Exporting Your Activity Log to Amazon S3
Last updated: October 7, 2024
Background
This article outlines how to configure an S3 bucket as the destination of your Lumos Activity Logs.
Step 1: Create an IAM policy
You'll need to create an IAM policy so Lumos can put objects (Activity Logs, each in a JSON file) in your S3 bucket.
Click on the "Create policy" button.
Choose the JSON tab to create a custom policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    }
  ]
}
Note: Replace YOUR_BUCKET_NAME with the name of your S3 bucket.
Click on the "Review policy" button.
Enter a name and description for the policy, then click on the "Create policy" button.
Step 2: Create an IAM role and attach the policy
Next, create an IAM role. This role grants Lumos the permissions it needs to write Activity Logs to your S3 bucket.
Log in to your AWS Management Console.
Navigate to the IAM dashboard.
Select "Roles" from the left-hand menu and click on the "Create role" button.
Configure the role as shown below. Tick the "Require External ID" checkbox and enter the External ID shown on Lumos. Enter our AWS account ID, 134185523792.
Click on the "Next: Permissions" button.
Search for the policy you created in Step 1.
From the newly created role page, make note of the role's ARN.
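To review the result of Steps 1 and 2 before handing the ARNs to Lumos, the following added example (not Lumos or AWS code) checks a role trust policy and a permissions policy offline. It assumes the trust policy has the shape the AWS console usually generates for a cross-account role with an external ID; the function names, EXAMPLE_EXTERNAL_ID and the sample documents are constructed for illustration.

```python
import json

LUMOS_ACCOUNT_ID = "134185523792"  # AWS account ID given in Step 2

def as_list(value):
    """IAM accepts a single value or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    """Only Allow statements grant access, so only those are inspected."""
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def check_trust_policy(policy, external_id):
    """Return problems found in a role trust policy (empty list means OK)."""
    problems = []
    allowed = {LUMOS_ACCOUNT_ID, f"arn:aws:iam::{LUMOS_ACCOUNT_ID}:root"}
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if any(p not in allowed for p in aws):
            problems.append("principal is not limited to the Lumos account")
        # Condition key names are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): v for k, v in equals.items()}
        if as_list(equals.get("sts:externalid")) != [external_id]:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems

def check_write_policy(policy, bucket):
    """Return problems found in the Step 1 permissions policy (empty list means OK)."""
    problems = []
    for stmt in allow_statements(policy):
        if as_list(stmt.get("Action")) != ["s3:PutObject"]:
            problems.append("grants more than s3:PutObject")
        if as_list(stmt.get("Resource")) != [f"arn:aws:s3:::{bucket}/*"]:
            problems.append("resource is not limited to objects in the bucket")
    return problems

# Constructed samples: a correct trust policy, one without the external ID
# condition, and a permissions policy that is broader than Step 1 asks for.
GOOD_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::134185523792:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_EXTERNAL_ID"}}}]}""")
WEAK_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::134185523792:root"}, "Action": "sts:AssumeRole"}]}""")
BROAD_WRITE = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "s3:*", "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"}]}""")

if __name__ == "__main__":
    print(check_trust_policy(WEAK_TRUST, "EXAMPLE_EXTERNAL_ID"))
    print(check_write_policy(BROAD_WRITE, "YOUR_BUCKET_NAME"))
```

To check your own role, paste the JSON from the role's "Trust relationships" tab and from the policy page in place of the samples.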
Step 3: Get the ARN of the S3 bucket
Navigate to the S3 bucket that you want to ship logs to, and copy its ARN by going to Properties > Bucket overview.
Step 4: Verify your credentials in Lumos
Paste the ARNs from the previous steps into Lumos by going to Settings > SIEM > S3. You must verify the credentials before saving the S3 configuration to your SIEM settings.
Step 5: Verify delivery of your logs to your S3 bucket
After some actions are taken in Lumos, ensure that logs are being properly shipped to your S3 bucket. If you experience any issues, please contact us at support@lumos.com or via Slack.