IAM User Permissions

AWS Identity and Access Management (IAM) allows you to control user access to AWS services and other resources. Use IAM to create and manage users and groups securely within AWS.

The IAM permissions described here are for the Verint integration and may not apply to Amazon Connect users, who may need a different set of permissions to write Contact Trace Records and audio recordings to Amazon storage and streams. To keep user roles and responsibilities clearly segregated, configure separate IAM users for Amazon Connect infrastructure usage and for recorder integration. Consult the Amazon documentation for information about Amazon Connect permissions.

Specific permissions are required for the Kinesis Data Stream consumer so that Verint can capture post-call audio and real-time audio and perform call recovery. The permissions must be added to the IAM identity (user or role) that is used to connect to Verint Interaction Capture. In the following table, the Post-Call Capturing, Real-Time Call Capturing and Call Recovery columns indicate whether each permission is required, optional or not needed for that use case.

| Service | Actions | Post-Call Capturing | Real-Time Call Capturing | Call Recovery | Resources |
|---|---|---|---|---|---|
| S3 | GetObject | | | | Can be limited to the buckets used by the adapter if required. |
| S3 | ListBucket | | | | N/A |
| KMS | Encrypt | | | | May be limited to the specific KMS Key required for decryption on the S3 bucket or Kinesis stream. |
| KMS | GenerateDataKey | | | | |
| KMS | Decrypt | | | | |
| Kinesis Data Stream | DescribeStream | | | | This can be limited to the Kinesis Stream monitored by the adapter if required. |
| Kinesis Data Stream | GetRecords | | | | |
| Kinesis Data Stream | GetShardIterator | | | | |
| Kinesis Data Stream | ListShards | | | | |
| Kinesis Data Stream | PutRecord | | | | |
| Kinesis Video Streams | GetDataEndpoint | | | | This can be limited to the Kinesis Video Stream monitored by the adapter if required. |
| Kinesis Video Streams | GetMedia | | | | |
| Kinesis Video Streams | PutMedia | | | | |
| Kinesis Data Streams using Enhanced Fan-Out | DescribeStreamConsumer | | | | Requires Kinesis Client Library 2.0, which is installed with Verint IC KB221751 and RIS KB221821 or later. For more information, see Amazon Kinesis Data Streams Adds Enhanced Fan-Out and HTTP/2 for Faster Streaming (AWS News Blog). |
| Kinesis Data Streams using Enhanced Fan-Out | DescribeStreamSummary | | | | |
| Kinesis Data Streams using Enhanced Fan-Out | SubscribeToShard | | | | |
| DynamoDB | CreateTable | | | | N/A. You can deny the adapter access to the CreateTable action on DynamoDB. For more details, see DynamoDB and the CreateTable action. |
| DynamoDB | DeleteItem | | | | |
| DynamoDB | DescribeTable | | | | |
| DynamoDB | GetItem | | | | |
| DynamoDB | PutItem | | | | |
| DynamoDB | Scan | | | | |
| DynamoDB | UpdateItem | | | | |
| CloudWatch | PutMetricData | | | | N/A |
| CloudWatch Logs | CreateLogGroup | Optional | Optional | | Resources can be limited to services and streams. |
| CloudWatch Logs | CreateLogStream | Optional | Optional | | |
| CloudWatch Logs | PutLogEvents | Optional | Optional | | |
| Connect | ListInstanceAttributes | | | | Resources are limited to the Amazon Connect instance configured at the data source level. |
| Connect | ResumeContactRecording | | | | |
| Connect | SuspendContactRecording | | | | |
| Connect | DescribeUser | | | | N/A |
| Connect | DescribeContact | | | | |
| Connect | GetContactAttributes | | | | |
| Connect | ListInstanceStorageConfigs | | | | |

DynamoDB and the CreateTable action

For security reasons, you can deny the Amazon Connect and Amazon Agent Event Stream adapters access to the CreateTable action on DynamoDB. If you deny the adapters access, before running the adapters, you must manually create the DynamoDB table. The name of the DynamoDB table is slightly different for each adapter type.

  • Amazon Connect Adapter – the name of the table must be the configured Application Name in the adapter.

    For example, “verintCTREvents”, where the configured application name is “verintCTREvents”.

  • Amazon Agent Event Stream Adapter – the name of the table must be the configured Application Name + “_” + server host name + “.” + adapter ID.

    For example, “verintAgentEvents_verintris.2”, where the configured application name is “verintAgentEvents”, the server host name is “verintris” and the adapter ID is “2”.

    To determine the adapter ID, check the RIS logs or look in the IntegrationService.xml file under the %IMPACT360SOFTWAREDIR%\Conf directory.

If you create the table manually, you do not need to include the CreateTable permission in the IAM policy for the adapters. All other DynamoDB permissions are required.
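To show how the permission table and the CreateTable guidance above translate into a single policy document, here is an added example (not Verint's or Amazon's own code) that assembles a least-privilege IAM policy from the listed actions and derives the DynamoDB table name for each adapter type. All ARNs, the account and region values, the bucket, stream and key names and the `/verint/` log-group prefix are constructed placeholders; replace them with the resources your adapter actually uses.

```python
"""Least-privilege IAM policy assembled from the permission table above."""
REGION, ACCOUNT = "us-east-1", "123456789012"  # constructed placeholders
INSTANCE = f"arn:aws:connect:{REGION}:{ACCOUNT}:instance/EXAMPLE-INSTANCE-ID"

# (service prefix, actions, resources): actions come from the table; every ARN
# is a placeholder assumption, scoped where the table says it can be, "*" where N/A.
ALLOW = [
    ("s3", ["GetObject", "ListBucket"],
     ["arn:aws:s3:::example-recordings", "arn:aws:s3:::example-recordings/*"]),
    ("kms", ["Encrypt", "GenerateDataKey", "Decrypt"],
     [f"arn:aws:kms:{REGION}:{ACCOUNT}:key/EXAMPLE-KEY-ID"]),
    ("kinesis", ["DescribeStream", "GetRecords", "GetShardIterator", "ListShards",
                 "PutRecord", "DescribeStreamConsumer", "DescribeStreamSummary",
                 "SubscribeToShard"],
     [f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/example-ctr-stream",
      f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/example-ctr-stream/consumer/*"]),
    ("kinesisvideo", ["GetDataEndpoint", "GetMedia", "PutMedia"],
     [f"arn:aws:kinesisvideo:{REGION}:{ACCOUNT}:stream/example-audio-stream/*"]),
    ("dynamodb", ["DeleteItem", "DescribeTable", "GetItem", "PutItem", "Scan", "UpdateItem"],
     [f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/verintCTREvents"]),
    ("cloudwatch", ["PutMetricData"], ["*"]),
    ("logs", ["CreateLogGroup", "CreateLogStream", "PutLogEvents"],
     [f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/verint/*"]),
    ("connect", ["ListInstanceAttributes", "ResumeContactRecording", "SuspendContactRecording",
                 "DescribeUser", "DescribeContact", "GetContactAttributes",
                 "ListInstanceStorageConfigs"], [INSTANCE, INSTANCE + "/*"]),
]

def adapter_table_name(app_name, host=None, adapter_id=None):
    """Connect adapter: application name only; Agent Event Stream adapter: name_host.id."""
    return app_name if host is None else f"{app_name}_{host}.{adapter_id}"

def build_policy(table_created_manually=True):
    """Allow statements from the table. When the lease table is pre-created,
    dynamodb:CreateTable gets an explicit Deny (the stricter reading); else Allow."""
    statements = [{"Effect": "Allow", "Action": [f"{svc}:{a}" for a in acts],
                   "Resource": res} for svc, acts, res in ALLOW]
    effect = "Deny" if table_created_manually else "Allow"
    statements.append({"Effect": effect, "Action": "dynamodb:CreateTable", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

def allowed_actions(policy):
    """Flatten the Allow actions so the policy can be diffed against the table."""
    return {a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])}
```

Review `allowed_actions(build_policy())` against the table before attaching the policy to the adapter identity, and pass `table_created_manually=False` only if you intend the adapter to create its own lease table.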

To create the DynamoDB table manually, you must configure it with the following:

| Field | Description |
|---|---|
| Table Name | The table name depends on the type of adapter being used. See the naming conventions above to determine the table name. |
| Primary partition key | leaseKey (String) |
| Read/write capacity mode | Provisioned |
| Provisioned read capacity units | 10 |
| Provisioned write capacity units | 10 |

Sample IAM Policy

Create Kinesis data streams

Access management for AWS resources (AWS Identity and Access Management User Guide)

Controlling Access to Amazon Kinesis Data Streams Resources Using IAM (Amazon Kinesis Streams Developer Guide)