๐ŸชฃAWS S3 External Storage

AWS S3 External Storage

Store your call recordings and voicemails in your own AWS S3 bucket instead of Twilio's servers. This gives you full ownership of your audio data, faster playback, and enables HIPAA-compliant workflows for healthcare organizations.

Your Data, Your Bucket: When you enable S3 storage, Ring Tonic migrates recordings from Twilio to your S3 bucket and then removes them from Twilio. Once migrated, audio streams directly from your bucket via secure signed URLs.

Why Use Your Own S3 Bucket?

Benefit
Description

Faster Playback

Audio streams directly from S3 to your browser via signed URLsโ€”no middleman

Lower Storage Costs

S3 costs $0.023/GB vs Twilio's $0.0005/min ($0.03/GB at typical bitrates)

Data Ownership

You own the raw audio files in your own AWS account

HIPAA Compliance

Required for healthcareโ€”keeps PHI off third-party servers

Flexible Archival

Use S3 Lifecycle Rules to automatically move old recordings to cheaper storage

Performance Boost: With S3, the audio player loads recordings directly from your bucket using signed URLs. This is faster than streaming through Twilio's servers because it eliminates an extra network hop.

How It Works

  1. Call comes in โ†’ Twilio records the conversation

  2. Recording ready โ†’ Twilio notifies Ring Tonic when recording is available

  3. Migration โ†’ Ring Tonic downloads from Twilio and uploads to your S3 bucket

  4. Cleanup โ†’ After successful upload, Twilio recording is deleted to avoid double storage costs

  5. You play recordings โ†’ Audio streams directly from S3 via secure signed URLs

Setup Guide

1

Create an S3 Bucket

Create a S3 bucket

  1. Log in to AWS Console

  2. Go to S3 โ†’ Create bucket (If you cannot find S3, search using the header search bar)

  3. Enter a bucket name (e.g., yourcompany-call-recordings)

  4. Select your preferred region (e.g., us-east-1)

  5. Keep Block all public access enabled

  6. Click Create bucket

Keep it private. Your bucket should NOT be public. Ring Tonic uses secure signed URLs that expire after 60 minutes.

2

Create an IAM Policy

First, create a policy that grants access to your bucket.

  1. Go to IAM โ†’ Policies โ†’ Create policy

  2. Select a service: S3

  1. Click the JSON tab and paste:

DeleteObject Permission: This allows Ring Tonic to clean up S3 recordings when call logs are deleted (if enabled in workspace settings).

  1. Replace YOUR-BUCKET-NAME with your actual bucket name that you created in step 1

  2. Click Next โ†’ Name it RingTonicS3Access โ†’ Create policy

3

Create an IAM User

Now create a user and attach the policy.

  1. Go to IAM โ†’ Users โ†’ Create user

  2. Enter a name: ringtonic-s3-access โ†’ Click Next

  3. Select Attach policies directly

  4. Search for RingTonicS3Access and check the box

  5. Click Next โ†’ Create user

  6. Open the user โ†’ Security credentials tab

  7. Click Create access key โ†’ Select Third-party service

  8. Click Create access key โ†’ Save both keys

Save your keys now. The Secret Access Key is only shown once. Store it in a password manager.

4

Configure Ring Tonic

Setup Storage in Ring Tonic

  1. Go to Workspace Settings โ†’ Storage tab

  2. Enable S3 External Storage

  3. Enter your credentials:

    • Access Key ID: From IAM user

    • Secret Access Key: From IAM user

    • Bucket Name: Your S3 bucket name

    • Region: Must match your bucket (e.g., us-east-1)

4. Click Test Connection

5. Click Save

Automatic Setup: When you test the connection, Ring Tonic automatically configures CORS on your bucket so recordings can play in the browser.

5

Migrate Existing Recordings (Optional)

If you have existing recordings stored in Twilio:

  1. Go to Workspace Settings โ†’ Storage tab

  2. Click Migrate Existing Recordings

  3. Migration runs in the backgroundโ€”large accounts may take several hours

HIPAA Compliance

For healthcare organizations handling Protected Health Information (PHI), Ring Tonic's architecture supports HIPAA-compliant workflows.

How We Handle Compliance

Area
How It's Protected

Telephony (BAA)

You connect your own Twilio account and execute a BAA directly with Twilio. The transmission layer stays under your legal umbrella.

Call Recordings & Voicemails

With S3 External Storage, recordings are migrated from Twilio to your bucket. After migration, audio is stored only in your S3 bucket.

Database

All call logs and metadata are encrypted at rest.

The Key Difference: Because of our "Bring Your Own Key" architecture, you retain full legal ownership of raw call data. After migration, we only store metadata and referencesโ€”recordings live exclusively in your S3 bucket.

Need a BAA? Contact Twilio Sales and AWS to execute Business Associate Agreements if you handle PHI.

Storage Costs & Lifecycle Rules

S3 storage is billed directly by AWS.

Storage Class
Cost
Retrieval
Best For

S3 Standard

~$0.023/GB/month

Instant

Recent recordings (< 90 days)

S3 Glacier Instant

~$0.004/GB/month

Instant

Older recordings (90+ days)

S3 Glacier Deep Archive

~$0.00099/GB/month

12-48 hours

Long-term archival (1+ years)

What Are Lifecycle Rules?

S3 Lifecycle Rules automatically move files to cheaper storage classes as they age. For example:

  • Day 0-90: Recording stays in S3 Standard (fast access)

  • Day 91-365: Automatically moves to Glacier Instant (80% cheaper, still instant access)

  • After 1 year: Moves to Deep Archive (95% cheaper, slower retrieval)

This saves money without manual interventionโ€”old recordings you rarely access cost almost nothing to store.

Example: 1,000 calls/month ร— 3 min average ร— 1 MB/min = 3 GB/month. With lifecycle rules, annual storage costs under $5.

Common Questions

Do I need S3 for Ring Tonic to work?

No. S3 storage is optional. By default, recordings and voicemails are stored in Twilio. S3 is recommended for faster playback, HIPAA compliance, or cost optimization at scale.

How long does Twilio store recordings?

Twilio stores recordings indefinitely unless you delete them. The first 10,000 minutes are free; after that, Twilio charges $0.0005 per minute per month. With S3, you pay AWS directly at typically lower rates.

Are recordings encrypted in S3?

Yes. Enable S3 Server-Side Encryption (SSE-S3 or SSE-KMS) on your bucket. Data in transit is always encrypted via HTTPS.

How long are signed URLs valid?

60 minutes. Each time you play a recording, a fresh signed URL is generated. This prevents sharing via leaked URLs.

Can I use other S3-compatible storage?

Yes. Enter the custom endpoint URL in the Endpoint field. Ring Tonic supports MinIO, DigitalOcean Spaces, and other S3-compatible providers.

What happens if I disable S3 storage later?

Existing S3 recordings remain accessible. New recordings will be stored in Twilio. You can re-enable S3 anytime.

Are S3 recordings deleted when I delete call logs?

Yes, if enabled. In Workspace Settings โ†’ Storage, you can enable "Delete S3 recordings when call logs are deleted." When enabled, deleting a call log (individually, via campaign deletion, or workspace deletion) will also remove the corresponding recording from your S3 bucket. If disabled, recordings remain in S3 even after call log deletion.

What happens to Twilio recordings after migration?

After a recording is successfully uploaded to your S3 bucket, Ring Tonic automatically deletes the original recording from Twilio. This prevents paying for duplicate storage. If the Twilio deletion fails, the migration still completes successfullyโ€”your recording is safely in S3.

PreviousHow to Ensure 100% Attribution AccuracyNextPrivacy Policy

Last updated