Skip to main content
Version: v4.13

Enable the S3 File Browser


For full instructions showing how to protect S3 buckets with Cyral, see Track an S3 storage location.

The Cyral S3 File Browser lets data users read from and write to S3 buckets. Data users launch the S3 File Browser from the Cyral Access Portal.


To make the S3 File Browser available, you must configure the following:

  1. Deploy your sidecar with a DNS CNAME and TLS certificate. These are required when using S3 Browser.
  2. Provide AWS permissions for the Cyral S3 Browser
  3. Track the S3 location as a repository in Cyral and bind the Cyral sidecar to it. Make sure you set the S3 browser port.
  4. Choose the Access Gateway for your S3 repository. See Enable the Cyral Access Portal for a repository.

Deploy sidecar for use with S3 Browser


For instructions on how to configure the parameters of a Cyral Template to work with the S3 Browser, check the Cyral Quickstart guide for the specific deployment option of your choice.


In order to support the Cyral S3 Browser, the sidecar must meet the following requirements. Ideally you will configure these when you deploy the sidecar, but you can also add them later.

  • A custom DNS CNAME that you provide. This is the address your data users will use to connect to data locations protected by the sidecar. Cyral recommends configuring this at sidecar deployment time, but you can also configure it later. See Add a CNAME or A record for the sidecar for setup steps.

  • A valid TLS certificate covering the sidecar's custom DNS CNAME. The certificate must be present in AWS Certificate Manager (CM). You can directly issue the certificate using AWS Certificate Manager, or you can manually import a valid certificate to the AWS CM. See the Cyral documentation about TLS with AWS Certificate Manager


The DNS CNAME and TLS certificate are only required for sidecars that will support the Cyral S3 browser. To give users Cyral-protected access without the Cyral S3 Browser, have them connect via another S3 client such as a CLI tool.

Examples of how to configure CNAME and TLS at deployment time

The examples below assume the following:

See also the Cyral simplified documentation for Snowflake which can be used for S3 as well: Integration Guide: Protecting Snowflake with Cyral + G Suite

Example of how to configure CNAME and TLS after sidecar deployment


Add a CNAME or A record for the sidecar (Cyral Docs)


A certificate needs to be attached to the load balancer in order to support TLS connectivity for S3 support. In Terraform and CloudFormation, this can be achieved by providing a certificate ARN to the template parameters load_balancer_certificate_arn and LoadBalancerCertificateArn respectively.

For Helm-deployed sidecars, you may need to manually modify the load balancer and enable TLS support for the desired sidecar port. For an AWS load balancer, use the instructions to Update a listener for your Network Load Balancer, changing the protocol to TLS and assigning the appropriate SSL certificate from ACM (AWS Certificate Manager) to the listeners that corresponds to the S3 ports.

AWS permissions for the Cyral S3 Browser

The Cyral S3 Browser, by default, tries to list all buckets associated with a given IAM role. In order for this operation to succeed, the IAM role should have an IAM policy allowing it to list buckets.

For example, let's look at the two IAM roles below:


These should have the AWS List Bucket permission. This allows the user to list the buckets (this is the entry point for browsing) in the S3 Browser.

If the IAM role does not have the permission to List Buckets, users will receive an error message when opening the S3 Browser. In this case, users can still access a specific location by explicitly adding its bucket name in the S3 Browser URL.

For example, if the user wants to access the bucket: finance-data-company, then she can type the following URL to connect to it:


Permission to list all buckets

The AWS permission to list all buckets are:

  • ListAllMyBuckets and
  • GetBucketLocation

For more information, see the AWS documentation on S3 bucket access.

Next steps