Top
Manual

Amazon S3 Integration

Last updated: 2026/04/24

Amazon S3 integration is a feature that allows you to switch the storage destination of media such as images and videos uploaded from the microCMS management screen from the default storage of microCMS to an Amazon S3 bucket that you have prepared.
This enables you to apply security settings based on your company's policies, making it safe to use even for projects with high security requirements.

Information

There is a similar feature called "Custom Domain Settings for Media". Please note that the purpose of this feature is different from the one we will explain here.

Custom Domain Settings for Media

This feature allows you to set a custom URL for the uploaded media.
The storage location for the media remains under the management of microCMS.

This Feature (Switching Media Storage)

This feature allows you to change the storage location itself to an external storage service that you contract with.

Information: The Amazon S3 integration is a feature available to customers on the Enterprise plan. This feature is disabled by default, so please contact us if you wish to enable it. Additional fees may apply depending on your usage requirements.

For information on the features available for each plan, please visit the pricing page.

Pre-Usage Confirmation Items

To use the Amazon S3 integration feature, the following conditions must be met. All of these are important, so please make sure to check them.

The only public cloud storage that can be integrated is Amazon S3 only.
Enabling this feature will change the image delivery specifications, and the Image API will no longer be available. If you need image optimization (such as resizing or format conversion) via URL parameters, please use external services like imgix.
The configuration of this feature cannot be completed solely through the management screen. In advance, you need to prepare resources related to your account in collaboration with us. For details on the configuration, please contact us first.
Media uploaded to the external S3 bucket managed by you will be excluded from the regular storage backup that we perform regularly.

Feature Details

Typically, media (including files) uploaded to the management screen is stored in the storage managed by microCMS. With the Amazon S3 integration feature, you can save directly to an S3 bucket that you have prepared in advance.
As a result, the URL assigned to the media after upload will follow the domain defined by you in advance.
This feature also applies to media other than images (such as PDFs).

Example URL Before Configuration

Image

https://images.microcms-assets.io/assets/xxxx/yyyy/image.png

File

https://files.microcms-assets.io/assets/xxxx/yyyy/sample.pdf

Example URL After Configuration

Image

https://{bucket-name}.s3.{region-name}.amazonaws.com/media/image.png

File

https://{bucket-name}.s3.{region-name}.amazonaws.com/media/sample.pdf

※The bucket name and region name set by you will be included in the delivery URL.
※The above is an example when not using custom domain settings. For information on custom domain settings, please refer to "Setting in the microCMS Management Screen".

Information: In microCMS storage, the domain delivered varies depending on the media format, but after enabling this feature, the domain will be unified.

Upload Behavior

When this feature is enabled, the destination for media uploads will be the specified customer-managed S3 bucket.

The upload path will be target-bucket/{URL prefix}/{file name}. For file management purposes, the media will also have the following metadata attached.

x-amz-meta-upload-source: "microcms"
x-amz-meta-microcms-service: {Internal Service ID (e.g., SERVICE#xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)}
x-amz-meta-microcms-version: {Timestamp format version (e.g., 20250812154922)}
x-amz-meta-microcms-status: "public"

Information: Objects (media) uploaded to the S3 bucket do not have a Cache-Control header, so they are not cached.

If you want to utilize caching for the media being delivered, please consider integrating with a CDN such as CloudFront.
Additionally, please check the "Precautions when integrating S3 with CloudFront and other CDNs" as well.

Media URL

Once this feature is enabled, media uploaded will be accessible via the following URL:
{Custom Domain}/{URL Prefix}/{File Name}

Caution

The media URLs provided by microCMS by default contain random strings, making them difficult to guess and ensuring high security.

However, after enabling this feature, the URLs of media uploaded will be in a state that is easy to guess, as they do not include random strings. Therefore, when handling sensitive files, please ensure to include unpredictable strings in the file names.

Possible Operations on Media

For media uploaded after this feature is enabled, the following operations are possible:

Change of creator
Tagging
Setting alternative text

Additionally, the following operations will also be reflected in the files within the S3 bucket.

Deletion of media
Renaming of media (only when "URL fixation" is OFF)
Re-uploading of media (only when "URL fixation" is OFF)

Configuration Method

Configuration Flow

Generally, the configuration is carried out in the following flow.

Prepare various resources needed for the configuration (S3 bucket, IAM role, etc.)
Access the management screen "Settings" > "External Integration" > "Amazon S3 Integration" and enter the necessary configuration items
Conduct a connection test
If there are no issues with the connection test, apply the configuration

Preparation

Please prepare the AWS-related resources listed below.

Information: If you have any questions regarding the configuration of various resources, please contact our support team.

1. S3 Bucket (Required)

Please prepare one S3 bucket to store media.
Additionally, set a bucket policy that grants permissions for operations to the created bucket.

Example of Bucket Policy

If not using CloudFront with S3

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<optional>",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket-name>/<directory-name>/*"
        }
    ]
}

If using CloudFront with S3

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<optional>",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket-name>/<directory-name>/*",
            "Condition": {
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws:cloudfront::<account-id (12-digit number)>:distribution/<CloudFront distribution ID>"
                }
            }
        }
    ]
}

Notes

Please select "General" for the "Bucket Type".
Please select "Disable ACL" for the "Object Owner".

