SyncSketch enables customers on Enterprise and Education Plus Accounts to use their own S3 bucket for added security and convenience.
To use your own bucket you need to:
- Contact the SyncSketch team
- Upgrade to an Enterprise or Education Plus plan
- Create your own bucket
- Set CORS settings
- Set up an IAM role to access the bucket
Establish contact with a SyncSketch team member
First, reach out to SyncSketch support at support@syncsketch.com. Let us know that you want to use your own S3 for storage. Someone from our team will respond to you privately; this will be your contact for this procedure.
Create your own bucket
Please create a bucket in your AWS S3 console. You can find all the information on how to set up a bucket here:
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html
Make sure that the bucket is private by blocking all public access, which is the default. We also recommend turning on encryption and logging for your S3 bucket:
- https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.html
Set CORS settings
Once you have created a bucket, you need to enable Cross-Origin Resource Sharing (CORS) so SyncSketch can access the files. Don't worry: we create signed URLs to access data in your S3 bucket, and they have an expiration time and a unique hash which gets regenerated every time.
To set this up, please follow these instructions to enable CORS, using the following settings:
    [
        {
            "AllowedHeaders": [
                "*"
            ],
            "AllowedMethods": [
                "GET"
            ],
            "AllowedOrigins": [
                "*.syncsketch.com",
                "https://syncsketch.com",
                "syncsketch.com"
            ],
            "ExposeHeaders": [],
            "MaxAgeSeconds": 7200
        }
    ]
Set up an IAM role to give SyncSketch access to the bucket
SyncSketch needs limited read and write access to your bucket to upload and read your items. When accessing the bucket, we take advantage of the AWS "assume role" feature. Using this method, our server's IAM identity assumes a role you've created to interact with your bucket. This ensures that no access credentials need to be stored and rotated.
Create a Policy
- Go to the left-hand action menu in your AWS IAM console and select Policies under Access management.
- Click Create policy and select the JSON tab. The JSON below will define your bucket's policy. Be sure to replace both instances of "BUCKET" in the Resource block with the name of the bucket you just created.
    {
        "Statement": [
            {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListBucket",
                    "s3:GetBucketLocation",
                    "s3:AbortMultipartUpload",
                    "s3:ListBucketMultipartUploads",
                    "s3:ListMultipartUploadParts"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::BUCKET",
                    "arn:aws:s3:::BUCKET/*"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
Tags are optional.
Under Review policy, give it a Name, and make a note of the policy name. Then click Create policy.
Create an IAM Role
- Open the AWS IAM Console.
- Under the action menu to the left, select Roles under Access management.
- Click Create Role.
- Trusted entity type should be AWS service.
- Set Use case to S3 and click Next.
- In the Add permissions window that appears, tick the box next to the policy you just created and click Next.
- Give it a Role name and click Create Role.
Once the role is created, please edit its Trust Relationship using our role ARN as follows.
Your SyncSketch contact will provide you with our role ARN upon request.
Replace "SYNCSKETCH_ARN_ROLE_UPON_REQUEST" after the AWS header in the JSON below with the role ARN we provide privately.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "SYNCSKETCH_ARN_ROLE_UPON_REQUEST"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
Click Update Policy.
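Before sending the role details, you can check both JSON documents offline. The script below is an added example, not SyncSketch code: it flags any action or resource beyond the permissions policy above, and any trust principal that is not a full role ARN (including unreplaced placeholders). The function names, sample account ID, role name and bucket name are assumptions made for illustration.

```python
import re

# Actions granted by the permissions policy on this page; anything else is flagged.
EXPECTED_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:GetBucketLocation", "s3:AbortMultipartUpload",
    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
}
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_permissions_policy(policy, bucket):
    """Findings for the permissions policy; an empty list means it matches the page."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in _allow_statements(policy):
        findings += [f"unexpected action: {a}"
                     for a in _as_list(stmt.get("Action", [])) if a not in EXPECTED_ACTIONS]
        findings += [f"resource outside bucket: {r}"
                     for r in _as_list(stmt.get("Resource", [])) if r not in allowed]
    return findings

def check_trust_policy(policy):
    """Findings for the role's trust relationship; an empty list means role ARNs only."""
    findings = []
    for stmt in _allow_statements(policy):
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("trust statement allows more than sts:AssumeRole")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            principal = {"AWS": principal}
        findings += [f"non-AWS principal left in trust policy: {k}"
                     for k in principal if k != "AWS"]
        findings += [f"principal is not a role ARN: {p}"
                     for p in _as_list(principal.get("AWS", [])) if not ROLE_ARN.fullmatch(p)]
    return findings

# Constructed samples: the account ID, role name and bucket name are made up.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-vendor-role"}}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": sorted(EXPECTED_ACTIONS),
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

if __name__ == "__main__":
    print(check_permissions_policy(SAMPLE_POLICY, "example-bucket"), check_trust_policy(SAMPLE_TRUST))
```

To check your own documents, load the JSON you pasted into the IAM console with `json.load` and pass it to the two functions together with your bucket name.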
Once everything is set up, we just need the following info from you:
    {
        "region": "<BUCKET_REGION>",
        "aws_assume_role": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<YOUR_ROLE_ARN>",
        "bucket_name": "<YOUR_BUCKET_NAME>"
    }
That's it. Once we have everything installed, all your information will be stored directly in your bucket and be under your control. If you have any other questions regarding the setup of the S3 bucket, please send us an email at support@syncsketch.com.