Introduction:
This is an extension to our existing documentation on exporting Cloudsmith logs to AWS S3. This guide will help you configure your AWS infrastructure to start receiving your logs from Cloudsmith; it takes three steps.
Getting Started:
You will need the following permissions in your AWS account (you can also continue with the guide and send the resulting configuration to your AWS administrator):
- IAM - Create Role/Policy
- S3 - Create bucket/folder
How to:
Step 1: Set up your S3 Bucket
NOTE: You can use an existing bucket for this; please inform us of the full bucket name and prefix (folders) where the logs should be stored. For example, if you already have a bucket for all of your logs called all-logs, and a folder for each service, you can create a cloudsmith-logs/access-logs folder and provide all-logs/cloudsmith-logs/access-logs.
If you need to create an S3 bucket on AWS, it’s super easy:
- Log in to the AWS console with the relevant permissions.
- In the search bar, search for S3
- You should then see a button for Create Bucket
- Fill in the information relevant to your configuration (or leave everything as default; the defaults block all public access, which is what you want for a log bucket)
Next, we will need to create two folders, one for your Cloudsmith Audit logs and the other for Cloudsmith Client (access) logs. To do this, click into your newly created bucket or click into an existing bucket.
- Click on Create folder
- Provide a name, e.g. cloudsmith-access-logs and cloudsmith-audit-logs
Save the following details before providing them to our support team:
- The name of the bucket
- The path to the folder where logs should be stored
Now that you have set up your bucket, we can continue to the next step of creating the IAM Role and Policy.
Step 2: Set up your IAM configuration
NOTE: This step only needs to be done once. If you are already exporting logs with us, skip this step and reuse the role/policy that was already created; the only thing to check is the policy's Resource ARN, so that the new logs can be uploaded to the new path.
First, we will create a role without a policy. We will attach one later, either as an inline policy or as a managed IAM policy.
Role creation:
- In your AWS portal, search for IAM and click on Roles
- Click on Create role and select AWS Account
- You should then be prompted with a few options; select Another AWS account and fill in 884446598447
- This is the Cloudsmith AWS account ID used to export logs
- Click Next and Next again on the policy list screen
- Now provide a meaningful role name e.g. CloudsmithLogsWriter and a description.
- In the Trust Policy, insert the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::884446598447:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-external-id"
        }
      }
    }
  ]
}
- The ExternalId will be provided by the Cloudsmith support team. If you are setting this up before receiving one, you can continue this process and update the trust policy later. Do not drop the Condition block: the Principal entry trusts the Cloudsmith account as a whole, and the sts:ExternalId check is what prevents a confused-deputy attack, in which a third party that acts for many customers is tricked into assuming your role on someone else's behalf.
- Leave permissions empty for now (we will configure this soon)
- (optional) Add any relevant tags
- Click on Create role
Policy creation:
There are two different ways to approach policy creation.
- Inline policy
- Managed policy
Consult your AWS administrator on the practices used in your organization to create policies; you can find out more about each type in the AWS documentation.
Inline Policy:
- Navigate to IAM and click on Roles, select your newly created Cloudsmith role
- Scroll down to Permissions policies and click on Add permissions -> Create inline policy
- In the policy editor, select JSON and paste in the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME/OPTIONAL-PREFIX/*"
      ]
    }
  ]
}
- Replace the Resource entry with the ARN of the path you created for the Cloudsmith logs, in the object form arn:aws:s3:::bucket/prefix/* (one entry per folder if you use separate access-log and audit-log folders). The trailing /* limits the Cloudsmith AWS account to writing objects under that prefix: the bare bucket ARN would not cover s3:PutObject at all, and a wider wildcard would let it write anywhere in the bucket.
- Click Next and provide a Policy name then Create Policy
Managed Policy:
The process for creating a managed policy is very similar to the inline policy; the only difference is that we create the policy separately and then attach it to the role.
- Navigate to IAM and click on Policies -> Create policy
- In the policy editor, select JSON and paste in the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME/OPTIONAL-PREFIX/*"
      ]
    }
  ]
}
- Replace the Resource entry with the ARN of the path you created for the Cloudsmith logs, in the object form arn:aws:s3:::bucket/prefix/* (one entry per folder if you use separate access-log and audit-log folders). The trailing /* limits the Cloudsmith AWS account to writing objects under that prefix: the bare bucket ARN would not cover s3:PutObject at all, and a wider wildcard would let it write anywhere in the bucket.
- Navigate to IAM and click on Roles, select your newly created Cloudsmith role
- Scroll down to Permissions policies and click on Add permissions -> Attach policies
- Find your newly created managed policy and select it by ticking the checkbox (not the + icon) and clicking Add permissions
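The steps above are console clicks; the script below is an added example (not Cloudsmith's code) that produces the same two policy documents from a bucket name, the folder prefixes and the external ID, lints them for the mistakes that matter (a trust policy with no sts:ExternalId condition, a permissions policy that still carries the BUCKET-NAME placeholder, a Resource that is a bucket ARN rather than an object path, or actions beyond the write-only pair), and prints the AWS CLI commands that would create the bucket, the "folders" and the role. The bucket, prefixes and role name are assumed example values; the account ID and placeholder external ID are the ones from this guide. Nothing in it calls AWS.

```python
"""Generate and lint the Cloudsmith log-export IAM policies. Added example, not
Cloudsmith's own tooling; values below are assumptions except the account ID."""
import json
import re
import shlex

CLOUDSMITH_ACCOUNT_ID = "884446598447"          # from the guide
PLACEHOLDER_EXTERNAL_ID = "your-external-id"     # from the guide's trust policy

BUCKET = "all-logs"                              # assumed example bucket
PREFIXES = ["cloudsmith-logs/access-logs", "cloudsmith-logs/audit-logs"]  # assumed
EXTERNAL_ID = PLACEHOLDER_EXTERNAL_ID            # replace with the value from support
ROLE_NAME = "CloudsmithLogsWriter"               # assumed role name

ALLOWED_S3_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl"}
# Object ARN with a bucket, an optional key prefix and a trailing wildcard.
OBJECT_ARN = re.compile(r"^arn:aws:s3:::([^/*]+)/(.+/)?\*$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(external_id: str, account_id: str = CLOUDSMITH_ACCOUNT_ID) -> dict:
    """Only the Cloudsmith account may assume the role, and only with the agreed
    external ID (the confused-deputy mitigation)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def permissions_policy(bucket: str, prefixes: list) -> dict:
    """Write-only, scoped to objects under each prefix (bucket/prefix/*)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(ALLOWED_S3_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}/{p.strip('/')}/*" for p in prefixes],
    }]}


def lint_trust_policy(policy: dict) -> list:
    """Return findings; an empty list means the policy matches the guide."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if not (isinstance(p, str) and CLOUDSMITH_ACCOUNT_ID in p):
                findings.append(f"principal {p!r} is not the Cloudsmith account")
        for a in _as_list(stmt.get("Action")):
            if a != "sts:AssumeRole":
                findings.append(f"unexpected action {a!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId is still the placeholder")
    return findings


def lint_permissions_policy(policy: dict) -> list:
    """Return findings; an empty list means write-only access to object paths."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt.get("Action")):
            if a not in ALLOWED_S3_ACTIONS:
                findings.append(f"action {a!r} is broader than {sorted(ALLOWED_S3_ACTIONS)}")
        for r in _as_list(stmt.get("Resource")):
            if not OBJECT_ARN.match(r):
                findings.append(f"resource {r!r} is not of the form arn:aws:s3:::bucket/prefix/*")
            elif "BUCKET-NAME" in r or "OPTIONAL-PREFIX" in r:
                findings.append(f"resource {r!r} still contains the guide's placeholders")
    return findings


def cli_commands(bucket, prefixes, role_name, trust="trust.json", perms="permissions.json"):
    """AWS CLI equivalent of the console steps; returned, not run. create-bucket as
    written assumes us-east-1 (other regions need --create-bucket-configuration)."""
    q = shlex.quote
    cmds = [f"aws s3api create-bucket --bucket {q(bucket)}"]
    # The console's "Create folder" is a zero-byte object whose key ends in "/".
    cmds += [f"aws s3api put-object --bucket {q(bucket)} --key {q(p.strip('/') + '/')}"
             for p in prefixes]
    cmds.append(f"aws iam create-role --role-name {q(role_name)} "
                f"--assume-role-policy-document file://{trust}")
    cmds.append(f"aws iam put-role-policy --role-name {q(role_name)} "
                f"--policy-name {q(role_name + 'Policy')} --policy-document file://{perms}")
    return cmds


if __name__ == "__main__":
    docs = (("trust.json", trust_policy(EXTERNAL_ID), lint_trust_policy),
            ("permissions.json", permissions_policy(BUCKET, PREFIXES), lint_permissions_policy))
    for name, doc, lint in docs:
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
        for finding in lint(doc):
            print(f"{name}: {finding}")   # fix these before creating the role
    print("\n".join(cli_commands(BUCKET, PREFIXES, ROLE_NAME)))
```

Run it once with the placeholder external ID and the linter reports that the trust policy still carries "your-external-id"; swap in the value from Cloudsmith support and it goes quiet. To update an existing role after support sends the ID, aws iam update-assume-role-policy --role-name CloudsmithLogsWriter --policy-document file://trust.json replaces the trust policy in place.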
You’re all set! Let’s step…
Step 3: Enable Export
Contact Cloudsmith’s support team, to let us know that you’ve completed the configuration, and we’ll enable the export!