Merge pull request #1755 from segmentio/DOC-270

stayseesong · web-flow · commit a3b8970cd956 · 2021-07-23T11:19:10.000-07:00
DOC-270 Added warnings for using the Workspace ID as the External/Secret ID
diff --git a/src/connections/destinations/catalog/amazon-kinesis-firehose/index.md b/src/connections/destinations/catalog/amazon-kinesis-firehose/index.md
@@ -178,27 +178,33 @@ Replace that snippet with the following, and replace the contents of the array w
 
 #### Use a single secret ID
 
-If you have so many sources using Kinesis that it is impractical to attach all of their IDs to your IAM role, you can set a single ID to use instead. **This approach requires that you securely store a secret value, so we recommend that you use the method above if at all possible. **
+If you have many sources using Kinesis that it's impractical to attach all of their IDs to your IAM role, you can set a single ID to use instead. *This approach requires that you securely store a secret value, so we recommend that you use the method above if at all possible.*
 
-To set this value, go to the Kinesis Firehose destination settings from each of your Segment sources and set the **Secret ID'** to a value of your choosing. This value is a secret and should be treated as sensitively as a password. Once all of your sources have been updated to use this value, find the IAM role you created for this destination in the AWS Console in Services > IAM > Roles. Click on the role, and navigate to the **Trust Relationships** tab. Click **Edit trust relationship**. You should see a snippet that looks something that looks like this:
+To set this value for a single Secret ID:
+1. Go to the Kinesis Firehose destination settings from each of your Segment sources.
+2. Click **Secret ID** and enter your Workspace ID.
+    * **NOTE:** For security purposes, Segment recommends you to use your Segment Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, you're susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID** from the Segment dashboard.
+3. Once all of your sources are updated to use this value, find the IAM role you created for this destination in the AWS Console in **Services > IAM > Roles**.
+4. Select the role and navigate to the **Trust Relationships** tab.
+5. Click **Edit trust relationship**. You should see a snippet that looks something that looks like this:
 
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
+    ```json
     {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::595280932656:root"
-      },
-      "Action": "sts:AssumeRole",
-      "Condition": {
-        "StringEquals": {
-          "sts:ExternalId": "YOUR_SEGMENT_SOURCE_ID"
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::595280932656:root"
+          },
+          "Action": "sts:AssumeRole",
+          "Condition": {
+            "StringEquals": {
+              "sts:ExternalId": "YOUR_SEGMENT_SOURCE_ID"
+            }
+          }
         }
-      }
+      ]
     }
-  ]
-}
-```
-Replace your source ID (found at "YOUR_SEGMENT_SOURCE_ID") with your secret ID.
+    ```
+6. Replace the value of `sts:ExternalId` ( "YOUR_SEGMENT_SOURCE_ID") with the Secret ID / Workspace ID value from the previous step.
diff --git a/src/connections/destinations/catalog/amazon-kinesis/index.md b/src/connections/destinations/catalog/amazon-kinesis/index.md
@@ -182,7 +182,7 @@ Replace that snippet with the following, and replace the contents of the array w
 
 ### Update IAM to Support PutRecords
 
-The Kinesis destination defaults to use PutRecords. A previous version of the IAM policy document only granted `PutRecord` access, which can slow down Kinesis write times and degrade data deliverability. Substitute the updated policy document above to grant Kinesis `PutRecords` (plural) and allow batching, like this: 
+The Kinesis destination defaults to use PutRecords. A previous version of the IAM policy document only granted `PutRecord` access, which can slow down Kinesis write times and degrade data deliverability. Substitute the updated policy document above to grant Kinesis `PutRecords` (plural) and allow batching, like this:
    ```json
    {
       "Version": "2012-10-17",
@@ -205,25 +205,31 @@ The Kinesis destination defaults to use PutRecords. A previous version of the IA
 After you update the IAM policy, Segment systems default to use PutRecords for more efficient data transmission. This is a zero-downtime change and does not impact your data other than increasing the deliverability success rate.
 
