S3 Evidence Vault
Configure S3 storage for scheduled artifact uploads. All evidence is organized by date, type, and source for easy retrieval and compliance auditing.
Authentication Methods
Three options for S3 authentication, in order of preference:
IAM Role (recommended)
Attach an IAM role to the node instance profile. No credentials to manage.
IRSA (EKS)
Use IAM Roles for Service Accounts on EKS for pod-level credentials.
Kubernetes Secret
Create a secret with AWS credentials:
Secret namespace
The agent always reads the credentials secret from the workload's own namespace — i.e. the namespace of the pod being scanned. This is a deliberate security boundary: an agent running on a node must not be able to read secrets in arbitrary namespaces on behalf of a workload, since that would let any pod that opts into S3 export effectively read any secret in the cluster.
There is no override (no --s3-secret-namespace flag, no fallback to the agent's namespace). In practice, this means every namespace that uses S3 export needs its own copy of the credentials secret. The annotations only choose the secret's name; the namespace is fixed.
Annotation Configuration
Configure S3 settings via pod or namespace annotations:
| Annotation | Description |
|---|---|
| reel.io/s3-bucket | S3 bucket name |
| reel.io/s3-region | AWS region |
| reel.io/s3-secret | Name of Kubernetes secret with AWS credentials (always read from the workload's own namespace; see Secret namespace above) |
Pod annotations take priority over namespace annotations.
Complete Example
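The following manifests are an added example, not the project's own: a namespace sets the defaults, one pod overrides the bucket, and the credentials secret sits in the workload's namespace as the Secret namespace section requires. The bucket names, image, credential values and the key names inside the secret (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) are placeholders and assumptions, since the page does not state them.

```yaml
# Namespace-level defaults: every pod in "payments" that is scanned exports here
# unless a pod annotation overrides a key.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  annotations:
    reel.io/s3-bucket: example-evidence-bucket      # placeholder bucket name
    reel.io/s3-region: us-east-1
    reel.io/s3-secret: reel-s3-credentials          # secret NAME only; namespace is implied
---
# The credentials secret must live in the same namespace as the workload.
# The agent reads only from the workload's namespace; a copy in the agent's
# namespace or anywhere else is never consulted.
apiVersion: v1
kind: Secret
metadata:
  name: reel-s3-credentials
  namespace: payments
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: AKIA_PLACEHOLDER          # assumed key name, placeholder value
  AWS_SECRET_ACCESS_KEY: PLACEHOLDER_SECRET    # assumed key name, placeholder value
---
# Pod-level override: only the bucket changes for this workload; region and
# secret name are inherited from the namespace annotations above.
apiVersion: v1
kind: Pod
metadata:
  name: checkout
  namespace: payments
  annotations:
    reel.io/s3-bucket: example-evidence-bucket-restricted   # placeholder bucket name
spec:
  containers:
    - name: app
      image: example.com/checkout:1.0   # placeholder image
```

A pod in another namespace that reuses the same annotations needs its own reel-s3-credentials secret in that namespace; the one in payments will not be found.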
S3 Key Pattern
Artifacts are organized in S3 with the following key structure:
| Type | Extension |
|---|---|
| sbom, cbom, volatile, metadata, malware | .json |
| checkpoint, layer, frame, memory | .tar.zst or .core.zst |
Configuration Priority
S3 settings resolve in this order: CLI flags > pod annotations > namespace annotations.