Secure Export Setup – AWS Configuration

In order to utilize boberdoo’s data retention and secure export feature, you need to configure your Amazon Web Services account. If you already have an AWS account, you can use it. If you do not have an AWS account, sign up for an account here before proceeding to step 1.

Step 1: Create/Verify Your Amazon S3 Bucket

All data exported from your boberdoo system will be stored in an Amazon S3 bucket.

If you have an existing S3 bucket you would like to use, log in to your AWS account and select S3 from the Services dropdown. Record the name and region of the bucket you plan on using.

If you do not have an existing S3 bucket that you would like to use, you will need to create one. From your AWS account, locate the Services dropdown and select S3. Click Create Bucket.

boberdoo leadsystem export 1

Step 1 Name and region: Name your bucket (e.g. boberdooexport-{yourcompany}), select a region and click Next. Be sure to record the name of your bucket and the region you selected. This will be used in a later step.

boberdoo leadsystem export

Step 2 Set properties: No specific property settings are required. Click Next.

Step 3 Set permissions: No specific permissions are required. Click Next.

Step 4 Review: Record your Bucket name and Region and click Create bucket.

boberdoo leadsystem export

Step 2: Create An Amazon KMS Key

Next, you must create a KMS Key that is responsible for the server-side encryption of your data and specify permissions for this key to allow specific IAM users access to this data.

Select your username in the top right corner of your AWS account and select My Security Credentials. Click on the Encryption keys link from the navigation menu. If this is your first time accessing Encryption keys in your AWS account you will receive a welcome message. Click the Get Started Now button.

Your next step is to create an Encryption key. This key must be created in the same region that your S3 bucket is using. From the Region dropdown, select the appropriate region and click Create key.

boberdoo leadsystem export

Create Alias and Description: Name your key in the Alias field (e.g. boberdoo-secure-export) and enter a description (e.g. boberdoo secure export key). Click Next Step.

boberdoo leadsystem export

Add Tags: Tags are not required for this setup. Click Next Step.

Define Key Administrative Permissions: This step allows you to grant administrative permissions for this key to any of your existing IAM users. This will not affect API calls, but it affects which users can administer this key in AWS for encryption and decryption. In steps 3 and 4 below you will create a new IAM user and policy to access this data so if you do not wish to grant any additional IAM users administrative permissions for this key, click Next Step.

Define Key Usage Permissions: This step allows you to grant usage permissions for this key to any of your existing IAM users. This will not affect API calls, but it affects which users can use this key in AWS for encryption and decryption. In steps 3 and 4 below you will create a new IAM user and policy to access this data so if you do not wish to grant any additional IAM users usage permissions for this key, click Next Step.

Preview Key Policy: Finally you will see a preview of the key policy you just created. Click Finish.

You will now see your key in your dashboard. Copy your Key ID.

boberdoo leadsystem export

Next, click your key Alias to open your key’s properties. From here, you will see the ARN field. Copy the ARN string.

boberdoo leadsystem export

Step 3: Create User Policy

Next, select your username in the top right corner of your AWS account and select My Security Credentials. This time, select the Policies link from the navigation menu. Click the Create policy button.

Create Policy: Select the Create Your Own Policy option.

boberdoo leadsystem export

Review Policy: Name your policy (e.g. boberdoo-secure-export-policy) and add a description (e.g. boberdoo secure export policy). Record this policy name. It will be used in a later step. In the Policy Document field, paste the following string:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Resource": "[kms_key_arn]"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::[your_s3_bucket_name]/*"
        }
    ]
}

Within this string, you’ll see the fields [kms_key_arn] and [your_s3_bucket_name].

boberdoo leadsystem export

Before creating your policy, replace [kms_key_arn] with the ARN string that you copied in Step 2. Replace [your_s3_bucket_name] with the bucket name created or reviewed in Step 1. Once you have replaced these values, click Create Policy.

Step 4: Create IAM User

Once again, select your username from the upper right hand corner and click My Security Credentials. This time, select the Users link from the navigation menu. Click the Add user button.

Step 1 Details: Add a User name (e.g. boberdoo-export-user), select the Programmatic access option and click Next: Permissions.

boberdoo leadsystem export

Step 2 Permissions: Select the Attach existing policies directly option and search the policy name that you created in step 3. Select your newly created policy and click Next: Review.

boberdoo leadsystem export

Step 3 Review: Click the Create user button.

Step 4 Complete: Your IAM user is now created. On this page you will see an Access key ID and a hidden Secret access key. Copy both of these values. You will never be able to view these credentials again so be sure to store them in a safe place.

Step 5: Provide Your Credentials And Request To boberdoo

You should now have the following credentials:

  • S3 Bucket name: Step 1
  • AWS Region: Step 1 and 2
  • KMS Key ID: Step 2
  • AWS Access Key: Step 4
  • AWS Secret Key: Step 4

Please open a ticket titled “Enable Secure Export”. In this ticket, please provide these five values and specify your desired export interval for each lead type. You have the option to run the automated export on the hourly or daily interval of your choosing.