The right approach depends on your needs to distribute what you’re building. If what you plan to build is so general purpose that other Atlassian customers might want it, then, yes, build an Atlassian Connect add-on. However, Atlassian Connect introduces a lot of overhead for authentication. If you only plan to use this utility for your own purposes, then Webhooks and REST APIs with Basic Authentication will be sufficient. The following sequence diagram explains the main steps.
In plain English, an administrator uses the JIRA UI to register a webhook to the URL of your integration service. When your integration service receives webhooks, it should follow the URLs provided in those payloads to navigate to the attachments for that issue. Issues can have multiple issues; hence, the for loop to get each one. The issue has fields.attachment[].content as the content for each attachment. You have to download each attachment as bytes, which you can pipe to your other system.
As long as your integrations service is behind the same firewall as JIRA, you don’t need any authentication on the webhook. But, coming back in to make the REST API request, you will need to authenticate. I suggest simple Basic authentication.
Hope that helps.