Accessing S3 Buckets

Overview

In compliance with HIPAA requirements, Ursa Health's security best practices advise that a high standard of security be met regarding the transfer of information between parties. Information transfer must be protected by strong cryptography, a clear chain of custody, traceability, and strict levels of access control.

At Ursa Health, our preferred means to achieve these requirements for flat file transfer in AWS is to have flat files sent directly into dedicated S3 buckets. The Ursa Health application is programmed to import data directly from these buckets into the database, minimizing the exposure of sensitive data.

Our S3 buckets are always strongly encrypted, and we always use a dedicated container for each customer or third party. These data are assumed to contain PHI and will be treated as Highly Sensitive, per Ursa Health policies and procedures.

Getting an Auth Key

There are several possible avenues to get an auth key, depending on your existing AWS presence and your institutional preferences.

If you don't currently have an AWS presence, the most straightforward path is for us to create an AWS IAM user on your behalf, and for us to share with you an access key and a secret key. These keys are subject to yearly rotation, per our security procedures.

If you already have an AWS presence, one option is for us to add the ARN of your AWS IAM user or role to our bucket policy, and for you to grant that user or role access to our bucket via an IAM policy on your side. You'll have to let us know the ARN of your IAM user or role, and we'll have to let you know the bucket name.

There are several other approaches to cross-account IAM grants of this kind, and if your organization already has a preferred alternative to the bucket-policy approach outlined above, we can work with you to arrange your access.
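As an added illustration of the bucket-policy approach described above (example content, not an Ursa Health policy), the following bucket policy on the bucket owner's side grants a single customer role the ability to list the bucket and upload objects, and refuses any request that does not use TLS or that uploads an object without KMS server-side encryption. The account ID, role name and bucket name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomerRoleToUpload",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CustomerUploadRole"
      },
      "Action": ["s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-customer-bucket",
        "arn:aws:s3:::EXAMPLE-customer-bucket/*"
      ]
    },
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-customer-bucket",
        "arn:aws:s3:::EXAMPLE-customer-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-customer-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

For the cross-account grant to take effect, the customer's own IAM policy attached to CustomerUploadRole must also allow s3:PutObject and s3:ListBucket on the same bucket ARNs, and every upload must set the x-amz-server-side-encryption header to aws:kms or the third statement will reject it.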

Using the Auth Key

Once you have a means of authentication, there are various tools that you can use to perform the data transfer.

The manual approach is to install and use a desktop application like Cyberduck or WinSCP. Either of these applications can take AWS keys and provide a graphical user interface to manage file transfer.

For programmatic or automated access, AWS provides a set of options in languages such as Python, or over the command line. We are happy to advise you on options here, but you can use whatever tool you're most comfortable with.