This tutorial will guide you through creating an S3 storage bucket with AWS and connecting it to your Telsium account to be used as storage for Telsium Drive.
Difficulty: medium
We will refer to End-to-End Encryption as E2EE throughout this tutorial.
IMPORTANT
Because Telsium does not manage your AWS S3 storage bucket infrastructure, you are ultimately responsible for its security and for any other issues that may occur with it.
You are also responsible for the fees that AWS may charge for your storage service. You can check AWS S3 pricing here: https://aws.amazon.com/s3/pricing/.
You are also responsible for storing your bucket access keys in a safe place like a password manager. Our actual recommendation is not to store them at all: once you’ve entered them in Telsium, don’t keep a copy yourself, as you can always generate new ones if needed by following step 6 of this tutorial.
We strongly recommend that the storage buckets you use for Telsium be used only for Telsium.
IMPORTANT
Telsium servers need access to your bucket’s unencrypted credentials in order to sign the URLs needed for secure file sharing.
Your storage access and secret keys will be stored encrypted with Telsium managed keys.
Telsium servers DO NOT have access to the underlying data of your storage files, as it is protected by E2EE.
Telsium servers will never directly interact with your bucket, as the credentials are only used to sign URLs.
1. Create an AWS account
Go to https://aws.amazon.com/ and create an account. You will need to enter a payment method to create an account, but you will not be charged upon account creation. AWS S3 has a free tier that you can explore. You can check the free tier limits and other info here: https://aws.amazon.com/free/
2. Create an S3 bucket
Go to your AWS S3 console and click “Create bucket”, then in the create bucket form enter your bucket name and select the following:
In “Bucket type” select “General purpose”.
In “Object ownership” select “ACLs disabled (recommended)”.
In “Block Public Access settings for this bucket” select “Block all public access”.
In “Bucket versioning” select “Disable” as file versioning is managed within Telsium.
In “Default encryption” select “Server-side encryption with Amazon S3 managed keys (SSE-S3)” and in “Bucket key” select enable. This is not actually required, as all files in Telsium are protected with E2EE directly within Telsium, but AWS S3 has no option to disable server-side encryption. If it did, our recommendation would be to disable it, as there is no need for it.
In “Advanced settings” > “Object lock” select disable.
Then click “Create bucket”.
3. Set a CORS policy in your bucket
In your AWS S3 console under the “General purpose buckets” tab, select the bucket you’ve just created in the previous step.
In your bucket dashboard select the following:
In the “Permissions” tab, under “Cross-origin resource sharing (CORS)” click “Edit”.
In the “Edit cross-origin resource sharing (CORS)” editor enter the following (you can copy paste this):
[
    {
        "AllowedHeaders": [ "*" ],
        "AllowedMethods": [ "GET", "PUT", "DELETE" ],
        "AllowedOrigins": [ "https://app.telsium.com" ],
        "ExposeHeaders": [ "Access-Control-Allow-Origin" ]
    }
]
Then click “Save changes”.
4. Create a policy
In your AWS IAM console go to policies.
In the policies dashboard click “Create policy”, then in the create policy form select the following:
In “Select service” enter “S3”.
In “Actions allowed” check the following settings.
Under “Read” check the “GetObject” action.
Under “Write” check the “DeleteObject” and “PutObject” actions.
In “Resources” select “Specific” and click “Add ARNs”, then in the “Specify ARNs” form add the following:
In “Resource bucket name” enter your bucket name like this: “my-bucket-name” (please enter your actual bucket name and not “my-bucket-name”).
In “Resource object name” select “Any object name”.
Then click “Add ARNs”.
Then click the “Next” button in the lower right of the page.
In the next page in “Policy details” > “Policy name” enter your policy name. It can be something like this: “my-bucket-name-policy” (please enter your actual bucket policy name and not “my-bucket-name-policy”).
Optional. In “Description” add a description if you want.
Then in the lower right of the page click “Create policy”.
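The console's JSON tab shows the policy document these selections produce. The following added example (not part of the original tutorial or of Telsium) builds the document the steps above should yield and audits a policy for anything broader or narrower; the function names are hypothetical, “my-bucket-name” is the tutorial's placeholder, and the exact JSON shape is an assumption based on standard IAM policy syntax.

```python
REQUIRED = {"s3:getobject", "s3:putobject", "s3:deleteobject"}  # from step 4


def expected_policy(bucket):
    """Policy document matching the step 4 selections (assumed JSON equivalent)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",  # "Any object name"
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return findings where the policy grants more or less than step 4."""
    scoped = f"arn:aws:s3:::{bucket}/*"
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() not in REQUIRED:
                findings.append(f"extra action: {action}")
            else:
                granted.add(action.lower())
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != scoped:
                findings.append(f"resource not limited to {scoped}: {resource}")
    findings += [f"missing action: {a}" for a in sorted(REQUIRED - granted)]
    return findings


if __name__ == "__main__":
    # Constructed over-broad policy, the kind this check is meant to catch.
    broad = {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
    print(audit_policy(expected_policy("my-bucket-name"), "my-bucket-name"))
    print(audit_policy(broad, "my-bucket-name"))
```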
5. Create a user
In your AWS IAM console go to users.
In the users dashboard click “Create user”, then in the create user form select the following:
In “User details” > “User name” enter your user name. It can be something like this: “my-bucket-name-user” (please enter your actual bucket name user and not “my-bucket-name-user”).
In the lower right of the page click “Next”.
In “Set permissions” > “Permissions options” select “Attach policies directly”, then in the “Permissions policy” search field enter the name of the policy you created in step 4, select the policy and click “Next” in the lower right of the page.
Then in “Review and create” click “Next” in the lower right of the page.
6. Create an access key for your user
In your AWS IAM console users dashboard, select the user you created in step 5.
There, go to the “Security credentials” tab and under “Access keys” select “Create access key”, then in the form select the following:
In “Access key best practices & alternatives” select “Third party service”, then in “Confirmation” select “I understand the above recommendation and want to proceed to create an access key”.
Then in the lower right click “Next”.
In “Set description tag - optional” click “Create access key” in the lower right of the page.
Then in “Retrieve access keys” copy your “Access key” and your “Secret access key”, as you will need to enter them in Telsium.
7. Link your bucket to Telsium
Go to your Telsium account dashboard. You can find it by clicking your avatar in the top right corner of the app.
In the account dashboard, select the “Storage” item on the left (desktop) or below your avatar on mobile.
In the “Storage” settings under “Storages” click “Add”, then in the “Add storage” form enter your bucket credentials as follows:
In “Name” enter the name you want this storage to be identified with. It can be whatever you want, as its only purpose is to let you identify the storage.
In “Storage” endpoint enter your bucket endpoint like this:
https://s3.your-bucket-region.amazonaws.com
You can find your “your-bucket-region” name in your S3 dashboard > “General purpose buckets” > “AWS Region”. It can be something like “us-east-1”, “us-east-2”, “us-west-1”, etc.
In “Region” enter the region you just found in the previous point.
In “Bucket name” enter the bucket name you created in step 2.
Leave “Use bucket as path” unchecked.
Under “Keys” enter the access key you created in step 6. Enter your “Access key” as “Access key id”.
Then click “Test bucket credentials”.
Optional. In “Capacity” > “Quota capacity” enter the maximum amount of storage in GB (gigabytes) you want to allow for this storage. Enter “0” (zero) for unlimited storage.
Once your credentials have been validated successfully, click “Submit” in the lower right of the form.
8. Enjoy!
That’s it! You’ve just created a storage bucket with AWS and linked it to your Telsium account to be used with Telsium Drive. Start enjoying your files privately with absolute confidence in our E2EE architecture: with it, neither AWS nor we (Telsium) know what your files contain.
Enjoy true privacy, enjoy Telsium.
Get access right now at the Telsium App or visit our website.
An active Telsium Plus subscription is required to link your own S3 storages to Telsium Drive.