Amazon S3

Overview

This document outlines the process for submitting data stored in an Amazon S3 bucket to AlphaSOC for analysis. AlphaSOC analyzes the log files stored in the bucket to identify security threats and detect anomalies.

To transfer data, set up the following AWS resources:

  • S3 bucket that stores the data and triggers event notifications when objects are uploaded.
  • SQS queue that receives messages generated by the S3 event notifications.
  • IAM role that provides the necessary permissions to access and retrieve data from the S3 bucket and read messages from the SQS queue.

To set up the necessary AWS resources, refer to Configuring Amazon S3 bucket for notifications.

To enable integration, please provide the following configuration details to AlphaSOC:

  • SQS queue URL.
  • IAM role ARN.
  • S3 bucket name.

Setting IAM Role Permissions

Replace the following placeholders with the appropriate AWS resource identifiers in the policies listed below.

  • {{ALPHASOC_ORGANIZATION_ID}} - ID of your organization, as assigned in the AlphaSOC console
  • {{SQS_QUEUE_ARN}} - ARN of your SQS queue
  • {{S3_BUCKET_ARN}} - ARN of your S3 bucket

IAM Trust Policy

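Define who can assume the IAM role by setting a trust relationship. The policy below allows the AlphaSOC data-import role to assume your role only when the request supplies your organization ID as the external ID.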

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::610660487454:role/data-import"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{{ALPHASOC_ORGANIZATION_ID}}"
        }
      }
    }
  ]
}

IAM Role Permissions

Define permissions for accessing an Amazon S3 bucket and an Amazon SQS Queue.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "{{S3_BUCKET_ARN}}/*"
    },
    {
      "Sid": "SQS",
      "Effect": "Allow",
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "{{SQS_QUEUE_ARN}}"
    }
  ]
}

If AWS KMS encryption is enabled for the Amazon S3 bucket or Amazon SQS queue, add the following statement to the role's permissions policy to allow access to the encrypted resources. Replace the {{AWS_KEY_ARN}} placeholder with the ARN of your AWS KMS key.

{
  "Sid": "KMS",
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "{{AWS_KEY_ARN}}"
}
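
The following Python check is an added example, not AlphaSOC's code. Run over the two policies before the role is created, it confirms that the trust policy names only the AlphaSOC principal and requires sts:ExternalId, that no placeholder or wildcard resource remains, and that s3:GetObject is granted on object ARNs rather than on the bucket ARN. The sample policies, bucket name, queue ARN and organization ID are constructed for illustration.

```python
import json

# Principal taken from the trust policy on this page.
ALPHASOC_PRINCIPAL = "arn:aws:iam::610660487454:role/data-import"

def _listify(value):
    return value if isinstance(value, list) else [value]

def lint_trust(policy):
    """Return problems in a role trust policy (empty list means OK)."""
    problems = []
    for st in _listify(policy["Statement"]):
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if _listify(aws) != [ALPHASOC_PRINCIPAL]:
            problems.append("principal is not the AlphaSOC data-import role")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("no sts:ExternalId condition")
        elif "{{" in ext_id:
            problems.append("ExternalId placeholder not replaced")
    return problems

def lint_permissions(policy):
    """Return problems in the role permissions policy (empty list means OK)."""
    problems = []
    for st in _listify(policy["Statement"]):
        actions = [a.lower() for a in _listify(st["Action"])]
        for res in _listify(st["Resource"]):
            if res == "*" or "{{" in res:
                problems.append(f"{st.get('Sid')}: resource not pinned: {res}")
            elif "s3:getobject" in actions and "/" not in res.split(":::", 1)[-1]:
                problems.append(f"{st.get('Sid')}: s3:GetObject needs an object ARN such as {res}/*")
    return problems

# Constructed sample policies (bucket name, queue and organization ID are made up).
BAD_TRUST = json.loads('{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}')
GOOD_TRUST = json.loads("""{"Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::610660487454:role/data-import"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-org-id"}}}]}""")
PERMISSIONS = json.loads("""{"Statement": [
  {"Sid": "S3", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs"},
  {"Sid": "SQS", "Effect": "Allow", "Action": ["SQS:ReceiveMessage", "SQS:DeleteMessage"],
   "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"}]}""")

if __name__ == "__main__":
    for name, result in [("bad trust", lint_trust(BAD_TRUST)), ("good trust", lint_trust(GOOD_TRUST)),
                         ("permissions", lint_permissions(PERMISSIONS))]:
        print(name, "->", result or "OK")
```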