Comment on page
Logs in Amazon S3
Activate your CloudTrail, ALB or ELB logs in RunReveal
This guide describes how to setup your S3 buckets that have AWS logs for RunReveal to be able to process them.
First, ensure you're sending CloudTrail / ALB / ELB logs to an S3 bucket of your choice, for which you have permissions to modify the IAM policy.
Attach the following IAM policy to the bucket, ensuring to replace
YOUR_BUCKET_NAMEwith the name of the bucket the policy's being attached to.
Then, enable sending notifications to one of RunReveal's regional SNS queues by following along below.
- 1.Find the bucket containing the logs you wish to send to RunReveal.
- 2.From the bucket overview, click the "Properties" tab, then scroll down to "Event Notifications"
- 3.Click "Create Event Notification"
- 4.Give the configuration a name (for your own identifying purposes, doesn't matter what it is).
- 5.Select "All object create events" in the events section (photo below)
Select All object create events for the S3 Event Notifications
- 6.Then input RunReveal's S3 regional SNS queue ARN (
arn:aws:sns:<s3-bucket-region>:253602268883:RunReveal) under the "Destinations" block at the bottom like so. See the table below for the regions we currently have SNS topics created for. Please reach out to [email protected] if your region is not listed so we can create it.
The SNS configuration for the bucket.
- 8.To associate the given bucket with the log type stored in this bucket, follow the guide given for that log type (found in the navigation pane to the left). Right now, the supported logs are ALB, ELB or CloudTrail logs, with more to come soon. After about 5-15 minutes, you should start seeing logs in your RunReveal workspace. Verify with:
runreveal logs ... TODO
If you created your S3 bucket using the UI, this will be set to "ACLs enabled" by default. You must disable the ACLs to allow RunReveal to read your S3 logs.
Before you begin, ensure you know which KMS key is being used to encrypt the logs stored in the given bucket. Take note of which key it is, and go to the KMS UI. Add the following statement to that policy to allow RunReveal to decrypt the objects within your bucket.
To do this, in the KMS UI, select "Edit"
Add the following statement to your KMS policy.
"Sid": "Enable RunReveal to decrypt objects in s3",