Media Isolation allows your studio to retain ownership and control of the media and attachments that you upload to ShotGrid. With Media Isolation, all the content that you upload to ShotGrid is stored in your studio’s private S3 Bucket. Access to the media is provided to the ShotGrid services only, using AWS AssumeRole keyless Security Token Service.
Client-Owned S3 Bucket
Storing media and attachments in an S3 bucket that you own means that you remain the legal owner of these artifacts, allowing you to comply with your company’s security and legal policies. Your studio retains control of asset storage and of access to it, and you can revoke that access at will.
More about Access
When you upload or download media with ShotGrid, it is transferred directly to and from AWS S3 without transiting through Autodesk infrastructure. ShotGrid will only access media in two situations:
- The ShotGrid Transcoding service will get read/write access once, soon after upload, when transcoding the media. See Ephemeral Transcoding for details.
- When the ShotGrid service generates S3 Links to your sources and transcoded media.
This is made possible by the AWS AssumeRole keyless Security Token Service. When you set up Media Isolation, an AWS Role is created that allows ShotGrid to access your media for the actions listed above, and the ShotGrid service is allowed to assume that role.
ShotGrid Support staff do not have access to your S3 Bucket under any circumstances.
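One way to check that the role described above stays scoped to its purpose, as an added example that is not part of the ShotGrid documentation: the script audits a role's trust policy and permission policy documents. The account ID, bucket name and sample policies are constructed placeholders, and the function names are hypothetical.

```python
# Constructed placeholders: not values from ShotGrid's setup instructions.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"
BUCKET_ARN = "arn:aws:s3:::example-studio-media"

def as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def audit_trust(policy, expected_principal):
    """Findings for Allow statements that let anyone but the expected principal assume the role."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt or stmt.get("Principal") == "*":
            findings.append("trust: role is assumable by arbitrary principals")
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for p in as_list(values):
                if p != expected_principal:
                    findings.append(f"trust: unexpected {kind} principal {p}")
    return findings

def audit_permissions(policy, bucket_arn):
    """Findings for Allow statements that reach beyond S3 or beyond the media bucket."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if not action.lower().startswith("s3:") or action.endswith(":*"):
                findings.append(f"permissions: unexpected action {action}")
        for res in as_list(stmt.get("Resource", [])):
            # Require an exact match or a "/" boundary so look-alike bucket names fail.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"permissions: resource outside bucket {res}")
    return findings

# Constructed sample policies: one scoped as the page describes, one too wide.
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": EXPECTED_PRINCIPAL}}]}
BAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": "*"}}]}
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                             "Resource": BUCKET_ARN + "/*"}]}
BAD_PERMS = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "iam:PassRole"],
                            "Resource": [BUCKET_ARN + "/*", BUCKET_ARN + "-backup/*"]}]}

if __name__ == "__main__":
    print(audit_trust(BAD_TRUST, EXPECTED_PRINCIPAL))
    print(audit_permissions(BAD_PERMS, BUCKET_ARN))
```

Removing the Allow statement from the trust policy is what revokes the service's ability to assume the role, so an empty findings list from both functions also confirms which single statement controls that access.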
When activating Media Isolation the following costs, previously covered by Autodesk, become the responsibility of the client:
- S3 Costs. All the S3 storage costs will be assumed by the customer. See Media Isolation for more details about how to reduce costs.
- S3 Bandwidth. Bandwidth out of the S3 bucket will be assumed by the customer.
What Media Isolation is not providing
Activating Media Isolation doesn’t guarantee that the access to your ShotGrid site or media takes place within a closed network.