AWS S3 Bucket

Many security products have a built-in capability to export various logs to S3. For these sources, Hunters supports ingesting straight from your S3 buckets. To allow us access to your S3 bucket, please follow these steps to configure an appropriate IAM role.

Step 1 - Create IAM Policy

  1. Log into the AWS Management Console.
  2. From the home dashboard, choose Identity & Access Management (IAM).
  3. Choose Policies from the left-hand navigation pane and then click Create Policy.

  4. Click the JSON tab and paste the following document.

    Note: Make sure to replace BUCKET-NAME-HERE and the prefix with your actual bucket name and folder path prefix.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::BUCKET-NAME-HERE",
            "arn:aws:s3:::BUCKET-NAME-HERE/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/EXAMPLE_NAME"
        }
      ]
    }
    
  5. Give a name to the IAM policy and click Create policy.

Step 2 - Create IAM Role

  1. Log in to the AWS console and go to Services > IAM.
  2. Click Create role.
  3. Choose "Another AWS account".
  4. In Account ID enter Hunters’ Account ID (as provided by Hunters Team).

  5. Select the "Require external ID" checkbox. Note: External IDs are always created for you by the Hunters.AI team; you should not create them manually on your own. For further reading on the purpose of an external ID, go here.

  6. Go to Hunters Portal, select the Dataflow page and click "Add Dataflows" at the top left of the page.

  7. Under "Product", select "AWS". This should automatically set "AWS S3" under "Source". Scroll down to "Use Cross Account Role" and copy the generated "External ID".

  8. In the final result, the AWS account and External ID fields should be filled in with the real values.

  9. Click "Next: Permissions" at the bottom right of the screen.

  10. Choose the previously created IAM policy and click Next.
  11. Click "Next: Tags". If required, add tags to the role.
  12. Click "Next: Review" and give the role a name.

  13. Click "Create role".

  14. Go back to the IAM menu and click Roles.
  15. Filter the newly created role and click on it.

  16. Copy the Role ARN.

  17. Note: ACCOUNT_ID should match the account you are giving Hunters permissions to.

  18. If you wish to narrow the role permissions to a specific user provided by Hunters.AI, click the "Trust Relationship" tab under the role and click "Edit trust relationship".

  19. Under "Principal -> ARN", replace arn:aws:iam::ACCOUNT_ID:root with a Hunters.AI provided User ARN and click "Update Trust Policy".
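
One way to lint the two documents produced by Steps 1 and 2 before handing over the role ARN, as an added example (not Hunters' or AWS's code): it flags template placeholders left in the permissions policy, and a trust policy that lacks the external ID condition or still trusts the account root. The function names and the sample bucket name, account ID and external ID are constructed for illustration.

```python
import json

# Placeholder tokens from this guide's policy template; none should survive.
PLACEHOLDERS = ("BUCKET-NAME-HERE", "REGION", "ACCOUNT_ID", "EXAMPLE_NAME")

def _as_list(value):  # IAM accepts a scalar or a list for these fields
    return value if isinstance(value, list) else [value]

def check_permissions_policy(policy):
    """Return findings for the Step 1 permissions policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            findings += [f"statement {i}: placeholder {t} left in {res}"
                         for t in PLACEHOLDERS if t in res]
        # In this guide only s3:ListAllMyBuckets is granted on Resource "*".
        if "*" in resources and actions != ["s3:ListAllMyBuckets"]:
            findings.append(f"statement {i}: wildcard resource for {actions}")
    return findings

def check_trust_policy(trust):
    """Return findings for the Step 2 trust policy (StringEquals condition form)."""
    findings = []
    for i, stmt in enumerate(_as_list(trust.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in _as_list(arns):
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"statement {i}: principal {arn} is not narrowed to a user")
    return findings

# Constructed samples: a policy with one placeholder left, and an un-narrowed trust policy.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::BUCKET-NAME-HERE/*"]}]}""")
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}""")

if __name__ == "__main__":
    print("\n".join(check_permissions_policy(SAMPLE_POLICY) + check_trust_policy(SAMPLE_TRUST)))
```

The root-principal finding is informational, since narrowing the principal in steps 18 and 19 is optional; a missing `sts:ExternalId` condition means step 5 was skipped.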

After following these directions and creating all the required resources in your AWS account, go back to the relevant Product guide, where you will be asked to provide your role's ARN.