Managing AWS Role for Conviva Connect


Creating AWS Role for SSD Upload Access

  1. Login to the AWS Management console using appropriate credentials.

  2. Create a new (or verify an existing) S3 Bucket:

    1. Navigate to S3 from the service list.

    2. Confirm the SSD upload bucket has already been created. If not, create a new bucket. Remember the bucket name.

  3. Create a new role:

    1. Select IAM from the list of available services.

    2. Select Roles from the left navigation pane and click Create Role.

  4. In the Select trusted entity page, specify a trusted account:

    1. Select the AWS account option as the trusted entity type.

    2. In the Account ID field, enter Conviva's AWS account ID (546944332888). Ensure that the Require external ID option is selected and provide a value of your choice, for example conviva-connect. Do not select the Require MFA option.

    3. Click Next.

  5. In the Add permissions page, click Next to skip adding the policies.

  6. In the Role Name field, enter a name, for example conviva-ssd-upload-role, and click Create Role.

  7. Click View role to view details of the role.

  8. Create a new inline policy for S3 access:

    1. Under the Permissions tab, expand the Add permissions list and select Create inline policy.

    2. Switch to the JSON tab and paste the following JSON policy replacing the existing one.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:*",
                  "Resource": [
                      "arn:aws:s3:::<BUCKET_NAME>",
                      "arn:aws:s3:::<BUCKET_NAME>/*"
                  ]
              }
          ]
      }

      Note: Make sure to replace <BUCKET_NAME> with the actual name of the SSD uploads bucket created in Step 2.

    3. Click Next to finalize the inline policy.

  9. In the Review and Create page, enter a policy name, for example access-to-s3-<BUCKET_NAME>, and click Create policy.

  10. Navigate to the Trust relationships tab and click Edit trust policy to update the restrictions for the role.

  11. Paste the following JSON policy, replacing the existing policy, to restrict the Principal field so that only the conviva-connect user of Conviva's AWS account 546944332888 can assume the role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::546944332888:user/conviva-connect"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "conviva-connect"
                    }
                }
            }
        ]
    }

  12. Click Update policy to apply the changes.

  13. Send the following details to Conviva customer support team through Pulse Portal Support page or email to Conviva Support:

    Requirements            Descriptions
    Delivery Method Type    AWS ARN role.
    Customer c3 Account
    S3 Bucket Name          See step 2
    S3 Bucket AWS Region    See step 2
    ARN of the Role         See step 6
    External ID             See step 4(b)


Create AWS Role for SSD Upload Access with KMS Encryption

  1. Login to the AWS Management console using appropriate credentials.

  2. Create a Key using the Key Management Service (KMS):

    1. From the AWS services list, click Key Management Service.

    2. From the left navigation pane, click Customer-managed keys.

    3. Select the correct region and click Create key.

      Note: The KMS key and S3 bucket should belong to the same region.

    4. Configure the key with default settings and click Next.

    5. In the Alias field, provide an appropriate name for the key, for example conviva-ssd-upload.

    6. (Optional) Add description and tags, if needed.

    7. Click Next.

    8. (Optional) Add key administrators, if required.

    9. Click Next.

    10. Select the Allow key administrators to delete this key option, and click Next.

    11. In the Define key usage permissions page, click Next without selecting any users.

    12. Review the key policy to confirm that it references your AWS account ID, and click Finish.

    Note: Open the key and take a note of its ARN.

  3. Configure S3 Bucket for KMS Encryption:

    1. From the AWS services list, click S3.

    2. Select an existing SSD uploads bucket (or create an SSD upload bucket if one is not present).

    3. Navigate to the Properties tab.

    4. Scroll to the Default encryption section and click Edit to specify the following:

      1. Encryption type as Server-side encryption with AWS Key Management Service (SSE-KMS).

      2. AWS KMS key as Enter AWS KMS key ARN.

    5. In the AWS KMS key ARN field, enter the ARN and click Save changes.

  4. Create an IAM Role:

    1. From the AWS services list, click IAM.

    2. From the left navigation pane, select Roles and click Create Role.

    3. Select the AWS account option as the trusted entity type.

    4. Enter 546944332888 (Conviva's AWS account) as the Account ID and ensure that the Require external ID option is selected.

    5. Enter an appropriate external ID, for example conviva-connect, and click Next.

    6. In the Add permissions page, click Next.

    7. Provide a role name, for example conviva-ssd-upload-role, and click Create role.

    8. Click View role to view details of the role.

  5. Attach inline policy to the role:

    1. Under the Permissions tab, expand the Add permissions list and select Create inline policy.

    2. Switch to the JSON tab, paste the following JSON policy replacing the existing one, and click Next. This is an identity-based permissions policy for the S3 bucket (the trust policy is set separately in step 6), so it must not contain a Principal element.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:*",
                  "Resource": [
                      "arn:aws:s3:::<BUCKET_NAME>",
                      "arn:aws:s3:::<BUCKET_NAME>/*"
                  ]
              }
          ]
      }

      Note: Make sure to replace <BUCKET_NAME> with the actual name of the SSD uploads bucket from step 3.

    3. Provide an appropriate policy name, for example access-to-s3-<BUCKET_NAME>, and click Create policy.

  6. Update the trust policy:

    1. Navigate to the Trust relationships tab of the role, click Edit trust policy.

    2. Paste the following JSON policy, replacing the existing policy, to restrict the Principal field so that only the conviva-connect user of Conviva's AWS account 546944332888 can assume the role.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::546944332888:user/conviva-connect"
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "conviva-connect"
                      }
                  }
              }
          ]
      }

    3. Click Update policy.

  7. Attach role to the KMS Key:

    1. From the AWS services list, click Key Management Service.

    2. From the left navigation pane, click Customer-managed keys.

    3. Search for the key and open the key policy.

    4. Under the Key policy tab scroll down to the Key users section.

    5. Click Add to add a key user.

    6. Search for the role created in step 4.

    7. Select the role as a key user and click Add.

    8. Confirm the role is now listed under Key users section.

  8. Send the following details to Conviva customer support team through Pulse Portal Support page or email to Conviva Support:

    Requirements            Descriptions
    Delivery Method Type    AWS role with KMS encryption provided by the customer.
    Customer c3 Account
    S3 Bucket Name          See step 3
    S3 Bucket AWS Region    See step 3
    ARN of the KMS Key      See step 3(e)
    ARN of the Role         See step 4(b)
    External ID             See step 4(d)

  9. Configure Conviva-Connect in Pulse. For more details about how to configure Conviva Connect in Pulse, see Get Started with Conviva Connect.
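As an added check that is not part of Conviva's documentation, the following Python script validates the two JSON documents both procedures above ask you to paste before they go into the console: the trust policy must name only a principal in Conviva's account 546944332888 and require the sts:ExternalId condition (the protection against a third party assuming the role), and the inline permissions policy must be scoped to the SSD bucket and carry no Principal element. The bucket name my-ssd-uploads is an assumed sample value standing in for <BUCKET_NAME>.

```python
CONVIVA_ACCOUNT = "546944332888"  # Conviva's account ID, as given in the procedure

def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return problems found in a trust policy (empty list means it matches the procedure)."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            problems.append(f"unexpected action(s): {stmt.get('Action')}")
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or f":{CONVIVA_ACCOUNT}:" not in p:
                problems.append(f"principal is not in Conviva's account: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            problems.append(f"sts:ExternalId condition missing or wrong: {ext!r}")
    return problems

def check_s3_policy(policy: dict, bucket: str) -> list:
    """Return problems in the inline permissions policy: scoped to the bucket, no Principal."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Principal" in stmt:
            problems.append("identity-based policy must not contain a Principal element")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                problems.append(f"resource not scoped to bucket {bucket}: {res}")
    return problems

# Constructed samples: the procedure's policies with <BUCKET_NAME> filled in as my-ssd-uploads.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{CONVIVA_ACCOUNT}:user/conviva-connect"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "conviva-connect"}}}]}
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-ssd-uploads", "arn:aws:s3:::my-ssd-uploads/*"]}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY, "conviva-connect"))  # []
    print(check_s3_policy(S3_POLICY, "my-ssd-uploads"))  # []
```

Run it against the JSON you intend to paste; a trust policy whose Principal is "*" or that lacks the sts:ExternalId condition, or a permissions policy with "Resource": "*", is reported rather than accepted.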
