Setting up your own (AWS) S3 bucket for storage

SyncSketch enables customers on Enterprise and Education Plus accounts to use their own S3 bucket for added security and convenience.

To use your own bucket you need to:

  1. Upgrade to an Enterprise or Education Plus plan
  2. Create your own bucket
  3. Set CORS settings
  4. Set up an IAM role to access the bucket

1. Create your own bucket:

Please create a bucket in your AWS console. You can find all the information on how to set up a bucket here: 

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-bucket.html

Make sure that the bucket is private by blocking all public access, which is the default. We also recommend turning on encryption and logging for your S3 bucket.

2. Set CORS settings

Once you have created a bucket, you need to enable Cross-Origin Resource Sharing (CORS) so SyncSketch can access the files. Don't worry: we access data in your S3 bucket through signed URLs, which have an expiration time and a unique hash that is regenerated every time. To set this up, please follow the instructions to enable CORS:

 https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-cors-configuration.html 

Use the following settings: 

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*.syncsketch.com",
            "https://syncsketch.com",
            "syncsketch.com"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 7200
    }
]

3. Set up an IAM role to give SyncSketch access to the bucket

SyncSketch needs limited read and write access to your bucket to upload and read your items. When accessing the bucket, we take advantage of the AWS "assume role" feature. With this method, our server's IAM role assumes a role you've created to interact with your bucket. This ensures that no access credentials need to be stored and rotated.

Please create the IAM role with the following permissions.

Replace "BUCKET" twice after the Resource header in the below JSON with the name of the bucket you just created.

{
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:AbortMultipartUpload",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET",
                "arn:aws:s3:::BUCKET/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

Once the role is created, please edit the Trust Relationship using our role ARN as follows. We will provide you our role ARN upon request.

Replace "SYNCSKETCH_ARN_ROLE_UPON_REQUEST" after the AWS header in the below JSON with our role ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "SYNCSKETCH_ARN_ROLE_UPON_REQUEST"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Once everything is set up, we just need the following info from you:

{
    "region": "BUCKET_REGION",
    "aws_assume_role": "YOUR_ROLE_ARN",
    "bucket_name": "YOUR_BUCKET_NAME"
}

That's it. Once we have everything installed, all your information will be stored directly in your bucket and be under your control. If you have any other questions regarding the setup of the S3 bucket, please send us an email at support@syncsketch.com.
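
A pre-flight check for the permissions policy, the trust relationship and the info block described above, as an added example (not SyncSketch's code). It confirms that the policy grants only the eight listed actions on exactly your bucket, that the trust principal is a role ARN rather than a leftover placeholder or a wildcard, and that the values you send agree with the policy. The function name `review_setup` is hypothetical, and the account IDs, role names and bucket name in the samples are constructed.

```python
import json
# The eight S3 actions listed in the permissions policy on this page.
DOCUMENTED_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:GetBucketLocation", "s3:AbortMultipartUpload",
    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_role_arn(value):
    return isinstance(value, str) and value.startswith("arn:aws:iam::") and ":role/" in value

def review_setup(permissions_json, trust_json, handoff_json):
    """Return a list of findings; an empty list means the three documents agree."""
    perms, trust, handoff = (json.loads(doc) for doc in
                             (permissions_json, trust_json, handoff_json))
    findings = []
    bucket = handoff.get("bucket_name", "")
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in perms["Statement"]:
        extra = set(as_list(stmt["Action"])) - DOCUMENTED_ACTIONS
        if extra:  # e.g. "s3:*" pasted in place of the documented list
            findings.append(f"permissions: undocumented actions {sorted(extra)}")
        if set(as_list(stmt["Resource"])) != expected:
            findings.append("permissions: Resource is not exactly this bucket and bucket/*")
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if not all(is_role_arn(p) for p in as_list(aws)):
            findings.append("trust: Principal is not a role ARN (placeholder or wildcard?)")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust: Action should be sts:AssumeRole only")
    if not is_role_arn(handoff.get("aws_assume_role")):
        findings.append("handoff: aws_assume_role is not a role ARN")
    if handoff.get("region") in (None, "", "BUCKET_REGION"):
        findings.append("handoff: region is unset")
    return findings

# Constructed sample documents (account IDs, role names and bucket are made up).
GOOD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(DOCUMENTED_ACTIONS),
    "Resource": ["arn:aws:s3:::example-review-media",
                 "arn:aws:s3:::example-review-media/*"]}]})
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/vendor-placeholder"}}]})
GOOD_HANDOFF = json.dumps({"region": "us-east-1", "bucket_name": "example-review-media",
    "aws_assume_role": "arn:aws:iam::222222222222:role/customer-placeholder"})
```

The checks are string-level only and make no AWS API calls, so they catch unreplaced placeholders and over-broad edits before the role is handed over, not misconfiguration on the bucket itself.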