Fine Tuning

Cost Management Recommendations

S3 Infrequent Access

We recommend enabling S3 Infrequent Access to easily reduce costs without impacting performance. For the ShotGrid Cloud hosted offering, we apply a policy for all objects older than one month.

With Infrequent Access, objects are stored at a lower cost. However, if they are accessed, it will involve an additional cost. ShotGrid has observed that one month was the right policy to use globally, but you may want to adapt that policy to your studio workflows as needed.

Read more about S3 Infrequent Access and other storage classes here.

S3 Bucket policy

We recommend you restrict access to your S3 bucket to only your VPC and ShotGrid transcoding services IPs. There is an example policy, replace your_vpc_id and your_s3_bucket by your values.

We strongly recommend you test media access and media transcoding in your site right after applying the bucket policy changes to be sure your S3 bucket is still accessible from your VPC and from ShotGrid transcoders.

{
    "Version": "2012-10-17",
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your_s3_bucket",
                "arn:aws:s3:::your_s3_bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "Access-to-specific-VPC-only and Shotgun transcoder",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::your_s3_bucket/shotgun/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "34.200.155.69/32",
                        "34.224.232.103/32",
                        "34.202.127.170/32"
                    ]
                },
                "StringNotEquals": {
                    "aws:sourceVpc": [
                        "vpc-2fd62a56",
                        "your_vpc_id"
                    ]
                }
            }
        }
    ]
}

S3 endpoint policy

We recommend setting a VPC endpoint policy on your S3 endpoint to allow access to your S3 bucket only. See here for an example.

Application Load Balancer

  • We recommend you enable deletion protection on the S3 proxy load balancer to prevent accidental deletion.
  • We recommend you enable access logging on the S3 proxy load balancer to aid in traffic analysis and identification of security issues.

Next Steps

See Activation to migrate your production site to use the isolation features.

Go to Setup for an overview of the possible next steps.


Edit this document