
AWS S3 Connector

This guide covers implementing Descope's AWS S3 connector. Descope enables you to automatically collect troubleshooting logs and audit events in your AWS S3 Bucket.

Configure AWS S3 Connector in Descope

Configuring the Connector

Navigate to the Connectors page in the Descope Console and select AWS S3 to create a new AWS S3 connector.

AWS S3 connector setup

The following parameters are required to use it:

  • Connector Name: Provide a unique name for your connector. This assists in distinguishing it, especially when multiple connectors are derived from the same template.
  • Connector Description: Briefly explain the purpose of this connector.
  • Authentication: Choose whether to use AWS credentials or role-based permissions to authenticate. Follow the guidance below to configure each method.
  • Region: The AWS S3 region, e.g. us-east-1
  • Bucket: The name of the AWS S3 bucket that the logs and audit events will be sent to.
  • Stream Audit Events: Select which events are sent to AWS S3. Descopers can allow all audit events or filter them based on certain actions that occur or tenants in the project.
  • Stream Troubleshooting Events: Decide whether troubleshooting events are also sent to AWS S3.

Authentication

Use AWS Credentials

Prerequisites

  1. Have an AWS S3 bucket set up.
  2. Have an IAM user with the necessary AWS S3 bucket permissions.

Getting the Access Key

  1. In AWS, navigate to Services in the top left and select IAM. On the IAM page, navigate to Users.

If you don't have an IAM user, create one now. If you already have one, click on "Add Permissions". You can assign the required permissions either by adding the user to a group or by directly attaching policies to the user. For more information see Amazon Documentation.

Adding Permissions to AWS IAM User

  2. Go to the User's page and click on "Create access key" and then on "Third-party service" if you are adding the policy directly.

Create Access Key for AWS IAM User

  3. Make sure to save your Secret access key as you won't be able to view it again.

Access Key Fields in AWS S3

  4. Insert the Access Key ID and secret into the Descope console.
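
A least-privilege check for the policy attached to the IAM user whose access key is entered in Descope, as an added example that is not part of Descope's documentation. It assumes the connector only needs s3:PutObject on the bucket's objects (this guide does not list the required permissions); the bucket name and both policies are constructed.

```python
import json

# Assumption: the connector only writes objects, so s3:PutObject on the
# bucket's objects is treated as the full set of permissions it needs.
ALLOWED_ACTIONS = {"s3:putobject"}
BUCKET = "example-descope-audit-logs"  # constructed bucket name

def _as_list(value):
    # IAM allows a single string/object where a list is also valid.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket):
    """Return findings for Allow statements broader than write-only to `bucket`."""
    findings = []
    object_arn = f"arn:aws:s3:::{bucket}/"
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} exceeds write-only")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith(object_arn):
                findings.append(f"statement {i}: resource {res} is outside {object_arn}*")
    return findings

# Constructed policy: full S3 access on every bucket in the account.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

# Constructed policy: write-only, limited to objects in the log bucket.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy, BUCKET) or "OK")
```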

Use Role-Based Permissions

Prerequisites

  1. Have an AWS S3 bucket set up.

Creating the Role

  1. Insert the region and the bucket name.

  2. Doing so will create a CloudFormation Stack link:

AWS S3 create cloud formation link

  3. Following the link prompts you to create a stack; completing the creation configures the role for you.

AWS S3 create cloud formation stack

  4. Insert the role ARN created, e.g. arn:aws:iam::312892722078:role/prod-external-role-us-east-1, into Descope's console.

Viewing Audit Logs

Now audit logs will be sent to the AWS S3 bucket as JSON objects. The connector can be tested while configuring it so you can ensure the logs are being sent and collected properly.

The logs can still be viewed in Descope under the Audit and Troubleshoot section of the Descope Console. For more information on audit trail and log streaming see Audit Trail Streaming.

An example of directory structure when streaming Descope audit logs to Amazon S3

An example of the date formatted directory structure when streaming Descope audit logs to Amazon S3
