Skip to main content
Version: v1.7.0

Configuring and Accessing a Client-Owned S3 Bucket Using a CMK

Objective: Configure an AWS S3 bucket for encryption with a customer-managed CMK and set permissions for AlphaSense access.

Prerequisites

  • An AWS account with an existing CMK.
  • Familiarity with AWS S3 and AWS KMS.

Workflow Diagram

BYOB Workflow

Detailed Steps

1. Create a Customer Master Key (CMK)

2. Select or Create an AWS S3 Bucket

  • Navigate to the S3 management console.
  • Choose region: you must use same region as for your key
  • Create a new bucket or select an existing one to configure for AlphaSense usage

3. Enable Bucket Encryption

Enable encryption in the bucket configuration using your CMK. Use default values for other settings:

  • General Configuration
    • Bucket type: General purpose
  • Object Ownership
    • ACLs disabled
  • Block Public Access settings for this bucket
    • Block all public access
  • Bucket Versioning
    • disable
  • Default encryption
    • Server-side encryption with AWS Key Management Service keys (SSE-KMS)
    • Select your previously created CMK

4. Configure Bucket and Key Access Policies

  • In the Amazon S3 console: select your bucket and go to "Permissions" tab
  • Click edit bucket policy
  • Example Bucket Policy is listed below. AlphaSense will provide you the exact policy including the complete ARN. The policy will allow AlphaSense system to save, get, list and delete objects in the bucket.
  • Saved objects include original customer uploaded files, as well as all derived files that are needed to process and display customer content on AlphaSense system.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::[AlphaSense-Account-ID]:role/[customer-facing-role-name]"},
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:RestoreObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::[Your-Bucket-Name]/*"
    }
  ]
}

Further Reading: Using Bucket Policies and User Policies

5. Transmit ARNs to AlphaSense

  • Provide the ARNs & Region for both the bucket and the CMK to AlphaSense securely.

6. Security Considerations

  • Enable bucket logging to monitor access and actions performed.
  • Regularly review your security settings and policies to ensure they meet your organization's requirements.