Version: eXtendFiles 1.8.4 and above
Audience: NetSuite Administrator, AWS Administrator

Overview

To use eXtendFiles with Amazon S3, you must configure settings in both NetSuite and Amazon Web Services (AWS). This configuration requires a user with Administrator privileges in NetSuite and with Administrator access to AWS.

Configuration

AWS Configuration (choose one authentication method)

To use Amazon S3 with eXtendFiles, you must create an IAM Policy (required) and then choose one authentication method:

  • Option A: IAM User (Access Key ID + Secret Access Key)
  • Option B: IAM Role (Role ARN)

After that, you will attach the IAM policy to the IAM user or role you created.

AWS Prerequisites

  • Ensure you have created an S3 bucket with the following settings:
    • Set "Object Ownership" to "ACLs enabled".
    • Uncheck all "block public access" options on the bucket. When you disable blocking public access keep in mind the following:

1. Create IAM Policy

Follow Amazon's Create Policies documentation to create a new IAM policy. Make sure to include the policy information below in your IAM policy:

The sample IAM policy below uses the sample bucket name "netsuite-assets" in TWO different places. Replace netsuite-assets with your bucket name in both.

Sample IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:GetBucketVersioning",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObjectVersion",
                "s3:PutObjectVersionAcl",
                "s3:RestoreObject",
                "s3:GetObjectVersionAcl",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetLifecycleConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketTagging",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:GetBucketLogging",
                "s3:GetBucketCORS",
                "s3:PutBucketAcl",
                "s3:GetBucketVersioning",
                "s3:PutBucketCORS",
                "s3:GetBucketAcl",
                "s3:PutBucketVersioning",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::netsuite-assets/*"
            ]
        }
    ]
}

If you are configuring multiple buckets, add them using the format shown below (see netsuite-assets2 and netsuite-assets3 in the example), and add any further buckets in the same way.

            "Resource": [
                "arn:aws:s3:::netsuite-assets",
                "arn:aws:s3:::netsuite-assets2",
                "arn:aws:s3:::netsuite-assets3"
            ]
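
A pre-flight check for the policy before it is attached, as an added example (not eXtendTech's code): it confirms that every bucket entered in NetSuite appears as both a bucket ARN and an object ARN, that the sample name was replaced in both places, and that bucket-level actions are not scoped to object ARNs only. The bucket names acme-files and acme-archive are hypothetical, and the bucket-level test is a name-based heuristic.

```python
PREFIX = "arn:aws:s3:::"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def is_bucket_level(action):
    # Heuristic (assumption): S3 actions naming "Bucket" or "LifecycleConfiguration"
    # act on the bucket itself, so IAM never matches them against "bucket/*".
    name = action.split(":", 1)[-1]
    return "Bucket" in name or "LifecycleConfiguration" in name

def audit_policy(policy, buckets, sample_name="netsuite-assets"):
    """Return findings for an identity policy, given the bucket names set in NetSuite."""
    findings, bucket_arns, object_arns = [], set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        names = [r[len(PREFIX):] for r in as_list(stmt["Resource"]) if r.startswith(PREFIX)]
        whole = {n for n in names if "/" not in n}
        bucket_arns |= whole
        # A prefix-scoped ARN such as "bucket/uploads/*" also counts as object coverage.
        object_arns |= {n.split("/", 1)[0] for n in names if n.endswith("/*")}
        stray = sorted(a for a in as_list(stmt["Action"]) if is_bucket_level(a))
        if stray and not whole:
            findings.append(f"{stmt.get('Sid')}: bucket-level actions on object ARNs only: "
                            + ", ".join(stray))
    for bucket in buckets:
        if bucket not in bucket_arns:
            findings.append(f"{bucket}: bucket ARN missing")
        if bucket not in object_arns:
            findings.append(f"{bucket}: object ARN ({bucket}/*) missing")
    if sample_name not in buckets and sample_name in bucket_arns | object_arns:
        findings.append(f"{sample_name}: sample bucket name was not replaced")
    return findings

# Constructed input: the second placeholder was not replaced and one bucket is absent.
DRAFT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::acme-files"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:PutBucketCORS"],
     "Resource": ["arn:aws:s3:::netsuite-assets/*"]},
]}

if __name__ == "__main__":
    for finding in audit_policy(DRAFT, ["acme-files", "acme-archive"]):
        print(finding)
```

Run against the sample policy above, the bucket-level check reports the VisualEditor1 actions such as s3:PutBucketCORS and s3:PutBucketAcl, because IAM evaluates those only against the bucket ARN and that statement lists only the object ARN.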

If your S3 bucket uses SSE-KMS (Server-Side Encryption with AWS Key Management Service) encryption, you must grant the IAM user used for eXtendFiles permission to generate data keys. Below is a sample permission JSON. Replace "KMS-KEY-ARN" with the ARN of your KMS key.

{
   "Sid": "AllowUseOfKMSKey",
   "Effect": "Allow",
   "Action": [
     "kms:GenerateDataKey"
   ],
   "Resource": "KMS-KEY-ARN"
}

Note that using SSE-KMS encryption removes the ability to permanently share files externally and that temporary access to files is only available using signed links.

2. Choose an authentication method

You only need to complete 2A or 2B.

2A. Create IAM User (Access Key + Secret Key)

Follow Amazon's Create IAM Users documentation to create a new IAM user. When creating access keys for your user, use the "Third-party service" option:


2B. Create IAM Role (Role ARN)

To grant eXtendFiles access to your S3 bucket using an IAM role, you'll need to create a role with a trust relationship that allows eXtendTech's AWS account to assume it. Follow Amazon's IAM role creation documentation for guidance on IAM Role creation.
  • Use "AWS Service" as the Trusted entity type
  • Set "S3" as the Use case
  • Attach your IAM Policy from step 1 for the role's permissions

Add the trust policy below to allow eXtendFiles to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::576320464346:role/extendFiles"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
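
A check for the role's trust policy once it is saved, as an added example (not eXtendTech's code): it reports any principal other than the one shown above and any action other than sts:AssumeRole, since either widens who can assume the role. The function name and the constructed inputs are hypothetical.

```python
# Principal taken from the trust policy above.
EXPECTED = "arn:aws:iam::576320464346:role/extendFiles"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_trust(trust, expected=EXPECTED):
    """Return findings for a role trust policy that should trust only `expected`."""
    findings, seen = [], False
    for i, stmt in enumerate(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume the role")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value == expected:
                    seen = True
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
        extra = [a for a in as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: unexpected actions {', '.join(extra)}")
    if not seen:
        findings.append(f"{expected} is not trusted")
    return findings

# Constructed input: a service principal (assumed left over from role creation)
# sits beside the expected principal.
LEFTOVER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com", "AWS": EXPECTED},
    "Action": "sts:AssumeRole",
}]}

if __name__ == "__main__":
    for finding in audit_trust(LEFTOVER):
        print(finding)
```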

3. Attach the IAM Policy

After creating your IAM policy (step 1) and your IAM user/role (step 2), attach the policy to:
  • Your IAM User (if you followed 2A), or
  • Your IAM Role (if you followed 2B)

NetSuite Configuration

The configuration steps below will be performed from within your NetSuite account.

  1. Go to eXtendTech → eXtendFiles → eXtendFiles Configuration.
  2. In Storage Settings → General, select the "Amazon S3" Storage Type.
  3. Define the fields below with the information from your S3 account.

| Field | Description |
|---|---|
| Primary Bucket | Specify the S3 bucket name where files will be stored. |
| AWS Region | Specify your S3 bucket's AWS Region. |
| Access Key ID | If you used IAM User, enter the access key for your IAM User in S3. |
| Secret Access Key | If you used IAM User, enter the secret access key for your IAM User in S3. |
| Role ARN | If you used IAM Role, enter the Role's ARN. |
| Additional Buckets | Specify the names of any additional S3 buckets that you want to use. These buckets can belong to different AWS Regions and need not be in the Region specified in the AWS Region field. |

Note: Make sure the buckets specified are included in the IAM Policy created in the "AWS Configuration" section above.

Versioning & Additional Settings


Versioning
Delete Files From Storage
  • To delete files from S3 when all related eXtendFiles records are deleted in NetSuite, turn on the "Delete Files From Storage" preference.

Direct Upload (Highly recommended)

Recommendation: We highly recommend configuring Direct Upload for S3 storage. It significantly improves upload performance and reliability, especially for larger files.

Common Configuration Errors

Frequently Asked Questions (FAQs)

Q: Which Amazon S3 Object Storage Classes are supported?
A: Currently, eXtendFiles supports the Amazon S3 Standard (S3 Standard) storage class.