
S3 Setup

V7 S3 setup

⚠️ Note: Virus scan setup is manual. See the CSS Antivirus for S3 Integration Guide to configure it.

S3 on another AWS account

When the S3 bucket lives in a different AWS account, configure the following.

Bucket policy

{
  "Version": "2012-10-17",
  "Id": "V7Access",
  "Statement": [
    {
      "Sid": "DarwinAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::258327614892:role/external_s3"
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::orion-caris/*"
    }
  ]
}

Replace arn:aws:s3:::orion-caris/* with the ARN of your own bucket followed by /*, so that the statement covers the objects in that bucket.
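One way to check a bucket policy before applying it, as an added example that is not part of V7's documentation: the script parses a policy document and reports where the grant to the V7 role is broader than the statement above. The function name audit_bucket_policy and the bucket name example-bucket are assumptions made for illustration.

```python
import json

# Values taken from the page: the V7 role and the two actions it is granted.
V7_ROLE = "arn:aws:iam::258327614892:role/external_s3"
ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject"}

def _as_list(value):
    """IAM policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, bucket):
    """Return findings about the cross-account grant in a bucket policy (hypothetical helper)."""
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket}/*"
    granted = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            findings.append(f"{sid}: wildcard principal opens the bucket to any AWS account")
            continue
        if V7_ROLE not in aws:
            continue  # statement is for another principal, not audited here
        granted = True
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"{sid}: actions beyond the page's policy: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != expected_resource:
                findings.append(f"{sid}: resource {res} is not {expected_resource}")
    if not granted:
        findings.append(f"no Allow statement for {V7_ROLE}")
    return findings

# Constructed sample: the page's statement loosened to a wildcard action,
# with the bucket ARN itself added as a resource.
LOOSE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DarwinAccess", "Effect": "Allow",
    "Principal": {"AWS": V7_ROLE},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

if __name__ == "__main__":
    for finding in audit_bucket_policy(LOOSE, "example-bucket"):
        print(finding)
```

The check covers Allow statements with Principal, Action and Resource only; statements written with NotPrincipal, NotAction or Condition need a manual read.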

CORS policy

Add this CORS policy on the bucket:

[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET"],
    "AllowedOrigins": ["https://darwin.v7labs.com"],
    "ExposeHeaders": [],
    "MaxAgeSeconds": 3000
  }
]

KMS key policy (customer-managed key)

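If the bucket is encrypted with a customer-managed KMS key, add this statement to that key's policy (in a key policy, "Resource": "*" refers only to the key the policy is attached to):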

{
  "Sid": "Allow access for v7",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::258327614892:role/external_s3"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

If the bucket uses an AWS-managed key, ask V7 which policy to use.