Use your own S3 Bucket

What is BYO S3 and why would I want it?

Files uploaded to Paperform on forms are by default available via a unique, public URL. This URL gives access to the uploaded file to anyone who has it - so customers must treat the security of this URL as you would the security of the file itself.

Customers who are capturing sensitive information can opt to use their own S3 bucket to store files in, which can be configured to store files privately. This ensures that uploaded files can't accidentally be shared outside of Paperform. However, using a private S3 bucket may impact the expected behavior of other features like accessing files via email, submission exports or integrations with third parties.

Setup bucket

This feature is exclusively available with selected pricing plans.

1. Login to AWS and setup a new S3 bucket.

2. Configure your public access settings to allow public access. If you would like objects created in your bucket to be private we can configure that when we enable your bucket.

   Public access requirements for S3 bucket

3. Configure your ACL settings as shown below.

   ACL requirements for S3 bucket

4. Under Permissions → CORS Configuration, click Edit and add the following:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "GET"
        ],
        "AllowedOrigins": [
            "https://*.paperform.co"
        ],
        "ExposeHeaders": [
            "ETag"
        ]
    }
]

Additional step for custom domains

If you use custom domains on Paperform then you will need to add additional AllowedOrigins to give your custom domain permission to upload files to your S3 bucket.

For example, if you had a custom domain forms.mysite.com then your allowed origins should be:

[
  "https://*.paperform.co",
  "https://forms.mysite.com"
]

Setup IAM User with permissions

1. Go to IAM in AWS.

2. Create a new user with "programmatic access".

3. Under "Set Permissions" select Attach existing policies directly → Create policy.

4. In the policy creator, select the "JSON" tab and paste the below policy.

   {
   "Version": "2012-10-17",
   "Statement": [
       {
       "Effect": "Allow",
       "Action": ["s3:ListBucket"],
       "Resource": ["arn:aws:s3:::BUCKETNAME"]
       },
       {
       "Sid": "Stmt1466908203000",
       "Effect": "Allow",
       "Action": [
           "s3:AbortMultipartUpload",
           "s3:GetBucketAcl",
           "s3:GetBucketCORS",
           "s3:GetObject",
           "s3:GetObjectAcl",
           "s3:ListBucket",
           "s3:ListBucketMultipartUploads",
           "s3:ListMultipartUploadParts",
           "s3:PutObject",
           "s3:PutObjectAcl",
           "s3:PutObjectVersionAcl"
       ],
       "Resource": ["arn:aws:s3:::BUCKETNAME/*"]
       }
   ]
   }
   

   Note that you should replace the BUCKETNAME with the name you choose for your S3 bucket.

5. Save the policy under any name you like.

6. Go back to the user setup.

7. Select the newly created policy (you may need to refresh the listing to search for the policy).

8. Complete user setup and ensure you download credentials.csv.

Give credentials to Paperform for setup

Generate an Access Key for the user you created and fill out https://byo-s3-setup.paperform.co to give Paperform the relevant information to setup the S3 bucket as the upload location for your forms. Paperform will complete and test the setup and get back to you within 2 business days.