> ## Documentation Index
> Fetch the complete documentation index at: https://intunedhq.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 Attachment Storage

## Overview

By the end of this guide, you'll have an Intuned project that saves downloaded files directly to AWS S3. You'll:

1. Create an S3 bucket and configure AWS credentials for Intuned.
2. Configure S3 credentials in your project.
3. Use the Browser SDK to save files to S3.

## Prerequisites

Before you begin, ensure you have the following:

* An AWS account with S3 access.
* An Intuned account.

<Note>This guide assumes you have a basic understanding of Intuned Projects. If you're new to Intuned, start with the [getting started guide](/main/00-getting-started/introduction).</Note>

## When to use S3 attachment storage

Browser automations often need to download files—invoices from portals, reports from dashboards, or documents from authenticated sites. Instead of returning file content directly from your API, you can save files to S3 for better control and longer term access.

## Guide

### 1. Create an S3 bucket and access credentials

Create an S3 bucket and IAM credentials that Intuned can use to write data:

<Steps>
  <Step title="Create an S3 bucket" icon="bucket">
    1. Log in to the [AWS Management Console](https://console.aws.amazon.com/)
    2. Navigate to the S3 service
    3. Select **Create bucket**
    4. Enter a unique bucket name (e.g., `my-intuned-data`)

    <Tip>
      Choose a descriptive bucket name that makes it easy to identify its purpose (e.g., `company-intuned-production`).
    </Tip>
  </Step>

  <Step title="Configure bucket settings" icon="gear">
    When creating your bucket:

    1. **Object Ownership**: Set to "Access Control Lists (ACLs) disabled"
    2. **Block Public Access**: Keep all public access blocked (recommended for security)
    3. **Bucket Versioning**: Optional - enable if you want to keep historical versions of files
    4. **Encryption**: Optional - enable default encryption for data at rest
    5. Select **Create bucket** to finish

    <Info>
      Intuned only needs write access to your bucket, so keeping public access blocked is safe and recommended.
    </Info>
  </Step>

  <Step title="Create an IAM user for Intuned" icon="user">
    Create a dedicated IAM user with limited permissions for Intuned:

    1. Navigate to **IAM** in the AWS Console
    2. Select **Users** in the left sidebar, then **Create user**
    3. Enter a username (e.g., `intuned-s3-writer`)
    4. Select **Next**, which takes you to the permissions page

    On the permissions page:

    1. Select **Attach existing policies directly**
    2. Select **Create policy** (opens in new tab)
    3. Select the **JSON** tab and paste this policy:

    ```json theme={null}
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        }
      ]
    }
    ```

    4. Replace `YOUR-BUCKET-NAME` with your actual bucket name
    5. Select **Next**, which takes you to the Review page
    6. Name the policy `IntunedS3WritePolicy`
    7. Select **Create policy**

    <Warning>
      Replace `YOUR-BUCKET-NAME` in the policy with your actual bucket name. Don't use root account credentials - always create a dedicated IAM user.
    </Warning>
  </Step>

  <Step title="Attach policy and generate access keys" icon="key">
    Back in the user creation flow:

    1. Refresh the policies list
    2. Search for `IntunedS3WritePolicy`
    3. Select the checkbox next to the policy
    4. Select **Next** to go to the Review page
    5. Select **Create user**

    Then open the newly created user page:

    1. Go to the **Security credentials** tab
    2. Select **Create access key**
    3. Choose **Application running outside AWS** and select **Next**
    4. Select **Create access key**
    5. **Copy the Access key ID** - you'll need this for Intuned
    6. **Copy the Secret access key** - you'll need this for Intuned (only shown once)
    7. Download the CSV or save these credentials securely

    <Warning>
      Store your credentials securely. The secret access key is only shown once and cannot be retrieved later. Never commit credentials to version control.
    </Warning>
  </Step>

  <Step title="Note your configuration details" icon="clipboard">
    You now have everything needed to configure S3 in Intuned. Save these details:

    * **Bucket name**: Your S3 bucket name
    * **Region**: Your AWS region (e.g., `us-west-2`)
    * **Access key ID**: From the IAM user
    * **Secret access key**: From the IAM user
  </Step>
</Steps>

You'll use these credentials in your automation code.

### 2. Configure the S3 bucket as your attachment store

<Info>
  This guide is coming soon. In the meantime, you can use the `saveFileToS3` helper from the Browser SDK to save files to S3.

  See the [saveFileToS3 documentation](/automation-sdks/intuned-sdk/typescript/helpers/functions/saveFileToS3) for usage details.
</Info>

## Related resources

<CardGroup cols={2}>
  <Card title="saveFileToS3" icon="code" href="/automation-sdks/intuned-sdk/typescript/helpers/functions/saveFileToS3">
    Browser SDK helper for saving files to S3
  </Card>

  <Card title="downloadFile" icon="download" href="/automation-sdks/intuned-sdk/typescript/helpers/functions/downloadFile">
    Browser SDK helper for downloading files
  </Card>
</CardGroup>