Create IAM resources for AWS S3 bucket

Note: This article applies to the AWS S3 recording bulk actions integration.

To access AWS S3 functions, Genesys Cloud must have permission to use resources in your Amazon Web Services (AWS) account. This procedure explains how to create a policy, create an IAM role in AWS, and attach this role to the policy. Later you assign this role to the AWS S3 integration in Genesys Cloud.

Note: AWS Identity and Access Management (IAM) is a web service that controls access to AWS resources. An IAM role is similar to a user, because it defines an AWS identity with permission policies that determine what the identity can and cannot do in AWS. Trusted identities, including applications such as Genesys Cloud, AWS services such as EC2, or a user, assume the IAM role. Each IAM role defines necessary permissions to make AWS service requests. For more information, see IAM Roles in Amazon’s AWS Identity and Access Management User Guide.

To create a policy, create an IAM role, and attach this role to the policy, follow these steps:

  1. Log in to AWS.
  2. Navigate to the AWS Services page.
  3. To create an S3 bucket, click S3.
  4. After you create an S3 bucket, go to the AWS Services page and click IAM.
  5. Create a policy. Policies specify what resources roles can act on and how roles can act on the resources.
    1. Under Dashboard, select Policies.
    2. Click Create policy
    3. On the Visual editor tab, configure the following items:
      1. Under Service, click Select a service and click S3. This setting specifies what service the policy calls.
      2. Under Actions and Access level, click the arrow next to Write and select the PutObject check box. This setting specifies what actions the policy grants to the AWS S3 bucket.
      3. Under Read, select GetBucketLocation and GetEncryptionConfiguration.
      4. Under Permission Management, select PutObjectAcl.
      5. Under Resources, select Specific and click Add ARN. For Bucket Name, enter the name of the S3 bucket you created. For Object Name, check the box next to Any. Click Add.
      6. Click Review policy.
    4. In the Name box, type a name for the policy. 
    5. Click Create policy.
  6. Create a role that uses this policy.
    1. Under Dashboard, click Roles.
    2. On the Roles page, click Create role.
    3. Select Another AWS Account as the type of trusted entity.
    4. In the Account ID box, enter 765628985471 (Core/Satellite regions). This number is Genesys Cloud’s production account ID. If needed, please contact your Genesys representative for the FedRAMP region [US-East-2] account ID.
    5. Select the Require external ID check box and enter your Genesys Cloud organization ID.
    6. Click Next: Permissions.
  7. Attach permission policies to this role.
    1. Select the policy that you created.
    2. Click Next: Tags
    3. Click Next: Review.
    4. In the Role name box, type a name for the role.
    5. In the Role description box, enter descriptive text about the role.
    6. Verify that the account number for Trusted entities matches the Genesys Cloud production AWS account ID that you entered earlier.
    7. Click Create role.

Next, Add the AWS S3 Recording Bulk Actions Integration.

    Note: By default, the export process will use an AWS Managed Key (KMS) for encryption of the files stored in the S3 bucket.  If usage of a Customer Managed Key (CMK) is needed, see Use a CMK key for export (optional).