Documentation
The S3 Storage add-on for Concrete CMS allows you to use Amazon S3 as a file storage location.
Prerequisites
- An active AWS account.
- Your server must have the mbstring extension installed.
- For images to be edited using Concrete's built-in image editor, you must be running Concrete v5.7.5.3 or higher, and you must set the appropriate CORS policy on your S3 bucket.
Setup Instructions
To set up the add-on, you will need the following information:
- Bucket Name
- Access Key
- Access Secret
Alternatively, you can use IAM Roles if your server is running on AWS (EC2, Lambda, etc.) and has the necessary permissions.
Required Permissions
The following IAM permissions (S3 actions) are required for the add-on to function (v3.0+):
- s3:ListBucket
- s3:GetBucketLocation
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
- s3:PutObjectAcl
IAM User Policy Sample
If you are using an IAM User with an Access Key and Secret, you can use the following policy template. Replace YOUR-BUCKET-NAME with your actual bucket name:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
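An added example, not part of the add-on or its documentation: a Python check that a policy document grants the six actions listed above, nothing more, and only on the one bucket. The function name audit_policy, the bucket name example-bucket and both sample policies are constructed for illustration; Deny statements and Condition blocks are not evaluated.

```python
import fnmatch
import json

# The six actions the page lists as required for v3.0+.
REQUIRED = {"s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject",
            "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl"}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy_json, bucket):
    """Return a list of findings for an identity policy meant for one bucket."""
    allowed_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings, granted = [], set()
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not evaluated here
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action")):
            # Action names are case-insensitive; * and ? are wildcards.
            matched = {r for r in REQUIRED
                       if fnmatch.fnmatchcase(r.lower(), action.lower())}
            granted |= matched
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif not matched:
                findings.append(f"{sid}: action not needed by the add-on: {action}")
        for arn in _as_list(stmt.get("Resource")):
            if arn not in allowed_arns:
                findings.append(f"{sid}: resource outside the bucket: {arn}")
    findings += [f"missing required action: {a}" for a in sorted(REQUIRED - granted)]
    return findings

# Constructed samples: the page's template with a placeholder bucket name,
# and an over-broad policy of the kind the check is meant to catch.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Action": sorted(REQUIRED),
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Broad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_policy(PAGE_POLICY, "example-bucket"))
    print(audit_policy(BROAD_POLICY, "example-bucket"))
```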
Configuration Options
Core Settings
- AWS Region: You can specify an optional region for your S3 bucket.
- Link Expiry: With a properly configured bucket, you can enable file links that expire after a certain duration.
- Use IAM Role: Toggle this option if you want to use the server's IAM role for authentication instead of an Access Key and Secret.
- Use ACL: Controls whether to apply Access Control Lists (ACLs) to uploaded objects.
  Note: As of version 3.2.0, this is enabled by default to maintain compatibility with older buckets. AWS now recommends disabling ACLs and using bucket policies instead. Future versions will move away from mandatory ACL requirements.
HTTP Cache-Control
You can enable HTTP Cache-Control headers for objects uploaded to S3. This sets the Cache-Control header on the S3 objects themselves, which can improve performance for end-users by allowing their browsers (or CDNs) to cache the files.
New Features in v3.2.0
Consolidated Settings
All global settings for the S3 Storage add-on are now consolidated into a single configuration file: application/config/generated_overrides/s3_storage/settings.php. During an upgrade to v3.2.0, your existing settings from legacy locations will be automatically migrated to this new format.
Flysystem Metadata Caching
S3 operations (like checking if a file exists or getting its size) can be slow because they require API calls to AWS. Version 3.2.0 introduces support for metadata caching using Flysystem's caching mechanism.
- Global Defaults: Set default caching behavior (enabled/disabled, TTL, and prefix) on the new S3 Storage Settings page.
- Per-Location Overrides: You can enable or disable caching for each individual S3 storage location, allowing for granular control.
CloudFront Signed Cookies
If you use Amazon CloudFront to serve your S3 files, you can now use Signed Cookies to protect private files.
- Automatic Injection: When enabled, the add-on automatically injects the necessary CloudFront cookies into the user's browser session.
- Logout Handling: The add-on ensures that CloudFront cookies are cleared when a user logs out of Concrete CMS.
- Settings: Configure your CloudFront Domain, Key Pair ID, and Private Key on the dedicated CloudFront tab within the S3 Storage Settings page.
New Dashboard Settings Page
A new settings page has been added at Dashboard > System & Settings > Files > S3 Storage Settings. This page features two tabs:
- CloudFront: Manage global CloudFront signed cookie settings.
- Metadata Cache: Configure global defaults for metadata caching.