AWS S3

If you use AWS S3 to store data you can send attachments as https: or http: URLs. You can also send attachments as s3: protocol URIs which look like s3://bucket/key.

To access private s3 objects, We use Cross-account Access.

Cross-account Access

We will fetch attachments from your S3 bucket, using AWS account ID 475757276268 (canonical ID d4b5723a54db6f9da8a68f4c24233880793bf1d68dd11e7e2b4989bd2c71c59a). You will need to grant access to Playment using bucket policies or on set permissions on objects using ACLs.

We suggest setting a Bucket Policy that shares the bucket's contents with Playment's account.

Here's a sample bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}

Replace YOUR_BUCKET_NAME with the name of your bucket, leaving the /* as shown or replacing it with a more specific bucket path to further restrict access.

If you are using ACLs (Access Control Lists), you need to update the ACL individually for each object to grant read access to our account, as Bucket ACLs can't grant read permissions to nested objects.

Granting access to an S3 bucket encrypted with KMS Key

If your S3 bucket uses Customer managed KMS keys for encryption(SSE-KMS), there's an additional step to grant Playment the necessary permissions:

  1. IAM Policy on KMS Key: In addition to the bucket policy or ACLs, you need to modify the policy attached to the Customer KMS key used for encryption. This policy needs to allow Playment's IAM user to perform the following actions:

    1. kms:GenerateDataKey: This grants Playment permission to generate data keys for encrypting/decrypting objects within your bucket.

    2. kms:Decrypt: This allows Playment to decrypt objects retrieved from your S3 bucket.

Steps to update the KMS key policy:

  1. Navigate to the AWS KMS console and select the KMS key used for your S3 bucket encryption.

  2. Go to the "Key policy" section.

  3. Edit the existing policy or create a new one.

  4. Add the following :

{
    "Version": "2012-10-17",
    "Id": "kms-policy",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
    ]
}

Last updated