This guide describes creating an S3 bucket to export interaction content into. It then describes configuring AWS permissions that enable the Interaction Content Export API to export the interaction content from VCC into the S3 bucket.
Creating an S3 bucket and getting its ARN
Amazon S3 is an object storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.
...
Info: AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. For information about creating a KMS key using the AWS Management Console, see Creating keys (console) (AWS help). To find the ARN, go to Amazon KMS and, within Customer Managed Keys, locate your created key. The key's ARN will be in the General configuration section.
After creating the bucket, you must then find its Amazon Resource Name (ARN), which uniquely identifies the AWS resource. To find the ARN, go to Amazon S3 and, within Buckets, locate your created bucket. The bucket's ARN will be in the Properties section.
...
Using Amazon's Identity and Access Management (IAM) to manage access to the S3 bucket
You manage permissions in AWS by creating IAM policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. IAM policies define permissions required to perform an action.
Creating an IAM policy
You need to create a policy that will allow a user to transfer data from VCC to your bucket. For information about creating an IAM policy using the AWS Management Console, see Creating IAM policies (console) (AWS help).
Using the JSON method, provide the following JSON file, replacing the placeholders in braces ({}) with the applicable values from the S3 bucket you created. If the bucket won't use encryption, remove the JSON object that starts with the Sid property from the Statement array:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "{customer-bucket-arn}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "{customer-bucket-arn}",
        "{customer-bucket-arn}/*"
      ]
    },
    {
      "Sid": "KMSpermissions",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKeyPair",
        "kms:ReEncryptFrom",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKeyPairWithoutPlaintext",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:DescribeKey"
      ],
      "Resource": "{customer-kms-arn}"
    }
  ]
}
```
...
customer-bucket-arn with the bucket's ARN.
customer-kms-arn with the KMS key's ARN.
Name and save your new policy.
...
Creating an IAM role and getting its ARN
An IAM role is an IAM identity, with specific permissions, that you can create in your account.
You need to create a role that will be connected to the IAM policy created earlier. For information about creating an IAM role using the AWS Management Console, see Creating a role using custom trust policies (console) (AWS help).
Using the AWS account, provide the following JSON file, replacing braces ({}) with applicable values from the S3 bucket you created:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "{primary-service}",
          "{secondary-service}"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
...
After creating the role, you must then find its Amazon Resource Name (ARN), which uniquely identifies the role. To find the ARN, go to Amazon S3 and, within Roles, locate your created role. The role's ARN will be in the Summary section. You must use this role's ARN when you create an external storage item for your S3 bucket using the Interaction Content Export API. For information about creating an external storage item, see Create an external storage item.
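A pre-flight check for filled-in copies of the two policies above, added here as an example (it is not part of the original guide or of any vendor tooling). It flags placeholders left in braces, resources that are not a bucket or KMS key ARN, a PutObjectAcl statement missing the bucket-owner-full-control condition, and wildcard or unfilled principals in the trust policy. The function names and sample ARNs are constructed for illustration.

```python
import json
import re

PLACEHOLDER = re.compile(r"\{[a-z-]+\}")  # e.g. {customer-bucket-arn}
S3_ARN = re.compile(r"^arn:aws[a-z-]*:s3:::[a-z0-9.-]{3,63}(/\*)?$")
KMS_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-z-]+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_permissions_policy(policy):
    """Findings for a filled-in copy of the permissions policy."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = as_list(stmt["Action"])
        # KMS statements must point at a key ARN, S3 statements at the bucket.
        arn_re = KMS_ARN if any(a.startswith("kms:") for a in actions) else S3_ARN
        for res in as_list(stmt["Resource"]):
            if PLACEHOLDER.search(res):
                findings.append(f"statement {i}: placeholder left in {res!r}")
            elif not arn_re.match(res):
                findings.append(f"statement {i}: unexpected resource {res!r}")
        if "s3:PutObjectAcl" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"statement {i}: PutObjectAcl lacks the ACL condition")
    return findings

def lint_trust_policy(policy):
    """Findings for a filled-in copy of the role's trust policy."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in as_list(aws):
            if p == "*" or PLACEHOLDER.search(p):
                findings.append(f"statement {i}: principal {p!r} is not a specific identity")
    return findings

# Constructed sample with three deliberate mistakes (not real resources).
BUCKET = "arn:aws:s3:::example-export-bucket"
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "%s/*"},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["%s", "{customer-bucket-arn}/*"]},
  {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}""" % (BUCKET, BUCKET))

if __name__ == "__main__":
    for finding in lint_permissions_policy(SAMPLE):
        print(finding)
```

An empty list from both functions means none of these mistakes was found; it does not validate that the ARNs refer to resources that exist.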