🪣AWS S3 External Storage

Store your call recordings and voicemails in your own AWS S3 bucket instead of Twilio's servers. This gives you full ownership of your audio data, faster playback, and enables HIPAA-compliant workflows for healthcare organizations.

Your Data, Your Bucket: When you enable S3 storage, Ring Tonic migrates recordings from Twilio to your S3 bucket and then removes them from Twilio. Once migrated, audio streams directly from your bucket via secure signed URLs.

Why Use Your Own S3 Bucket?

Benefit

Description

Faster Playback

Audio streams directly from S3 to your browser via signed URLs—no middleman

Lower Storage Costs

S3 costs $0.023/GB vs Twilio's $0.0005/min ($0.03/GB at typical bitrates)

Data Ownership

You own the raw audio files in your own AWS account

HIPAA Compliance

Required for healthcare—keeps PHI off third-party servers

Flexible Archival

Use S3 Lifecycle Rules to automatically move old recordings to cheaper storage

Performance Boost: With S3, the audio player loads recordings directly from your bucket using signed URLs. This is faster than streaming through Twilio's servers because it eliminates an extra network hop.

How It Works

┌─────────────┐      ┌─────────────┐      ┌─────────────┐      ┌─────────────┐
│  Caller     │──────│  Twilio     │──────│  Ring Tonic │──────│  Your S3    │
│  calls your │      │  records    │      │  downloads  │      │  bucket     │
│  tracking # │      │  the call   │      │  & uploads  │      │  (you own)  │
└─────────────┘      └─────────────┘      └─────────────┘      └─────────────┘
                                                 │
                                                 ▼
                                          ┌─────────────┐
                                          │  Twilio     │
                                          │  recording  │
                                          │  deleted    │
                                          └─────────────┘

Call comes in → Twilio records the conversation
Recording ready → Twilio notifies Ring Tonic when recording is available
Migration → Ring Tonic downloads from Twilio and uploads to your S3 bucket
Cleanup → After successful upload, Twilio recording is deleted to avoid double storage costs
You play recordings → Audio streams directly from S3 via secure signed URLs

Setup Guide

Create an S3 Bucket

Log in to AWS Console
Go to S3 → Create bucket (If you cannot find S3, search using the header search bar)
Enter a bucket name (e.g., yourcompany-call-recordings)
Select your preferred region (e.g., us-east-1)
Keep Block all public access enabled
Click Create bucket

Keep it private. Your bucket should NOT be public. Ring Tonic uses secure signed URLs that expire after 60 minutes.

Create an IAM Policy

First, create a policy that grants access to your bucket.

Go to IAM → Policies → Create policy
Select a service: S3

Click the JSON tab and paste:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::YOUR-BUCKET-NAME",
            "arn:aws:s3:::YOUR-BUCKET-NAME/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetBucketCors",
            "s3:PutBucketCors"
         ],
         "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
      }
   ]
}

DeleteObject Permission: This allows Ring Tonic to clean up S3 recordings when call logs are deleted (if enabled in workspace settings).

Replace YOUR-BUCKET-NAME with your actual bucket name that you created in step 1
Click Next → Name it RingTonicS3Access → Create policy

Create an IAM User

Now create a user and attach the policy.

Go to IAM → Users → Create user
Enter a name: ringtonic-s3-access → Click Next
Select Attach policies directly
Search for RingTonicS3Access and check the box
Click Next → Create user
Open the user → Security credentials tab
Click Create access key → Select Third-party service
Click Create access key → Save both keys

Save your keys now. The Secret Access Key is only shown once. Store it in a password manager.

Configure Ring Tonic

Go to Workspace Settings → Storage tab
Enable S3 External Storage
Enter your credentials:
- Access Key ID: From IAM user
- Secret Access Key: From IAM user
- Bucket Name: Your S3 bucket name
- Region: Must match your bucket (e.g., us-east-1)

4. Click Test Connection

5. Click Save

6. After saving, two Deletion Settings toggles appear at the bottom of the tab. Both default to safe values — see Deletion Settings below for what each one does.

Automatic Setup: When you test the connection, Ring Tonic automatically configures CORS on your bucket so recordings can play in the browser.

Migrate Existing Recordings (Optional)

If you have existing recordings stored in Twilio:

Go to Workspace Settings → Storage tab
Click Migrate Existing Recordings
Migration runs in the background—large accounts may take several hours

Twilio cleanup is automatic. As each recording is uploaded to S3, the original copy on Twilio is deleted in the background (unless you've turned that off in Deletion Settings). You don't need to do anything else to avoid double storage costs.

Deletion Settings

Once S3 is configured, two independent toggles appear at the bottom of the Storage tab. They control different things — make sure you know which is which.

Delete Twilio copy after migration

Default: ON. Controls what happens to the original Twilio recording once Ring Tonic finishes copying it to your S3 bucket.

Setting

What happens

ON (recommended)

After a recording is safely on S3, the Twilio copy is deleted. You only pay for storage in one place.

OFF

The recording lives in both Twilio and your S3 bucket. You'll be billed for storage on both sides.

Most people want this ON — it's the whole point of bringing your own bucket. Turn it OFF only if you have a specific reason to keep redundant copies on Twilio (e.g. a compliance policy that mandates dual storage).

Safe by design. Deletion is retried up to 3 times with backoff if Twilio is temporarily unreachable, and the link to the Twilio recording in Ring Tonic's database is only cleared after Twilio confirms the deletion. A transient failure won't orphan your recording.

