Creating an S3 bucket for document requests
Last updated
ℹ️ This page describes how to create an AWS S3 bucket to store information and files that are securely transmitted to your enterprise from external users via Confidencial’s feature
🔒 While this document recommends specific values for configuration options, administrators who are comfortable with AWS S3 may opt to choose different configuration options. Please consult with an AWS security expert and/or Confidencial technical staff if deviating from the options prescribed below.
Log in to your enterprise’s AWS web console and open S3
Click Create bucket
Enter new bucket settings
Enter a bucket name and select a region
🗒️ Make note of the bucket name and region that you use, as these will need to be communicated to your Confidencial technical contact to complete the set up process
Other settings can be adjusted in accordance with your enterprise’s security policies, though depending on the mode in which you configure Confidencial software to connect to your bucket, an access key with PUT and in some cases GET permissions may be required (see subsequent steps in this guide)
Click Create bucket
Click on the bucket you just created and under Permissions / Cross-origin resource sharing (CORS), click Edit
Paste in the JSON below and click Save changes
⚠️ The value for `AllowedOrigins` in the CORS JSON above will be different for sandbox deployments. Your Confidencial technical contact will provide the correct value in these cases.
➡️ Choose the next section to follow based on whether your enterprise users will download objects from your enterprise’s S3 bucket using:
Their enterprise IDP credentials (continue to the next section); or
An access key stored with Confidencial (skip the next two sections)
⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP
Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.
Click JSON, then paste in the JSON below, replacing *<bucket-name>* with the name of the bucket you created in the previous section, then click Next
⚠️ NOTE: Replace `aws` with `aws-us-gov` in the above policy if creating the bucket in GovCloud
For Policy name, enter confidencial-bucket-put-access, then click Create policy
➡️ Continue to *Setting up Confidencial user bucket download access through your enterprise IDP*
⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP
Open the role that was created in the previous step in AWS IAM. From IAM in the AWS Web Console, select Roles from the left sidebar menu, search for the role, and then click on it. If the instructions in the link in Step 1 above were followed, the role will be called confidencial-users.
Under Permissions policies, select Add permissions > Create inline policy
Under Policy editor, select JSON
Paste the policy below into the Policy editor, replacing *<bucket-name>* with the name of the bucket you created in the first section
Click Next
For Policy name, enter confidencial-bucket-get-access, then click Create policy
➡️ Continue to Creating an access key for Confidencial bucket access
⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using an access key stored on Confidencial’s server
Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.
Click JSON, then paste in the JSON below, replacing *<bucket-name>* with the name of the bucket you created in the previous section, then click Next
For Policy name, enter confidencial-bucket-get-and-put-access, then click Create policy
➡️ Continue to Creating an access key for Confidencial bucket access
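The three policies above share one shape: a single Allow statement scoped to the objects of one bucket, granting only the S3 actions that mode of operation needs (PUT for uploads, GET for downloads, both for a stored key that does both), with the ARN partition switched from `aws` to `aws-us-gov` in GovCloud. The script below is an added illustration, not Confidencial’s policy JSON from this page: it builds documents with that shape and checks a document before it is pasted into the policy editor, flagging wildcard actions, resources outside the named bucket, and any action beyond the intended set. The bucket name `example-bucket`, the statement `Sid`, and the function names are assumptions made for the example.

```python
"""Build and sanity-check least-privilege S3 policy documents of the kind this
guide describes. Added example; bucket name, Sid and helper names are assumed."""
import json

# ARN partition prefix: "aws" for commercial regions, "aws-us-gov" for GovCloud.
PARTITIONS = {"commercial": "aws", "govcloud": "aws-us-gov"}


def object_arn(bucket_name, partition="aws"):
    """ARN matching every object key in the bucket (not the bucket itself)."""
    return f"arn:{partition}:s3:::{bucket_name}/*"


def bucket_policy(bucket_name, actions, partition="aws", sid="ConfidencialBucketAccess"):
    """Identity-based policy document allowing only `actions` on the bucket's objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": object_arn(bucket_name, partition),
        }],
    }


def put_only_policy(bucket_name, partition="aws"):
    """Upload-only grant (the put-access policy): no reads possible with this key/role."""
    return bucket_policy(bucket_name, ["s3:PutObject"], partition)


def get_only_policy(bucket_name, partition="aws"):
    """Download-only grant (the get-access inline policy on the IDP-federated role)."""
    return bucket_policy(bucket_name, ["s3:GetObject"], partition)


def get_and_put_policy(bucket_name, partition="aws"):
    """Upload and download grant for a stored access key that does both."""
    return bucket_policy(bucket_name, ["s3:GetObject", "s3:PutObject"], partition)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def granted_actions(policy):
    """Set of actions allowed anywhere in the document."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def check_least_privilege(policy, bucket_name, expected_actions):
    """Return findings (empty list = document matches intent).

    Flags wildcard actions, resources not scoped to `bucket_name`, and any
    allowed action outside `expected_actions`.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            scoped = res.endswith(f":s3:::{bucket_name}/*") or res.endswith(f":s3:::{bucket_name}")
            if not scoped:
                findings.append(f"resource {res!r} is not scoped to bucket {bucket_name!r}")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
    extra = granted_actions(policy) - set(expected_actions)
    if extra:
        findings.append(f"unexpected actions granted: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    # Print the put-only document for a GovCloud bucket and check it.
    doc = put_only_policy("example-bucket", PARTITIONS["govcloud"])
    print(json.dumps(doc, indent=2))
    print("findings:", check_least_privilege(doc, "example-bucket", ["s3:PutObject"]))
    # An over-broad document is caught before it reaches the console.
    broad = bucket_policy("example-bucket", ["s3:*"])
    print("findings:", check_least_privilege(broad, "example-bucket", ["s3:PutObject"]))
```

Run the check against the JSON you are about to paste (load it with `json.load`) and pass the action set the section you are following calls for; a non-empty findings list means the document grants more than that section intends.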
Create a new user for bucket access. From IAM, click Users on the left sidebar menu, then click Create user.
For User name, enter confidencial-bucket-access, then click Next
Under Permissions options, choose Attach policies directly, then click the checkbox next to the policy you created earlier (confidencial-bucket-...-access)
If Confidencial will upload and download via this access key, attach the confidencial-bucket-get-and-put-access policy
If Confidencial will only upload via this access key, attach the confidencial-bucket-put-access policy
Click Next
Click Create user
Select the user you just created (confidencial-bucket-access) and under Security credentials / Access keys, click Create access key
For Use case, select Application running outside AWS, then click Next
For Description tag value, enter Confidencial bucket access, then click Create access key
🗒️ Make note of the Access key and Secret access key. This is the only time that you will be able to see the secret key. Make sure that the secret key is stored in a secure location; this information will need to be securely transmitted to your Confidencial technical contact to complete the setup process.
Click Done
✅ This completes your portion of document request S3 bucket configuration. You will now need to securely transmit the following information to your Confidencial technical contact: bucket name, bucket region, access key, and secret access key.
If you haven’t done so already, create a user pool in AWS Cognito to enable your enterprise’s users to download directly from the S3 bucket using their enterprise IDP credentials. See .