 ### Use a single secret ID
-If you have so many sources using Kinesis that it is impractical to attach all of their IDs to your IAM role, you can instead opt to set a single ID to use instead. This approach should be avoided in favor of the above approach if possible since it will result in you having to keep track of a secret value. To set this value, go to the Kinesis destination settings from each of your Segment sources and set the 'Secret ID' to a value of your choosing. This value is a secret and should be treated as sensitively as a password. Once all of your sources have been updated to use this value, find the IAM role you created for this destination in the AWS Console in Services > IAM > Roles. Click on the role, and navigate to the **Trust Relationships** tab. Click **Edit trust relationship**. You should see a snippet that looks something that looks like this:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
+If you have many sources using Kinesis that it's impractical to attach all of their IDs to your IAM role, you can instead opt to set a single ID to use. To set this value:
+1. Go to **Connections > Destinations > Amazon Kinesis** for each of your Segment sources.
+2. Click **Secret ID** and enter your Workspace ID.
+    * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your Secret ID. If you’re currently using a Secret ID different from your Workspace ID, you’ll be susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID**.
+3. Once all of your sources have been updated to use this value, find the IAM role you created for this destination in the AWS Console in **Services > IAM > Roles**.
+4. Click on the role and navigate to the **Trust Relationships** tab.
+5. Click **Edit trust relationship**. You should see a snippet that looks something that looks like this:
+
+    ```json
     {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::595280932656:root"
-      },
-      "Action": "sts:AssumeRole",
-      "Condition": {
-        "StringEquals": {
-          "sts:ExternalId": "YOUR_SEGMENT_SOURCE_ID"
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::595280932656:root"
+          },
+          "Action": "sts:AssumeRole",
+          "Condition": {
+            "StringEquals": {
+              "sts:ExternalId": "YOUR_SEGMENT_SOURCE_ID"
+            }
+          }
         }
-      }
+      ]
     }
-  ]
-}
-```
-Replace your source ID (found at "YOUR_SEGMENT_SOURCE_ID") with your secret ID.
+    ```
+6. Replace the value of `sts:ExternalId` (`"YOUR_SEGMENT_SOURCE_ID"`) with your Secret ID.
diff --git a/src/connections/destinations/catalog/amazon-lambda/index.md b/src/connections/destinations/catalog/amazon-lambda/index.md
@@ -57,43 +57,47 @@ There are two options for setting up the IAM policy and role:
 
 ### Use CloudFormation
 
-Using CloudFormation minimizes the set up steps needed, and is Segment's recommended way to create your Lambda's policy and role.
+Using CloudFormation minimizes the setup steps needed, and is Segment's recommended way to create your Lambda's policy and role. To use CloudFormation:
+1. Create the CloudFormation Template.
+   1. Copy or download the [SegmentLambdaDestinationCFTemplate](https://github.com/segmentio/segment-lambda-recipes/blob/ead6c0f77deb38cea7ed486a7b98b47207796b5c/SegmentLambdaDestinationCFTemplate#L1){:target="_blank"} from the [segment-lambda-recipes](https://github.com/segmentio/segment-lambda-recipes){:target="_blank"} GitHub repo. 
+   2. Save the file with a name you like, but make sure it doesn't have a file extension.
+2. Create the CloudFormation stack.
+   1. Within the AWS Console, navigate to **CloudFormation > Stacks**.
 
-**Create the CloudFormation Template**
+      ![](images/CloudFormationStackNav.png)
 
-Copy or download the [SegmentLambdaDestinationCFTemplate](https://github.com/segmentio/segment-lambda-recipes/blob/ead6c0f77deb38cea7ed486a7b98b47207796b5c/SegmentLambdaDestinationCFTemplate#L1) from our [segment-lambda-recipes](https://github.com/segmentio/segment-lambda-recipes) GitHub repo. Save the file with whatever name you like, but make sure it doesn't have a file extension.
+   2. Click **Create Stack**.
 
-**Create the CloudFormation stack**
+      ![](images/CloudFormationCreateStack.png)
 
-Within the AWS Console, navigate to CloudFormation. Navigate to the Stacks page.
+   3. On the **Select Template** page, select **Upload a template to Amazon S3**. Using **Choose File**, select the SegmentLambdaDestinationCFTemplate you downloaded in the previous step.
 
-![](images/CloudFormationStackNav.png)
+   4. Click **Next**.
 
-Click the "Create Stack" button.
+      ![](images/CloudFormationUploadTemplate.png)
 
-![](images/CloudFormationCreateStack.png)
+   5. Give your stack a name.
+   6. For the **ExternalId** parameter, enter the "External ID" setting in your Segment Lambda destination settings. This should be your **Workspace ID**.
+      * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your External ID. If you’re currently using an External ID different from your Workspace ID, you’ll be susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID**.
+   7. The **LambdaARN** parameter corresponds to the **Lambda** setting in your Segment Lambda destination settings.
 
-On the "Select Template" page, select "Upload a template to Amazon S3", then using "Chose File", select the SegmentLambdaDestinationCFTemplate you created/downloaded in the previous step.
+      ![](images/CloudFormationStackDetails.png)
 
-Click "Next".
+   8. You can leave the next page as is, no changes needed.
+   9. On the last page, review your template details and click **Create**.
+   10. You will now see your new Stack listed in the Stacks page.
 
