Rick Guyton, posted December 4, 2019 (edited)

Hi all! I'm sure no one else has done this... But, to get things done, I initially set up a few customer accounts with root AWS access keys to get their call recording going. Needless to say, that's super dangerous. So, I recently invested the time to find the minimal possible permissions to provision an account with AWS. And I thought I might as well share.

This assumes you will be assigning each customer a separate bucket. Technically, you could put all your clients into a single bucket. But, that makes the permissions much harder.

So, here are the step by step directions. They look really long, but it really is very easy, these are just very detailed instructions:

SETUP AN S3 BUCKET

1) Log into your AWS portal and access the S3 app
2) Click Create Bucket
3) Enter a new bucket name. Doesn't matter what it is, but write it down somewhere
4) US West (N. California) for your region
5) Next through the remaining panes and create the bucket. You should read through them and make sure they meet your needs. I especially recommend enabling the "Block ALL public access" option.

SETUP AN IAM USER

1) Access the IAM app
2) Click Add User
3) Enter a new username
4) Check Programmatic access
5) In the next pane, select Attach existing policies directly and then select create policy
6) This will open a new tab for you to enter your policy into. Click the JSON tab and enter this, replacing "BUCKET_NAME_HERE" with your bucket name from above. Then, click review policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME_HERE/*",
        "arn:aws:s3:::BUCKET_NAME_HERE"
      ]
    }
  ]
}

7) Name your policy and click create policy
8) Back on your IAM tab, click refresh, enter the name of the policy you assigned in step 7 in the search, check it and press next
9) The next two pages are for tagging and review, you can just leave them blank and click create user.
10) On the next page, you will get your access key and secret access key. SAVE THESE! You need them to input into your connector
11) Back in the main page for IAM, click Users, and click on your user account. Save the ARN shown

BUCKET POLICY

1) Go back into your S3 app and click on your bucket
2) Click permissions, then bucket policy and enter this JSON. Update your bucket name and ARN. Then save.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ARN_FOR_IAM_USER_HERE"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME_HERE/*",
        "arn:aws:s3:::BUCKET_NAME_HERE"
      ]
    }
  ]
}

AWS APP IN KAZOO

1) Now, just enter your AWS info as collected above. If you used the region I recommended above, your host is s3-us-west-1.amazonaws.com.

That's it! If anyone has any feedback, I'd love to hear. I hope you all find it useful!

Edited January 16, 2020 by Rick Guyton
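The two policy documents in the post are the same statement seen from two sides: an identity policy on the IAM user and a resource policy on the bucket, both scoped to one bucket and the three S3 actions the recording connector needs. The script below is an added example, not code from the post or from 2600hz/Kazoo. It renders both documents from a bucket name and user ARN, and adds a small review function that flags grants broader than that scope (wildcard actions, actions outside the required set, resources outside the bucket, an unrestricted principal), which is the check to run before pasting a policy into the console. The bucket name and account/user ARN used in the usage section are constructed sample values.

```python
"""Render and review the least-privilege S3 policies described in the post.

Added example (not from the original post or from 2600hz/Kazoo).  Bucket name
and IAM user ARN in __main__ are constructed sample values.
"""
import json

# The only S3 actions the call-recording connector needs, per the post.
REQUIRED_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:GetObject"}


def bucket_arns(bucket):
    """ARNs for the bucket itself (ListBucket) and for its objects (Get/PutObject)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def iam_user_policy(bucket):
    """Identity policy attached to the IAM user (step 6 of SETUP AN IAM USER)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": bucket_arns(bucket),
        }],
    }


def bucket_policy(bucket, user_arn):
    """Resource policy on the bucket (BUCKET POLICY step 2): same grant, but
    limited to the one IAM principal that the connector uses."""
    doc = iam_user_policy(bucket)
    doc["Statement"][0]["Principal"] = {"AWS": user_arn}
    return doc


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def review_policy(doc, bucket):
    """Return a list of findings; an empty list means every Allow statement stays
    within the scope the post recommends for this bucket."""
    findings = []
    in_scope = set(bucket_arns(bucket))
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"statement {i}: unneeded action {action!r}")
        for res in _as_list(st.get("Resource", [])):
            if res not in in_scope:
                findings.append(f"statement {i}: resource {res!r} is outside bucket {bucket!r}")
        principal = st.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            findings.append(f"statement {i}: principal is unrestricted ('*')")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket name and user ARN.
    bucket = "example-tenant-recordings"
    user_arn = "arn:aws:iam::123456789012:user/example-kazoo-user"
    for name, doc in (("IAM user policy", iam_user_policy(bucket)),
                      ("Bucket policy", bucket_policy(bucket, user_arn))):
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
        print("findings:", review_policy(doc, bucket) or "none")
```

Note what this check can and cannot see: it catches a policy that was widened to `s3:*` or `Resource: "*"` (the usual shortcut when a connector "won't connect"), but a root access key has no policy document at all, so the only defence against the original mistake is never to hand one out. The review runs on the parsed JSON and so applies unchanged to a policy exported from the console or rendered from a template.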
Karl Stallknecht, posted December 4, 2019

This is awesome!! Thanks!! I originally set up using root access as well because I couldn't figure out how to assign permissions properly (I tried and 2600hz wouldn't connect). I'll follow your advice to fix this!
Rick Guyton (author), posted December 4, 2019

5 minutes ago, Karl Stallknecht said: This is awesome!! Thanks!! I originally set up using root access as well because I couldn't figure out how to assign permissions properly (I tried and 2600hz wouldn't connect). I'll follow your advice to fix this!

Hey Karl! Glad I could help out! I had a feeling a few others probably just gave root creds...
safarov, posted December 15, 2022

I have prepared an AWS CloudFormation stack. This allows making the required configuration. Just upload the text file in AWS CloudFormation and then generate a token in the IAM app.

CloudFormation stack

Description: >-
  Stack creates an S3 bucket for Kazoo recordings and configures access permission
Resources:
  ################################################
  # IAM Users
  ################################################
  UserKazoo:
    Type: AWS::IAM::User
    Properties:
      UserName: kazoo
  ################################################
  # S3 Bucket
  ################################################
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: 278544129100-kazoo
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: DefaultRule
            Status: Enabled
            ExpirationInDays: 40
            Transitions:
              - TransitionInDays: 10
                StorageClass: GLACIER
          # - Id: Tenant-XXX
          #   Status: Enabled
          #   Prefix: 'subfolder'
          #   ExpirationInDays: 40
          #   Transitions:
          #     - TransitionInDays: 10
          #       StorageClass: GLACIER
  ################################################
  # S3 Policy
  ################################################
  PolicyKazoo:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Id: S3ForKazoo
        Statement:
          - Action:
              - 's3:ListBucket'
              - 's3:PutObject'
              - 's3:GetObject'
            Effect: Allow
            Resource:
              - !Sub arn:aws:s3:::${S3Bucket}
              - !Sub arn:aws:s3:::${S3Bucket}/*
            Principal:
              AWS:
                - !GetAtt UserKazoo.Arn