Secure External Access

This page is for Cloud Storage in AWS. If you use Cloud Storage in Azure, see the Azure storage section of the Cloud Storage Services online help.

Required permissions: Secure External Access Edit

Secure External Access (SEA) allows you to securely copy or move files from active storage to a storage location outside of CXone. When you enable this feature, you are assigned a secure, dedicated storage location on AWS storage owned by NICE CXone.

When a Life Cycle Management rule is configured to copy or move files to SEA, the files are placed in your assigned storage location. You can then download the files and store them in a location of your choice.

Files are encrypted while in transit to SEA and while they're at rest in your temporary SEA location. Cloud Storage Services uses the system-generated key management system (KMS) key in AWS to provide this encryption. If you set up a custom AWS KMS key, that key is used instead.

Files remain in SEA for 30 days, after which they're automatically deleted. You can delete them manually after you download them.

Set Up and Use SEA

  1. Generate SEA credentials in CXone Cloud Storage Services. You only need to do this once, unless you need to regenerate the credentials for any reason.
  2. Create Life Cycle Management rules that include criteria to copy or move files to SEA. Because of how these rules work, any existing files that are already managed by rules in Cloud Storage Services are not eligible for moving into SEA.

    You can modify an existing rule to add moving files into SEA, but it's not recommended. It could result in files managed by the same rule being processed in different ways. Files created after you modify the rule would be moved to SEA, while files processed before you changed the rule are not in SEA.

  3. Download files from your SEA temporary location before their expiration date, which is after 30 days. You can manually delete the files after you download them.

SEA File Downloads

You can download files from SEA using an FTP client that supports connecting to Amazon S3. You can also use an application such as S3 browser, a freeware application that provides access to files in an S3 bucket.

Use the credentials you generated in CXone Cloud Storage Services to set up a new account (S3 browser) or site (most FTP clients). If you use S3 browser, you also need to create a new external bucket where you specify the File Location generated with your credentials. The following table shows the fields you need to complete and the information to use.  After you log into your temporary SEA location, you can download the files to your own server.

S3 Field Name

FTP Client

Complete with this Information

Account Type   Select Amazon S3 Storage.
  Protocol Select the option that supports Amazon S3, such as S3/HTTPS or S3 Amazon Simple Storage.
  Host Enter
Access Key ID Access Key Enter the access key ID you generated.
Secret Access Key


Enter the secret access key you generated.
Use Secure Transfer (SSL/TLS) Use Secure Transfer (SSL/TLS)  Select this option so all file transfer are done securely.
Add External Bucket > Bucket Name Remote Path Enter the path and file name of your assigned file location, generated when you created your credentials. For example, if your file location is, enter my-s3-bucket/folder/ in the field.

The field names for the S3 browser and FTP clients may differ from what's listed in the preceding table. Refer to the online help for the application you're using if you have questions.

Key Facts About SEA

  • Your organization incurs an active storage charge while files are in SEA.
  • Files must be in active storage to move to SEA. Files in long-term storage or custom storage cannot be moved. SEA depends on Life Cycle Management rules to move files from active Cloud Storage into SEA. These rules don't work with custom storage, and cannot move files from long-term storage into active storage.
  • Files are automatically deleted from SEA after 30 days. You can delete files yourself after downloading them onto your external server.
  • You are only allowed one set of SEA credentials per tenant. If you regenerate credentials, the previous set no longer works.
  • A file can be placed in SEA one time only. If a file is copied into SEA, it cannot later be moved into SEA. Be cautious when testing Life Cycle Management rules that involve SEA. Files that you copy or move to SEA to test rules cannot be placed in SEA again in the future. They also cannot be moved back into active storage in Cloud Storage.
  • You cannot access your SEA folder if it is empty.
  • Faster Secure External Access is a billable licensed feature. It allows you to copy or move CXone Recording files to SEA at a faster rate than standard SEA speeds for rules configured for zero-day copying or moving of files.  Contact your CXone Account Representative for more information.