AWS Cloud Connector
Deploy the Trusted Signatures AWS Cloud Connector in your own account so PDFs stay in S3 while Lambda handles digesting, sealing, and sealed-PDF output.
- AWS Lambda deployment
- S3 source and destination buckets
- Digest-only request to Trusted Signatures
AWS proof
Use Lambda and S3 for connector speed, scale, and account-scoped control
The documented AWS pattern uses Lambda for invocation, S3 for document movement, and AWS-native IAM and secrets controls so teams can run sealing workflows inside their own account.
S3
speed path
Source and destination buckets let applications hand off PDFs and retrieve sealed output through the same storage workflow.
Lambda
scale model
The connector runs as a Lambda function, fitting bursty or event-driven document jobs without managing long-lived servers.
IAM
security controls
Least-privilege roles, bucket policies, and Secrets Manager guidance scope access to documents and credentials.
SHA-256
data boundary
Only the document digest and signing metadata are sent to Trusted Signatures while PDFs stay in S3.
AWS Cloud Connector Docs
Use these guides to deploy and operate the Trusted Signatures AWS Cloud Connector inside your own AWS account.
Start here
- Deployment guide: create the Lambda, assign IAM, and validate health.
- API reference: request shape, endpoints, and end-to-end invocation flow.
- S3 setup: source and destination buckets, policies, and lifecycle guidance.
- Secrets Manager setup: secure API key handling in client applications.
Operating model
- PDFs stay in your S3 buckets.
- Lambda retrieves the PDF, computes the digest, requests the signature, and writes the sealed PDF back to S3.
- Only the SHA-256 digest and signing metadata are sent to Trusted Signatures.
Need architectural review?
Book a technical walkthrough
For enterprise rollout, we can review trust model, controls, and integration patterns with your team.