# AWS S3 URL Signing

Our AWS S3 URL signing integration allows you to securely sign URLs for content stored in your S3 buckets. We use AWS AssumeRole to temporarily access your S3 resources without requiring long-term credentials. Follow these steps:

#### **Step 1: Create an IAM Role**

1. Contact our support team to obtain our AWS account ID.
2. Create a new IAM role with the following custom trust policy. Make sure to replace the account ID and external ID placeholders:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::{AWS account ID Lasso}:root"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "sts:ExternalId": "{random string, min 20 characters. See Lasso UI to generate external ID.}"
                   }
               }
           }
       ]
   }
   ```
3. Create a new policy with the following minimum permissions, which allow Lasso to generate signed URLs:

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:GetObject"
               ],
               "Resource": "arn:aws:s3:::{your-image-bucket}/*"
           }
       ]
   }
   ```
4. Assign the policy to the role.
5. Copy the **ARN** of the newly created role, e.g. `arn:aws:iam::1234567890987:role/LassoModerationBucketAccess`
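
Before handing over the role ARN, the two policies from this step can be checked offline against what the step requires: a single trusted account, an `sts:ExternalId` condition of at least 20 characters, and `s3:GetObject` on the bucket's objects only. The following is an added example, not Lasso's code; the function names and the account ID `111122223333` are constructed for illustration.

```python
import json

MIN_EXTERNAL_ID_LEN = 20  # minimum length stated in Step 1

def as_list(value):
    # IAM accepts either a single string or a list for these fields.
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(policy, vendor_account_id):
    """Return problems found in the role's trust policy (empty list = OK)."""
    expected = f"arn:aws:iam::{vendor_account_id}:root"
    stmts = allow_statements(policy)
    problems = [] if stmts else ["no Allow statement"]
    for stmt in stmts:
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [expected]:
            problems.append(f"principal must be exactly {expected}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append("action must be sts:AssumeRole only")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext_id, str):
            problems.append("no StringEquals condition on sts:ExternalId")
        elif len(ext_id) < MIN_EXTERNAL_ID_LEN:
            problems.append("external ID shorter than 20 characters")
    return problems

def check_permissions_policy(policy, bucket):
    """Return problems found in the policy attached to the role (empty list = OK)."""
    expected = f"arn:aws:s3:::{bucket}/*"
    stmts = allow_statements(policy)
    problems = [] if stmts else ["no Allow statement"]
    for stmt in stmts:
        extra = [a for a in as_list(stmt.get("Action", [])) if a != "s3:GetObject"]
        if extra:
            problems.append(f"actions beyond s3:GetObject: {extra}")
        if as_list(stmt.get("Resource", [])) != [expected]:
            problems.append(f"resource must be exactly {expected}")
    return problems

# Constructed sample: a trust policy that lost its ExternalId condition.
WEAK_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}')

if __name__ == "__main__":
    print(check_trust_policy(WEAK_TRUST, "111122223333"))
```

A trust policy without the `sts:ExternalId` condition lets any caller in the trusted account assume the role on behalf of any customer (the confused deputy problem), which is why the check treats its absence as a failure.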

#### **Step 2: Add Signing Information in Lasso**

1. Navigate to **Settings → Integrations** in Lasso.
2. Select **AWS S3** and fill in the following fields:
   * **Domain**: The domain where your content resides (e.g., `https://your-image-bucket.s3.amazonaws.com`).
   * **Region**: The AWS region of your bucket.
   * **Bucket**: The name of your S3 bucket (e.g., `your-image-bucket`).
   * **Role ARN**: The **ARN** of the newly created role.
   * **External ID**: The **External ID** you used when creating the role.
   * **TTL**: The time-to-live for the signed URL (minimum 15 minutes). This is the amount of time a URL will be valid for.
   * **Example URL**: Provide an example URL to validate your credentials.

#### **Step 3: Automatic Signing for AWS S3 Content**

Once the integration is set up:

* Any content from the specified **Domain** (e.g., `https://your-image-bucket.s3.amazonaws.com`) will automatically be signed by Lasso when required.
* Lasso dynamically generates a signed URL whenever it needs to access the content, ensuring secure and temporary access.
* This signed URL is used for analyzing the content or displaying it securely in the dashboard. You do not need to update or manage URLs manually.
* If the signed URL expires, Lasso regenerates it automatically when the content is accessed again.
