Sumo Logic

Grant Access to an AWS Product

Before configuring an AWS Source, you'll need to grant Sumo Logic permission to read your data. These permissions are managed through Amazon Web Services Identity and Access Management (IAM).

If your AWS account does not yet use Identity and Access Management, you must enable it before configuring an AWS Source. Otherwise Sumo Logic won't have the permissions it needs to access your data.

For instructions and to learn more on using Identity & Access Management, see AWS Identity and Access Management (IAM).

The following steps require providing a custom policy in JSON that specifies the permissions you are granting to Sumo Logic. The JSON policies require different permissions depending on the Source you are creating. You may combine the policies.

IAM User

  1. Create an IAM user in AWS. For more information about this, refer to the appropriate section of the AWS User Guide.
    1. Save the Access Key ID and Secret Access Key credentials. You will need to provide these in Sumo Logic.
  2. Create a Custom Policy for the new IAM user. Refer to the Access Policies section of the AWS User Guide and use the JSON access policy for your Source type.

JSON Access Policies

AWS S3 Policy

This policy is for the AWS S3 Source, AWS S3 Audit Source, AWS CloudFront Source, AWS CloudTrail Source, and AWS ELB Source.

Replace the your_bucketname placeholders in the Resource section of the JSON policy with your actual S3 bucket name.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:ListBucketVersions",
            "s3:ListBucket"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::your_bucketname/*",
            "arn:aws:s3:::your_bucketname"
         ]
      }
   ]
}

KMS Key Policy for Server Side Encrypted Data

To collect data from encrypted sources, such as encrypted CloudTrail logs, you'll also need to add the appropriate access to the KMS resources in the inline policy for the IAM user you created in the example above, and add that user to the Key Policy. See Example Key Policy for more information.

AWS CloudWatch Source Policy

This policy is for an Amazon CloudWatch Source for Metrics.

The ec2:DescribeInstances action is needed only if you are creating a CloudWatch Source to collect from the EC2 namespace.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AWS Metadata (Tag) Source for Metrics Policy

This policy is for an AWS Metadata (Tag) Source for Metrics.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Action": [
               "ec2:DescribeInstances"
           ],
           "Effect": "Allow",
           "Resource": "*"
       }
   ]
}

Data Forwarding Policy

This policy is for Forwarding Data from Sumo Logic to S3.

Replace the your_bucketname placeholder in the Resource section of the JSON policy with your actual S3 bucket name.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::your_bucketname/*"
         ]
      }
   ]
}
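Because the page asks you to replace the your_bucketname placeholder by hand and notes that the per-Source policies may be combined, the following added example (not Sumo Logic's code) renders the S3 template with a real bucket name, merges it with the CloudWatch policy, and lints the result for a leftover placeholder, a wildcard S3 resource, or an action the page never grants. The bucket name check and the expected-action set are assumptions made for this example.

```python
import json
import re

# Constructed for this example: the page's S3 Source policy, kept as a
# template with the your_bucketname placeholder still in place.
S3_POLICY_TEMPLATE = """{
   "Version":"2012-10-17",
   "Statement":[{
      "Action":["s3:GetObject","s3:GetObjectVersion","s3:ListBucketVersions","s3:ListBucket"],
      "Effect":"Allow",
      "Resource":["arn:aws:s3:::your_bucketname/*","arn:aws:s3:::your_bucketname"]
   }]
}"""
CLOUDWATCH_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "ec2:DescribeInstances"],
    "Effect": "Allow", "Resource": "*"}]}

PLACEHOLDER = "your_bucketname"
# Every action the page's policies grant (assumed allow-list); anything beyond it is a finding.
EXPECTED_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucketVersions", "s3:ListBucket",
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
    "ec2:DescribeInstances", "s3:PutObject",
}

def is_valid_bucket_name(name: str) -> bool:
    """Simplified S3 naming rule (assumption): 3-63 lowercase letters, digits, dots, hyphens."""
    return re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", name) is not None

def render_policy(template: str, bucket: str) -> dict:
    """Substitute the placeholder with a real bucket name and parse the JSON."""
    if not is_valid_bucket_name(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return json.loads(template.replace(PLACEHOLDER, bucket))

def merge_policies(*policies: dict) -> dict:
    """Combine several per-Source policies into one document, as the page allows."""
    return {"Version": "2012-10-17",
            "Statement": [s for p in policies for s in p["Statement"]]}

def lint_policy(policy: dict) -> list:
    """List anything that leaves the policy broken or broader than the page intends."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect should be Allow")
        findings += [f"statement {i}: unexpected action {a}" for a in actions if a not in EXPECTED_ACTIONS]
        findings += [f"statement {i}: placeholder left in {r}" for r in resources if PLACEHOLDER in r]
        if "*" in resources and any(a.startswith("s3:") for a in actions):
            findings.append(f"statement {i}: S3 actions granted on every bucket")
    return findings
```

Run lint_policy on the final document before pasting it into the IAM console; an empty list means the policy still grants only what the page describes, scoped to your bucket.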