- 12 Mar 2024
How to set up an S3 Bucket
- Updated on 12 Mar 2024
Amazon S3 bucket integration allows you to store and control your own call recordings made from calls routing through Natterbox systems.
The bucket must be set up using a cross-account access setup to allow Natterbox to access it. Natterbox will be able to work with permissions granted to your AWS account via Amazon S3 cross-account permissions.
You will need to create a new Amazon S3 bucket, used solely for this solution, and follow the steps to apply the configuration outlined below.
The process below is only to push new call recordings into an external S3 bucket. Please speak with your Customer Success Manager should you wish to move historic call recordings also.
Note: You cannot use an external bucket in conjunction with Salesforce ECI.
Process
1. Ensure your S3 bucket is enabled with SSE-KMS encryption. Please find more information in the FAQ at the bottom of this document.
2. Complete the S3 setup request form
3. Natterbox will create the cross account user
4. Add your bucket policy, which can be copied from the above form (auto-generated). It should look like the below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NatterboxBucketPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::257278351214:user/archiving-external-s3-<CustomerOrgID>"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<CustomerBucketName>"
    },
    {
      "Sid": "NatterboxObjectPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::257278351214:user/archiving-external-s3-<CustomerOrgID>"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<CustomerBucketName>/*"
    }
  ]
}
If Natterbox should not delete recordings, deletion can be turned off, but only in combination with lifecycle management within the S3 bucket.
The time duration after which recordings get deleted through lifecycle management should match the retention period set on the archiving policy that makes use of the S3 bucket. If there are multiple archiving policies with varying retention periods that make use of the S3 bucket, then choose the longest retention period. Access to call recordings is still restricted based on the retention period set on individual archiving policies.
With this feature on, the s3:DeleteObject action can be removed from the allowed list within the Natterbox Object Permissions section of the Bucket Policy.
5. Re-enable ACLs on your S3 bucket.
With changes to AWS S3 object ownership and ACLs, any newly created S3 bucket will have its Object ACLs disabled by default. This prevents Natterbox from setting the bucket-owner-read canned ACL on the objects written to the bucket. Until there is a workaround for this, the S3 bucket must have ACLs re-enabled.
6. Once Natterbox has confirmed their initial tests have been successful, it's time to configure a policy to push calls to your S3 bucket. In either a test Routing Policy or a policy where you can branch off a call to test separately, add a Record and Analyse App so that it is part of the call flow. Within the configuration of this recording app, you will see a dropdown under ‘Archiving policy to be used’. Select the one that should include your bucket name in the title (Not Default or Call Buffering). Save the policy then make the call. The Natterbox team will help facilitate this if you are not confident.
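One way to check steps 1, 4 and 5 before asking Natterbox to run its tests, as an added example (not Natterbox's code and not part of the original page). It evaluates the policy string returned by boto3 `get_bucket_policy` and dictionaries shaped like the `get_bucket_encryption`, `get_bucket_ownership_controls` and `get_bucket_lifecycle_configuration` responses; the function names, the constructed sample values and the assumption that retention periods are expressed in days are ours.

```python
import json

PRINCIPAL = "arn:aws:iam::257278351214:user/archiving-external-s3-<CustomerOrgID>"  # from the page
ALLOWED = {"s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject",
           "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject"}

def as_set(value):  # policy fields may be one string or a list of strings
    return {value} if isinstance(value, str) else set(value or [])

def audit_bucket(policy_json, encryption, ownership, lifecycle, retention_days):
    """Return findings; an empty list means the bucket matches steps 1, 4 and 5."""
    findings, granted = [], set()
    # Step 1: every default-encryption rule must be SSE-KMS.
    rules = encryption["ServerSideEncryptionConfiguration"]["Rules"]
    if any(r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] != "aws:kms" for r in rules):
        findings.append("default encryption is not SSE-KMS")
    # Step 4: Allow statements name only the Natterbox user and only the listed actions.
    allows = [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]
    for stmt in allows:
        who = stmt.get("Principal")
        arns = as_set(who.get("AWS")) if isinstance(who, dict) else as_set(who)
        if arns != {PRINCIPAL}:
            findings.append(f"{stmt.get('Sid')}: unexpected principal")
        actions = as_set(stmt.get("Action"))
        granted |= actions
        if actions - ALLOWED:
            findings.append(f"{stmt.get('Sid')}: extra actions {sorted(actions - ALLOWED)}")
    # No s3:DeleteObject: an enabled rule must expire objects at the longest retention period.
    if "s3:DeleteObject" not in granted:
        days = {r["Expiration"]["Days"] for r in lifecycle.get("Rules", [])
                if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})}
        if max(retention_days) not in days:
            findings.append("no lifecycle rule expiring at the longest retention period")
    # Step 5: BucketOwnerEnforced means ACLs are disabled.
    owners = ownership["OwnershipControls"]["Rules"]
    if any(r["ObjectOwnership"] == "BucketOwnerEnforced" for r in owners):
        findings.append("ACLs are disabled (BucketOwnerEnforced)")
    return findings

# Constructed sample responses: SSE-S3 default, ACLs disabled, delete removed, 90-day expiry.
def statement(sid, actions):
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": PRINCIPAL}, "Action": actions}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    statement("NatterboxBucketPermissions", ["s3:GetBucketLocation", "s3:ListBucket"]),
    statement("NatterboxObjectPermissions", ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"])]})
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}
SAMPLE_LIFECYCLE = {"Rules": [{"Status": "Enabled", "Filter": {}, "Expiration": {"Days": 90}}]}
print(audit_bucket(SAMPLE_POLICY, SAMPLE_ENCRYPTION, SAMPLE_OWNERSHIP, SAMPLE_LIFECYCLE, [30, 180]))
```

Pass an empty dictionary as `lifecycle` when the bucket has no lifecycle configuration, and replace `<CustomerOrgID>` in `PRINCIPAL` with the value from your auto-generated policy.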
FAQ
Is the Natterbox application able to assume AWS IAM roles & access an external S3 bucket?
Natterbox cannot assume roles. We are limited to IAM users and keys. If you wish to avoid sharing keys via email etc., you can use cross-account users.
What encryption needs to be enabled on the S3 bucket?
Regardless of whether Natterbox is encrypting or not (to only allow access from Salesforce), the S3 bucket should be encrypted to keep the data safe at rest. Natterbox only works ‘out-of-the-box’ with SSE-KMS.
Natterbox is unable to specify an encryption key when storing or retrieving data from an S3 bucket. If you have a non-default or custom encryption setup, please get in touch with your Customer Success Manager to see if this would be compatible with additional configuration and policies.
Will Natterbox Insight still work if using an external S3 bucket?
As long as Natterbox has access to read from the external bucket, then Insight will continue to work.
What folder structure will calls be delivered in?
The structure will be <bucketname>/recording/<OrgId>/<CallUUID>. For orgs that have also purchased the Natterbox Insight product, there will be an additional /call-analysis folder with analysis in JSON format.
What format are the recording files in?
Each call is an individual .wav file with the name being the call UUID (unique identifier) which will match to the UUID within Salesforce. Where encryption is turned off, the stored recording file will still be in WAV format, but will not have the .wav extension.
What audio configuration will the recordings be in?
Each file is mono by default. If you wish to have your recordings in stereo, please let us know. This will double the file size, so please make sure you have enough capacity to accommodate it.