The logs shipping integration with AWS allows you to send all user activity and secure access cloud audit logs to an AWS S3 bucket under your AWS account.
Once the logs are in your S3 bucket you can further pull them into your SIEM, such as Splunk, or a cloud log analytics/SIEM solution such as logz.io, Azure Sentinel and others.
The integration settings are configured under Settings → Logs Shipping.
To define the logs shipping integration, follow the steps outlined below:
Open your AWS Management Console and navigate to IAM:
1. Choose "Create role"
2. Choose "Another AWS Account"
3. Copy the Account ID field from the dialog shown below in the Secure Access Cloud Admin Web Portal:
4. Check the "Require External ID" option and copy the External ID from the same dialog in the Secure Access Cloud Admin Web Portal.
5. The AWS Console should now have the values populated as follows:
6. Click Next, then choose Create Policy (note that the policy editing UI opens in a different tab).
7. In the Secure Access Cloud Logs Shipping integration page, enter the name of the S3 bucket to which you'd like to export the logs and click "Save":
8. Once you've saved the name, the IAM Policy field is populated with the JSON containing the permissions Secure Access Cloud needs to write the logs into the configured S3 bucket:
9. Copy the IAM policy and paste it into the AWS Console "Create Policy" window (make sure to switch to the JSON editing view in the Create Policy UI before pasting).
10. Click "Review Policy".
11. Choose a descriptive name for your policy and click "Create Policy".
12. Return to the IAM Management Console tab and click the Refresh icon.
13. Copy the ARN of the created IAM role (from the AWS Console) into the Secure Access Cloud Admin Web Portal:
Once the setup is complete the integration should appear as "Online" in the Secure Access Cloud Admin Web Portal:
If the integration is not set up correctly, an error message with the details is shown instead, for example:
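The role created above is a cross-account role whose trust policy is restricted to the Secure Access Cloud account and to the External ID shown in the portal; the External ID is what prevents a third party who knows your role ARN from having the service assume it on their behalf (the confused-deputy problem). The following Python is an added example, not the portal's generated policy or any product code: it builds the trust policy and a minimal bucket write policy from placeholder values (the account ID, External ID and bucket name are constructed, not real), and audits a trust policy for a wildcard principal or a missing `sts:ExternalId` condition, which is the check worth running before clicking "Create role" and again if the integration reports an error.

```python
import json

# Constructed placeholders: the real Account ID and External ID come from
# the Secure Access Cloud Admin Web Portal dialog; the bucket name is yours.
SAC_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id"
BUCKET = "my-sac-audit-logs"


def trust_policy(account_id, external_id):
    """Trust policy for the cross-account role: only the given account may
    assume it, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def bucket_write_policy(bucket):
    """Assumed minimal permission policy (not the portal's generated JSON):
    allow writing objects into the configured bucket and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def trust_policy_findings(policy):
    """Audit a trust policy: report Allow statements with a wildcard principal
    or without an sts:ExternalId condition."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        conditions = st.get("Condition", {})
        has_ext_id = any(k.lower() == "sts:externalid"
                         for block in conditions.values() for k in block)
        if not has_ext_id:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(SAC_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(bucket_write_policy(BUCKET), indent=2))
    print(trust_policy_findings(trust_policy(SAC_ACCOUNT_ID, EXTERNAL_ID)))
```

Paste the printed trust policy into the role's trust relationship only after `trust_policy_findings` returns an empty list; an open principal or a missing External ID condition lets any AWS account that learns the role ARN attempt to assume it.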
Once the integration is online, Secure Access Cloud will send all available logs to the configured S3 bucket in JSON format using the following structure:
The Log Types are:
The datetime format example is 2019-05-05T11:24:07.962Z_0227.json.gz
The files are compressed using the gzip format.
Please note that this functionality is currently offered in preview mode and might not yet be available in your Secure Access Cloud Admin Web UI. For information on its availability in your environment, please reach out to Secure Access Cloud support.
Please note that the configuration user experience described in this article is not yet fully supported.