2600Hz Community

AWS connector with lowest possible permissions


Rick Guyton

Hi all!

I'm sure no one else has done this... But, to get things done, I initially set up a few customer accounts with root AWS access keys to get their call recording going. Needless to say, that's super dangerous. So, I recently invested the time to find the minimal possible permissions to provision an account with AWS. And I thought I might as well share. This assumes you will be assigning each customer a separate bucket. Technically, you could put all your clients into a single bucket. But, that makes the permissions much harder.

So, here's the step-by-step directions. They look really long, but it really is very easy; these are just very detailed instructions:

SETUP AN S3 BUCKET

1) Log into your AWS portal and access the S3 app

2) Click Create Bucket

3) Enter a new bucket name. Doesn't matter what it is, but write it down somewhere

4) Select US West (N. California) for your region

5) Next through the remaining panes and create the bucket. You should read through them and make sure they meet your needs. I especially recommend enabling the "Block ALL public access" option.

SETUP AN IAM USER

1) Access the IAM app

2) Click Add User

3) Enter a new username

4) Check Programmatic access


5) In the next pane, select Attach existing policies directly and then select create policy


6) This will open a new tab for you to enter your policy into. Click the JSON tab, enter this, and replace "BUCKET_NAME_HERE" with your bucket name from above. Then, click review policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME_HERE/*",
                "arn:aws:s3:::BUCKET_NAME_HERE"
            ]
        }
    ]
}


7) Name your policy and click create policy


8) Back on your IAM tab, click refresh, enter the name of the policy you assigned in step 7 in the search box, check it and press next

9) The next two pages are for tagging and review, you can just leave them blank and click create user.

10) On the next page, you will get your access key and secret access key. SAVE THESE! You need them to input into your connector

11) Back in the main page for IAM, click Users, and click on your user account. Save the ARN shown


BUCKET POLICY

1) Go back into your S3 app and click on your bucket

2) Click permissions, then bucket policy and enter this JSON. Update your bucket name and ARN. Then save.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "ARN_FOR_IAM_USER_HERE"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME_HERE/*",
                "arn:aws:s3:::BUCKET_NAME_HERE"
            ]
        }
    ]
}


AWS APP In Kazoo

1) Now, just enter your AWS info as collected above. If you used the region I recommended above, your host is s3-us-west-1.amazonaws.com.


That's it! If anyone has any feedback, I'd love to hear. I hope you all find it useful!

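An added example (not part of the original post, and not 2600Hz/Kazoo code) that generates the two policy documents from the post for a given bucket name and IAM user ARN, and runs the identity policy through a deliberately simplified IAM evaluator to confirm what the user can and cannot do: read, write and list its own bucket only, no deletes, no access to any other bucket. The bucket name customer-acme-recordings, the account id 123456789012 and the user name kazoo-acme are made-up placeholders; the evaluator models Allow/Deny with wildcard matching on one policy document and ignores conditions, NotAction and the rest of real IAM.

```python
"""Least-privilege S3 policies for a per-customer call-recording bucket.

Added example, not code from the original post or from 2600Hz/Kazoo.
Generates the identity policy (for the IAM user) and the bucket policy
(for the bucket) shown in the post, then checks them with a simplified
IAM evaluator.  All names and ids below are constructed placeholders.
"""
import fnmatch
import json

# The three actions the post grants; nothing else (no Delete, no ListAllMyBuckets).
S3_ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject"]


def bucket_resources(bucket):
    """Object ARN pattern plus the bucket ARN itself (ListBucket needs the latter)."""
    return [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]


def identity_policy(bucket):
    """Identity-based policy to attach to the customer's IAM user (step 6)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(S3_ACTIONS),
                       "Resource": bucket_resources(bucket)}],
    }


def bucket_policy(bucket, user_arn):
    """Resource-based policy for the bucket, limited to that one IAM user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": user_arn},
                       "Action": list(S3_ACTIONS),
                       "Resource": bucket_resources(bucket)}],
    }


def render(policy):
    """JSON in the form the console's JSON tab (or the AWS CLI) accepts."""
    return json.dumps(policy, indent=4)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM decision for one policy document.

    Explicit Deny wins over any Allow; no matching Allow is an implicit deny.
    Actions match case-insensitively, resources case-sensitively; '*' and '?'
    are wildcards.  Conditions, NotAction/NotResource etc. are not modelled.
    """
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def least_privilege_report(bucket, other_bucket):
    """What the generated identity policy does and does not let the user do."""
    policy = identity_policy(bucket)
    own = f"arn:aws:s3:::{bucket}"
    other = f"arn:aws:s3:::{other_bucket}"
    return {
        "put_own_object": is_allowed(policy, "s3:PutObject", f"{own}/call-0001.mp3"),
        "get_own_object": is_allowed(policy, "s3:GetObject", f"{own}/call-0001.mp3"),
        "list_own_bucket": is_allowed(policy, "s3:ListBucket", own),
        "delete_own_object": is_allowed(policy, "s3:DeleteObject", f"{own}/call-0001.mp3"),
        "put_other_bucket": is_allowed(policy, "s3:PutObject", f"{other}/call-0001.mp3"),
        "list_other_bucket": is_allowed(policy, "s3:ListBucket", other),
        "list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "*"),
    }


if __name__ == "__main__":
    # Constructed placeholders: use your own bucket name and the user ARN
    # shown on the IAM user's page (step 11 of the post).
    bucket = "customer-acme-recordings"
    user_arn = "arn:aws:iam::123456789012:user/kazoo-acme"
    print(render(identity_policy(bucket)))
    print(render(bucket_policy(bucket, user_arn)))
    # A bucket whose name merely starts with ours must still be off limits.
    for check, ok in least_privilege_report(bucket, bucket + "-old").items():
        print(f"{check:20s} {'ALLOW' if ok else 'deny'}")
```

The output of render() is what goes into the JSON tab in step 6 and into the bucket policy editor; with the AWS CLI the same documents go to `aws iam create-policy --policy-name NAME --policy-document file://policy.json` and `aws s3api put-bucket-policy --bucket BUCKET --policy file://bucket-policy.json`. Two things worth knowing: within a single AWS account the identity policy alone already grants this access, so the bucket policy is belt and braces (it only becomes necessary for a principal from another account); and because the user is never granted s3:ListAllMyBuckets, any client that starts by listing all buckets will be denied, so the connector has to be pointed at the bucket by name. For an authoritative answer on what a real policy allows, use the IAM Policy Simulator rather than this model.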

5 minutes ago, Karl Stallknecht said:

This is awesome!! Thanks!! I originally set up using root access as well because I couldn't figure out how to assign permissions properly (I tried and 2600hz wouldn't connect). I'll follow your advice to fix this!

Hey Karl! Glad I could help out! I had a feeling a few others probably just gave root creds...
