
This guide describes creating an S3 bucket to export interaction content into. It then describes configuring AWS permissions that enable the Interaction Content Export API to export the interaction content from VCC into the S3 bucket.

Creating an S3 bucket and getting its ARN

Amazon S3 is an object storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects. 

Start by creating an S3 bucket that can store exported interaction content data. It is recommended that you encrypt this bucket using AWS Key Management Service (KMS).

Creating a KMS key and getting its ARN

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data.

For information about creating a KMS key using the AWS Management Console, see Creating keys (console) (AWS help).

To find the ARN, go to Amazon KMS and — within Customer Managed Keys — locate your created key. The key's ARN will be in the General configuration section.

After creating the bucket, find its Amazon Resource Name (ARN), which uniquely identifies the AWS resource. To find the ARN, go to Amazon S3 and — within Buckets — locate your created bucket. The bucket's ARN is in the Properties section.

You'll need the ARN of the bucket — and the KMS key's ARN if you encrypted the bucket — to create the IAM policy in the Creating an IAM policy section later in this page.

Using Amazon's Identity and Access Management (IAM) to manage access to the S3 bucket

You manage permissions in AWS by creating IAM policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. IAM policies define permissions required to perform an action.

Creating an IAM policy

You need to create a policy that will allow a user to transfer data from VCC to your bucket. For information about creating an IAM policy using the AWS Management Console, see Creating IAM policies (console) (AWS help).

Using the JSON method, provide the following JSON, replacing the values in braces ({}) with the applicable values for the S3 bucket you created. If the bucket will not use encryption, remove the JSON object whose Sid is KMSpermissions from the Statement array:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "{customer-bucket-arn}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "{customer-bucket-arn}",
                "{customer-bucket-arn}/*"
            ]
        },
        {
            "Sid": "KMSpermissions",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKeyPair",
                "kms:ReEncryptFrom",
                "kms:Decrypt",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:GenerateDataKeyPairWithoutPlaintext",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ReEncryptTo",
                "kms:DescribeKey"
            ],
            "Resource": "{customer-kms-arn}"
        }
    ]
}

Replace:

  • customer-bucket-arn with the bucket's ARN.
  • customer-kms-arn with the KMS key's ARN.

Name and save your new policy.

You'll need the name of your IAM policy in the Creating an IAM role and getting its ARN section later in this page.

Creating an IAM role and getting its ARN

An IAM role is an IAM identity, with specific permissions, that you can create in your account.

You need to create a role that will be connected to the IAM policy created earlier. For information about creating an IAM role using the AWS Management Console, see Creating a role using custom trust policies (console) (AWS help).

Provide the following JSON as the role's custom trust policy, replacing the values in braces ({}) as described after the JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "{primary-service}",
                    "{secondary-service}"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Replace primary-service and secondary-service with the values in the following table. Use the values for the region that your VCC account is in.

Region: APAC
  • primary-service: arn:aws:iam::496745973653:role/prd-apac-syd-app01-ecs-task-interaction-content-export-wd4
  • secondary-service: arn:aws:iam::496745973653:role/prd-apac-syd-app01-ecs-task-interaction-content-export-wd4

Region: EMEA
  • primary-service: arn:aws:iam::382688127288:role/prd-emea-lon-app01-ecs-task-interaction-content-export-7xf
  • secondary-service: arn:aws:iam::382688127288:role/prd-emea-fra-app01-ecs-task-interaction-content-export-21r

Region: NAM
  • primary-service: arn:aws:iam::048768717337:role/prd-nam-ric-app01-ecs-task-interaction-content-export-77z
  • secondary-service: arn:aws:iam::048768717337:role/prd-nam-pdx-app01-ecs-task-interaction-content-export-wy9

When asked to set permissions, search for the policy name you created and assign it. Then name and save the role.

After creating the role, find its Amazon Resource Name (ARN), which uniquely identifies the role. To find the ARN, go to Amazon S3 and — within Roles — locate your created role. The role's ARN is in the Summary section. You must use this role's ARN when you create an external storage item for your S3 bucket using the Interaction Content Export API. For information about creating an external storage item, see Create an external storage item.
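To check both policy documents before pasting them into the console, here is an added Python example (not part of this page or of the Interaction Content Export API) that renders the permission policy and the role trust policy from your bucket ARN, an optional KMS key ARN and your VCC region, and rejects malformed ARNs or an unknown region. The function names are hypothetical; the principal ARNs are copied from the region table above.

```python
# Added example, not from the original page: renders the permission policy and
# the role trust policy shown above from a bucket ARN, an optional KMS key ARN
# and the VCC region, validating the ARN formats first. Function names are
# hypothetical; the principal ARNs are copied from the region table.
import re

BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# primary-service and secondary-service per region, from the table on this page.
EXPORT_PRINCIPALS = {
    "APAC": ["arn:aws:iam::496745973653:role/prd-apac-syd-app01-ecs-task-interaction-content-export-wd4",
             "arn:aws:iam::496745973653:role/prd-apac-syd-app01-ecs-task-interaction-content-export-wd4"],
    "EMEA": ["arn:aws:iam::382688127288:role/prd-emea-lon-app01-ecs-task-interaction-content-export-7xf",
             "arn:aws:iam::382688127288:role/prd-emea-fra-app01-ecs-task-interaction-content-export-21r"],
    "NAM": ["arn:aws:iam::048768717337:role/prd-nam-ric-app01-ecs-task-interaction-content-export-77z",
            "arn:aws:iam::048768717337:role/prd-nam-pdx-app01-ecs-task-interaction-content-export-wy9"],
}
KMS_ACTIONS = ["kms:GenerateDataKeyPair", "kms:ReEncryptFrom", "kms:Decrypt",
               "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateDataKeyPairWithoutPlaintext",
               "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncryptTo", "kms:DescribeKey"]


def permission_policy(bucket_arn, kms_arn=None):
    """Policy for the export role; the KMS statement is emitted only when a key ARN is given."""
    if not BUCKET_ARN_RE.match(bucket_arn):
        raise ValueError("not an S3 bucket ARN: " + bucket_arn)
    statements = [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": bucket_arn + "/*",
         # Every exported object must grant the bucket owner full control.
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": [bucket_arn, bucket_arn + "/*"]},
    ]
    if kms_arn is not None:
        if not KMS_ARN_RE.match(kms_arn):
            raise ValueError("not a KMS key ARN: " + kms_arn)
        statements.append({"Sid": "KMSpermissions", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": kms_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(region):
    """Trust policy that lets only the two VCC export roles for one region assume the role."""
    if region not in EXPORT_PRINCIPALS:
        raise ValueError("unknown VCC region: " + region)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": EXPORT_PRINCIPALS[region]},
         "Action": "sts:AssumeRole", "Condition": {}}]}
```

Pass the returned dicts through json.dumps(..., indent=4) to get text you can paste into the console's JSON editor.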
