Media Isolation

Disclaimer : The security of your S3 bucket is solely a client responsibility, and the integrity of your data will be at risk without it. We very strongly recommend securing your S3 bucket properly.

AWS Account Creation

You can quickly create your AWS Account. You should also contact your AWS contacts to get help with your AWS account setup.

AWS CloudFormation template

It’s possible to start from the Private S3 bucket AWS CloudFormation template and customize it for your needs for a faster deployment.

Disclaimer : This template is provided as an example only. It is your responsibility to validate that running the template will result in the configuration/policy/security settings your studio requires.

  • Go the CloudFormation service in AWS Console
  • Select Template is ready
  • Set Amazon S3 URL to
  • Next
  • Set a stack name like ShotGrid-s3-bucket
  • Set your S3 bucket name and your ShotGrid site name
  • Next
  • Accept I acknowledge that AWS CloudFormation might create IAM resources
  • Next

CORS Configuration

CORS policy on your S3 bucket will be minimally configured, allowing only the required origin (your site) and methods, amongst other things.

IAM Role

The template will create an AWS Role with the following permissions on your bucket:

  • Allow ShotGrid to access your S3 bucket.
  • Allow the ShotGrid account to assume the role by setting the role Trust Relationship.

Media Isolation Activation

Please contact ShotGrid support via the dedicated Microsoft Teams channel and provide the following information:

  • ShotGrid IAM Role ARN

ShotGrid will allow your site to use your IAM role.

Media Configuration Setup

Navigate to your site’s site preferences and under the Isolation section, fill in the S3 Configuration preference with the following JSON:

   "<S3_CONFIG_NAME>": {​​​​​​​
     "region": "<BUCKET_REGION>",
     "bucket": "<BUCKET_NAME>",
     "prefix": "<BUCKET_PREFIX>",
     "aws_role_arn": "<ROLE_ARN>"

Fields description

Field Description
S3_CONFIG_NAME Unique name for the configuration. This will be selectable as a bucket later on.
BUCKET_REGION Isolation bucket’s region
BUCKET_NAME Isolation bucket’s name
BUCKET_PREFIX The S3 prefix where the media is located on the isolation bucket
ROLE_ARN AWS Role ARN that ShotGrid can use to access the bucket. This must be the same role specified in the Initial Setup
S3_INTERFACE_VPC_ENDPOINT Optional - This is only needed if Media Traffic Isolation is utilized.

Testing Media Configuration

After the configuration has been updated on your site, navigate to the /admin/speedtest route of your ShotGrid site. Select the new S3_CONFIG_NAME that was just set up previously and start the test to confirm that all the upload/download tests work as intended.

Next Steps

See Media Traffic Isolation to activate the Media Traffic Isolation feature.

See Media Replication to activate the Media Replication Isolation feature.

Go to Setup for an overview of the possible next steps.

Edit this document