S3 Compatible • App-scoped permissions • JIT access + approvals

S3 object storage, natively wired into your app.

Define buckets as components. Celeris binds permissions automatically—AWS SDK works out of the box.

Application: ecommerce
Service: api
App binding: auto-grant read/write
Bucket: assets

No manual IAM. No secret keys.

Same application → instant access

Celeris understands your application topology. When a service and bucket live in the same app, permissions bind automatically.

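Application A: api ✓ Auto-bound → Application A: assets

// PutObject to the assets bucket (assumes AWS SDK for JavaScript v3)
import { S3 } from "@aws-sdk/client-s3";
import { readFile } from "node:fs/promises";

// No credentials in code: Celeris injects identity at runtime
const s3 = new S3({});
const file = await readFile("hero.png"); // sample local file (assumed)

await s3.putObject({
  Bucket: "assets",
  Key: "img/hero.png",
  Body: file
});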

AWS SDK just works. Identity injected at runtime.

No standing privileges. Just-in-time.

Time-bound, reason-bound, approver-bound access. Automatically expires and revokes. No lingering permissions.

Access Lifecycle

Request

Developer or service initiates access request with reason and duration

Scope

Define allowed actions (read/write/delete), prefix paths, and conditions

Approve

Designated approvers or break-glass flow validates the request

Active Window

Time-bound session begins with live countdown and audit logging

Auto Revoke

Access automatically expires—no cleanup required

- Duration + reason + ticket URL required
- Approver group + threshold (1-of-N, 2-of-N)
- Break-glass option (stronger audit, alerts)
- Auto-expire / auto-revoke guaranteed

JIT Access Grant

Request ID: jit-2026-01-06-a3f7
Status: Active
Time Remaining: 01:47:32
Duration: 2 hours
Bucket: logs-archive
Prefix Scope: /exports/2026/*
Actions: GetObject, ListBucket
Requestor: alice@acme.com

Audit Trail

Approved by @platform-team • Reason: "Export Q4 analytics for compliance report"
Ticket: JIRA-4521
Auto-revokes in 1h 47m 32s

Describe intent. Agent delivers policy.

The Celeris Agent translates natural language into least-privilege policies. You review, approve, and ship—fully audited.

Intent Composer


Proposed Policy Change
Generated by Celeris Agent
bindings:
- application: ecommerce
service: api
+ bucket: assets
+ actions:
+ - s3:PutObject
+ - s3:GetObject
+ prefix: "/uploads/*"
+ reason: "api needs write access for user uploads"
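Review bot: the added "- s3:GetObject" action grants read access, but the added reason line justifies only write access for user uploads. Either drop GetObject from this binding or extend the reason to say why the api service needs to read back objects under the prefix. Separately, the prefix is written "/uploads/*" with a leading slash while the simulation below shows keys as assets/uploads/img.png, so it is worth stating how the prefix is normalized before it is matched against object keys.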
Impact Analysis
Blast radius: 1 service gains access
Risk level: Low
Principle: Least privilege (prefix-scoped)
Simulation
ALLOW PutObject assets/uploads/img.png
DENY DeleteObject assets/uploads/img.png
DENY PutObject assets/private/secret.txt
Approvers: @platform-team @security
Requires 1-of-2
All changes fully audited and reversible
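
The simulation above and the JIT grant shown earlier, as an added example (not Celeris's code or API): a default-deny evaluator for prefix-scoped, optionally time-bound grants. The grant shape, function names, start time and the extra requests are constructed; the example goes beyond the page's three cases to cover segment-boundary matching, dot-segment keys and grant expiry.

```javascript
// Added example; grant shape and function names are hypothetical, not Celeris's API.
const T0 = Date.UTC(2026, 0, 6, 10, 0, 0); // constructed grant start time
const GRANTS = [
  { id: "binding-ecommerce-api", bucket: "assets", prefix: "/uploads/*",
    actions: ["PutObject", "GetObject"] },
  { id: "jit-2026-01-06-a3f7", bucket: "logs-archive", prefix: "/exports/2026/*",
    actions: ["GetObject", "ListBucket"], expiresAt: T0 + 2 * 60 * 60 * 1000 },
];

// Split a key into segments. Empty, "." and ".." segments are rejected: S3 treats
// keys as opaque, but consumers that normalize paths may not (conservative choice).
function keySegments(key) {
  const segs = key.replace(/^\/+/, "").split("/");
  return segs.some((s) => s === "" || s === "." || s === "..") ? null : segs;
}

// "/uploads/*" -> ["uploads"]; whole-segment match, so "uploads-old/" is not covered.
function prefixSegments(prefix) {
  return prefix.replace(/\*$/, "").split("/").filter(Boolean);
}

// Default deny: ALLOW only if a grant matches bucket, action, prefix and time window.
function evaluate(grants, req, now) {
  const key = keySegments(req.key);
  if (key === null) return { decision: "DENY", reason: "malformed key" };
  for (const g of grants) {
    if (g.bucket !== req.bucket || !g.actions.includes(req.action)) continue;
    if (g.expiresAt !== undefined && now >= g.expiresAt) continue; // grant expired
    const pre = prefixSegments(g.prefix);
    if (pre.length < key.length && pre.every((s, i) => s === key[i]))
      return { decision: "ALLOW", grant: g.id };
  }
  return { decision: "DENY", reason: "no matching grant" };
}

// Replay requests and format them like the simulation output above.
function simulate(requests, now) {
  return requests.map(([action, bucket, key]) =>
    `${evaluate(GRANTS, { action, bucket, key }, now).decision} ${action} ${bucket}/${key}`);
}

console.log(simulate([
  ["PutObject", "assets", "uploads/img.png"],
  ["DeleteObject", "assets", "uploads/img.png"],
  ["PutObject", "assets", "private/secret.txt"],
  ["PutObject", "assets", "uploads-old/img.png"],
  ["PutObject", "assets", "uploads/../private/secret.txt"],
  ["GetObject", "logs-archive", "exports/2026/q4.csv"],
], T0 + 60 * 1000).join("\n"));
```

The first three lines of output match the page's simulation; the same GetObject on logs-archive is denied once `now` reaches the grant's `expiresAt`.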

Full S3 toolkit. Zero friction.

Every S3 capability you need—presigned URLs, lifecycle rules, versioning, events—wired into Celeris.

Presigned URLs: Secure uploads
Lifecycle: Auto archive
Events: Trigger functions
Versioning: Object history
Encryption: At-rest secure
Metrics: Observability

Every action. Fully audited.

Policy versioning, decision logging, blast radius analysis. Roll back any change. Prove compliance.

PUT /assets/img/hero.png | ALLOW | service: api | policy: app-binding-v3 | 12ms
GET /logs/2026/01/export.csv | ALLOW | user: alice | jit-grant: jit-a3f7 | 8ms
DELETE /assets/temp/draft.png | DENY | service: cleanup-job | reason: delete not allowed | 3ms
JIT Grant | user: alice → logs bucket | APPROVED | approver: @platform-team | duration: 2h | prefix: /exports/*
Policy Change | Agent proposed binding update | APPLIED | ticket: SEC-1242 | approved by: @security | v4 → v5
LIST /data-lake/analytics/ | ALLOW | service: analytics-job | org-scope binding | 5ms
PUT /private/config.json | DENY | service: web-frontend | prefix not allowed | 2ms
Break-Glass | emergency access activated | ACTIVE | user: bob@ops | incident: INC-789 | audit: enhanced

Audit Log Retention

Configurable retention. Export to SIEM. Full decision context preserved.

Policy Versioning

Every policy change tracked. Instant rollback to any previous version.

Org / Product / App Scopes

Buckets scoped to org, product, or app. Inheritance and override rules.

Separation of Duties

Approval gates, threshold policies, and conflict-of-interest checks.

Storage that fits your entire platform.

Buckets integrate with preview environments, test execution, functions, deployments, and your software catalog.

Bucket: assets

Central storage hub

Preview Envs

Isolated prefixes per preview

Test Execution

Artifacts & reports storage

Functions

Event-driven triggers

Deployments

Release artifacts

Catalog

Ownership & docs

Marketplace

CDN & integrations

Get started with S3 storage

Free tier includes 5GB storage, 10,000 requests/month