# Amazon S3 Connector Setup

The **Amazon S3 connector** lets Moveworks ingest data — such as user records or files — that is delivered to an Amazon S3 bucket. It is commonly used when a source system cannot expose a direct API, and data is instead delivered to Moveworks as files (for example, user records dropped into an S3 bucket).

Setting up the connector has two parts:

1. **Create the connector in Moveworks Setup** — a quick, self-service step that registers an integration entry for your organization.
2. **Request the AWS folder and access from Moveworks** — Moveworks provisions the S3 folder and the access details you use to deliver your data.

## Create the S3 Connector in Moveworks Setup

Creating the connector in Moveworks Setup registers an integration entry for your organization. No credentials are required at this step.

1. Log in to **Moveworks Setup** and navigate to **Built-In Connectors**.
2. From the list of built-in connectors, select **S3** (Amazon S3).
3. Give the connector a **unique name** that is easy to identify (for example, `s3_user_import`). Use a name that reflects what the connector is used for.
4. Save to create the connector.

No credentials are required to create the S3 connector. Creating it here simply registers an **integration entry** for your organization — it does not move any data on its own. Data delivery is enabled once Moveworks provisions the AWS folder and access (see below).

## Request AWS Folder Creation and Access from Moveworks

After the connector exists in Moveworks Setup, the AWS folder and the access used to deliver your data are provisioned by Moveworks.

The AWS folder and SFTP access **cannot be created from Moveworks Setup** — they are provisioned by Moveworks.

1. Before you raise the ticket, **generate an SSH key pair**. You share only the **public key** with Moveworks and keep the **private key** secure — you use it to connect to the SFTP server.
2. **Raise a support ticket** and include:
   * The **connector name** you created in Moveworks Setup.
   * Your **SSH public key**, so Moveworks can authorize your access to the SFTP server.
   * The **type of data** you plan to deliver (for example, user records) and the expected **delivery cadence**.
3. Moveworks provisions the folder, authorizes your public key, and returns your **SFTP connection details** — host, port, username, and target directory.

Treat the access details as sensitive. Store them securely and share them only with the team members responsible for delivering data. To rotate or revoke access, raise a support ticket with Moveworks.

## Deliver Your Data Files Over SFTP

After Moveworks provisions your folder and authorizes your public key, deliver your data files to the SFTP server using the connection details from the support ticket response.

Connect with your **SSH private key** and the connection details Moveworks shared with you. The host and target directory are specific to your organization and region — your details look like the following:

| Setting          | Value                                                                                     |
| ---------------- | ----------------------------------------------------------------------------------------- |
| Host             | Provided by Moveworks (for example, `sftp.am-eu-central.moveworks.com` for the EU region) |
| Port             | `22`                                                                                      |
| Protocol         | SFTP (SSH)                                                                                |
| Authentication   | SSH private key                                                                           |
| Target directory | Provided by Moveworks (for example, `uploads/user_identity_data` for user records)        |

Upload your files to the **target directory** Moveworks provided. For user records, deliver a CSV that matches the expected schema.

Verify that the file appears in the target directory. Moveworks imports it on the configured crawl schedule — see [Validation](#validation) below to confirm it was read successfully.

Keep your **private key** secure and never share it with Moveworks — only the public key is required. To rotate your key, generate a new key pair and raise a support ticket with the new public key.
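The key generation and delivery steps above can be wrapped in a few shell functions that check the private key's permissions and the file itself before anything is uploaded. This is an added example, not Moveworks tooling. The Ed25519 key type, the function names, the expected CSV header and the `SFTP_HOST`, `SFTP_USER`, `SFTP_PORT` and `SFTP_DIR` variables are assumptions to be replaced with the values from your support ticket.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks and upload for SFTP delivery.
# Key path, CSV header and the SFTP_* variables are placeholders (assumptions).

# Generate the key pair; ssh-keygen prompts for a passphrase.
# Only "$1.pub" goes into the support ticket. Ed25519 is an assumed key type.
make_keypair() {
  ssh-keygen -t ed25519 -a 100 -f "$1" -C "sftp-delivery"
}

# Fail if the private key is accessible to group or others.
check_key_perms() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) echo "private key $1 has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# Fail on a missing or empty file, or a header row that differs from the
# expected one (two ingestion failures the Validation section names).
preflight_csv() {
  local header
  [ -s "$1" ] || { echo "$1 is missing or empty" >&2; return 1; }
  header=$(head -n 1 "$1" | tr -d '\r')
  [ "$header" = "$2" ] || { echo "header mismatch: $header" >&2; return 1; }
}

# Upload non-interactively. Batch mode cannot prompt, so a passphrase-protected
# key must already be loaded in ssh-agent, and the server's host key must
# already be in known_hosts (unknown or changed host keys are refused).
deliver() {
  check_key_perms "$1" || return 1
  printf 'put "%s" "%s/"\nls -l "%s"\n' "$2" "$SFTP_DIR" "$SFTP_DIR" |
    sftp -b - -i "$1" -P "${SFTP_PORT:-22}" \
         -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes \
         "$SFTP_USER@$SFTP_HOST"
}
```

Run `preflight_csv` with the file and the header row your schema expects, then `deliver` with the private key path and the file. The trailing `ls -l` in the batch lists the target directory so the upload can be confirmed in the same session.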

## How It Works

Moveworks uses dedicated, per-customer **Amazon S3 buckets** as the data store. Each bucket is allocated to a single customer and encrypted with a unique key generated via **AWS KMS**, with all data encrypted at rest using **AES-256**.

The end-to-end flow is:

1. **You create the S3 connector** in Moveworks Setup (registers the integration entry).
2. **Moveworks provisions** the AWS folder and shares the access details with you.
3. **You deliver your data files** to that folder over SFTP on an agreed cadence.
4. **Moveworks ingests** the data on the configured crawl schedule, after which it is processed and indexed.

## Validation

After your first file delivery, confirm that Moveworks is successfully reading the data:

1. In **Moveworks Setup**, navigate to **Core Platform > Data Crawling View**.
2. Locate the resource associated with your S3 connector and check the **crawl health** and the latest crawl run.
3. If a run fails, use **View Logs** and the **Error Summary** to troubleshoot (commonly a file format or schema mismatch, or an empty file).

See the [Data Crawling View](/service-management/moveworks-setup/data-ingestion-view) guide for full details on monitoring and troubleshooting ingestion.

## Frequently Asked Questions

No. Creating the S3 connector in Moveworks Setup does not require credentials — it registers an integration entry for your organization. The access details used to deliver data are provided separately by Moveworks after you raise a support ticket.

Moveworks. The folder lives in a dedicated, per-customer, KMS-encrypted bucket provisioned and managed by Moveworks. You request it by raising a support ticket; you do not need to create or own an AWS bucket.

Each customer is allocated a dedicated S3 bucket encrypted with a unique per-customer key via AWS KMS, with all data encrypted at rest using AES-256. The S3 connector follows the same security protocols as Moveworks' other ingestion paths.

You deliver files over SFTP using an SSH key pair. Generate the key pair, share your **public key** with Moveworks when you raise the support ticket, then connect to the SFTP server with your **private key** and upload files to the target directory Moveworks provides. See [Deliver Your Data Files Over SFTP](#deliver-your-data-files-over-sftp).

Raise a support ticket with Moveworks to rotate or revoke the access credentials for your S3 folder.