Docs
← Back to site

Amazon S3

5 min readUpdated June 28, 2026

Amazon S3 is the original cloud object storage service and the most widely supported storage provider in the WordPress ecosystem. WP Media Cloud connects to S3 using IAM credentials and supports all AWS regions.

Before you start#

You will need:

  • An AWS account.
  • An S3 bucket in your chosen region.
  • An IAM user or role with read and write permissions on the bucket.
  • An Access Key ID and Secret Access Key for that IAM user.

Step 1: Create an S3 bucket#

Log in to the AWS console and go to S3. Click Create bucket. Choose a name and select your region. Leave Block all public access enabled for now — you can adjust this after setup if you need public URLs without a CDN.

Leave all other settings at their defaults and click Create bucket.

Step 2: Create an IAM user and access keys#

Go to IAM > Users and click Create user. Give the user a name such as wp-media-cloud. On the permissions step, select Attach policies directly and attach the AmazonS3FullAccess policy, or create a custom inline policy restricted to your specific bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

After creating the user, go to the user’s Security credentials tab and click Create access key. Select Application running outside AWS as the use case. Copy and save the Access Key ID and Secret Access Key before closing the page — the secret key is only shown once.

Step 3: Set bucket permissions for public access#

If you want files to be publicly accessible without signed URLs or a CDN, you need to allow public reads on the bucket.

In your bucket settings, go to Permissions. Under Block public access, disable Block all public access and confirm. Then add the following bucket policy under Bucket Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

Replace your-bucket-name with your actual bucket name. If you are using a CDN in front of S3, you may be able to leave the bucket private and only allow access from the CDN. Refer to your CDN provider’s documentation for that configuration.

Step 4: Connect Amazon S3 in WP Media Cloud#

You have two options for connecting S3 to WP Media Cloud. Use whichever suits your setup.

Option A: Setup wizard

Go to WP Media Cloud > Setup Wizard. The wizard walks you through provider selection, credential entry, and CDN configuration. It can list your existing S3 buckets automatically once credentials are entered. This is the recommended option for most users.

Option B: wp-config.php constants

Add the following constants above the /* That's all, stop editing! */ line in wp-config.php:

define( 'WPMC_PROVIDER',        's3' );
define( 'WPMC_AWS_REGION',      'us-east-1' );
define( 'WPMC_AWS_ACCESS_KEY',  'your-access-key' );
define( 'WPMC_AWS_SECRET_KEY',  'your-secret-key' );
define( 'WPMC_AWS_BUCKET',      'your-bucket-name' );
define( 'WPMC_AWS_CDN_TYPE',    'custom' );
define( 'WPMC_AWS_CDN_URL',     'https://your-cdn.com' );

Set WPMC_AWS_REGION to the region code for your bucket (e.g. us-east-1, eu-west-1, ap-southeast-1). The region code is shown in the AWS console URL and in the bucket’s properties tab. Once the constants are in place, go to WP Media Cloud > Settings > Storage and confirm the plugin has loaded them. Constants override any values saved in the settings panel.

Step 5: Test the connection#

Click Test Connection. WP Media Cloud will upload a small test file to your S3 bucket and confirm it can be read back. A green success message confirms the connection is working.

Step 6: Configure CDN delivery (optional)#

S3 can serve files directly from the bucket URL, but using a CDN reduces egress costs and improves delivery speed globally. Common options include:

  • Amazon CloudFront — AWS’s own CDN. Create a CloudFront distribution with your S3 bucket as the origin and enter the CloudFront URL in WP Media Cloud > Settings > CDN > Custom CDN URL.
  • Bunny CDN — create a pull zone pointed at your S3 bucket’s public URL and enter the Bunny pull zone hostname in Settings > CDN.
  • KeyCDN or CDN77 — both work with any public HTTP origin including S3 bucket URLs.

Troubleshooting#

Connection test returns Access Denied
The IAM user does not have the required permissions on the bucket. Confirm the policy attached to the user includes s3:PutObject, s3:GetObject, s3:DeleteObject, and s3:ListBucket for the correct bucket ARN.

Connection test returns NoSuchBucket
The bucket name is incorrect or the region does not match where the bucket was created. S3 bucket names are globally unique but region-specific for endpoint routing. Confirm both the bucket name and region in the AWS console.

Files upload but return 403 when accessed publicly
Block public access is still enabled on the bucket or the bucket policy is missing the public read statement. Check the bucket’s Permissions tab in the AWS console.

Wrong region error
Each S3 bucket is tied to a specific region. If you enter the wrong region code, requests will be redirected or fail. Find the correct region code in the bucket’s Properties tab in the AWS console.

Access Key ID or Secret Access Key not accepted
Credentials are copy-paste sensitive. Check for leading or trailing spaces. If the secret key was lost, create a new access key in the IAM user’s Security credentials tab — you cannot retrieve a secret key after the initial creation screen.

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only