AWS S3 Connector
This guide covers implementing Descope's AWS S3 connector. Descope enables you to automatically collect troubleshooting logs and audit events in your AWS S3 Bucket.
Configure AWS S3 Connector in Descope
Configuring the Connector
Navigate to the Connectors page in the Descope Console and select AWS S3 to create a new AWS S3 connector.
The following parameters are required to use it:
- Connector Name: Provide a unique name for your connector. This assists in distinguishing it, especially when multiple connectors are derived from the same template.
- Connector Description: Briefly explain the purpose of this connector.
- Authentication: Choose whether to use AWS credentials or role-based permissions to authenticate. Follow the guidance below to configure each method.
- Region: The AWS S3 region, e.g. us-east-1
- Bucket: The name of the AWS S3 bucket that the logs and audit events will be sent to.
- Stream Audit Events: Select which events are sent to AWS S3. Descopers can allow all audit events or filter them based on certain actions that occur or tenants in the project.
- Stream Troubleshooting Events: Decide whether troubleshooting events are also sent to AWS S3.
Authentication
Use AWS Credentials
Prerequisites
- Have an AWS S3 bucket set up.
- Have an IAM user with the necessary AWS S3 bucket permissions.
Getting the Access Key
- In AWS, navigate to Services in the top left and select IAM. On the IAM page, navigate to Users.
If you don't have an IAM user, create one now. If you already have one, click on "Add Permissions". You can assign the required permissions either by adding the user to a group or by directly attaching policies to the user. For more information see Amazon Documentation.
- Go to the User's page and click on "Create access key" and then on "Third-party service" if you are adding the policy directly.
- Make sure to save your Secret access key as you won't be able to view it again.
- Insert the Access Key ID and secret into the Descope console.
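The IAM user behind these keys should hold no more than the connector needs. The following is an added example, not Descope's own code: it builds a write-only policy for the target bucket and audits an existing policy document for broader grants. It assumes the connector needs only s3:PutObject in the standard aws partition; the function names and the bucket name example-audit-logs are hypothetical.

```python
# Assumption: the connector only writes objects, so s3:PutObject is the sole
# action needed. Confirm the required actions before attaching the policy.
ALLOWED_ACTIONS = {"s3:PutObject"}


def build_policy(bucket):
    """Identity policy limited to writing objects into one bucket (aws partition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ConnectorWriteOnly",
            "Effect": "Allow",
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    # IAM accepts either a single string/object or a list in these fields.
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return findings for Allow statements broader than write-only on `bucket`."""
    findings = []
    allowed = {a.lower() for a in ALLOWED_ACTIONS}  # IAM actions are case-insensitive
    prefix = f"arn:aws:s3:::{bucket}/"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grant is open-ended")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in allowed:  # also catches "*" and "s3:*"
                findings.append(f"statement {i}: action {action} is not needed")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith(prefix):
                findings.append(f"statement {i}: resource {res} is not an object path in {bucket}")
    return findings


if __name__ == "__main__":
    # Constructed sample: an over-broad policy of the kind to avoid.
    broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    for finding in audit_policy(broad, "example-audit-logs"):
        print(finding)
```

Run the audit over the policy document attached to the user or its group before creating the access key; an empty result means every Allow statement is confined to writing objects in the named bucket.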
Use Role-Based Permissions
Prerequisites
- Have an AWS S3 bucket set up.
Creating the Role
- Insert the region and the bucket name.
- Doing so will create a CloudFormation Stack link.
- Following the link prompts you to create a stack; completing the creation configures the role for you.
- Insert the role ARN created, e.g. arn:aws:iam::312892722078:role/prod-external-role-us-east-1, into Descope's console.
Viewing Audit Logs
Now audit logs will be sent to the AWS S3 bucket as JSON objects. The connector can be tested while configuring it so you can ensure the logs are being sent and collected properly.
The logs can still be viewed in Descope under the Audit and Troubleshoot section of the Descope Console. For more information on audit trail and log streaming see Audit Trail Streaming.