This document describes how a user can grant the Last9 user read-only access to an S3 bucket or an S3 bucket path. This is often required for ingesting load balancer or API Gateway logs.

Pre-requisites

Steps

  1. The following policy should be added to the Last9 user or IAM role.

    Where

    1. <bucket>: target S3 bucket
    2. <prefix>: target S3 bucket prefix, if any.
  2. From the main console, click on Identity & Access Management.

  3. From the IAM dashboard, select the Policies section and then click the Create Policy button.


  4. Paste the policy and fill in the name of the S3 bucket and the prefix, if any, as used in Step 1.


  5. Give the policy a meaningful name and click on Create Policy. In this example, we gave the name access-lb-logs as the policy was tied to an AWS load balancer logging bucket. A similar name, such as access-apigw-logs, can be used for an API Gateway logging bucket, and so on.


  6. Go back to the Policies section, select the policy we just created, click on Policy Actions, and select Attach.


  7. Select the Last9 user or IAM role to attach the policy to, and then click on Attach Policy.

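A read-only policy scoped to a bucket and prefix, as described in the steps above, can be generated and checked before it is pasted into the console. This is an added example, not Last9's published policy: the action list (`s3:ListBucket`, `s3:GetObject`), the function names, and the bucket and prefix values are assumptions made for illustration.

```python
import json

# Only these actions are treated as read-only here (an assumption of this
# example; the vendor's own policy may list others).
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def build_read_only_policy(bucket, prefix=""):
    """Build an IAM policy allowing list/read under bucket[/prefix] only."""
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Sid": "ListUnderPrefix", "Effect": "Allow",
                 "Action": ["s3:ListBucket"], "Resource": [bucket_arn]}
    if prefix:
        # ListBucket is a bucket-level action, so the prefix is enforced
        # through the s3:prefix condition key, not the resource ARN.
        list_stmt["Condition"] = {
            "StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    get_stmt = {"Sid": "ReadUnderPrefix", "Effect": "Allow",
                "Action": ["s3:GetObject"], "Resource": [object_arn]}
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def audit_policy(policy, bucket):
    """Return findings for Allow statements that exceed read-only on bucket."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt["Action"], stmt["Resource"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"non-read-only action: {action}")
        for arn in resources:
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                findings.append(f"resource outside bucket: {arn}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: bucket and prefix are placeholders.
    policy = build_read_only_policy("example-lb-logs", "AWSLogs")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, "example-lb-logs"))
```

Running `audit_policy` on any policy document before attaching it flags wildcard actions such as `s3:*` and resources that reach beyond the logging bucket.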