Grant Access to an AWS S3 Bucket

IAM User Policy

Before configuring an AWS Source, you'll need to grant Sumo Logic permissions to get objects and object versions, and to list objects and object versions, in your organization's bucket.

To grant Amazon S3 permissions:

  1. Create an IAM user in AWS. For more information about this, refer to the appropriate section of the AWS User Guide.
    1. Save the Access Key ID and Secret Access Key credentials. You will need to provide these in Sumo Logic.
  2. Create a Custom Policy for the new IAM user. Refer to the Access Policies section of the AWS User Guide. Use the following JSON policy:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:ListBucketVersions",
            "s3:ListBucket"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::your_bucketname/*",
            "arn:aws:s3:::your_bucketname"
         ]
      }
   ]
}

All Action parameters shown are required. Make sure to replace your_bucketname with the actual name of your S3 bucket in the Resource lines of the JSON.
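One way to check a policy document against these requirements before attaching it, as an added example that is not Sumo Logic's or AWS's own code. The function name `check_policy` and the bucket name `example-logs` are hypothetical, and the sample policies are constructed:

```python
import json
from fnmatch import fnmatchcase

# The four actions the page says are all required.
REQUIRED = ["s3:GetObject", "s3:GetObjectVersion",
            "s3:ListBucketVersions", "s3:ListBucket"]


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(policy_json, bucket):
    """Return findings for an identity policy; an empty list means it matches.

    Simplification: Allow statements are pooled; Deny and Condition are ignored.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    actions, resources = set(), set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            actions.update(a.lower() for a in _as_list(stmt.get("Action")))
            resources.update(_as_list(stmt.get("Resource")))
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    required = {a.lower() for a in REQUIRED}  # action names are case-insensitive
    findings = []
    for need in sorted(required):
        # A wildcard such as s3:* still covers the required action.
        if not any(fnmatchcase(need, pattern) for pattern in actions):
            findings.append(f"missing action: {need}")
    findings += [f"broader than required: {a}" for a in sorted(actions - required)]
    findings += [f"missing resource: {r}" for r in sorted(wanted - resources)]
    findings += [f"unexpected resource: {r}" for r in sorted(resources - wanted)]
    return findings


# Constructed sample policies for a hypothetical bucket "example-logs".
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": REQUIRED,
    "Resource": ["arn:aws:s3:::example-logs/*", "arn:aws:s3:::example-logs"]}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:*",
    "Resource": "arn:aws:s3:::your_bucketname/*"}})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_policy(doc, "example-logs") or "OK")
```

The BAD sample is flagged for a wildcard action, for the placeholder bucket name left in place, and for both missing bucket ARNs.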

KMS Key Policy for Server Side Encrypted Data

To collect data from encrypted sources, such as encrypted CloudTrail logs, you'll also need to add the appropriate access to the KMS resources in the inline policy for the IAM user you created in the example above, and add that user to the Key Policy. See Example Key Policy for more information.

Managing Access Keys

In addition, while configuring an S3 Source, you'll need to provide Key ID and Secret Key credentials (tokens) to Sumo Logic. Security, token, and access settings are handled through Amazon Web Services Identity & Access Management.

For instructions on using Identity & Access Management, see AWS Identity and Access Management (IAM) to learn about the options available to your organization.