Secure Access Cloud Logs Shipping - Integration with Amazon Web Services (AWS) S3 Buckets
The logs shipping integration with AWS allows you to send all user activity and secure access cloud audit logs to an AWS S3 bucket under your AWS account.
Once the logs are in your S3 bucket you can further pull them into your SIEM, such as Splunk, or a cloud log analytics/SIEM solution such as logz.io, Azure Sentinel and others.
The integration settings are configured under Settings → Logs Shipping.
To define the logs shipping integration, follow the steps below:
Enable S3 Bucket Integration
In the Secure Access Cloud Logs Shipping integration page, enter the Bucket Name of the S3 bucket to which you’d like to export the logs (create the bucket beforehand) and click ‘Save’:
Open your AWS Management Console, navigate to IAM and click Create Role
Choose "Another AWS Account"
Copy the Account ID and External ID fields from the dialog below in the Secure Access Cloud Admin Web Portal:
Choose "Require External ID Option" and copy the External ID from the same dialog in the Secure Access Cloud Admin Web Portal
Click Next Permissions
Choose Create Policy (please note that the Policy editing UI will be opened in a different tab)
Once you’ve saved the name, the IAM Policy will be populated with the JSON containing the required permissions for Secure Access Cloud to write the logs into the S3 bucket configured:
Click the JSON tab in the Create Policy tab that opened, then copy the IAM policy from Secure Access Cloud and paste it into the AWS Console ‘Create Policy’ window (make sure to switch to the JSON editing view in the Create Policy UI before pasting).
Click on "Review Policy"
Choose a descriptive name for your policy and click "Create Policy"
Switch back to the “Create Role” browser tab and click the Refresh icon
Find the policy by the name given in step 10 and select it
Click Next: Tags, then on the next page click Next: Review
Provide a name for the role being created (on the same page you can see the policy attached to this role), then click “Create Role”
Copy the ARN of the created IAM role (from the AWS Console) to the Secure Access Cloud Admin Web Portal:
Click “Save” on Secure Access Cloud
Once the setup is complete the integration should appear as "Online" in the Secure Access Cloud Admin Web Portal:
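After the role exists, it is worth confirming that its trust policy names only the Account ID from the portal dialog and requires the External ID. The following is an added example, not part of the original article or of Secure Access Cloud; the account ID, external ID and sample policy are constructed placeholders, and audit_trust_policy is a hypothetical helper name.

```python
import json

# Constructed placeholders, not values from the Secure Access Cloud portal.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

# Constructed sample in the shape the IAM console generates for
# "Another AWS account" with "Require external ID" selected.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})


def _as_list(value):
    """IAM allows a single value or a list in most positions."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it is as expected."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        # Only the account shown in the portal dialog may assume the role.
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: unexpected principal {principal!r}")
        elif not set(_as_list(principal["AWS"])) <= expected:
            findings.append(f"statement {i}: principal outside account {account_id}")
        # The external ID stops the vendor account acting as a confused deputy.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if _as_list(ids) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId missing or different")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY, VENDOR_ACCOUNT_ID, EXTERNAL_ID))
```

The trust policy of a real role can be read from the Role.AssumeRolePolicyDocument field returned by `aws iam get-role` and passed to the function as a JSON string.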
Once the integration is online, Secure Access Cloud will send all available logs to the configured S3 bucket in JSON format using the following structure:
The Log Types are:
The files are compressed using the gzip format.