# AWS S3

If you use AWS S3 to store data you can send attachments as `https:` or `http:` URLs. You can also send attachments as `s3:` [protocol URIs](https://docs.aws.amazon.com/cli/latest/reference/s3/) which look like `s3://bucket/key`.

To access private S3 objects, we use **Cross-account Access**.

## Cross-account Access

We will fetch attachments from your S3 bucket using AWS account ID `475757276268` (canonical ID `d4b5723a54db6f9da8a68f4c24233880793bf1d68dd11e7e2b4989bd2c71c59a`). You will need to grant access to TELUS International using [bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html) or by setting permissions on individual objects [using ACLs](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-object-permissions.html).

We suggest setting a **Bucket Policy** that shares the bucket's contents with the account of TELUS International.

Here's a sample bucket policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}
```

Replace `YOUR_BUCKET_NAME` with the name of your bucket, leaving the `/*` as shown or replacing it with a more specific bucket path to further restrict access.

If you are using ACLs (Access Control Lists), you need to update the ACL individually for each object to grant read access to our account, as Bucket ACLs can't grant read permissions to nested objects.

## Granting access to an S3 bucket encrypted with KMS Key

If your S3 bucket uses customer managed KMS keys for encryption (SSE-KMS), there is an additional step to grant TELUS International the necessary permissions:

1. **IAM Policy on KMS Key:** In addition to the bucket policy or ACLs, you need to modify the key policy attached to the customer managed KMS key used for encryption. This policy needs to allow the IAM user of TELUS International to perform the following actions:
   1. **kms:GenerateDataKey:** This grants TELUS International permission to generate data keys for encrypting/decrypting objects within your bucket.
   2. **kms:Decrypt:** This allows TELUS International to decrypt objects retrieved from your S3 bucket.

**Steps to update the KMS key policy:**

1. Navigate to the AWS KMS console and select the KMS key used for your S3 bucket encryption.
2. Go to the "Key policy" section.
3. Edit the existing policy or create a new one.
4. Add the following statement to the key policy:

```json
{
    "Version": "2012-10-17",
    "Id": "kms-policy",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```
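As an added check that is not part of the TELUS International documentation, the following Python script reviews a bucket policy or KMS key policy before it is applied: it confirms that every `Allow` statement names only the account above (no `*` or foreign principals) and lists the actions that go beyond what fetching attachments requires, so you can decide whether to trim the sample policies to the read-only set the text describes. The policy embedded in it is a constructed condensation of the bucket policy above, reduced to the fields the review inspects.

```python
# Account the page names as the one that fetches attachments.
TRUSTED_PRINCIPALS = {"arn:aws:iam::475757276268:root"}
# Actions the page says are actually needed to fetch attachments.
NEEDED_S3 = {"s3:ListBucket", "s3:GetObject"}
NEEDED_KMS = {"kms:GenerateDataKey", "kms:Decrypt"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_needed(action, needed):
    """True if `action` names (or is a narrow wildcard over) a needed action."""
    if action == "*" or action.endswith(":*"):
        return False  # service-wide wildcard is never least privilege
    if action.endswith("*"):
        return any(n.startswith(action[:-1]) for n in needed)
    return action in needed


def review_policy(policy, needed):
    """Findings for each Allow statement of an S3 bucket or KMS key policy:
    public or unexpected principals, and actions beyond `needed`."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append(f"{sid}: public principal '*'")
            elif p not in TRUSTED_PRINCIPALS:
                findings.append(f"{sid}: unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if not _matches_needed(action, needed):
                findings.append(f"{sid}: {action} is not needed for fetching")
    return findings


# Constructed sample: the page's bucket policy, condensed to the fields reviewed.
SAMPLE_BUCKET_POLICY = {
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::475757276268:root"]},
         "Action": "s3:ListBucket"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::475757276268:root"]},
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]},
    ],
}
```

Run `review_policy(SAMPLE_BUCKET_POLICY, NEEDED_S3)` to see `s3:PutObject` and `s3:DeleteObject` reported; pass a key policy with `NEEDED_KMS` to review the KMS statement the same way.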