-![](images/CloudFormationUploadTemplate.png)
+        ![](images/CloudFormationCreateInProgress.png)
 
-Give your stack a meaningful name. The "ExternalId" parameter corresponds to the "External ID" setting in your Segment Lambda destination settings. The "LambdaARN" parameter corresponds to the "Lambda" setting in your Segment Lambda destination settings.
+   11. Once the status is **CREATE_COMPLETE**, click on the name of your Stack.
+   12. On the Stack Detail page under the **Resources** section, you will see a policy and role listed.
 
-![](images/CloudFormationStackDetails.png)
+        ![](images/CloudFormationLambdaRole.png)
 
-You can leave the next page as is, no changes needed. On the last page, review your template details and click "Create".
+   13. Click the **Physical ID** of the role. You will be redirected to the summary page for the role within the IAM console.
+   14. Copy the **Role ARN** and copy it into the **Role Address** setting in your Segment Lambda destination settings.
 
-You should now see your new Stack listed in the Stacks page.
-
-![](images/CloudFormationCreateInProgress.png)
-
-Once the status is "CREATE_COMPLETE", click on the name of your Stack. On the Stack Detail page, under the "Resources" section, you should see a policy and role listed.
-
-![](images/CloudFormationLambdaRole.png)
-
-Click on the "Physical ID" of the role. You will be redirected to the summary page for the role within the IAM console. Copy the "Role ARN" and copy it into the "Role Address" setting in your Segment Lambda destination settings. Using the examples provided, your Segment Lambda destination settings would now look something like this:
+Using the examples provided, your Segment Lambda destination settings will look something like this:
 
 ![](images/SegmentLambdaSettingsPostCF.png)
 
diff --git a/src/connections/destinations/catalog/amazon-personalize/index.md b/src/connections/destinations/catalog/amazon-personalize/index.md
@@ -15,23 +15,23 @@ Developing the machine-learning capabilities necessary to produce these sophisti
 
 {% include content/connection-modes.md %}
 
-There are a few pre-requisites:
+There are a few pre-requisites before getting started. They are:
 
 1. Segment data flowing into an S3 destination OR a warehouse
-  1. Ability to create AWS Glue jobs (only required if using S3 to [train your model](#train-your-model))
-2. Ability to deploy Lambda functions in Amazon Web Services
-3. Access to AWS Personalize
+2. You have the ability to create AWS Glue jobs (only required if using S3 to [train your model](#train-your-model))
+3. You have the ability to deploy Lambda functions in Amazon Web Services
+4. You have access to AWS Personalize
 
-don't have an S3, Redshift warehouse, or Snowflake warehouse set up? You can read more about setting up S3 [here](https://segment.com/docs/connections/storage/catalog/amazon-s3/), Redshift [here](https://segment.com/docs/connections/storage/catalog/redshift/), and Snowflake [here](https://segment.com/docs/connections/storage/catalog/snowflake/).
+If you don't have S3, Redshift warehouse, or Snowflake warehouse configured, you can read more about setting up [S3](/docs/connections/storage/catalog/amazon-s3/), [Redshift](/docs/connections/storage/catalog/redshift/), and [Snowflake](/docs/connections/storage/catalog/snowflake/).
 
 ***If you're a Segment business tier customer, contact your Success contact to initiate a replay to S3 or your Warehouse.***
 
 
 There are three main parts to using Amazon Personalize with Segment:
 
-1. [**Train your model**]() on historical data in S3 or a Warehouse.
-2. [**Create a Personalize Dataset Group**]() and Campaign
-3. [**Connect Recommendations**] and Live Event Updates to your Campaign and Segment
+1. [**Train your model**](/docs/connections/destinations/catalog/amazon-personalize/#train-your-model) on historical data in S3 or a Warehouse.
+2. [**Create a Personalize Dataset Group**](/docs/connections/destinations/catalog/amazon-personalize/#create-personalize-dataset-group-solution-and-campaign) and Campaign
+3. [**Connect Recommendations**](/docs/connections/destinations/catalog/amazon-personalize/#getting-recommendations-and-live-event-updates) and Live Event Updates to your Campaign and Segment
 
 ## Train Your Model
 
@@ -645,22 +645,23 @@ In the next section, we will build a real-time clickstream ingestion pipeline th
 
 ## Getting Recommendations and Live Event Updates
 
-Once you deployed your Personalize solution and enabled a Campaign, your Lambda can consume event notifications from Segment and use the Solution and Campaign to react to events which will drive your business cases.
+Once you deploy your Personalize solution and enable a Campaign, your Lambda instance consumes event notifications from Segment and use the Solution and Campaign to react to events which drive your business cases.
 
