AWS S3 Bucket Monitoring

Updated Feb 16, 2024

Configure an AWS S3 bucket for Arctic Wolf monitoring

You can configure an Amazon Web Services (AWS)® account to send logs from a Simple Storage Service (S3) bucket to Arctic Wolf®.

Before you begin

For each account containing an S3 bucket that you want to forward logs from, do these actions:


  1. Sign in and select a region.
  2. Launch the CloudFormation stack.
  3. Create the CloudFormation stacks.

Step 1: Sign in and select a region

  1. Sign in to the AWS console as a user, or as an IAM role that has AdministratorAccess or an equivalent IAM policy.

  2. Select the region where your S3 bucket was created.

    Note: Arctic Wolf recommends that you use US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to make sure that all recommended AWS services are available. See Supported AWS regions for more information.

Step 2: Launch the CloudFormation stack

  1. On the CloudFormation Service page, click Create stack > With new resources.

  2. Configure these settings:

    • Prepare template — Select the Template is ready checkbox.
    • Template Source — Select the Amazon S3 URL checkbox.
  3. On a new browser tab, go to the MDR Dashboard, and then copy the AWS stack URL.

  4. Copy the Simple Storage Service (S3) Logs stack URL from the MDR Dashboard, and then paste it into the Amazon S3 URL field.

  5. Click Next.

Step 3: Create the CloudFormation stacks

  1. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.

    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.

  2. In the Parameters section, in the bucketName field, enter the name of the S3 bucket that will be used to save logs.

  3. If the bucket is used for:

    • Storing security logs only — Keep the prefixPath field empty.

    • Multiple purposes — In the prefixPath field, enter a prefix to monitor for new objects. For example,<myservice>/logs.

      Only applicable data is forwarded to Arctic Wolf to lower AWS costs.

      Note: When entering the prefixPath value, do not include a trailing slash, /.

  4. If the logs sent to the S3 bucket:

    • Use standard SSE-S3 encryption — Keep the kmsKey field empty.

    • Have SSE-KMS encryption that encrypts them with a KMS key — Enter the ARN of the KMS key in the kmsKey field.

      See Configure GuardDuty to Export Logs for more information.

  5. Click Next

    You are redirected to the Configure stack options page. Do not make changes on this page.

  6. Click Next.

  7. On the Review page, read the Capabilities section.

  8. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  9. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  10. Verify that the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created.

  11. Contact your CST® to verify that Arctic Wolf is processing logs from your S3 bucket.

Next steps