AWS Cloud Connector S3 Setup

Configure S3 buckets, IAM permissions, and lifecycle controls for the Trusted Signatures AWS Cloud Connector.

  • Source and destination buckets
  • Bucket policies
  • Lifecycle cleanup

AWS proof

Use Lambda and S3 for connector speed, scale, and account-scoped control

The documented AWS pattern uses Lambda for invocation, S3 for document movement, and AWS-native IAM and secrets controls so teams can run sealing workflows inside their own account.

Trust & Standards

  • S3 (speed path): Source and destination buckets let applications hand off PDFs and retrieve sealed output through the same storage workflow.
  • Lambda (scale model): The connector runs as a Lambda function, fitting bursty or event-driven document jobs without managing long-lived servers.
  • IAM (security controls): Least-privilege roles, bucket policies, and Secrets Manager guidance scope access to documents and credentials.
  • SHA-256 (data boundary): Only the document digest and signing metadata are sent to Trusted Signatures while PDFs stay in S3.

S3 Setup Guide

Overview

The AWS Cloud Connector uses S3 buckets to handle PDFs of any size. You need to configure S3 buckets and permissions before using the connector.

S3 Bucket Setup

Create Buckets

You need at least one S3 bucket (the same bucket can serve as both source and destination):

# Create source bucket
aws s3 mb s3://your-pdf-source-bucket

# Create destination bucket (optional - can use same bucket)
aws s3 mb s3://your-pdf-sealed-bucket

Bucket Policy (Optional)

Restrict bucket access to the Lambda execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/pdf-sealer-lambda-role"
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Lambda IAM Permissions

Update your Lambda execution role with S3 permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::your-source-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::your-destination-bucket/*"
    }
  ]
}
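The bucket policy and the Lambda execution policy above are deliberately narrow: object-level actions only, one bucket per statement, no wildcards. The following is an added example (not the connector's own code) of a small audit that checks a policy document for exactly that shape before it is deployed. It assumes the only actions the connector needs are the five granted in this guide; the over-broad policy at the end is a constructed counter-example, not something from the page.

```javascript
// Added example (not part of the Trusted Signatures connector): audit an IAM
// or bucket policy document for the least-privilege shape this guide uses.
// Assumption: the only actions the connector needs are the five granted above.
const CONNECTOR_ACTIONS = new Set([
  "logs:CreateLogGroup",
  "logs:CreateLogStream",
  "logs:PutLogEvents",
  "s3:GetObject",
  "s3:PutObject",
]);

// IAM lets most fields be a single string or an array; normalise to an array.
function asList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Returns human-readable findings; an empty array means nothing was flagged.
function auditPolicy(policy) {
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    const sid = stmt.Sid || "(no Sid)";
    // Deny statements only remove access, so they are not a privilege risk.
    if (stmt.Effect !== "Allow") continue;

    // Bucket policies name a Principal; "*" makes the bucket world-accessible.
    const principal = stmt.Principal;
    if (principal === "*" || (typeof principal === "object" && asList(principal.AWS).includes("*"))) {
      findings.push(`${sid}: Principal "*" grants access to anyone`);
    }
    // NotAction / NotResource grant everything except what is listed.
    if (stmt.NotAction !== undefined || stmt.NotResource !== undefined) {
      findings.push(`${sid}: NotAction/NotResource is broader than an explicit list`);
    }

    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);
    const hasObjectAction = actions.some((a) => a === "s3:GetObject" || a === "s3:PutObject");

    for (const action of actions) {
      if (action.includes("*")) {
        findings.push(`${sid}: wildcard action "${action}"`);
      } else if (!CONNECTOR_ACTIONS.has(action)) {
        findings.push(`${sid}: action "${action}" is not needed by the connector`);
      }
    }
    for (const resource of resources) {
      if (resource === "*") {
        findings.push(`${sid}: resource "*" is not scoped to a bucket`);
        continue;
      }
      // Object-level S3 actions need an object ARN (bucket/key-pattern); a bare
      // bucket ARN makes the grant ineffective and the Lambda gets Access Denied.
      if (hasObjectAction && resource.startsWith("arn:aws:s3:::") && !resource.includes("/")) {
        findings.push(`${sid}: "${resource}" is a bucket ARN; object actions need "${resource}/*"`);
      }
    }
  }
  return findings;
}

// The Lambda execution policy from this guide, as a JavaScript object.
const LAMBDA_ROLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], Resource: "arn:aws:logs:*:*:*" },
    { Effect: "Allow", Action: ["s3:GetObject"], Resource: "arn:aws:s3:::your-source-bucket/*" },
    { Effect: "Allow", Action: ["s3:PutObject"], Resource: "arn:aws:s3:::your-destination-bucket/*" },
  ],
};

// A constructed counter-example of the kind of policy the audit should reject.
const OVERBROAD_BUCKET_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "TooWide", Effect: "Allow", Principal: "*", Action: "s3:*", Resource: "*" },
  ],
};

console.log("guide policy:", auditPolicy(LAMBDA_ROLE_POLICY));      // []
console.log("over-broad policy:", auditPolicy(OVERBROAD_BUCKET_POLICY)); // three findings
```

Run it against the JSON you are about to attach to the role or bucket (parse the file with JSON.parse first); the guide's bucket policy also passes, since its Principal is a single role ARN and its resource is an object pattern.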

Usage Workflow

1. Upload PDF to S3

const AWS = require("aws-sdk");
const fs = require("fs");
const s3 = new AWS.S3();

// The PDF to seal as a Buffer (here read from disk; any Buffer works)
const pdfBuffer = fs.readFileSync("input.pdf");

// Upload PDF (await must run inside an async function or an ES module)
await s3
  .putObject({
    Bucket: "your-source-bucket",
    Key: "documents/input.pdf",
    Body: pdfBuffer,
    ContentType: "application/pdf",
  })
  .promise();

2. Invoke Lambda

const lambda = new AWS.Lambda();

const result = await lambda
  .invoke({
    FunctionName: "pdf-sealer-gateway",
    Payload: JSON.stringify({
      httpMethod: "POST",
      path: "/seal",
      body: JSON.stringify({
        sourceBucket: "your-source-bucket",
        sourceKey: "documents/input.pdf",
        destinationBucket: "your-destination-bucket",
        destinationKey: "sealed/output.pdf",
        apiKey: "your-hex-api-key",
        apiKeyId: "your-key-id",
        tsaTimestamp: true,
        includeLtv: true,
      }),
    }),
  })
  .promise();

3. Download Sealed PDF

// Get sealed PDF location from response
const response = JSON.parse(result.Payload);
const body = JSON.parse(response.body);

// Download sealed PDF
const sealedPdf = await s3
  .getObject({
    Bucket: body.sealedPdfLocation.bucket,
    Key: body.sealedPdfLocation.key,
  })
  .promise();
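The three steps above, joined into one function, as an added example that is not the connector project's code. The S3 and Lambda clients are passed in, so the same function runs against the real aws-sdk v2 clients (new AWS.S3(), new AWS.Lambda()) or against the constructed in-memory stubs included below. Two things are assumed beyond the snippets: the Lambda response may carry an API-Gateway-style statusCode field (treated as failure when not 2xx), and the API key is read from environment variables whose names are invented here. The function also refuses to download from any location other than the one it requested, so a wrong or tampered response cannot redirect the fetch.

```javascript
// Added example (not the connector project's code): upload, invoke, download
// as one function with injected AWS clients.
async function sealPdf({ s3, lambda }, pdfBuffer, opts) {
  const { sourceBucket, sourceKey, destinationBucket, destinationKey, apiKey, apiKeyId } = opts;

  // 1. Upload the PDF; the bytes stay in the account's own bucket.
  await s3.putObject({ Bucket: sourceBucket, Key: sourceKey, Body: pdfBuffer, ContentType: "application/pdf" }).promise();

  // 2. Invoke the connector with bucket/key references, not the document itself.
  const result = await lambda.invoke({
    FunctionName: "pdf-sealer-gateway",
    Payload: JSON.stringify({
      httpMethod: "POST",
      path: "/seal",
      body: JSON.stringify({ sourceBucket, sourceKey, destinationBucket, destinationKey, apiKey, apiKeyId, tsaTimestamp: true, includeLtv: true }),
    }),
  }).promise();
  if (result.FunctionError) throw new Error(`connector Lambda failed: ${result.FunctionError}`);

  const response = JSON.parse(result.Payload);
  // Assumption: an API-Gateway-style statusCode, when present, signals success/failure.
  if (response.statusCode !== undefined && (response.statusCode < 200 || response.statusCode >= 300)) {
    throw new Error(`connector returned HTTP ${response.statusCode}`);
  }
  const location = JSON.parse(response.body).sealedPdfLocation;

  // Defensive check: only fetch from the bucket and key that were requested.
  if (!location || location.bucket !== destinationBucket || location.key !== destinationKey) {
    throw new Error(`unexpected sealed location ${JSON.stringify(location)}`);
  }

  // 3. Download the sealed PDF.
  const sealed = await s3.getObject({ Bucket: location.bucket, Key: location.key }).promise();
  return { location, body: sealed.Body };
}

// Constructed in-memory stand-ins for the AWS clients (aws-sdk v2 call shape:
// client.method(params).promise()). `tamper` makes the fake connector report a
// location other than the one requested, to exercise the check above.
function makeStubClients(store, { tamper = false } = {}) {
  const s3 = {
    putObject: (p) => ({ promise: async () => { store.set(`${p.Bucket}/${p.Key}`, p.Body); return {}; } }),
    getObject: (p) => ({ promise: async () => {
      const body = store.get(`${p.Bucket}/${p.Key}`);
      if (body === undefined) throw new Error("NoSuchKey");
      return { Body: body };
    } }),
  };
  const lambda = {
    invoke: (p) => ({ promise: async () => {
      const req = JSON.parse(JSON.parse(p.Payload).body);
      // Fake "sealing": the stub appends a marker to the source bytes.
      store.set(`${req.destinationBucket}/${req.destinationKey}`, store.get(`${req.sourceBucket}/${req.sourceKey}`) + "%%SEALED");
      const location = tamper
        ? { bucket: "some-other-bucket", key: req.destinationKey }
        : { bucket: req.destinationBucket, key: req.destinationKey };
      return { StatusCode: 200, Payload: JSON.stringify({ statusCode: 200, body: JSON.stringify({ sealedPdfLocation: location }) }) };
    } }),
  };
  return { s3, lambda };
}

// Constructed sample input and options. The environment variable names are
// assumptions; the point is that the key is not written into source.
const SAMPLE_PDF = "%PDF-1.7 constructed sample";
const DEMO_OPTS = {
  sourceBucket: "your-source-bucket",
  sourceKey: "documents/input.pdf",
  destinationBucket: "your-destination-bucket",
  destinationKey: "sealed/output.pdf",
  apiKey: process.env.TRUSTED_SIGNATURES_API_KEY || "placeholder-api-key",
  apiKeyId: process.env.TRUSTED_SIGNATURES_API_KEY_ID || "placeholder-key-id",
};

sealPdf(makeStubClients(new Map()), SAMPLE_PDF, DEMO_OPTS)
  .then((r) => console.log("sealed at", r.location, "->", r.body));
```

To use it for real, replace makeStubClients(...) with { s3: new AWS.S3(), lambda: new AWS.Lambda() } and pass a Buffer read from disk or from a request body; everything else stays the same.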

Presigned URLs (Optional)

To let clients upload and download without holding AWS credentials, generate time-limited presigned URLs:

// Generate presigned URL for upload
const uploadUrl = s3.getSignedUrl("putObject", {
  Bucket: "your-source-bucket",
  Key: "documents/input.pdf",
  ContentType: "application/pdf",
  Expires: 3600, // 1 hour
});

// Generate presigned URL for download
const downloadUrl = s3.getSignedUrl("getObject", {
  Bucket: "your-destination-bucket",
  Key: "sealed/output.pdf",
  Expires: 3600, // 1 hour
});

Security Best Practices

Bucket Encryption

Enable default server-side encryption (SSE-S3, AES-256) on the bucket:

aws s3api put-bucket-encryption \
  --bucket your-bucket-name \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }'

Lifecycle Policies

Apply a lifecycle configuration that automatically deletes temporary files (here, objects under the temp/ prefix after one day):

{
  "Rules": [
    {
      "ID": "DeleteTempFiles",
      "Status": "Enabled",
      "Filter": { "Prefix": "temp/" },
      "Expiration": { "Days": 1 }
    }
  ]
}

Access Logging

Enable server access logging to a separate log bucket for audit:

aws s3api put-bucket-logging \
  --bucket your-bucket-name \
  --bucket-logging-status '{
    "LoggingEnabled": {
      "TargetBucket": "your-log-bucket",
      "TargetPrefix": "access-logs/"
    }
  }'
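The three controls in this section (default encryption, lifecycle cleanup, access logging) are easy to forget on a bucket created in a hurry. Below is an added example, not the connector project's code, of a check that reads them back with the aws-sdk v2 calls getBucketEncryption, getBucketLifecycleConfiguration and getBucketLogging and reports what is missing. The S3 client is passed in so the constructed stub can stand in for new AWS.S3() offline; the stub mirrors the real response shapes and the error codes S3 returns when a control is unset (ServerSideEncryptionConfigurationNotFoundError, NoSuchLifecycleConfiguration). The temp/ prefix and one-day expiry are taken from the lifecycle rule above.

```javascript
// Added example (not the connector project's code): verify the bucket
// controls from this section and return a list of findings.
function errorCode(err) {
  return (err && err.code) || "";
}

async function auditBucketControls(s3, bucket, { tempPrefix = "temp/", maxTempDays = 1 } = {}) {
  const findings = [];

  // Default encryption: S3 fails with ServerSideEncryptionConfigurationNotFoundError when unset.
  try {
    const enc = await s3.getBucketEncryption({ Bucket: bucket }).promise();
    const rules = (enc.ServerSideEncryptionConfiguration && enc.ServerSideEncryptionConfiguration.Rules) || [];
    if (!rules.some((r) => r.ApplyServerSideEncryptionByDefault)) findings.push("no default encryption rule");
  } catch (err) {
    if (errorCode(err) !== "ServerSideEncryptionConfigurationNotFoundError") throw err;
    findings.push("default encryption not configured");
  }

  // Lifecycle: an enabled rule must expire the temporary prefix within maxTempDays.
  try {
    const lc = await s3.getBucketLifecycleConfiguration({ Bucket: bucket }).promise();
    const ok = (lc.Rules || []).some((r) =>
      r.Status === "Enabled" &&
      r.Filter && r.Filter.Prefix === tempPrefix &&
      r.Expiration && r.Expiration.Days <= maxTempDays);
    if (!ok) findings.push(`no enabled lifecycle rule expiring "${tempPrefix}" within ${maxTempDays} day(s)`);
  } catch (err) {
    if (errorCode(err) !== "NoSuchLifecycleConfiguration") throw err;
    findings.push("lifecycle configuration not set");
  }

  // Access logging: the call succeeds with an empty object when logging is off.
  const logging = await s3.getBucketLogging({ Bucket: bucket }).promise();
  if (!logging.LoggingEnabled || !logging.LoggingEnabled.TargetBucket) {
    findings.push("access logging disabled");
  } else if (logging.LoggingEnabled.TargetBucket === bucket) {
    findings.push("access logs written to the bucket they describe; use a separate log bucket");
  }
  return findings;
}

// Constructed stub mirroring aws-sdk v2 response shapes and error codes.
function makeStubS3(config) {
  const fail = (code) => { const e = new Error(code); e.code = code; throw e; };
  const call = (fn) => () => ({ promise: async () => fn() });
  return {
    getBucketEncryption: call(() => config.encryption
      ? { ServerSideEncryptionConfiguration: { Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] } }
      : fail("ServerSideEncryptionConfigurationNotFoundError")),
    getBucketLifecycleConfiguration: call(() => config.lifecycleRules
      ? { Rules: config.lifecycleRules }
      : fail("NoSuchLifecycleConfiguration")),
    getBucketLogging: call(() => config.logTarget
      ? { LoggingEnabled: { TargetBucket: config.logTarget, TargetPrefix: "access-logs/" } }
      : {}),
  };
}

// A bucket configured exactly as this section describes, and one left bare.
const HARDENED_BUCKET = makeStubS3({
  encryption: true,
  lifecycleRules: [{ ID: "DeleteTempFiles", Status: "Enabled", Filter: { Prefix: "temp/" }, Expiration: { Days: 1 } }],
  logTarget: "your-log-bucket",
});
const BARE_BUCKET = makeStubS3({});

auditBucketControls(HARDENED_BUCKET, "your-bucket-name").then((f) => console.log("hardened:", f)); // []
auditBucketControls(BARE_BUCKET, "your-bucket-name").then((f) => console.log("bare:", f));         // three findings
```

Against a real account, pass new AWS.S3() as the client; the calling identity needs s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration and s3:GetBucketLogging on the bucket, which the connector's execution role deliberately does not have, so run the check from an operator or CI role instead.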

Troubleshooting

Access Denied Errors

  • Verify that the Lambda execution role has the S3 permissions shown above (s3:GetObject on the source bucket, s3:PutObject on the destination bucket)
  • Check that bucket policies don’t block access from the Lambda execution role
  • Ensure the bucket and object exist

Large File Timeouts

  • Increase Lambda timeout (max 15 minutes)
  • Consider Lambda memory allocation for large files
  • Monitor CloudWatch metrics

Cost Optimization

  • Use S3 Intelligent Tiering for infrequent access
  • Set up lifecycle policies to delete temporary files
  • Consider S3 Transfer Acceleration for large uploads

Monitoring

CloudWatch Metrics

Monitor S3 usage:

  • NumberOfObjects
  • BucketSizeBytes
  • AllRequests

Cost Tracking

  • Enable S3 cost allocation tags
  • Monitor data transfer costs
  • Track storage costs by bucket