-The example code we provide below shows how to forward events to the Personalize Solution you deployed to keep your model updated.  It then forwards an `identify` event back to Segment with the recommendations from your Solution.
+The example code Segment provides below shows how to forward events to the Personalize Solution you deployed to keep your model updated.  It then forwards an `identify` event back to Segment with the recommendations from your Solution.
 
 
 ### Set up Segment IAM policy & role for invoking your Lambda
 
 Segment will need to be able to call ("invoke") your Lambda in order to process events.  This requires you to configure an IAM role for your Lambda which allows the Segment account to invoke your function.
 
-**Create an IAM policy.**
+#### Create an IAM policy
+To create an IAM policy:
+1. Sign in to the [Identity and Access Management (IAM) console](https://console.aws.amazon.com/iam/){:target="_blank"}  and follow these instructions to [Create an IAM policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html){:target="_blank"} to allow Segment permission to invoke your Lambda function.
 
-Sign in to the [Identity and Access Management (IAM) console](https://console.aws.amazon.com/iam/) and follow these instructions to [Create an IAM policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) to allow Segment permission to invoke your Lambda function.
+2. Select **Create Policy from JSON** and use the following template policy in the `Policy Document` field. Be sure to change the `{region}`, `{account-id}` and `{function-names}` with the applicable values. Here's example of a Lambda ARN `arn:aws:lambda:us-west-2:355207333203:function:``my-example-function`.
 
-Select the **Create Policy from JSON** option and use the following template policy in the `Policy Document` field. Be sure to change the {region}, {account-id} and {function-names} with the applicable values. An example of a Lambda ARN `arn:aws:lambda:us-west-2:355207333203:function:``my-example-function`.
-
-_Note: you can put in a placeholder ARN for now, as you will need to come back to this step to update with the ARN of your Lambda once that's been created._
+> note ""
+> **NOTE:** You can put in a placeholder ARN for now, as you will need to come back to this step to update with the ARN of your Lambda once that's been created.
 
 ```json
 {
@@ -682,21 +683,22 @@ _Note: you can put in a placeholder ARN for now, as you will need to come back t
 }
 ```
 
+#### Create an IAM role
+To create an IAM role:
+1. Sign in to the [Identity and Access Management (IAM) console](https://console.aws.amazon.com/iam/){:target="_blank"} and follow these instructions to [Create an IAM role](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console){:target="_blank"} to allow Segment permission to invoke your Lambda function.
+2. While setting up the new role, add the policy you created in the [previous step](/docs/connections/destinations/catalog/amazon-personalize/#create-an-iam-policy).
+3. Finish with any other set up items you may want (like `tags`).
+4. Search for and click on your new roles from the [IAM home](https://console.aws.amazon.com/iam/home#/home){:target="_blank"}.
+5. Select the **Trust Relationships** tab, then click **Edit trust relationship**.
 
-**Create an IAM role**
-
-Sign in to the [Identity and Access Management (IAM) console](https://console.aws.amazon.com/iam/) and follow these instructions to [Create an IAM role](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console) to allow Segment permission to invoke your Lambda function.
-
-While setting up the new role, add the policy you created in the previous step.
-
-Finish with any other set up items you may want (like `tags`). Once that's complete, search for and click on your new roles from the [IAM home](https://console.aws.amazon.com/iam/home#/home).
-
-Select the "Trust Relationships" tab, then click the "Edit trust relationship" button.
+    ![](images/LambdaTrustRelationship.png)
 
-![](images/LambdaTrustRelationship.png)
+6. Copy and paste the following into your trust relationship. You should replace `<your-source-id>` with either the Source ID of the attached Segment source (the default) or the custom external ID you set in your Amazon Lambda destination settings.
 
-Copy and paste the following into your trust relationship. You should replace `<your-source-id>` with either the Source ID of the attached Segment source (the default) or whatever custom external id you set in your Amazon Lambda destination settings.
-  Note: Source ID *can be found by navigating to Settings > API Keys from your Segment source homepage.*
+> note ""
+> **NOTE:** Your Source ID can be found by navigating to **Settings > API Keys** from your Segment source homepage.
+>
+> If you're using an External ID, for security purposes, Segment recommends you to use your Segment Workspace ID as your External ID. If you use an External ID different from your Workspace ID, you’re susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID** in the Segment dashboard.
 
 ```json
 {