2. IAM Policy (Required)

Please prepare one IAM policy that grants permissions for various operations on the S3 bucket.

Example of IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<optional>",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Sid": "<optional>",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/<directory-name>/*"
        }
    ]
}

3. IAM Role (Required)

Please prepare one IAM role to be assigned when creating, modifying, or deleting S3 objects (media) from microCMS.
Attach the IAM policy created above to the IAM role you created.

Notes

Please select "AWS Account" for the "Trusted Entity Type".
Please select "Another AWS Account" for the "AWS Account". Details regarding the "Account ID" will be provided to you individually during the setup process.
Optionally, check "Require External ID" and set any external ID.

4. CloudFront Distribution (Optional)

If you are using CloudFront to deliver objects in the S3 bucket, please prepare one CloudFront distribution.

Notes

After creating the distribution, it may take time to deploy, so please ensure it is complete before configuring on the microCMS side.

Settings in the microCMS Management Screen

Please enter the configuration values shown below.

Information: Only members with "Administrator" privileges can configure this feature.

Configuration Item (*) is required	Description	Example of Configuration Value
*Bucket Name ()**	Please enter the S3 bucket name where files will be uploaded.	`alpha-prod-assets`
*Region ()**	Please select the region where the bucket exists.	`ap-northeast-1`
*IAM Role ARN ()**	Please enter the IAM role you have prepared in advance. Enter it as a string that uniquely identifies it within AWS services.	`arn:aws:iam::123456789012:role/SampleRole`
*External ID ()**	Please enter the condition key required for Assume Role.	(2~1224 characters, alphanumeric without spaces. Some symbols are also allowed)
URL Prefix	Please enter the directory where files will be uploaded. Multiple levels can be specified. If not set, media will be saved in the root of S3.	`media`, `media/path`
Custom Domain	Please enter the domain you want to use for distribution. If not set, `{BucketName}.s3.{Region}.amazonaws.com` will be used as the domain for distribution.	`https://my-media.example.com`
Fix Media File Name	If enabled, re-uploading will only be possible with the same file name, and the file name cannot be changed.	OFF / ON
Notes	You can freely enter notes regarding the connection settings.	(Free input)

Restrictions / Notes

Notes on S3 Configuration and Data Management

The configuration of the linked S3 and the management and operation of the data within the bucket are the customer's responsibility.
Changes to data or settings made without using the microCMS management screen or API are not covered by support, so please be aware of this in advance.

Caution

Note on Data Integrity

If you manipulate (add, change, or delete) data directly on S3 without using the microCMS management screen or API, it may cause inconsistencies with the information on the microCMS side, potentially leading to unexpected errors such as media not displaying correctly.

Precautions When Integrating S3 with CloudFront and Other CDNs

When integrating S3 with CloudFront and other CDNs and utilizing caching, there may be cases where cached data remains even after deleting media in the microCMS management screen.

As a countermeasure, please consider the following methods:

Use media Webhooks to detect media deletion and explicitly remove the cache
Set a short TTL for the cache

In the case of the first option, depending on the use case, images may be cached with parameters appended to the URL. Therefore, when deleting the cache, please specify a wildcard at the end of the path.

Handling When Media Already Exists

If media already exists, media will be saved to the customer-managed external S3 bucket after this feature is enabled.

Additionally, if there is media uploaded to the customer-managed external S3 bucket, changes to the S3 integration settings and deletion of settings cannot be performed.

Support for WRITE API

Content API

Supports media registration via URL specification in POST / PUT / PATCH requests.

Management API

Does not support media POST and DELETE requests.

Handling in Multiple Environments

When creating multiple environments, the settings for this feature are also copied as initial settings.
Additionally, unlike the basic behavior during uploads, the upload destination path will be target-bucket/{URL prefix}/{unique value based on the service ID of the multiple environment}/{file name}.

The other specifications are as follows:

When creating an environment, media will be copied to the directory mentioned above.
When deleting an environment, all media in the directory mentioned above will be deleted.
The S3 integration settings for the production environment and the S3 integration settings for multiple environments (development and staging) do not affect each other even if changes are made in one of the environments.

Other Considerations

The media storage location is an external S3 bucket managed by the customer, so the costs for media data transfer and storage will be borne by the customer (however, there are no data transfer costs for microCMS).
In the "Data Transfer Volume" feature, reading media stored in the external S3 bucket managed by the customer will not be reflected in the graphs for "Data Transfer Volume" and "Content Retrieval Count".

Contents

Pre-Usage Confirmation Items
Feature Details
Upload Behavior
Media URL
Possible Operations on Media
Configuration Method
Configuration Flow
Preparation
Settings in the microCMS Management Screen
Restrictions / Notes
Notes on S3 Configuration and Data Management
Precautions When Integrating S3 with CloudFront and Other CDNs
Handling When Media Already Exists
Support for WRITE API
Handling in Multiple Environments
Other Considerations