Help Documentation

Cloud Detection and Response

AWS S3 Bucket Monitoring

Updated Sep 19, 2023

Configure AWS S3 bucket log monitoring

This document describes how to configure an Amazon Web Services® (AWS) account to send logs from a Simple Storage Service (S3) bucket to Arctic Wolf. For example, you may have security-related products or services that write or forward logs to S3 bucket storage. After you perform these steps, Arctic Wolf can receive these logs to further improve your security posture.

Before you begin

Complete the following for each account that contains a S3 bucket you wish to forward logs from:

Sign in and select a region

  1. Sign in to the AWS console as an AWS user or IAM role that has AdministratorAccess or an equivalent IAM policy.

  2. Select the region where your S3 bucket was created.

    Arctic Wolf recommends using US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to ensure that all recommended AWS services are available. See Supported AWS regions for a complete list of supported regions.

  3. Proceed to Launch the CloudFormation stack.

Launch the CloudFormation stack

  1. Navigate to the CloudFormation Service page.

  2. Click Create stack > With new resources.

  3. Select these options:

    • Prepare templateTemplate is ready
    • Template SourceAmazon S3 URL

  4. In a new tab, go to the Arctic Wolf® Unified Portal to retrieve the AWS stack link.

  5. Copy and paste the Simple Storage Service (S3) Logs stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.

  6. Proceed to Create the CloudFormation stacks.

Create the CloudFormation stacks

  1. Under Specify stack details, enter a name in the Stack name field for the S3 log forwarding stack, such as ArcticWolf-S3LogForward.

    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf, so make sure that it is unique.

  2. Under Parameters, in the bucketName field, enter the name of the S3 bucket that will be used to store logs.

  3. If the bucket is used for:

    • Storing security logs only — Leave the prefixPath field empty.

    • Multiple purposes — In the prefixPath field, enter a prefix to monitor for new objects, such as <myservice>/logs.

      This ensures that only relevant data is forwarded to Arctic Wolf, controlling your AWS costs.

      Note: When entering the prefixPath value, do not include a trailing slash, /.

  4. If the logs sent to the bucket:

    • Use standard SSE-S3 encryption — Leave the kmsKey field empty.

    • Have SSE-KMS encryption that encrypts them with a KMS key — Enter the ARN of the KMS key in the kmsKey field.

      For more information about the KMS key ARN, see Configure GuardDuty to Export Logs in the Amazon GuardDuty Monitoring configuration guide.

  5. Click Next to proceed to the Configure stack options page. Do not make any changes on this page.

  6. Click Next to proceed to the Review page.

  7. On the Review page, read the Capabilities section and select all checkboxes to proceed.

    Note: The stack does not create properly if you do not select all checkboxes.

  8. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.

  9. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.

  10. Contact your CST to confirm that Arctic Wolf is processing logs from your S3 bucket.

Next steps

See Configure AWS Account Monitoring for other optional AWS configurations.