Grant Access to an AWS Product

Before configuring an AWS Source or data forwarding to S3, you'll need to grant Sumo Logic permissions. These permissions are managed through Amazon Web Service Identity & Access Management (IAM). 

If your organization has not yet enabled Identity & Access Management in your AWS account, you must do so before configuring an AWS Source. Otherwise, Sumo Logic won't have the permissions it needs to access your data.

For instructions and to learn more on using Identity & Access Management, see AWS Identity and Access Management (IAM).

You can either use an IAM User or an IAM Role to provide permissions to Sumo Logic. AWS and Sumo Logic recommend using an IAM Role for increased security. An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.

The following video shows how to set up an IAM role while creating an S3 Source.

The following steps require providing a custom policy in JSON that specifies the permissions you are granting to Sumo Logic. The JSON policies require different permissions depending on the Source you are creating. You may combine the policies.

CloudFormation

You can set up a role using the IAM console or through a CloudFormation template. We recommend you use CloudFormation.

IAM Role

To get a role ARN you need to create an IAM Role in AWS. Follow the steps documented in the appropriate section of the AWS User Guide.

  1. Sign in to the AWS Management Console and open the IAM console.

  2. In the navigation pane of the console, choose Roles and then choose Create role.

  3. Choose the Another AWS account role type.

  4. For the Account ID use the following ID for Sumo Logic: 926226587429

  5. In the Options section, enable Require external ID; this is required for better security. For more information refer to Why Do You Need to Use an External ID in the AWS User Guide. The External ID is unique to your Sumo Logic account and must be in the following format:

    Format: SumoDeployment:SumoAccountId
    Example: us1:0000000000000131

    The SumoDeployment must be one of the following, in lowercase: us1, us2, eu, au, de, or jp.
    The SumoAccountId is your organization ID and can be found on your Account Page.

  6. The Require MFA option is not supported.

  7. Click Next: Permissions.

  8. In the AWS User Guide's step 8, create a Custom policy. Use the JSON access policy for your Source type. For more details refer to the Access Policies section of the AWS User Guide.

  9. After creating the role, copy the role ARN to provide to Sumo Logic when creating your Source.
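The role produced by steps 1 through 9 carries a trust policy that names Sumo Logic's account as the principal and your External ID as a condition. The following added Python example (not Sumo Logic's own code) builds that trust policy from the page's SumoDeployment:SumoAccountId format and audits an existing trust policy for the sts:ExternalId condition. The sts:ExternalId condition key and the arn:aws:iam::ACCOUNT:root principal form are standard IAM; treating the SumoAccountId part as alphanumeric is an assumption, since the page shows only a numeric example.

```python
import re

# Sumo Logic's AWS account ID, as given on this page (step 4).
SUMO_ACCOUNT_ID = "926226587429"
# Deployment codes the page lists; the External ID needs them in lowercase.
SUMO_DEPLOYMENTS = {"us1", "us2", "eu", "au", "de", "jp"}
# Assumption: the SumoAccountId part is alphanumeric; the page shows only a numeric example.
EXTERNAL_ID_RE = re.compile(r"^(us1|us2|eu|au|de|jp):[0-9A-Za-z]+$")


def external_id(deployment: str, sumo_account_id: str) -> str:
    """Build the External ID in the page's SumoDeployment:SumoAccountId format."""
    dep = deployment.lower()
    if dep not in SUMO_DEPLOYMENTS:
        raise ValueError(f"unknown Sumo deployment: {deployment!r}")
    if not sumo_account_id.isalnum():
        raise ValueError("SumoAccountId must be the organization ID from your Account Page")
    return f"{dep}:{sumo_account_id}"


def trust_policy(ext_id: str) -> dict:
    """Trust policy matching the 'Another AWS account' role type with 'Require external ID' on."""
    if not EXTERNAL_ID_RE.match(ext_id):
        raise ValueError(f"External ID not in SumoDeployment:SumoAccountId format: {ext_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SUMO_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            # Without this condition, any AWS customer could ask Sumo Logic to assume your role.
            "Condition": {"StringEquals": {"sts:ExternalId": ext_id}},
        }],
    }


def trust_policy_is_safe(policy: dict) -> bool:
    """Audit: every Allow that lets Sumo Logic (or '*') assume the role needs a well-formed sts:ExternalId."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if principal != "*" and SUMO_ACCOUNT_ID not in str(principal):
            continue  # statement is about some other principal (e.g. an AWS service)
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not EXTERNAL_ID_RE.match(str(cond.get("sts:ExternalId", ""))):
            return False
    return True
```

Run trust_policy_is_safe against the trust policy of a role you already created to confirm the External ID condition survived any later console edits.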

IAM User

  1. Create an IAM user in AWS. For more information about this, refer to the appropriate section of the AWS User Guide.
    1. Save the Access Key ID and Secret Access Key credentials. You will need to provide these in Sumo Logic.
  2. Create a Custom Policy for the new IAM user. Refer to the Access Policies section of the AWS User Guide and use the JSON access policy for your Source type.

JSON Access Policies

AWS S3 Policy

This policy is for an AWS S3 Source, AWS S3 Audit Source, AWS CloudFront Source, AWS CloudTrail Source, and an AWS ELB Source.

Replace the your_bucketname placeholders in the Resource section of the JSON policy with your actual S3 bucket name.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:ListBucketVersions",
            "s3:ListBucket"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::your_bucketname/*",
            "arn:aws:s3:::your_bucketname"
         ]
      }
   ]
}
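The S3 policy above grants four actions on one bucket and nothing else. The following added Python example (not Sumo Logic's own code) fills in the your_bucketname placeholders and reports where a policy has drifted from that template: extra or wildcard actions (such as s3:*) and resources that are not the named bucket or its objects. The bucket name used at the bottom is constructed for illustration.

```python
# Actions the page's AWS S3 policy grants; anything beyond this set is excess.
S3_SOURCE_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                     "s3:ListBucketVersions", "s3:ListBucket"}


def as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def policy_findings(policy: dict, expected_actions: set, bucket: str) -> list:
    """Report where an identity policy grants more than the page's template: actions outside
    expected_actions (wildcards such as s3:* included) and resources that are not the named
    bucket or its objects. An empty list means the policy is as tight as the template."""
    findings = []
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action in expected_actions:
                continue
            kind = "wildcard action" if "*" in action else "unexpected action"
            findings.append(f"statement {i}: {kind} {action!r}")
        for res in as_list(stmt.get("Resource")):
            if res not in wanted:
                findings.append(f"statement {i}: resource {res!r} not scoped to bucket {bucket!r}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource inverts the allow list; review by hand")
    return findings


def s3_source_policy(bucket: str) -> dict:
    """The page's AWS S3 policy with the your_bucketname placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": sorted(S3_SOURCE_ACTIONS),
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


if __name__ == "__main__":
    print(policy_findings(s3_source_policy("example-logs"), S3_SOURCE_ACTIONS, "example-logs"))
    too_broad = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(policy_findings(too_broad, S3_SOURCE_ACTIONS, "example-logs"))
```

The same check works for the Data Forwarding policy further down by passing {"s3:PutObject"} as expected_actions.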

KMS Key Policy for Server Side Encrypted Data

To collect data from encrypted sources, such as encrypted CloudTrail logs, you'll also need to add access to the KMS resources in your KMS Key Policy. Add the IAM User or Role to the Principal section of your Key Policy and provide the kms:Decrypt action. See Example Key Policy for more information.

AWS CloudWatch Source Policy

This policy is for an Amazon CloudWatch Source for Metrics.

The ec2:DescribeInstances action is needed only if you are creating a CloudWatch Source that collects from the EC2 namespace.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AWS Metadata (Tag) Source for Metrics Policy

This policy is for an AWS Metadata (Tag) Source for Metrics.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Action": [
               "ec2:DescribeInstances"
           ],
           "Effect": "Allow",
           "Resource": "*"
       }
   ]
}

Data Forwarding Policy

This policy is for Forwarding Data from Sumo Logic to S3.

Replace the your_bucketname placeholder in the Resource section of the JSON policy with your actual S3 bucket name.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::your_bucketname/*"
         ]
      }
   ]
}