
AWS connector with lowest possible permissions


Rick Guyton


Hi all!

     I'm sure no one else has done this... But, to get things done, I initially set up a few customer accounts with root AWS access keys to get their call recording going. Needless to say, that's super dangerous. So, I recently invested the time to find the minimal possible permissions to provision an account with AWS. And I thought I might as well share. This assumes you will be assigning each customer a separate bucket. Technically, you could put all your clients into a single bucket. But that makes the permissions much harder.

So, here are the step-by-step directions. They look really long, but it really is very easy; these are just very detailed instructions:

SETUP AN S3 BUCKET

1) Log into your AWS portal and access the S3 app

2) Click Create Bucket

3) Enter a new bucket name. It doesn't matter what it is, but write it down somewhere

4) Select US West (N. California) for your region


5) Click Next through the remaining panes and create the bucket. You should read through them and make sure they meet your needs. I especially recommend enabling the "Block ALL public access" option.


SETUP AN IAM USER

1) Access the IAM app

2) Click Add User

3) Enter a new username

4) Check Programmatic access


5) In the next pane, select Attach existing policies directly and then select create policy


6) This will open a new tab for you to enter your policy into. Click the JSON tab, enter the policy below, and replace "BUCKET_NAME_HERE" with your bucket name from above. Then click Review policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME_HERE/*",
                "arn:aws:s3:::BUCKET_NAME_HERE"
            ]
        }
    ]
}


7) Name your policy and click Create policy

8) Back on your IAM tab, click refresh, enter the name of the policy you assigned in step 7 in the search box, check it and press Next

9) The next two pages are for tagging and review, you can just leave them blank and click create user.

10) On the next page, you will get your access key and secret access key. SAVE THESE! You need them to input into your connector

11) Back on the main page for IAM, click Users, and click on your user account. Save the ARN shown


BUCKET POLICY

1) Go back into your S3 app and click on your bucket

2) Click Permissions, then Bucket policy, and enter this JSON. Update your bucket name and the IAM user ARN. Then save.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "ARN_FOR_IAM_USER_HERE"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME_HERE/*",
                "arn:aws:s3:::BUCKET_NAME_HERE"
            ]
        }
    ]
}


AWS APP In Kazoo

1) Now, just enter your AWS info as collected above. If you used the region I recommended above, your host is s3-us-west-1.amazonaws.com.


That's it! If anyone has any feedback, I'd love to hear it. I hope you all find it useful!

5 minutes ago, Karl Stallknecht said:

This is awesome!! Thanks!! I originally set up using root access as well because I couldn't figure out how to assign permissions properly (I tried and 2600hz wouldn't connect). I'll follow your advice to fix this!

Hey Karl! Glad I could help out! I had a feeling a few others probably just gave root creds...


2 years later...

I have prepared an AWS CloudFormation stack. It makes the required configuration. You just need to upload the text file in AWS CloudFormation and then generate a token in the IAM app.

CloudFormation stack

Description: >-
  Stack creates an S3 bucket for Kazoo recordings and configures access permission
Resources:
################################################
# IAM Users
################################################
  UserKazoo:
    Type: AWS::IAM::User
    Properties:
      UserName: kazoo
################################################
# S3 Bucket
################################################
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: 278544129100-kazoo
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: DefaultRule
            Status: Enabled
            ExpirationInDays: 40
            Transitions:
              - TransitionInDays: 10
                StorageClass: GLACIER
#          - Id: Tenant-XXX
#            Status: Enabled
#            Prefix: 'subfolder'
#            ExpirationInDays: 40
#            Transitions:
#              - TransitionInDays: 10
#                StorageClass: GLACIER
################################################
# S3 Policy
################################################
  PolicyKazoo:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Id: S3ForKazoo
        Statement:
        - Action:
          - 's3:ListBucket'
          - 's3:PutObject'
          - 's3:GetObject'
          Effect: Allow
          Resource:
            - !Sub arn:aws:s3:::${S3Bucket}
            - !Sub arn:aws:s3:::${S3Bucket}/*
          Principal:
            AWS:
            - !GetAtt UserKazoo.Arn

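Rick's click-through and the CloudFormation template above both reduce to the same two policy documents: an identity policy on the IAM user and a bucket policy naming that user as Principal (for a same-account IAM user either one is enough on its own; the CloudFormation version relies on the bucket policy alone). The script below is an added example, not 2600hz/Kazoo code and not from either poster. It generates both documents for a bucket name and user ARN, and audits any such policy with a deliberately small subset of IAM's evaluation logic: explicit Deny wins, then any matching Allow, else implicit deny, with IAM's `*`/`?` wildcards and case-insensitive action names. It checks the three things that go wrong most often with these policies: ListBucket granted only on `bucket/*` (it is a bucket-level action and needs the bare bucket ARN), a catch-all like `s3:*` that lets the connector delete recordings, and a trailing `*` on the bucket ARN that silently reaches any bucket whose name starts with yours. The bucket name, the 123456789012 account ID, the user ARN and the object key are all made up, and `is_allowed()` ignores Principal, Condition and NotAction by design.

```python
"""Build and audit the least-privilege S3 policy for a Kazoo call-recording bucket.

Added example, not 2600hz/Kazoo code. Bucket name, account ID, user ARN and object
key are constructed; is_allowed() is a small subset of IAM evaluation (Action and
Resource only; Principal, Condition and NotAction are not modelled).
"""
import json
import re

# What the connector needs. ListBucket is a bucket-level action and must be granted
# on the bucket ARN itself; Get/PutObject are object-level and need the "/*" ARN.
REQUIRED = {
    "s3:ListBucket": "bucket",
    "s3:GetObject": "objects",
    "s3:PutObject": "objects",
}
# What a recording connector must never be able to do.
FORBIDDEN = ("s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl")


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def build_identity_policy(bucket):
    """IAM policy for the connector's user: three actions, one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED),
            "Resource": [bucket_arn(bucket), bucket_arn(bucket) + "/*"],
        }],
    }


def build_bucket_policy(bucket, user_arn):
    """Resource-side twin of the identity policy, naming the user as Principal."""
    policy = build_identity_policy(bucket)
    policy["Statement"][0]["Principal"] = {"AWS": user_arn}
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def is_allowed(policy, action, resource):
    """Explicit Deny wins, otherwise any matching Allow, otherwise implicit deny.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit(policy, bucket):
    """Findings for one bucket; an empty list means the policy is least-privilege for it."""
    findings = []
    targets = {"bucket": bucket_arn(bucket),
               "objects": bucket_arn(bucket) + "/recordings/call.mp3"}  # constructed key
    for action, scope in REQUIRED.items():
        if not is_allowed(policy, action, targets[scope]):
            findings.append(f"missing: {action} on {targets[scope]}")
    for action in FORBIDDEN:
        for target in targets.values():
            if is_allowed(policy, action, target):
                findings.append(f"excess: {action} on {target}")
    # A sibling bucket whose name merely starts with ours must be out of reach; a
    # trailing '*' on the bucket ARN ("arn:aws:s3:::name*") is the usual way this leaks.
    sibling = bucket_arn(bucket + "-other")
    for action in REQUIRED:
        for target in (sibling, sibling + "/recordings/call.mp3"):
            if is_allowed(policy, action, target):
                findings.append(f"leak: {action} on {target}")
    return findings


if __name__ == "__main__":
    bucket = "example-kazoo-recordings"  # constructed name
    print(json.dumps(build_bucket_policy(bucket, "arn:aws:iam::123456789012:user/kazoo"), indent=4))
    print("good policy findings:", audit(build_identity_policy(bucket), bucket))
    sloppy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": f"arn:aws:s3:::{bucket}*"}]}
    print("sloppy policy findings:", *audit(sloppy, bucket), sep="\n  ")
```

Because `is_allowed()` ignores Principal, `audit()` can be pointed at the `PolicyDocument` from the CloudFormation template as well as at the IAM policy. It is a pre-flight check, not the real evaluator: for an authoritative answer on a deployed user, run `aws iam simulate-principal-policy` with the user's ARN, the three action names and both bucket ARNs, and confirm that `s3:DeleteObject` comes back as implicitDeny.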