Delete S3 files when call logs are deleted

Default: OFF. Controls what happens to the S3 file when you delete a call log inside Ring Tonic.

Setting

What happens

OFF (default)

Deleting a call log removes it from Ring Tonic only. The recording stays in your S3 bucket — you can still access it directly via AWS.

Deleting a call log also removes the corresponding audio file from your S3 bucket. Files cannot be recovered.

This is unrelated to the toggle above. It's a separate question: "when I delete a call log in my dashboard, should the S3 file go too?" The answer depends on whether you treat S3 as an archive (keep it OFF) or as the single source of truth tied to your dashboard (turn it ON).

Turning this ON makes call-log deletion permanent. If you also use the API or bulk-delete tools to clean up call logs, those deletions will erase the corresponding S3 files too.

HIPAA Compliance

For healthcare organizations handling Protected Health Information (PHI), Ring Tonic's architecture supports HIPAA-compliant workflows.

How We Handle Compliance

Area

How It's Protected

Telephony (BAA)

You connect your own Twilio account and execute a BAA directly with Twilio. The transmission layer stays under your legal umbrella.

Call Recordings & Voicemails

With S3 External Storage, recordings are migrated from Twilio to your bucket. After migration, audio is stored only in your S3 bucket.

Database

All call logs and metadata are encrypted at rest.

The Key Difference: Because of our "Bring Your Own Key" architecture, you retain full legal ownership of raw call data. After migration, we only store metadata and references—recordings live exclusively in your S3 bucket.

Need a BAA? Contact Twilio Sales and AWS to execute Business Associate Agreements if you handle PHI.

Storage Costs & Lifecycle Rules

S3 storage is billed directly by AWS.

Storage Class

Cost

Retrieval

Best For

S3 Standard

~$0.023/GB/month

Instant

Recent recordings (< 90 days)

S3 Glacier Instant

~$0.004/GB/month

Instant

Older recordings (90+ days)

S3 Glacier Deep Archive

~$0.00099/GB/month

12-48 hours

Long-term archival (1+ years)

What Are Lifecycle Rules?

S3 Lifecycle Rules automatically move files to cheaper storage classes as they age. For example:

Day 0-90: Recording stays in S3 Standard (fast access)
Day 91-365: Automatically moves to Glacier Instant (80% cheaper, still instant access)
After 1 year: Moves to Deep Archive (95% cheaper, slower retrieval)

This saves money without manual intervention—old recordings you rarely access cost almost nothing to store.

Example: 1,000 calls/month × 3 min average × 1 MB/min = 3 GB/month. With lifecycle rules, annual storage costs under $5.

Common Questions

Do I need S3 for Ring Tonic to work?

No. S3 storage is optional. By default, recordings and voicemails are stored in Twilio. S3 is recommended for faster playback, HIPAA compliance, or cost optimization at scale.

How long does Twilio store recordings?

Twilio stores recordings indefinitely unless you delete them. The first 10,000 minutes are free; after that, Twilio charges $0.0005 per minute per month. With S3, you pay AWS directly at typically lower rates.

Are recordings encrypted in S3?

Yes. Enable S3 Server-Side Encryption (SSE-S3 or SSE-KMS) on your bucket. Data in transit is always encrypted via HTTPS.

How long are signed URLs valid?

60 minutes. Each time you play a recording, a fresh signed URL is generated. This prevents sharing via leaked URLs.

Can I use other S3-compatible storage?

Yes. Enter the custom endpoint URL in the Endpoint field. Ring Tonic supports MinIO, DigitalOcean Spaces, and other S3-compatible providers.

What happens if I disable S3 storage later?

Existing S3 recordings remain accessible. New recordings will be stored in Twilio. You can re-enable S3 anytime.

Are S3 recordings deleted when I delete call logs?

Only if you turn it on. In Workspace Settings → Storage → Deletion Settings, toggle "Delete S3 files when call logs are deleted." When ON, deleting a call log (individually, via campaign deletion, or workspace deletion) also removes the corresponding recording from your S3 bucket. When OFF (the default), recordings stay in S3 even after the call log is gone.

What happens to Twilio recordings after migration?

With the Delete Twilio copy after migration toggle ON (the default), Ring Tonic deletes the Twilio copy as soon as the recording is safely on S3 — so you don't pay for storage on both sides. The deletion is retried automatically if Twilio is temporarily unavailable. With the toggle OFF, the Twilio copy is kept and you'll be billed for storage in both places.

What's the difference between the two Deletion Settings toggles?

They control completely different things:

Delete Twilio copy after migration — about avoiding duplicate storage the moment a recording is migrated. ON by default. Most people want it on.
Delete S3 files when call logs are deleted — about whether deleting a call log in your Ring Tonic dashboard also wipes the file from S3. OFF by default. Turn it on only if you want call-log deletion to be permanent.

The first runs once per recording, right after migration. The second runs whenever you (or your team, or the API) deletes a call log. See the Deletion Settings section above for the full breakdown.

Do I need to enable anything on Twilio to avoid duplicate storage?

No. With the Delete Twilio copy after migration toggle ON (the default), Ring Tonic handles cleanup automatically — you don't need to configure anything on the Twilio side. Twilio's account-level "External S3 Storage" feature is still an option if you want recordings to land directly in your bucket without ever touching Twilio's servers, but it's no longer required to prevent duplicates.

PreviousBrowser Dialer NextGoogle Ads Integration

Last updated 23 days ago