AWS S3
Cloud Storage & Messagingsystem_type: "aws_s3"Proxy S3 object uploads and downloads with ML-KEM-768 + AES-256-GCM client-side encryption.
Overview#
The AWS S3 connector wraps every object payload in a HybridCryptoEnvelope before upload, so plaintext data never reaches S3 buckets. AWS credentials are sealed in QuantaVault with ML-KEM-768 and wrapped by your tenant KMS CMK. Object metadata (size, key names) is never logged.
https://api.quantaseal.io/api/v2/proxy/outboundAuth header:
X-API-Key: qs_live_...Prerequisites#
- 1An AWS IAM user or role with s3:GetObject, s3:PutObject, s3:DeleteObject permissions on the target bucket
- 2AWS Access Key ID and Secret Access Key (or IAM role ARN for assume-role)
- 3A QuantaSeal API key
Configuration#
Follow these steps to connect AWS S3 to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
- 1
Create an IAM user with a scoped S3 policy. Note the access_key_id and secret_access_key.
- 2
Seal credentials: POST /api/v2/vault/seal with credential_type: aws_credentials.
- 3
Create the integration: POST /api/v2/integrations with system_type: aws_s3, bucket name, and AWS region.
Authentication Types#
Store AWS Access Key ID and Secret Access Key as aws_credentials in QuantaVault. For production, use a dedicated IAM user scoped to the specific S3 bucket with a least-privilege policy.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
put_object | Upload an object to S3 (PQC-encrypted before write). |
get_object | Download and decrypt an S3 object. |
delete_object | Delete an S3 object. |
list_objects | List objects in a bucket prefix. |
generate_presigned_url | Generate a presigned URL for client-side access. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQRS3000000001",
"operation": "put_object",
"payload": {
"key": "reports/2026/q1-financials.json",
"body": "{"revenue": 4200000, "currency": "AUD"}",
"content_type": "application/json"
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted S3 PutObject result>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.Troubleshooting#
AccessDenied from S3
Verify the IAM user has s3:PutObject on arn:aws:s3:::your-bucket/* (not just the bucket ARN). Check for SCP or bucket policy restrictions.
NoSuchBucket
The bucket name or region in the integration config is incorrect. Update via PATCH /api/v2/integrations/{id}.