User Story

  • Reseller wants to store recordings on Amazon Web Services while ensuring the service account is given as few permissions as possible.
  • Reseller is looking for a solution that helps ensure strong encryption is implemented for the call recording feature and that connects this storage account to a specific KAZOO account.
  • Reseller plans to assign each account a unique “bucket” with its own unique credentials.

Before you Start

  • Sign up for and log in to your Amazon Web Services account.  If you don’t have one already, you can get started on their website here:  https://aws.amazon.com/

Quick Overview of Steps

  1. Set up an account with Amazon Web Services
  2. Decide what clients and client names to use for each bucket
  3. Create bucket names for each client and define settings
  4. Create user names for each client
  5. Add JSON IAM policy and permissions
  6. Add JSON Bucket policy and permissions
  7. Capture your Access Key ID, Secret Access Key, and Bucket Name
  8. Open the AWS app
  9. Create a new AWS account in KAZOO and enter that information.

Set up an S3 Bucket

An Amazon S3 (Simple Storage Service) bucket is Amazon’s term for a place you define to store your data and its metadata.  It is the equivalent of a file folder with your company identifier on it.

  1. From your AWS portal, access the S3 application
  2. Select Create Bucket
  3. Enter a new Bucket name.  You will repeat this for every client, since each client gets its own bucket.
  4. The Region field can be left blank; AWS will use the account default.

    [Image: RG-AWS create bucket.png]

  5. Click NEXT and page through the remaining settings options.   We recommend enabling the “Block ALL public access” option.

Set up an IAM User

An IAM (Identity and Access Management) user is an identity, with its own credentials, that you create in AWS to represent the person or application that uses it to interact with AWS. An IAM user with administrator permissions is not the same thing as the AWS account root user.

  1. From your AWS portal, access the IAM application
  2. Select Add User

    [Image: RG-AWS add user.png]

  3. Enter a new username.  This will likely be your client name or client reference.
  4. Check the Programmatic Access box under Access Type
  5. Select NEXT
  6. Under Set Permissions, select “Attach existing policies directly” 

    [Image: RG-AWS set permission.png]

  7. Select Create Policy
    This will open a new tab for you to enter your policy details into. A policy defines the AWS permissions that you can assign to a user, group, or role.  You can create and edit a policy in the visual editor or using JSON. For this example we will use JSON.
     
  8. Copy the text below.  Replace the “BUCKET_NAME_HERE” text string (in both Resource entries) with the bucket name you entered earlier.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::BUCKET_NAME_HERE/*",
                    "arn:aws:s3:::BUCKET_NAME_HERE"
                ]
            }
        ]
    }

     

     It will look something like this:

    [Image: RG-AWS enter policy and review.png]


  9. Review Policy
    Select Review Policy using the button at the bottom right.  
     
  10. Return to the IAM tab and refresh your screen using the refresh button to the right (circled in red).

    [Image: RG-AWS refresh and select new policy.png]


    • Enter the name of the policy in the search field and select the checkbox to the left of the policy name to attach it.
    • Select NEXT
  11. On the Set permissions boundary page, select NEXT: Tags.

    The next two pages are for tagging and review; you can leave them blank and click Create user.

    • Your access key ID and secret access key will be displayed.
      SAVE these!  You will need to add them to your connector app, and AWS shows the secret access key only once.


      [Image: RG-AWS secret access key dialog.png]


  12. Return to the main page for IAM  

    • Click Users, then click on your user account. Save the Amazon Resource Name (ARN) shown; this is the identifier Amazon recognizes. (For more info on ARNs, see HERE.)

      [Image: RG-AWS arn path.png]


  13. Enter your bucket policy
    Return to the S3 app and select the bucket you want to add a policy to.

    [Image: RG-AWS bucket policy add.png]


  • Click on Permissions
  • Click on Bucket Policy
  • Copy / paste the code below


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "ARN_FOR_IAM_USER_HERE"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
               "arn:aws:s3:::BUCKET_NAME_HERE/*",
               "arn:aws:s3:::BUCKET_NAME_HERE"
            ]
        }
    ]
}

Update your bucket name (both Resource entries) and the IAM user ARN (the Principal) in the policy (see highlighted areas), then SAVE!

You should see confirmation of your updates here.
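The two JSON policies above (step 8 for the IAM user and step 13 for the bucket) are easy to get subtly wrong: a placeholder left in place, an action widened to "s3:*", a resource of "*", or a Principal of "*" that silently makes the bucket public. The following script is an added example, not 2600Hz's or Amazon's code; it generates both policies for one client and checks that each stays as tight as the guide intends. The bucket name, the account ID 123456789012 and the user name are constructed sample values.

```python
import json
import re

# Constructed sample values for this example (not real AWS identifiers).
SAMPLE_BUCKET = "example-client-recordings"
SAMPLE_USER_ARN = "arn:aws:iam::123456789012:user/example-client"

# The only three actions the guide grants: list the bucket, write and read objects.
ALLOWED_ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject"]
PLACEHOLDERS = ("BUCKET_NAME_HERE", "ARN_FOR_IAM_USER_HERE")

# Subset of the S3 bucket naming rules: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit, no "..".
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_bucket_name(name):
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name


def bucket_resources(bucket):
    # Object-level ARN (Get/PutObject) and bucket-level ARN (ListBucket).
    return [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]


def iam_policy(bucket):
    """Identity policy for the client's IAM user, in the shape the guide uses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(ALLOWED_ACTIONS),
            "Resource": bucket_resources(bucket),
        }],
    }


def bucket_policy(bucket, user_arn):
    """Resource policy on the bucket, pinned to exactly one IAM user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": list(ALLOWED_ACTIONS),
            "Resource": bucket_resources(bucket),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_least_privilege(policy, bucket, expected_principal=None):
    """Return a list of findings; an empty list means the policy matches the guide's intent."""
    findings = []
    expected_resources = set(bucket_resources(bucket))
    text = json.dumps(policy)
    for placeholder in PLACEHOLDERS:
        if placeholder in text:
            findings.append(f"placeholder {placeholder} was not replaced")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith("*"):
                findings.append(f"wildcard action {action}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"action beyond the recording use case: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in expected_resources:
                findings.append(f"resource not scoped to bucket {bucket}: {resource}")
        if "Principal" in stmt:
            principal = stmt["Principal"]
            aws = principal if isinstance(principal, str) else principal.get("AWS", "")
            if "*" in _as_list(aws):
                findings.append("Principal * makes the bucket public")
            elif expected_principal and _as_list(aws) != [expected_principal]:
                findings.append(f"Principal is not the client's user: {aws}")
    return findings


if __name__ == "__main__":
    print(json.dumps(iam_policy(SAMPLE_BUCKET), indent=4))
    print(json.dumps(bucket_policy(SAMPLE_BUCKET, SAMPLE_USER_ARN), indent=4))
    print(check_least_privilege(bucket_policy(SAMPLE_BUCKET, SAMPLE_USER_ARN),
                                SAMPLE_BUCKET, SAMPLE_USER_ARN))
```

Run it once per client with that client's bucket name and user ARN; paste the printed JSON into the policy editors. Running `check_least_privilege` on a policy copied back out of the console is a quick way to confirm nobody widened it later.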

[Image: RG-AWS Bucket Policy review.png]


Enter saved data into your AWS Connector App in KAZOO

  • Click on AWS Connector from your Apps listing



NOTE:  If you can’t find it right away, use the Search Apps field at the left of the screen.


  • Click Add AWS Account


Enter your saved account details

NOTE


Frequently Asked Questions

When is it important to assign an AWS account to a client?
AWS offers encrypted storage, which is often required for HIPAA compliance and by other clients who are concerned about privacy.  It also provides automatic backup services that give your client's files additional redundancy.   If your client is concerned about strong encryption and security, this is an option to consider.


What are Bucket and IAM policies?
Below is an overview provided by Amazon:

IAM policies specify what actions are allowed or denied on what AWS resources (e.g. allow ec2:TerminateInstance on the EC2 instance with instance_id=i-8b3620ec). You attach IAM policies to IAM users, groups, or roles, which are then subject to the permissions you’ve defined. In other words, IAM policies define what a principal can do in your AWS environment.

S3 bucket policies, on the other hand, are attached only to S3 buckets. S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to (e.g. allow user Alice to PUT but not DELETE objects in the bucket). 

Note: You attach S3 bucket policies at the bucket level (i.e. you can’t attach a bucket policy to an S3 object), but the permissions specified in the bucket policy apply to all the objects in the bucket.

IAM policies and S3 bucket policies are both used for access control and they’re both written in JSON using the AWS access policy language, so they can be confused.  
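The practical consequence of the overview above is the evaluation order: an explicit Deny in either policy wins, and for a user in the same account as the bucket an Allow from either the IAM policy or the bucket policy is enough, which is why the guide pins the bucket policy to one user's ARN rather than to "*". The following script is an added example, not 2600Hz's or Amazon's code: a deliberately simplified model of that evaluation logic (it ignores Condition elements, service control policies, permissions boundaries and session policies) run against the two policies the guide builds. The bucket name and the ARNs under account 123456789012 are constructed sample values.

```python
import re

# Constructed sample values (not real AWS identifiers).
BUCKET = "example-client-recordings"
USER_ARN = "arn:aws:iam::123456789012:user/example-client"
OTHER_USER_ARN = "arn:aws:iam::123456789012:user/someone-else"
RESOURCES = [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]
ACTIONS = ["s3:ListBucket", "s3:PutObject", "s3:GetObject"]

# The identity policy from the guide, attached to the client's IAM user.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": RESOURCES}],
}

# The bucket policy from the guide, pinned to that user's ARN.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": ACTIONS,
        "Resource": RESOURCES,
    }],
}

# A user with no identity policy at all (e.g. a freshly created one).
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """Match the * and ? wildcards the policy language allows in Action, Resource and Principal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _statement_applies(stmt, principal_arn, action, resource):
    if "Principal" in stmt:  # only resource policies name a principal
        p = stmt["Principal"]
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(_glob(x, principal_arn) for x in principals):
            return False
    return (any(_glob(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))))


def _decisions(policy, principal_arn, action, resource):
    allow = deny = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    return allow, deny


def evaluate(identity_policy, resource_policy, principal_arn, action, resource, same_account=True):
    """Simplified AWS policy evaluation: an explicit Deny anywhere wins; within one
    account an Allow from either policy suffices; across accounts both must Allow.
    Conditions, SCPs, permissions boundaries and session policies are ignored."""
    id_allow, id_deny = _decisions(identity_policy, principal_arn, action, resource)
    rp_allow, rp_deny = _decisions(resource_policy, principal_arn, action, resource)
    if id_deny or rp_deny:
        return "Deny"
    granted = (id_allow or rp_allow) if same_account else (id_allow and rp_allow)
    return "Allow" if granted else "Deny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/call-123.mp3"
    for action in ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]:
        print(action, evaluate(IDENTITY_POLICY, BUCKET_POLICY, USER_ARN, action, obj))
```

Two cases are worth trying: a same-account user with an empty identity policy is still allowed by the bucket policy alone, and the same request evaluated with `same_account=False` is denied because cross-account access needs an Allow on both sides.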

Related Articles

    Accounts Manager Wizard

    Notes on HIPAA Compliance Responsibilities

    API Reference
    docs.2600hz.com: REST API Reference for Kazoo Crossbar API

2600Hz Employees
Posted

    10 hours ago, Emily R said:
    If you used the West Region as noted earlier, your host is s3us-west-1.amazonaws.com.

You don't need to provide the "host" if you're using AWS. The "host" is used for S3-compatible servers like MinIO or when CNAMEs are used.
