
AWS S3 Access Log

Overview

This guide will walk you through the steps to set up the AWS integration in Bronto.

Please note this In-App option is for S3 Access Log ingestion only, for all other use cases refer to our Client Side option.

To set up the AWS integration manually, create an IAM policy and IAM role in your AWS account, and configure the role with an AWS External ID generated in your Bronto account. This allows Bronto’s AWS account to query AWS APIs on your behalf, and pull data into your Bronto account. The sections below detail the steps for creating each of these components, and then completing the setup in your Bronto account.

Setup

Generate an AWS External ID

  1. In the AWS integration configuration page, click the “Add New AWS Account” button.
  2. Enter your AWS account ID in the “AWS Account ID” field and click "Generate External ID". The ID will be generated and available for you to copy. For more information on AWS External IDs, see the IAM user guide.

AWS IAM role for Bronto

  1. Create a new role in the AWS IAM Console.
  2. Select Custom trust policy for the trusted entity type and paste the trust policy below. (Note: don’t forget to copy in your External ID generated on the integration page)
  3. Skip the permission policy section as it will be created after the role.
  4. Name the role BrontoBytesIntegration-AWSRole, and provide an apt description.
  5. Click Create Role.

AWS IAM policy for Bronto

Create an IAM policy for the BrontoBytes role in your AWS account with the necessary permissions to take advantage of every AWS integration offered by BrontoBytes. As other components are added to an integration, these permissions may change.

  1. Go to the newly created BrontoBytesIntegration-AWSRole role in the AWS IAM Console.
  2. Click Add Permissions and choose Create inline policy.
  3. Paste the BrontoBytes Integration Policy below.
  4. Click Next to review your changes.
  5. Name the policy BrontoBytesIntegrationPolicy or one of your own choosing, and provide an apt description.
  6. Click Create policy.

AWS IAM Permissions

AWS IAM permissions enable Bronto to collect metrics, tags, EventBridge events, and other data necessary to monitor your AWS environment.

To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Bronto AWS Integration IAM Role in your AWS account.

AWS Integration IAM Custom Trust Policy

Don’t forget to copy in your External ID generated on the integration page

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BrontoBytesAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::637423326566:role/BrontoBytesAWSIntegration"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External ID created in your BrontoBytes account>"
        }
      }
    }
  ]
}

Bronto Integration Policy

The policy below must be edited before you paste it: replace BUCKET_NAME with the name of the S3 bucket that contains the log data, and PREFIX with the path to the parent folder under which the logs are actually stored.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>/<PREFIX>/*",
        "arn:aws:s3:::<BUCKET_NAME>"
      ]
    }
  ]
}

S3 Notifications

The final step is to enable notifications for your S3 bucket. This will allow Bronto to receive notifications when new objects are added to your bucket.

  1. Go to the S3 console and find the bucket you want to enable notifications for.
  2. Choose the Properties tab and scroll down to Event notifications.
  3. Click Create event notification.
  4. Set the event type to All object create events.
  5. Set the destination to SNS Topic and enter the ARN that matches the region where your bucket is located:
  • EU West 1
    arn:aws:sns:eu-west-1:637423326566:brontobytes-aws-ingestion
  • US East 1
    arn:aws:sns:us-east-1:637423326566:brontobytes-aws-ingestion
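The whole procedure above (trust policy with the External ID condition, the bucket-scoped read-only policy, and the S3 event notification to the regional SNS topic) can be generated and reviewed as data before anything is applied in the console. The script below is an added example, not Bronto's code or tooling: it builds the three documents from the values on this page and checks the two policies for the mistakes that matter most (a leftover placeholder, a missing sts:ExternalId condition, or a resource scope wider than one bucket). The only values taken from the page are the Bronto role ARN and the two SNS topic ARNs; the bucket name, prefix and External ID used in the usage block are constructed placeholders.

```python
import json

# Values quoted from the integration page. Everything else here is illustrative.
BRONTO_PRINCIPAL_ARN = "arn:aws:iam::637423326566:role/BrontoBytesAWSIntegration"
BRONTO_SNS_TOPICS = {
    "eu-west-1": "arn:aws:sns:eu-west-1:637423326566:brontobytes-aws-ingestion",
    "us-east-1": "arn:aws:sns:us-east-1:637423326566:brontobytes-aws-ingestion",
}


def build_trust_policy(external_id: str) -> dict:
    """Trust policy for the Bronto role: only Bronto's integration role may assume
    it, and only when it presents the External ID generated in your Bronto
    account (the confused-deputy protection described in the IAM user guide)."""
    if not external_id or external_id.startswith("<"):
        raise ValueError("replace the External ID placeholder with the generated value")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BrontoBytesAssumeRole",
            "Effect": "Allow",
            "Principal": {"AWS": BRONTO_PRINCIPAL_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_bucket_policy(bucket: str, prefix: str) -> dict:
    """Inline permission policy: read/list only, scoped to one bucket and one prefix."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["s3:List*", "s3:Get*"],
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


def build_notification_config(bucket_region: str) -> dict:
    """S3 event-notification configuration: all object-create events go to the
    Bronto ingestion topic in the same region as the bucket."""
    if bucket_region not in BRONTO_SNS_TOPICS:
        raise ValueError(f"no Bronto ingestion topic listed for region {bucket_region}")
    return {"TopicConfigurations": [{
        "TopicArn": BRONTO_SNS_TOPICS[bucket_region],
        "Events": ["s3:ObjectCreated:*"],
    }]}


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy and list the problems found: wrong principal,
    actions beyond sts:AssumeRole, missing External ID condition, or a
    placeholder that was never replaced. An empty list means it looks right."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {}).get("AWS")
        if principal != BRONTO_PRINCIPAL_ARN:
            findings.append(f"unexpected principal: {principal}")
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions or [])
        if actions != ["sts:AssumeRole"]:
            findings.append(f"actions beyond sts:AssumeRole: {actions}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition (no confused-deputy protection)")
        elif ext.startswith("<"):
            findings.append("sts:ExternalId still contains the placeholder text")
    return findings


def permission_policy_findings(policy: dict) -> list:
    """Check the inline policy grants only Get/List and names a real bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        for action in stmt.get("Action", []):
            if not (action.startswith("s3:Get") or action.startswith("s3:List")):
                findings.append(f"non read-only action: {action}")
        for res in stmt.get("Resource", []):
            if "<" in res or res == "arn:aws:s3:::*":
                findings.append(f"resource not scoped to a specific bucket: {res}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own bucket, prefix and External ID.
    trust = build_trust_policy("example-external-id-from-bronto")
    perms = build_bucket_policy("my-access-logs-bucket", "logs/s3-access/")
    notify = build_notification_config("eu-west-1")
    print(json.dumps(trust, indent=2), trust_policy_findings(trust))
    print(json.dumps(perms, indent=2), permission_policy_findings(perms))
    print(json.dumps(notify, indent=2))
```

Running the review functions against the documents you are about to paste (or against what `aws iam get-role` and `aws iam get-role-policy` return afterwards) catches the two silent failures of this setup: a trust policy that was pasted with the `<External ID ...>` placeholder still in it, and a permission policy whose `<BUCKET_NAME>` was never replaced. The region check in `build_notification_config` enforces the page's rule that the SNS topic must be in the same region as the bucket.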