Get started

Enable Bring Your Own Storage (BYOS) and add a storage location.

Prerequisites

  • A Video SDK account with the Cloud Recording add-on plan. Universal Credit plans already include Cloud Recording.
  • AWS account with administrator access
  • An Amazon S3 bucket created for storing recordings

Enable Bring Your Own Storage

  1. In the Developer account web portal, go to Account Settings > General > Communications Content Storage Location.
  2. Toggle Bring Your Own Storage on.
    • When enabled, the storage region setting no longer applies.
    • The first time you enable BYOS, Zoom prompts you to add a storage location.
  3. If you have existing cloud recording files stored on Zoom and want to reduce or eliminate future Zoom storage charges, download and save your recordings, then delete them from the Zoom cloud.
  4. If you later disable BYOS, Zoom deletes the configured storage locations from your account. The recording files already saved in S3 remain untouched, but their metadata will no longer appear in the Zoom web portal.

Add a storage location

Storage locations are destinations where your cloud recordings are saved. You must add at least one storage location to use BYOS. See Manage storage locations for details.

  1. Click Manage Storage and then Add Storage.
  2. Name the storage location.
  3. Enter the region (for example, us-west-2).
  4. Enter the bucket name.
  5. Choose an authentication mechanism: AWS Access Key or Cross Account Access.
    • AWS Access Key: Enter your Access Key ID and Access Secret Key. Zoom encrypts these values. Click Save.
    • Cross Account Access: See Set up cross account access.
  6. To validate the credentials, Zoom performs HTTP PUT, GET, and LIST operations against the specified AWS bucket before saving the recording.

Set up cross account access

Follow these steps if you chose the Cross Account Access authentication mechanism for your storage location.

  1. Enter your ARN in the following format:

    arn:aws:iam::Account ID:role/ZoomArchivingRole
    
  2. Configure IAM Role Permissions for your S3 bucket.

    • Bring Your Own Storage (BYOS) requires permissions to list the bucket and manage objects.

    • In the IAM Role Permissions tab, create a custom policy using the following template.

    • Replace your_bucket_name with your actual S3 bucket name.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "S3BucketList",
                  "Effect": "Allow",
                  "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                  "Resource": "arn:aws:s3:::your_bucket_name"
              },
              {
                  "Sid": "S3ObjectAccess",
                  "Effect": "Allow",
                  "Action": [
                      "s3:GetObject",
                      "s3:PutObject",
                      "s3:DeleteObject"
                  ],
                  "Resource": "arn:aws:s3:::your_bucket_name/*"
              }
          ]
      }
      
  3. Configure Trust Relationships.

    • Navigate to the Trust relationships tab in your IAM role settings.

    • Add the Zoom ARN to establish a trust relationship between your AWS account and Zoom's AWS ARN.

    • Set sts:ExternalId to your Zoom account_id to ensure only your Zoom account can access this S3 bucket.

      Finding your Zoom account ID

      Your Zoom account_id is displayed in the help text on the Add a storage location form below the ARN field, where it says "Please add the string (ABCDE...) in your AWS assume role policy..." You can also retrieve it using the Get Account Settings API.

    • Use the following trust policy template. Add the Zoom ARN where indicated.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "Zoom ARN"
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "account_id"
                      }
                  }
              }
          ]
      }
      

Verify storage locations

Verification tests the input parameters (region, bucket, access key ID, and access secret key) against your storage provider. You may need to verify a storage location if, for example, you rotate keys or delete a bucket.

  1. Click Manage Storage.
  2. Click the ellipsis next to the storage location and choose Verify.

Test storage connection

After configuration, test the connection by recording a Zoom meeting.

  1. Verify that recordings appear in your S3 bucket.
  2. Check AWS CloudTrail logs to confirm proper access patterns.

Audit IAM roles and S3 permissions

Regularly audit your IAM roles and S3 bucket permissions to ensure they maintain the principle of least privilege.
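
One way to run part of that audit offline, as an added example that is not part of Zoom's documentation: the script compares an exported trust policy and permission policy against the two templates on this page and reports anything broader. The function names and all sample values (ARN, account ID, bucket) are constructed placeholders.

```python
import json

# Actions the permission template on this page grants (compared case-insensitively).
TEMPLATE_ACTIONS = {"s3:listbucket", "s3:getbucketlocation",
                    "s3:getobject", "s3:putobject", "s3:deleteobject"}

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def audit_trust(policy, zoom_arn, account_id):
    """Findings for the role trust policy; an empty list means it matches the template."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if arns != [zoom_arn]:
            findings.append(f"principal {arns} is not exactly the Zoom ARN")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext is None:
            findings.append("missing StringEquals sts:ExternalId condition")
        elif as_list(ext) != [account_id]:
            findings.append("sts:ExternalId is not the Zoom account_id")
    return findings

def audit_permissions(policy, bucket):
    """Findings for the permission policy: actions or resources beyond the template."""
    findings = []
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants more than the template")
        findings += [f"extra action {a}" for a in as_list(stmt.get("Action", []))
                     if a.lower() not in TEMPLATE_ACTIONS]
        findings += [f"resource outside bucket {r}" for r in as_list(stmt.get("Resource", []))
                     if r not in in_scope]
    return findings

# Constructed sample values (placeholders, not real Zoom or AWS identifiers).
ZOOM_ARN, ACCOUNT_ID, BUCKET = "arn:aws:iam::111122223333:root", "EXAMPLE_ACCOUNT_ID", "example-recordings"
WEAK_TRUST = json.loads('{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}')
BROAD_PERMS = json.loads('{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}')

if __name__ == "__main__":
    for finding in audit_trust(WEAK_TRUST, ZOOM_ARN, ACCOUNT_ID) + audit_permissions(BROAD_PERMS, BUCKET):
        print("FINDING:", finding)
```

The check only inspects Allow statements; it does not evaluate Deny statements, bucket policies, or other policies attached to the role.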