# Get started

<!-- WARNING: THIS FILE WAS AUTOGENERATED! DO NOT EDIT! -->

Enable and add a storage location.

## Prerequisites

-   A Video SDK account with Cloud Recording add-on plan. **Universal Credit plans already include Cloud Recording.**
-   AWS account with administrator access
-   An Amazon S3 bucket created for storing recordings

## Enable Bring Your Own Storage

1. In the Developer account web portal, go to **Account Settings** > **General** > **Communications Content Storage Location**.
2. Toggle **Bring Your Own Storage** on.
    - When enabled, the storage region setting no longer applies.
    - The first time you enable BYOS, Zoom prompts you to [add a storage location](#add-a-storage-location).
3. If you have existing cloud recording files stored on Zoom and want to reduce or eliminate future Zoom storage charges, download and save your recordings, then delete them from the Zoom cloud.
4. If you later disable BYOS, Zoom deletes the configured storage locations from your account. The recording files already saved in S3 remain untouched, but their metadata will no longer appear in the Zoom web portal.

## Add a storage location

Storage locations are destinations where your cloud recordings are saved. You must add at least one storage location to use BYOS. See [Manage storage locations](/docs/build/storage-manage/) for details.

1. Click **Manage Storage** and then **Add Storage**.
2. Name the storage location.
3. Enter the region (for example, `us-west-2`).
4. Enter the bucket name.
5. Choose an authentication mechanism: **AWS Access Key** or **Cross Account Access**.
    - **AWS Access Key**: Enter your **Access Key ID** and **Access Secret Key**. Zoom encrypts these values. Click **Save**.
    - **Cross Account Access**: See [Set up cross account access](#set-up-cross-account-access).
6. To validate the credentials, Zoom performs HTTP PUT, GET, and LIST operations against the specified AWS bucket before saving the recording.

### Set up cross account access

Follow these steps if you chose the **Cross Account Access** authentication mechanism for your storage location.

1. Enter Your ARN in the following format:

    ```txt
    arn:aws:iam::Account ID:role/ZoomArchivingRole
    ```

2. Configure IAM Role Permissions for your S3 bucket.

    - Bring Your Own Storage (BYOS) requires permissions to list the bucket and manage objects.
    - In the [IAM Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) tab, create a custom policy using the following template.
    - Replace `your_bucket_name` with your actual S3 bucket name.

        ```json
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "S3BucketList",
                    "Effect": "Allow",
                    "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                    "Resource": "arn:aws:s3:::your_bucket_name"
                },
                {
                    "Sid": "S3ObjectAccess",
                    "Effect": "Allow",
                    "Action": [
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:DeleteObject"
                    ],
                    "Resource": "arn:aws:s3:::your_bucket_name/*"
                }
            ]
        }
        ```

3. Configure Trust Relationships.

    - Navigate to the **Trust relationships** tab in your IAM role settings.
    - Add the **Zoom ARN** to establish a trust relationship between your AWS account and Zoom's AWS ARN.
    - Set `sts:ExternalId` to your **Zoom `account_id`** to ensure only your Zoom account can access this S3 bucket.

        > **Finding your Zoom account ID**
        >
        > Your Zoom `account_id` is displayed in the help text on the **Add a storage location** form below the **ARN** field, where it says "Please add the string (ABCDE...) in your AWS assume role policy..." You can also retrieve it using the [Get Account Settings API](/docs/api/accounts/#tag/accounts/get/accounts/{accountId}/settings).

    - Use the following trust policy template. _Add the **Zoom ARN** where indicated._

        ```json
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "Zoom ARN"
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {
                        "StringEquals": {
                            "sts:ExternalId": "account_id"
                        }
                    }
                }
            ]
        }
        ```

## Verify storage locations

Verification tests the input parameters (region, bucket, access key ID, and access secret key) against your storage provider. You may need to verify a storage location if, for example, you rotate keys or delete a bucket.

1. Click **Manage Storage**.
2. Click the **ellipsis** next to the storage location and choose **Verify**.

## Test storage connection

After configuration, test the connection by recording a Zoom meeting.

1. Verify that recordings appear in your S3 bucket.
2. Check AWS CloudTrail logs to confirm proper access patterns.

> **Audit IAM roles and S3 permissions**
>
> Regularly audit your IAM roles and S3 bucket permissions to ensure they maintain the principle of least privilege.