDP credentials. See Creating a Cognito user pool to enable S3 bucket access via IDP credentials.
  1. Open the role that was created in the previous step in AWS IAM. From IAM in the AWS Web Console, select Roles from the left sidebar menu, search for the role, and then click on it. If the instructions in the link in Step 1 above were followed, the role will be called confidencial-users.
  1. Under Permissions policies select Add permissions > Create inline policy
  1. Under Policy editor, select JSON
  1. Paste the policy below into the Policy editor, replacing <bucket-name> with the name of the bucket you created in the first section
    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": [
            "arn:aws:s3:::<bucket-name>",
            "arn:aws:s3:::<bucket-name>/*"
          ]
        }
      ]
    }
    ```
      ⚠️
      NOTE: Replace aws with aws-us-gov in both ARNs of the above policy if the bucket is created in AWS GovCloud.
  1. Click Next
  1. For Policy name, enter confidencial-bucket-get-access, then click Create policy
➡️
Continue to Creating an access key for Confidencial bucket access

Setting up Confidencial bucket upload and download access via access key

⚠️
Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using an access key stored on Confidencial’s server
  1. Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.
  1. Click JSON, then paste in the JSON below, replacing <bucket-name> with the name of the bucket you created in the previous section, then click Next
    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ConfidencialBucketAccess",
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
          "Resource": [
            "arn:aws:s3:::<bucket-name>",
            "arn:aws:s3:::<bucket-name>/*"
          ]
        }
      ]
    }
    ```
      ⚠️
      NOTE: Replace aws with aws-us-gov in both ARNs of the above policy if the bucket is created in AWS GovCloud.
  1. For Policy name, enter confidencial-bucket-get-and-put-access, then click Create policy
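The three policy documents in this guide differ only in the actions they grant and in the ARN partition. As an added example (not Confidencial’s code or part of the original guide), the Python below builds each of them for a given bucket and partition, and checks an existing policy document, such as one exported from the IAM console, against the access mode it is supposed to grant, flagging wildcard actions, actions the mode does not need, and resources outside the bucket. The names MODE_ACTIONS, build_policy and policy_findings are this example’s own.

```python
"""Build and check the S3 bucket policies described in this guide (added example)."""
import json

# Actions each access mode needs, taken from the guide's three policy sections.
MODE_ACTIONS = {
    "put-only": ["s3:PutObject"],                       # key uploads; users download via IDP
    "get-only": ["s3:GetObject", "s3:ListBucket"],      # inline policy on the Cognito role
    "get-and-put": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],  # key uploads and downloads
}


def bucket_arns(bucket, govcloud=False):
    """Bucket and object ARNs; GovCloud uses the aws-us-gov partition."""
    partition = "aws-us-gov" if govcloud else "aws"
    return [f"arn:{partition}:s3:::{bucket}", f"arn:{partition}:s3:::{bucket}/*"]


def build_policy(bucket, mode, govcloud=False, sid="ConfidencialBucketAccess"):
    """Return the policy document for one access mode as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": MODE_ACTIONS[mode],
            "Resource": bucket_arns(bucket, govcloud),
        }],
    }


def policy_findings(policy, bucket, mode, govcloud=False):
    """List ways an existing policy exceeds what the given mode needs.
    IAM matches action names case-insensitively, so compare them lower-cased."""
    findings = []
    allowed = {a.lower() for a in MODE_ACTIONS[mode]}
    expected_arns = set(bucket_arns(bucket, govcloud))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif action.lower() not in allowed:
                findings.append(f"action {action} not needed for {mode}")
        for resource in resources:
            if resource not in expected_arns:
                findings.append(f"resource {resource} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy("<bucket-name>", "put-only"), indent=2))
```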
➡️
Continue to Creating an access key for Confidencial bucket access

Creating an access key for Confidencial bucket access

  1. Create a new user for bucket access. From IAM, click Users on the left sidebar menu, then click Create user.
  1. For User name, enter confidencial-bucket-access, then click Next
  1. Under Permissions options, choose Attach policies directly, then click the checkbox next to the policy you created earlier (confidencial-bucket-...-access)
    1. If Confidencial will upload and download via this access key, attach the confidencial-bucket-get-and-put-access policy
    2. If Confidencial will only upload via this access key, attach the confidencial-bucket-put-access policy
  1. Click Next
  1. Click Create user
  1. Select the user you just created (confidencial-bucket-access) and under Security credentials / Access keys, click Create access key
  1. For Use case, select Application running outside AWS, then click Next
  1. For Description tag value, enter Confidencial bucket access, then click Create access key
    1. 🗒️
      Make note of the Access key and Secret access key. This is the only time that you will be able to see the secret key. Make sure that the secret key is stored in a secure location; this information will need to be securely transmitted to your Confidencial technical contact to complete the setup process.
  1. Click Done
    1. This completes your portion of document request S3 bucket configuration. You will now need to securely transmit the following information to your Confidencial technical contact: bucket name, bucket region, access key, and secret access key.