
AWS Cloud Connector Deployment Guide

Deploy the Trusted Signatures AWS Cloud Connector as a Lambda-based sealing gateway in your own AWS account.

  • Lambda runtime
  • IAM least privilege
  • S3-based PDF flow

AWS proof

Use Lambda and S3 for connector speed, scale, and account-scoped control

The documented AWS pattern uses Lambda for invocation, S3 for document movement, and AWS-native IAM and secrets controls so teams can run sealing workflows inside their own account.

Trust & Standards

  • S3 (speed path): Source and destination buckets let applications hand off PDFs and retrieve sealed output through the same storage workflow.
  • Lambda (scale model): The connector runs as a Lambda function, fitting bursty or event-driven document jobs without managing long-lived servers.
  • IAM (security controls): Least-privilege roles, bucket policies, and Secrets Manager guidance scope access to documents and credentials.
  • SHA-256 (data boundary): Only the document digest and signing metadata are sent to Trusted Signatures while PDFs stay in S3.

Deployment Guide

This is the guide for deploying the Trusted Signatures AWS Cloud Connector.

The connector provides businesses with a scalable, cost-effective API in their own infrastructure to seal even the most sensitive documents. By deploying the connector in their own AWS account, customers have assurance that none of the information in the documents can be intercepted or modified.

The AWS Cloud Connector is deployed as a Lambda function. Customers put the PDFs that they wish to seal into an S3 bucket, invoke the Lambda function, and receive the sealed PDF back in a destination bucket.

Architecture Overview

Process Flow

Prerequisites

  • AWS Account with Lambda, S3, and API Gateway permissions
  • S3 buckets for PDF storage (source and destination)
  • Valid Trusted Signatures Container Gateway license
  • Trusted Signatures API credentials

AWS Console Deployment

Step 1: Create Lambda Function

  1. Open AWS Lambda Console
  2. Click Create function
  3. Select Author from scratch
  4. Configure:
    • Function name: pdf-sealer-gateway
    • Runtime: Node.js 22.x
    • Architecture: x86_64 or arm64
  5. Click Create function

Step 2: Upload Code

  1. In the function page, go to Code tab
  2. Click Upload from → .zip file
  3. Upload the entire ZIP package you downloaded
  4. Click Save

Step 3: Configure Function

  1. Go to Configuration → General configuration
  2. Click Edit and set:
    • Memory: Set based on PDF size (see Memory Requirements below)
    • Timeout: 30 seconds for small PDFs, up to 15 minutes for large PDFs
  3. Click Save

Memory Requirements

Important: Lambda processes PDFs in memory. Allocate sufficient memory:

  • Rule of thumb: PDF size × 4 = minimum Lambda memory needed
  • < 250 MB PDF: 1 GB Lambda memory
  • 500 MB PDF: 2 GB Lambda memory

Step 4: Validate the Sealing Workflow

Test the Lambda with the same flow described in the overview page: upload a PDF to S3, invoke the connector with POST /seal, and confirm the sealed PDF is written to the destination bucket.

  1. Upload a test PDF to the source bucket:

aws s3 cp document.pdf s3://your-source-bucket/uploads/document.pdf

  2. Save the following Lambda test event as seal-event.json:

{
  "httpMethod": "POST",
  "path": "/seal",
  "body": "{\"sourceBucket\":\"your-source-bucket\",\"sourceKey\":\"uploads/document.pdf\",\"destinationBucket\":\"your-destination-bucket\",\"destinationKey\":\"sealed/sealed-document.pdf\",\"apiKey\":\"your-hex-api-key\",\"apiKeyId\":\"your-key-id\",\"tsaTimestamp\":true,\"includeLtv\":true,\"limitChanges\":\"no-changes\"}"
}

  3. Invoke the Lambda with that event:

aws lambda invoke \
  --function-name pdf-sealer-gateway \
  --payload fileb://seal-event.json \
  response.json && cat response.json

Expected response:

{
  "statusCode": 200,
  "body": "{\"sealedPdfLocation\":{\"bucket\":\"your-destination-bucket\",\"key\":\"sealed/sealed-document.pdf\"}}"
}

  4. Download the sealed PDF from the destination bucket:

aws s3 cp s3://your-destination-bucket/sealed/sealed-document.pdf sealed-document.pdf

If the invocation succeeds and the sealed PDF downloads from S3, the connector is working as designed.

AWS CLI Deployment

Create Lambda Function

# Create IAM role
aws iam create-role \
  --role-name pdf-sealer-lambda-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'

# Attach execution policy
aws iam attach-role-policy \
  --role-name pdf-sealer-lambda-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

# Create S3 access policy
aws iam put-role-policy \
  --role-name pdf-sealer-lambda-role \
  --policy-name S3Access \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::your-source-bucket/*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::your-destination-bucket/*"
      }
    ]
  }'

# Create function
aws lambda create-function \
  --function-name pdf-sealer-gateway \
  --runtime nodejs22.x \
  --role arn:aws:iam::ACCOUNT_ID:role/pdf-sealer-lambda-role \
  --handler handler.handler \
  --zip-file fileb://lambda-package.zip \
  --memory-size 512 \
  --timeout 30

Test Function

# Upload a PDF to the source bucket
aws s3 cp document.pdf s3://your-source-bucket/uploads/document.pdf

# Create the seal request payload
cat > seal-event.json <<'EOF'
{
  "httpMethod": "POST",
  "path": "/seal",
  "body": "{\"sourceBucket\":\"your-source-bucket\",\"sourceKey\":\"uploads/document.pdf\",\"destinationBucket\":\"your-destination-bucket\",\"destinationKey\":\"sealed/sealed-document.pdf\",\"apiKey\":\"your-hex-api-key\",\"apiKeyId\":\"your-key-id\",\"tsaTimestamp\":true,\"includeLtv\":true,\"limitChanges\":\"no-changes\"}"
}
EOF

# Invoke the connector
aws lambda invoke \
  --function-name pdf-sealer-gateway \
  --payload fileb://seal-event.json \
  response.json

# Inspect the response and then download the sealed PDF
cat response.json
aws s3 cp s3://your-destination-bucket/sealed/sealed-document.pdf sealed-document.pdf

Expected response.json:

{
  "statusCode": 200,
  "body": "{\"sealedPdfLocation\":{\"bucket\":\"your-destination-bucket\",\"key\":\"sealed/sealed-document.pdf\"}}"
}

Security Configuration

You are responsible for securing the AWS Cloud Connector. We recommend an IAM-based, least-privilege approach for maximum security.

Access Methods

Direct Lambda Invocation (Recommended)

  • Invoke Lambda function directly using AWS SDK
  • Use IAM policies to control access
  • Most secure option

API Gateway (Optional)

  • You may create API Gateway if needed
  • Must limit access if you create one
  • Configure proper authentication and authorization

Authentication

Trusted Signatures API Keys:

Gateway Access Control:

  • Configure IAM policies for Lambda access
  • Use least-privilege principle
  • If you create API Gateway, you must limit access to it

Network Security

VPC Deployment (Recommended):

  • Deploy Lambda in private VPC subnets
  • Use NAT Gateway for outbound internet access
  • Configure security groups to allow only necessary traffic

Required Outbound Access:

  • HTTPS access to api.trusted-signatures.com
  • No other external access required
  • No access to customer infrastructure needed

Data Security:

  • Only SHA-256 digest of PDF is transmitted to Trusted Signatures
  • PDF documents never leave your AWS environment
  • Lambda requires S3 permissions:
    • s3:GetObject on source bucket(s) containing PDFs to seal
    • s3:PutObject on destination bucket(s) for sealed PDFs
  • Configure S3 bucket policies to restrict access
  • CRITICAL: Clients should store API credentials in AWS Secrets Manager, not in code
    • Lambda Gateway receives API keys in each request
    • Lambda does not need Secrets Manager access
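The direct-invocation path recommended under Access Methods, combined with the Secrets Manager guidance above, as an added example that is not part of the connector package or its documentation: a Node.js caller that reads the Trusted Signatures key pair from Secrets Manager, invokes pdf-sealer-gateway through the AWS SDK v3, and accepts the result only if it is a 200 whose sealedPdfLocation matches the requested destination. The secret name trusted-signatures/api-key and its JSON layout ({"apiKeyId": ..., "apiKey": ...}) are assumptions; the event and response shapes are the ones shown in Step 4.

```javascript
// Added example, not part of the connector package. Assumes the Trusted
// Signatures credentials are stored in Secrets Manager as the JSON string
// {"apiKeyId":"...","apiKey":"..."} under SECRET_ID (placeholder name) and that
// @aws-sdk/client-lambda and @aws-sdk/client-secrets-manager are installed.
const FUNCTION_NAME = "pdf-sealer-gateway";      // function name from the guide
const SECRET_ID = "trusted-signatures/api-key";  // placeholder secret name

// Build the event the connector expects (same shape as the Step 4 test event).
// Note that "body" is a JSON *string*, as it would be from API Gateway.
function buildSealEvent({ sourceBucket, sourceKey, destinationBucket,
                          destinationKey, apiKey, apiKeyId }) {
  const body = { sourceBucket, sourceKey, destinationBucket, destinationKey,
                 apiKey, apiKeyId, tsaTimestamp: true, includeLtv: true,
                 limitChanges: "no-changes" };
  return { httpMethod: "POST", path: "/seal", body: JSON.stringify(body) };
}

// Fail closed: accept only a 200 whose sealedPdfLocation is exactly the
// destination we asked for, so a caller never downloads an unexpected object.
function parseSealResponse(payload, expected) {
  const res = typeof payload === "string" ? JSON.parse(payload) : payload;
  if (res.statusCode !== 200) {
    throw new Error(`seal failed: statusCode=${res.statusCode} body=${res.body}`);
  }
  const loc = JSON.parse(res.body).sealedPdfLocation;
  if (!loc || loc.bucket !== expected.destinationBucket ||
      loc.key !== expected.destinationKey) {
    throw new Error(`unexpected sealed location: ${JSON.stringify(loc)}`);
  }
  return loc;
}

// Read the key pair from Secrets Manager and invoke the Lambda directly.
// SDK modules are imported lazily so the helpers above run without AWS access.
async function sealViaLambda(request) {
  const sm = await import("@aws-sdk/client-secrets-manager");
  const lambda = await import("@aws-sdk/client-lambda");
  const secret = await new sm.SecretsManagerClient({})
    .send(new sm.GetSecretValueCommand({ SecretId: SECRET_ID }));
  const { apiKeyId, apiKey } = JSON.parse(secret.SecretString);
  const event = buildSealEvent({ ...request, apiKeyId, apiKey });
  const out = await new lambda.LambdaClient({}).send(new lambda.InvokeCommand({
    FunctionName: FUNCTION_NAME,
    Payload: Buffer.from(JSON.stringify(event)),
  }));
  const text = Buffer.from(out.Payload).toString("utf8");
  if (out.FunctionError) throw new Error(`Lambda error: ${text}`);
  return parseSealResponse(text, request);
}
```

The calling identity needs only lambda:InvokeFunction on the function ARN and secretsmanager:GetSecretValue on that one secret; the connector's own role keeps the S3 permissions listed above and nothing more.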

Monitoring

CloudWatch Logs

  • Automatic logging to /aws/lambda/pdf-sealer-gateway
  • View execution details and errors

CloudWatch Metrics

Monitor:

  • Invocations
  • Duration
  • Errors
  • Throttles

Set up CloudWatch alarms for:

  • Error rate > 5%
  • Duration > 25 seconds
  • Throttle events

Updates

To update the Lambda function:

AWS Console:

  1. Go to Lambda function
  2. Upload new ZIP file
  3. Click Save

AWS CLI:

aws lambda update-function-code \
  --function-name pdf-sealer-gateway \
  --zip-file fileb://lambda-package.zip

Troubleshooting

Function Timeout

  • Increase timeout (max 15 minutes)
  • Check network connectivity

Memory Issues

  • Critical: Lambda processes PDFs in memory
  • Allocate memory based on PDF size: PDF size × 4 = minimum Lambda memory
  • Monitor CloudWatch metrics for memory usage

API Gateway 502 Errors

  • Check Lambda logs in CloudWatch
  • Verify function returns proper JSON response

Authentication Errors

  • Verify API credentials are correct
  • Check Trusted Signatures account status

For additional support, see the support page.
