Setting up your own S3 bucket (AWS)

SyncSketch enables you to use your own S3 bucket for added security and convenience for Enterprise Accounts.  

To use your own bucket you need to:

  1. Create your own bucket
  2. Set CORS settings
  3. Set up an IAM role to access the bucket

1. Create your own bucket:

Please create a bucket in your AWS console. You can find all the information on how to set up a bucket here: 

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html

Make sure that the bucket is private by blocking all public access, which is the default. We also recommend turning on encryption and logging for your S3 bucket.

2. Set CORS settings

Once you have created a bucket, you need to enable Cross-Origin Resource Sharing (CORS) so SyncSketch can access the files. Don't worry - we create signed URLs to access data in your S3 bucket, which have an expiration time and a unique hash that is regenerated every time. To enable CORS, please follow these instructions:

 https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-cors-configuration.html 

and use the following settings: 

<CORSRule>
    <AllowedOrigin>*.syncsketch.com</AllowedOrigin>
    <AllowedOrigin>https://syncsketch.com</AllowedOrigin>
    <AllowedOrigin>syncsketch.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
</CORSRule>

3. Set up an IAM role to give SyncSketch access to the bucket

SyncSketch needs limited read and write access to your bucket to upload and read your items. When accessing the bucket, we take advantage of the AWS "assume role" feature. With this method, our server's IAM role assumes a role you've created to interact with your bucket. This ensures that no access credentials need to be stored and rotated.

Please create the IAM role with the following permissions.

{
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET",
                "arn:aws:s3:::BUCKET/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Once the role is created, please edit the Trust Relationship using our role ARN as follows. We will provide you our role ARN upon request.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "SYNCSKETCH_ARN_ROLE_UPON_REQUEST"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The sts:ExternalId is an optional extra security feature. You can set it to a random string. The ExternalId will be sent with every call and checked.

Once everything is set up, we just need the following info from you:

{
    "region": "BUCKET_REGION",
    "aws_assume_role": "YOUR_ROLE_ARN",
    "bucket_name": "YOUR_BUCKET_NAME"
}

That's it. Once we have everything installed, all your information will be stored directly in your bucket and be under your control. If you have any other questions regarding the setup of the S3 bucket, please send us an email at support@syncsketch.com.