Confidencial Documentation
Creating an S3 bucket for document requests


Last updated 5 days ago

ℹ️ This page describes how to create an AWS S3 bucket to store the information and files that external users securely transmit to your enterprise via Confidencial's document request feature.

🔒 While this document recommends specific values for configuration options, administrators who are comfortable with AWS S3 may choose different options. Please consult an AWS security expert and/or Confidencial technical staff if deviating from the options prescribed below.

Creating the S3 bucket

  1. Log in to your enterprise’s AWS web console and open S3

  2. Click Create bucket

  3. Enter new bucket settings

    1. Enter a bucket name and select a region

      🗒️ Make note of the bucket name and region that you use, as these will need to be communicated to your Confidencial technical contact to complete the setup process

    2. Other settings can be adjusted in accordance with your enterprise's security policies. Keep the default Block all public access settings enabled; nothing in this guide requires public access. Note that, depending on the mode in which you configure Confidencial software to connect to your bucket, an access key with PutObject and in some cases GetObject permissions will be required (see subsequent steps in this guide)

  4. Click Create bucket

  5. Click on the bucket you just created and under Permissions / Cross-origin resource sharing (CORS), click Edit

  6. Paste in the JSON below and click Save changes

    [
        {
            "AllowedHeaders": ["*"],
            "AllowedMethods": [
                "GET",
                "PUT",
                "POST",
                "DELETE",
                "HEAD"
            ],
            "AllowedOrigins": [
                "https://my.confidencial.io"
            ],
            "ExposeHeaders": ["ETag"]
        }
    ]

    ⚠️ The value for `AllowedOrigins` in the JSON above will be different for sandbox deployments. Your Confidencial technical contact will provide the correct value in these cases.
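The bucket and CORS steps above, scripted as an added example (this is not Confidencial's code or tooling): it creates the bucket, keeps public access blocked and turns on default encryption (recommendations beyond what the page prescribes), applies the CORS rule from this page, and includes an `audit_cors_rules` check that can be run against the configuration read back from any bucket. The bucket name and region in the `__main__` block are placeholders; boto3 and an AWS identity allowed to create and configure buckets are assumed for the live function only.

```python
"""Create the document-request bucket and apply the CORS rules from this page.

Added example, not Confidencial's own tooling. The bucket name, region and the
audit_cors_rules check are illustrative; boto3 and AWS credentials with
s3:CreateBucket, s3:PutBucketPublicAccessBlock, s3:PutEncryptionConfiguration
and s3:PutBucketCors permissions are assumed for the live function only.
"""

# Origin from the CORS JSON on this page. Sandbox deployments use a different
# value supplied by Confidencial, so it is a parameter, not a hard-coded constant.
DEFAULT_ORIGIN = "https://my.confidencial.io"


def build_cors_config(allowed_origins):
    """Return the page's CORS rule as a boto3-ready CORSConfiguration.

    CORS is not an access control (S3 still authenticates every request), but
    a wildcard origin lets any site's scripts use the bucket through the
    browser, so '*' and plain-http origins are rejected up front.
    """
    for origin in allowed_origins:
        if origin == "*" or not origin.startswith("https://"):
            raise ValueError(f"refusing wildcard or non-HTTPS origin: {origin!r}")
    return {
        "CORSRules": [
            {
                "AllowedHeaders": ["*"],
                "AllowedMethods": ["GET", "PUT", "POST", "DELETE", "HEAD"],
                "AllowedOrigins": list(allowed_origins),
                "ExposeHeaders": ["ETag"],
            }
        ]
    }


def audit_cors_rules(rules, expected_origins):
    """Check CORS rules read back from a bucket; returns a list of findings (empty = OK)."""
    findings = []
    for i, rule in enumerate(rules):
        origins = set(rule.get("AllowedOrigins", []))
        if "*" in origins:
            findings.append(f"rule {i}: wildcard AllowedOrigins")
        unexpected = sorted(origins - set(expected_origins) - {"*"})
        if unexpected:
            findings.append(f"rule {i}: origins not in the expected set: {unexpected}")
        if any(not o.startswith("https://") for o in origins - {"*"}):
            findings.append(f"rule {i}: non-HTTPS origin")
    return findings


def create_document_request_bucket(bucket, region, allowed_origins=(DEFAULT_ORIGIN,)):
    """Create the bucket with public access blocked and default encryption, then set CORS.

    Returns the CORS rules read back from S3 so the caller can run audit_cors_rules.
    """
    import boto3  # imported here so the pure helpers above run without boto3 installed

    s3 = boto3.client("s3", region_name=region)
    kwargs = {"Bucket": bucket}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**kwargs)
    # Nothing in this guide needs public access: IAM users and IDP-federated
    # roles are the only principals, so keep all four public-access blocks on.
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )
    # SSE-S3 default encryption covers everything at rest regardless of how it arrived.
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        },
    )
    s3.put_bucket_cors(Bucket=bucket, CORSConfiguration=build_cors_config(allowed_origins))
    return s3.get_bucket_cors(Bucket=bucket)["CORSRules"]


if __name__ == "__main__":
    # Hypothetical bucket name and region; run only after choosing your own values.
    rules = create_document_request_bucket("acme-confidencial-docreq", "us-west-2")
    print("CORS findings:", audit_cors_rules(rules, [DEFAULT_ORIGIN]) or "none")
```

Run `audit_cors_rules` against `get_bucket_cors` output after any later change to the bucket: an extra origin or a `*` slipped in by a console edit shows up as a finding, and the expected-origin set is the one place to update when Confidencial supplies a sandbox origin.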

➡️ Choose the next section to follow based on how your enterprise users will download objects from your enterprise's S3 bucket:

  1. With their enterprise IDP credentials (continue to the next section); or

  2. With an access key stored with Confidencial (skip the next two sections)

Setting up Confidencial bucket upload-only access via access key (no download access via key)

⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP

  1. Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.

  2. Click JSON, then paste in the JSON below, replacing <bucket-name> with the name of the bucket you created in the previous section, then click Next

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConfidencialBucketAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket-name>",
                    "arn:aws:s3:::<bucket-name>/*"
                ]
            }
        ]
    }

    ⚠️ NOTE: Replace `aws` with `aws-us-gov` in the above policy if creating the bucket in GovCloud

  3. For Policy name, enter confidencial-bucket-put-access, then click Create policy

➡️ Continue to Setting up Confidencial user bucket download access through your enterprise IDP

Setting up Confidencial user bucket download access through your enterprise IDP

⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using credentials from your enterprise IDP

  1. Open the IAM role that your enterprise users assume when they authenticate through your IDP (the role created when you set up IDP-based bucket access). From IAM in the AWS Web Console, select Roles from the left sidebar menu, search for the role, and then click on it. If the instructions in that guide were followed, the role will be called confidencial-users.

  2. Under Permissions policies, select Add permissions > Create inline policy

  3. Under Policy editor, select JSON

  4. Paste the policy below into the Policy editor, replacing <bucket-name> with the name of the bucket you created in the first section

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConfidencialBucketDownload",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket-name>",
                    "arn:aws:s3:::<bucket-name>/*"
                ]
            }
        ]
    }

    ⚠️ NOTE: Replace `aws` with `aws-us-gov` in the above policy if creating the bucket in GovCloud

  5. Click Next

  6. For Policy name, enter confidencial-bucket-get-access, then click Create policy

➡️ Continue to Creating an access key for Confidencial bucket access

Setting up Confidencial bucket upload and download access via access key

⚠️ Only follow the steps in this section if your enterprise users will download objects from your enterprise S3 bucket using an access key stored on Confidencial’s server

  1. Create a new policy for bucket access. From IAM, click Policies on the left sidebar menu, then click Create policy.

  2. Click JSON, then paste in the JSON below, replacing <bucket-name> with the name of the bucket you created in the previous section, then click Next

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConfidencialBucketAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket-name>",
                    "arn:aws:s3:::<bucket-name>/*"
                ]
            }
        ]
    }

    ⚠️ NOTE: Replace `aws` with `aws-us-gov` in the above policy if creating the bucket in GovCloud

  3. For Policy name, enter confidencial-bucket-get-and-put-access, then click Create policy

➡️ Continue to Creating an access key for Confidencial bucket access

Creating an access key for Confidencial bucket access

  1. Create a new user for bucket access. From IAM, click Users on the left sidebar menu, then click Create user.

  2. For User name, enter confidencial-bucket-access, then click Next

  3. Under Permissions options, choose Attach policies directly, then click the checkbox next to the policy you created earlier (confidencial-bucket-...-access). Attach only that one policy; the key should have no permissions beyond the bucket.

    1. If Confidencial will upload and download via this access key, attach the confidencial-bucket-get-and-put-access policy

    2. If Confidencial will only upload via this access key, attach the confidencial-bucket-put-access policy

  4. Click Next

  5. Click Create user

  6. Select the user you just created (confidencial-bucket-access) and under Security credentials / Access keys, click Create access key

  7. For Use case, select Application running outside AWS, then click Next

  8. For Description tag value, enter Confidencial bucket access, then click Create access key

    🗒️ Make note of the Access key ID and Secret access key. This is the only time that you will be able to see the secret key; if it is lost, delete the key and create a new one. Store the secret in a secure location (a secrets manager or password vault, not a ticket or chat message); it will need to be securely transmitted to your Confidencial technical contact to complete the setup process.

  9. Click Done

✅ This completes your portion of document request S3 bucket configuration. You will now need to securely transmit the following information to your Confidencial technical contact: bucket name, bucket region, access key, and secret access key.
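The three policy sections and the access-key section above, as one added example (this is not Confidencial's own code): `build_policy` generates the put-only, download-only and get-and-put documents, splitting object-level actions (`bucket/*`) from the bucket-level `ListBucket` (`bucket`) and switching the partition for GovCloud, which is slightly tighter than the page's JSON; `is_allowed` and `expected_access` check offline that the policy you are about to paste grants exactly the upload, download and list rights the section you followed intends and nothing else; the `provision_*` functions perform the IAM steps with boto3. The bucket name `acme-docreq` and the simplified evaluator are assumptions for illustration; boto3 and IAM-administrator credentials are needed only for the provisioning functions.

```python
"""Build the IAM policies from this page and check offline what they grant.

Added example, not Confidencial's own tooling. Policy and user names follow the
page; is_allowed is a deliberately small model of IAM evaluation (Allow
statements, '*'/'?' wildcards, no Deny or Condition), enough for these policies.
The live provision_* functions assume boto3 and IAM administrator credentials.
"""
import fnmatch
import json

MODES = {
    "put": ["s3:PutObject"],
    "get": ["s3:GetObject", "s3:ListBucket"],
    "get-and-put": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
}


def build_policy(bucket, mode, govcloud=False):
    """Policy document for mode 'put', 'get' or 'get-and-put' on one bucket.

    Slightly tighter than the page's JSON: object actions are scoped to
    bucket/* and ListBucket (a bucket-level action) to the bucket ARN itself.
    """
    partition = "aws-us-gov" if govcloud else "aws"  # GovCloud note from the page
    arn = f"arn:{partition}:s3:::{bucket}"
    object_actions = [a for a in MODES[mode] if a != "s3:ListBucket"]
    statements = [{"Sid": "ConfidencialObjectAccess", "Effect": "Allow",
                   "Action": object_actions, "Resource": [f"{arn}/*"]}]
    if "s3:ListBucket" in MODES[mode]:
        statements.append({"Sid": "ConfidencialBucketList", "Effect": "Allow",
                           "Action": ["s3:ListBucket"], "Resource": [arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the resource.

    IAM matches action names case-insensitively (s3:putObject and s3:PutObject
    are equivalent) but resource ARNs case-sensitively; both honour * and ?.
    """
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(st["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, r)
                          for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def expected_access(policy, bucket, govcloud=False):
    """What the policy grants on this bucket; compare with the section you followed."""
    partition = "aws-us-gov" if govcloud else "aws"
    arn = f"arn:{partition}:s3:::{bucket}"
    checks = {
        "upload": ("s3:PutObject", f"{arn}/request/file.c11"),
        "download": ("s3:GetObject", f"{arn}/request/file.c11"),
        "list": ("s3:ListBucket", arn),
        "delete": ("s3:DeleteObject", f"{arn}/request/file.c11"),
    }
    return {name: is_allowed(policy, a, r) for name, (a, r) in checks.items()}


def provision_access_key_user(bucket, mode, govcloud=False):
    """Create the confidencial-bucket-access user, attach the matching policy, issue one key.

    Mirrors the 'Creating an access key' section. The secret is returned exactly
    once and cannot be retrieved again: pass it to Confidencial over a secure
    channel and never log it.
    """
    import boto3  # imported here so the offline helpers run without boto3

    iam = boto3.client("iam")
    policy_name = f"confidencial-bucket-{mode}-access"
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=json.dumps(build_policy(bucket, mode, govcloud)))
    iam.create_user(UserName="confidencial-bucket-access")
    iam.attach_user_policy(UserName="confidencial-bucket-access",
                           PolicyArn=created["Policy"]["Arn"])
    key = iam.create_access_key(UserName="confidencial-bucket-access")["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def provision_idp_role_download(bucket, role_name="confidencial-users", govcloud=False):
    """Attach the download-only inline policy to the federated users' role (IDP section)."""
    import boto3

    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName="confidencial-bucket-get-access",
        PolicyDocument=json.dumps(build_policy(bucket, "get", govcloud)))
```

Run `expected_access(build_policy(bucket, mode), bucket)` before pasting a policy into IAM: for the put-only key the result must show `upload` True and every other entry False; if `download` comes back True for a key that is only supposed to upload, the wrong section was followed. The evaluator ignores Deny statements, conditions and permission boundaries, so it validates the document you wrote, not the full effective permissions of the account; use the IAM policy simulator for that.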

Connecting the bucket in Confidencial

ℹ️ NOTE: You must be an organization administrator to perform the following steps

If your enterprise users will download via their IDP credentials and you haven't done so already, create a user pool in AWS Cognito to enable them to download directly from the S3 bucket. See Creating a Cognito user pool to enable S3 bucket access via IDP credentials.

  1. Click Settings under Organization Options

  2. Click + Add File Storage for the appropriate product (Request, Send, or Sign)

  3. Enter Bucket name, Bucket region, Access key, and Secret access key for the bucket you want to connect and click Create

✅ The bucket is now ready for use